// Decompiled with JetBrains decompiler
// Type: eRecoveryService.ImpersonateUser
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe

using Microsoft.Win32;
using System;
using System.Management;
using System.Runtime.InteropServices;
using System.Text;

namespace eRecoveryService
{
  /// <summary>
  /// Decompiled static helper from the eRecovery service assembly. It does three unrelated things:
  /// launches the eRecovery uninstaller (<see cref="DeleteeRecovery"/>), checks through WMI which
  /// partition backs the C: volume (<see cref="IsHiddenPartitionExist"/>), and borrows the interactive
  /// user's identity by duplicating the primary token of the console session's explorer.exe so that
  /// eRAgent / the Empowering Framework supervisor can be started on that user's desktop
  /// (<see cref="StartToImpersonateCurrentUser"/>, <see cref="ImpersonateUserToCreateProcess"/>).
  /// NOTE(review): the "session 0 service -> console session" launch via WTSEnumerateProcesses +
  /// OpenProcess + DuplicateTokenEx + CreateProcessAsUser is the same primitive that malware uses to
  /// reach the desktop; the analyst's header labels the sample "Patched", which usually means a vendor
  /// binary modified by a file infector — the managed code here reads as vendor code, but confirm
  /// against a clean copy of the same assembly version before drawing conclusions.
  /// All WIN32.* declarations live elsewhere in the assembly and are not visible here.
  /// </summary>
  public class ImpersonateUser
  {
    // Primary token duplicated from the console user's explorer.exe; IntPtr.Zero when not impersonating.
    // Shared static state: not thread-safe, and it also acts as the "already impersonating" latch.
    private static IntPtr nToken = IntPtr.Zero;
    // "DOMAIN\\user" of the impersonated account, or an error string from getAccountNameFromSid.
    private static string currentLoggedOnUser = string.Empty;

    /// <summary>Raw handle of the duplicated user token (IntPtr.Zero when not impersonating).</summary>
    public static IntPtr CurrentUserToken => ImpersonateUser.nToken;

    /// <summary>
    /// Starts Remove_eRecovery.exe from the Empowering Technology base folder, derived from the
    /// HKLM\Software\acer\eRecovery\InstallPath value (everything before "\eRecovery"), with a
    /// hard-coded fallback. Runs in the caller's own context (plain CreateProcess, no impersonation).
    /// </summary>
    public static void DeleteeRecovery()
    {
      // NOTE(review): OpenSubKