// Decompiled with JetBrains decompiler
// Type: ServiceRemoting
// Assembly: MobilityService, Version=1.0.2519.23335, Culture=neutral, PublicKeyToken=null
// MVID: DCE01E20-F0BF-43A3-ABD9-0E64E99A2DB6
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-b68a9fa2c98a839bfc61691e6eb35adb96800cd5aaf0117d115403b016aa72c1.exe
//
// Reading notes (added during review):
// - This is decompiler output of a mixed-mode (C++/CLI) assembly. Constructs such as
//   "^(int&)", "__fault", "__untypedstackalloc" and the "when ( { ... } )" filters are the
//   decompiler's rendering of IL it could not express in C#; the listing does not compile.
// - The sample file name carries an AV label ("Trojan.Win32.Patched"). Nothing in this type
//   alone shows injected code. NOTE(review): the label presumably refers to a modification
//   elsewhere in the binary; confirm against the full assembly.
// - All struct offsets below (+4, +8, +12, ...) and the pointer-to-int casts assume 32-bit
//   pointers, as the listing stores pointers through "(int)" casts.
// - Identifiers of the form ??_C@_...@ are MSVC-mangled string-literal symbols. The literal
//   text quoted in comments is read from the symbol name itself; long literals are truncated
//   in the symbol, so the quoted text may be only a prefix.

using \u003CCppImplementationDetails\u003E;
using MobilityInterface;
using System;
using System.Runtime.InteropServices;

/// <summary>
/// Remotable service object that controls Windows file-sharing services, adds and removes
/// network shares, and reads or sets a Bluetooth state through a native WMI helper.
/// </summary>
/// <remarks>
/// The type derives from MarshalByRefObject and implements MobilityRemotingInterface, so its
/// methods are callable through a remoting proxy. How the channel is registered and which
/// callers can reach it is not visible in this listing. NOTE(review): confirm, because
/// StartFileSharingService/StopFileSharingService/AddSharedFolder/RemoveSharedFolder perform
/// privileged operations with no caller check or input validation in this class.
/// </remarks>
public class ServiceRemoting : MarshalByRefObject, MobilityRemotingInterface
{
  // Native WMI helper object; allocated in the constructor. No release of it is visible
  // in this class.
  public unsafe WMI* m_WMI;

  /// <summary>
  /// Allocates and constructs the native WMI helper unless m_WMI is already set.
  /// </summary>
  public unsafe ServiceRemoting()
  {
    if ((IntPtr) this.m_WMI != IntPtr.Zero)
      return;
    // 28 bytes of native memory for the WMI object (operator new).
    WMI* wmiPtr1 = (WMI*) \u003CModule\u003E.@new(28U);
    WMI* wmiPtr2;
    // ISSUE: fault handler
    try
    {
      // A failed allocation yields a null m_WMI rather than an exception.
      wmiPtr2 = (IntPtr) wmiPtr1 == IntPtr.Zero ? (WMI*) 0 : \u003CModule\u003E.WMI\u002E\u007Bctor\u007D(wmiPtr1);
    }
    __fault
    {
      // Runs only if the native constructor throws: free the raw allocation.
      \u003CModule\u003E.delete((void*) wmiPtr1);
    }
    this.m_WMI = wmiPtr2;
  }

  /// <summary>
  /// Reports whether the "lanmanserver" service is currently running.
  /// </summary>
  /// <returns>
  /// true when the service could be opened and queried and its state field equals 4;
  /// false on any failure or any other state.
  /// </returns>
  [return: MarshalAs(UnmanagedType.U1)]
  public virtual unsafe bool GetFileSharingServiceStatus()
  {
    // 2147483648 == 0x80000000 (GENERIC_READ) on the local SCM, default database.
    SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 2147483648U);
    if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
      return false;
    SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040GEBNOFCA\u0040lanmanserver\u003F\u0024AA\u0040, 2147483648U);
    _SERVICE_STATUS serviceStatus;
    // Offset 4 of SERVICE_STATUS is dwCurrentState; 4 is SERVICE_RUNNING.
    // NOTE(review): neither scHandlePtr1 nor scHandlePtr2 is passed to CloseServiceHandle
    // in this method, so each call leaks two SCM handles.
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    return (IntPtr) scHandlePtr2 != IntPtr.Zero && \u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) != 0 && ^(int&) ((IntPtr) &serviceStatus + 4) == 4;
  }

  /// <summary>
  /// Requests a start of the "Browser" service. Failures are silent: the method returns
  /// nothing and ignores the StartServiceA result.
  /// </summary>
  public virtual unsafe void StartFileSharingService()
  {
    // 983103 == 0xF003F (SC_MANAGER_ALL_ACCESS).
    SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 983103U);
    if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
      return;
    // 983551 == 0xF01FF (SERVICE_ALL_ACCESS). Only "Browser" is opened here; "lanmanserver"
    // is not started explicitly by this method.
    SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) 
&\u003CModule\u003E.\u003F\u003F_C\u0040_07BCFNLIJJ\u0040Browser\u003F\u0024AA\u0040, 983551U);
    if ((IntPtr) scHandlePtr2 == IntPtr.Zero)
      return;
    // NOTE(review): no CloseServiceHandle on either handle on any path of this method.
    \u003CModule\u003E.StartServiceA(scHandlePtr2, 0U, (sbyte**) 0);
  }

  /// <summary>
  /// Sends a stop control to "Browser" and then to "lanmanserver", waiting for each to
  /// reach state 1 (SERVICE_STOPPED) for at most 30 polls of 500 ms.
  /// </summary>
  public virtual unsafe void StopFileSharingService()
  {
    // SC_MANAGER_ALL_ACCESS; this handle is never closed in the method.
    SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 983103U);
    if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
      return;
    SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_07BCFNLIJJ\u0040Browser\u003F\u0024AA\u0040, 983551U);
    _SERVICE_STATUS serviceStatus;
    if ((IntPtr) scHandlePtr2 != IntPtr.Zero)
    {
      // Control code 1 is SERVICE_CONTROL_STOP; its result is not checked.
      \u003CModule\u003E.ControlService(scHandlePtr2, 1U, &serviceStatus);
      if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) != 0)
      {
        int num = 30;
        // ISSUE: cast to a reference type
        // ISSUE: explicit reference operation
        if (^(int&) ((IntPtr) &serviceStatus + 4) != 1)
        {
          // Poll until stopped, until the query fails, or until the budget runs out.
          while (num > 0)
          {
            \u003CModule\u003E.Sleep(500U);
            --num;
            // ISSUE: cast to a reference type
            // ISSUE: explicit reference operation
            if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) == 0 || ^(int&) ((IntPtr) &serviceStatus + 4) == 1)
              break;
          }
        }
      }
      \u003CModule\u003E.CloseServiceHandle(scHandlePtr2);
    }
    // Same stop-and-wait sequence for "lanmanserver"; it runs whether or not "Browser"
    // could be opened or stopped.
    SC_HANDLE__* scHandlePtr3 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040GEBNOFCA\u0040lanmanserver\u003F\u0024AA\u0040, 983551U);
    if ((IntPtr) scHandlePtr3 == IntPtr.Zero)
      return;
    \u003CModule\u003E.ControlService(scHandlePtr3, 1U, &serviceStatus);
    if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr3, &serviceStatus) != 0)
    {
      int num = 30;
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      if (^(int&) ((IntPtr) &serviceStatus + 4) != 1)
      {
        while (num > 0)
        {
          \u003CModule\u003E.Sleep(500U);
          --num;
          // ISSUE: cast to a reference type
          // ISSUE: explicit reference operation
          if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr3, 
&serviceStatus) == 0 || ^(int&) ((IntPtr) &serviceStatus + 4) == 1)
            break;
        }
      }
    }
    \u003CModule\u003E.CloseServiceHandle(scHandlePtr3);
  }

  /// <summary>
  /// Builds a security descriptor granting access to the user that owns an "explorer.exe"
  /// process in the active console session.
  /// </summary>
  /// <param name="pSecurityDescriptor">
  /// Receives a LocalAlloc'd descriptor, or 0. It may be non-zero even when the method
  /// reports failure, because it is written before the later setup steps are checked.
  /// </param>
  /// <param name="pACL">Receives the ACL produced by SetEntriesInAclA, or 0.</param>
  /// <returns>0 when the descriptor was fully built; otherwise 1064.</returns>
  public unsafe uint GetLogOnUserSecurityDescriptor(void** pSecurityDescriptor, _ACL** pACL)
  {
    // Scratch space for the native C++ exception object used by the handler below.
    // ISSUE: untyped stack allocation
    int num1 = (int) __untypedstackalloc(\u003CModule\u003E.__CxxQueryExceptionSize());
    uint num2 = 0;
    // Default result is failure; 1064 matches Win32 ERROR_EXCEPTION_IN_SERVICE.
    uint securityDescriptor = 1064;
    *(int*) pSecurityDescriptor = 0;
    *(int*) pACL = 0;
    uint consoleSessionId = \u003CModule\u003E.WTSGetActiveConsoleSessionId();
    _WTS_PROCESS_INFOA* wtsProcessInfoaPtr1;
    // uint.MaxValue means there is no active console session. The first argument 0 is the
    // local server; num2 receives the number of entries.
    if (consoleSessionId != uint.MaxValue && \u003CModule\u003E.WTSEnumerateProcessesA((void*) 0, 0U, 1U, &wtsProcessInfoaPtr1, &num2) != 0)
    {
      // Keep the buffer start for WTSFreeMemory; wtsProcessInfoaPtr1 is the cursor.
      _WTS_PROCESS_INFOA* wtsProcessInfoaPtr2 = wtsProcessInfoaPtr1;
      for (uint index = 0; index < num2; ++index)
      {
        // Entry layout (32-bit WTS_PROCESS_INFOA): +0 SessionId, +4 ProcessId,
        // +8 pProcessName, +12 pUserSid.
        // NOTE(review): this is a substring match on the process name only, and the first
        // matching entry in the console session decides whose SID is trusted. Any process
        // in that session whose name contains "explorer.exe" would satisfy it.
        if ((IntPtr) \u003CModule\u003E._mbsstr((byte*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 8), (byte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040DGECLGHJ\u0040explorer\u003F4exe\u003F\u0024AA\u0040) != IntPtr.Zero)
        {
          if (*(int*) wtsProcessInfoaPtr1 == (int) consoleSessionId)
          {
            try
            {
              // One EXPLICIT_ACCESS_A entry (32 bytes), zeroed then filled in.
              \u0024ArrayType\u0024\u0024\u0024BY00U_EXPLICIT_ACCESS_A\u0040\u0040 uExplicitAccessA;
              // ISSUE: initblk instruction
              __memset(ref uExplicitAccessA, 0, 32);
              // +0 grfAccessPermissions: 268435456 == 0x10000000 (GENERIC_ALL).
              // ISSUE: cast to a reference type
              // ISSUE: explicit reference operation
              ^(int&) ref uExplicitAccessA = 268435456;
              // +4 grfAccessMode: 2 (SET_ACCESS).
              // ISSUE: cast to a reference type
              // ISSUE: explicit reference operation
              ^(int&) ((IntPtr) &uExplicitAccessA + 4) = 2;
              // +8 grfInheritance: 0 (no inheritance).
              // ISSUE: cast to a reference type
              // ISSUE: explicit reference operation
              ^(int&) ((IntPtr) &uExplicitAccessA + 8) = 0;
              // +12 Trustee: the SID of the matched process's user.
              \u003CModule\u003E.BuildTrusteeWithSidA((_TRUSTEE_A*) ((IntPtr) &uExplicitAccessA + 12), (void*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 12));
              if (0U != \u003CModule\u003E.SetEntriesInAclA(1U, (_EXPLICIT_ACCESS_A*) &uExplicitAccessA, (_ACL*) 0, pACL))
                throw new Exception();
              // 64 == LPTR (fixed, zero-initialised); 20 bytes is the minimum size of an
              // absolute security descriptor.
              void* voidPtr = \u003CModule\u003E.LocalAlloc(64U, 20U);
              *(int*) pSecurityDescriptor = (int) voidPtr;
              if (IntPtr.Zero == (IntPtr) voidPtr)
                throw new Exception();
              if (\u003CModule\u003E.InitializeSecurityDescriptor(voidPtr, 1U) == 0)
                throw new Exception();
              // NOTE(review): an absolute descriptor references the owner SID rather than
              // copying it, and this SID lives inside the WTS buffer released by
              // WTSFreeMemory before this method returns. The owner pointer in the returned
              // descriptor therefore appears to dangle. The result is also unchecked.
              \u003CModule\u003E.SetSecurityDescriptorOwner((void*) *(int*) pSecurityDescriptor, (void*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 12), 1);
              if (\u003CModule\u003E.SetSecurityDescriptorDacl((void*) *(int*) pSecurityDescriptor, 1, (_ACL*) *(int*) pACL, 0) == 0)
                throw new Exception();
              securityDescriptor = 0U;
              break;
            }
            // The decompiler could not render the native exception filter. The visible
            // flow suggests exceptions are swallowed and the loop is left with the failure
            // code still set. TODO confirm against the IL.
            catch (Exception ex1) when (
            {
              // ISSUE: unable to correctly present filter
              uint exceptionCode = (uint) Marshal.GetExceptionCode();
              if (\u003CModule\u003E.__CxxExceptionFilter((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0)
              {
                SuccessfulFiltering;
              }
              else
                throw;
            }
            )
            {
              uint num3 = 0;
              \u003CModule\u003E.__CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num1);
              try
              {
                try
                {
                }
                catch (Exception ex2) when (
                {
                  // ISSUE: unable to correctly present filter
                  num3 = (uint) \u003CModule\u003E.__CxxDetectRethrow((void*) Marshal.GetExceptionPointers());
                  if (num3 != 0U)
                  {
                    SuccessfulFiltering;
                  }
                  else
                    throw;
                }
                )
                {
                }
                break;
                // Unreachable as rendered (follows an unconditional break).
                if (num3 != 0U)
                  throw;
                else
                  break;
              }
              finally
              {
                \u003CModule\u003E.__CxxUnregisterExceptionObject((void*) num1, (int) num3);
              }
            }
          }
        }
        // Advance one entry; the decompiler shows the stride in bytes (16 per entry).
        wtsProcessInfoaPtr1 += 16;
      }
      \u003CModule\u003E.WTSFreeMemory((void*) wtsProcessInfoaPtr2);
    }
    return securityDescriptor;
  }

  /// <summary>
  /// Creates a disk share named <paramref name="sharedName"/> for the local path
  /// <paramref name="sharedFolder"/> and notifies the shell.
  /// </summary>
  /// <param name="sharedName">Share name, passed to NetShareAdd unchanged.</param>
  /// <param name="sharedFolder">Local path to share, passed to NetShareAdd unchanged.</param>
  /// <returns>true when NetShareAdd returns 0.</returns>
  /// <remarks>
  /// Neither argument is validated here, so whoever can call this method chooses which
  /// folder is exposed. NOTE(review): confirm what restricts callers of the remoting
  /// interface.
  /// </remarks>
  [return: MarshalAs(UnmanagedType.U1)]
  public virtual unsafe bool AddSharedFolder(string sharedName, string sharedFolder)
  {
    // UTF-16 copies in unmanaged memory; freed at the end of the method.
    char* hglobalUni1 = (char*) (void*) Marshal.StringToHGlobalUni(sharedName);
    char* hglobalUni2 = (char*) (void*) Marshal.StringToHGlobalUni(sharedFolder);
    uint num = 0;
    void* voidPtr = (void*) 0;
    _ACL* aclPtr = (_ACL*) 0;
    // NOTE(review): the result is stored but never tested. If the descriptor could not be
    // built, voidPtr is either null (the share then gets whatever default permissions the
    // OS applies) or points at a partly initialised descriptor.
    int securityDescriptor = (int) this.GetLogOnUserSecurityDescriptor(&voidPtr, &aclPtr);
    // SHARE_INFO_502, filled field by field. The struct is not zeroed first and offset 32
    // (shi502_reserved) is not written anywhere in this listing.
    _SHARE_INFO_502 shareInfo502;
    // +0 shi502_netname
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ref shareInfo502 = (int) hglobalUni1;
    // +4 shi502_type: 0 (disk share)
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 4) = 0;
    // +8 shi502_remark: empty wide string literal
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 8) = (int) &\u003CModule\u003E.\u003F\u003F_C\u0040_11LOCGONAA\u0040\u003F\u0024AA\u003F\u0024AA\u0040;
    // +12 shi502_permissions
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 12) = 0;
    // +16 shi502_max_uses: at most 4 concurrent connections
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 16) = 4;
    // +20 shi502_current_uses
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 20) = 0;
    // +24 shi502_path
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 24) = (int) hglobalUni2;
    // +28 shi502_passwd
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 28) = 0;
    // +36 shi502_security_descriptor
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) ((IntPtr) &shareInfo502 + 36) = (int) voidPtr;
    // Level 502 on the local machine; num receives the index of a bad parameter, unused.
    bool flag = \u003CModule\u003E.NetShareAdd((char*) 0, 502U, (byte*) &shareInfo502, &num) == 0U;
    // 512 == SHCNE_NETSHARE. The notification is sent even when NetShareAdd failed.
    // NOTE(review): flag 1 is SHCNF_PATHA (ANSI path) while the buffer holds UTF-16 text.
    \u003CModule\u003E.SHChangeNotify(512, 1U, (void*) hglobalUni2, (void*) 0);
    if ((IntPtr) aclPtr != IntPtr.Zero)
      \u003CModule\u003E.LocalFree((void*) aclPtr);
    if ((IntPtr) voidPtr != IntPtr.Zero)
      \u003CModule\u003E.LocalFree(voidPtr);
    Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni1));
    Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni2));
    return flag;
  }

  /// <summary>
  /// Deletes the share named <paramref name="sharedName"/> on the local machine and
  /// notifies the shell about <paramref name="sharedFolder"/>.
  /// </summary>
  /// <param name="sharedName">Share name passed to NetShareDel unchanged.</param>
  /// <param name="sharedFolder">Path used only for the shell notification.</param>
  /// <returns>true when NetShareDel returns 0.</returns>
  [return: MarshalAs(UnmanagedType.U1)]
  public virtual unsafe bool RemoveSharedFolder(string sharedName, string sharedFolder)
  {
    char* hglobalUni1 = (char*) (void*) Marshal.StringToHGlobalUni(sharedName);
    char* hglobalUni2 = (char*) (void*) Marshal.StringToHGlobalUni(sharedFolder);
    bool flag = true;
    if (\u003CModule\u003E.NetShareDel((char*) 0, hglobalUni1, 0U) != 0U)
      flag = false;
    // 1024 == SHCNE_NETUNSHARE; sent regardless of the NetShareDel result, with the same
    // ANSI-flag/UTF-16-buffer combination as in AddSharedFolder.
    \u003CModule\u003E.SHChangeNotify(1024, 1U, (void*) hglobalUni2, (void*) 0);
    Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni1));
    
Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni2));
    return flag;
  }

  /// <summary>
  /// Reads the Bluetooth status through the native WMI helper.
  /// </summary>
  /// <returns>
  /// The 32-bit value at offset 8 of the returned VARIANT when the helper returns 0;
  /// otherwise -1.
  /// </returns>
  public virtual unsafe int GetBluetooth()
  {
    tagVARIANT tagVariant;
    \u003CModule\u003E.VariantInit(&tagVariant);
    // String arguments, as far as the symbol names show them:
    //   instance path starting with ECDeviceControl.InstanceName="AC (truncated in symbol),
    //   method "GetBluetooth", output property "uStatus".
    if (\u003CModule\u003E.WMI\u002EWMIMethodExecGet(this.m_WMI,
          (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1GE\u0040OBACBGCF\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F4\u003F\u0024AAI\u003F\u0024AAn\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAn\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAN\u003F\u0024AAa\u003F\u0024AAm\u003F\u0024AAe\u003F\u0024AA\u003F\u0024DN\u003F\u0024AA\u003F\u0024CC\u003F\u0024AAA\u003F\u0024AAC\u0040,
          (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BK\u0040CKLOFOL\u0040\u003F\u0024AAG\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAB\u003F\u0024AAl\u003F\u0024AAu\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAo\u003F\u0024AAo\u003F\u0024AAt\u003F\u0024AAh\u003F\u0024AA\u003F\u0024AA\u0040,
          (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BA\u0040POAHONEM\u0040\u003F\u0024AAu\u003F\u0024AAS\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAt\u003F\u0024AAu\u003F\u0024AAs\u003F\u0024AA\u003F\u0024AA\u0040,
          &tagVariant) == 0)
    {
      // Offset 8 is where the VARIANT's value union begins.
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      int bluetooth = ^(int&) ((IntPtr) &tagVariant + 8);
      \u003CModule\u003E.VariantClear(&tagVariant);
      return bluetooth;
    }
    \u003CModule\u003E.VariantClear(&tagVariant);
    return -1;
  }

  /// <summary>
  /// Sets the Bluetooth status through the native WMI helper.
  /// </summary>
  /// <param name="Brightness">
  /// Value sent as the "uStatus" input. The parameter name does not match the method's
  /// purpose; presumably a leftover from a sibling method.
  /// </param>
  public virtual unsafe void SetBluetooth(int Brightness)
  {
    // tagVariant1 receives the output; tagVariant2 carries the input.
    tagVARIANT tagVariant1;
    \u003CModule\u003E.VariantInit(&tagVariant1);
    tagVARIANT tagVariant2;
    \u003CModule\u003E.VariantInit(&tagVariant2);
    // vt = 3 (VT_I4)
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(short&) ref tagVariant2 = (short) 3;
    // ISSUE: cast to a reference type
    // ISSUE: explicit reference operation
    ^(int&) 
((IntPtr) &tagVariant2 + 8) = Brightness;
    // String arguments per the symbol names: class "ECDeviceControl", the same truncated
    // instance path as in GetBluetooth, method "SetBluetooth", input "uStatus",
    // output "uErrorCode". The helper's return value is ignored.
    \u003CModule\u003E.WMI\u002EWMIMethodExecSet(this.m_WMI,
      (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1CA\u0040FPONMHDE\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F\u0024AA\u0040,
      (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1GE\u0040OBACBGCF\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F4\u003F\u0024AAI\u003F\u0024AAn\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAn\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAN\u003F\u0024AAa\u003F\u0024AAm\u003F\u0024AAe\u003F\u0024AA\u003F\u0024DN\u003F\u0024AA\u003F\u0024CC\u003F\u0024AAA\u003F\u0024AAC\u0040,
      (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BK\u0040ICGNCIEN\u0040\u003F\u0024AAS\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAB\u003F\u0024AAl\u003F\u0024AAu\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAo\u003F\u0024AAo\u003F\u0024AAt\u003F\u0024AAh\u003F\u0024AA\u003F\u0024AA\u0040,
      (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BA\u0040POAHONEM\u0040\u003F\u0024AAu\u003F\u0024AAS\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAt\u003F\u0024AAu\u003F\u0024AAs\u003F\u0024AA\u003F\u0024AA\u0040,
      (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BG\u0040IMJCDLFP\u0040\u003F\u0024AAu\u003F\u0024AAE\u003F\u0024AAr\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAr\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAd\u003F\u0024AAe\u003F\u0024AA\u003F\u0024AA\u0040,
      &tagVariant2, &tagVariant1);
    // NOTE(review): only the input variant is cleared; tagVariant1 is never passed to
    // VariantClear in this method.
    \u003CModule\u003E.VariantClear(&tagVariant2);
  }

  /// <summary>
  /// Reports whether the device-presence bitmask read through the WMI helper has bit
  /// 0x10 set.
  /// </summary>
  /// <returns>true when the read succeeds and (value &amp; 16) is non-zero; otherwise false.</returns>
  [return: MarshalAs(UnmanagedType.U1)]
  public virtual unsafe bool GetBluetoothExist()
  {
    tagVARIANT tagVariant;
    
\u003CModule\u003E.VariantInit(&tagVariant);
    // String arguments per the symbol names: query "SELECT * FROM ECDeviceExist",
    // property "uECDeviceExist".
    if (\u003CModule\u003E.WMI\u002EWMIDataBlockRead(this.m_WMI,
          (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1DI\u0040KLICGGKE\u0040\u003F\u0024AAS\u003F\u0024AAE\u003F\u0024AAL\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAT\u003F\u0024AA\u003F5\u003F\u0024AA\u003F\u0024CK\u003F\u0024AA\u003F5\u003F\u0024AAF\u003F\u0024AAR\u003F\u0024AAO\u003F\u0024AAM\u003F\u0024AA\u003F5\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAE\u003F\u0024AAx\u003F\u0024AAi\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AA\u003F\u0024AA\u0040,
          (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BO\u0040GDAMCCI\u0040\u003F\u0024AAu\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAE\u003F\u0024AAx\u003F\u0024AAi\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AA\u003F\u0024AA\u0040,
          &tagVariant) == 0)
    {
      // Bit 4 (mask 16) of the value at VARIANT offset 8 is the one tested here.
      // ISSUE: cast to a reference type
      // ISSUE: explicit reference operation
      if ((^(int&) ((IntPtr) &tagVariant + 8) & 16) != 0)
      {
        \u003CModule\u003E.VariantClear(&tagVariant);
        return true;
      }
      \u003CModule\u003E.VariantClear(&tagVariant);
      return false;
    }
    \u003CModule\u003E.VariantClear(&tagVariant);
    return false;
  }
}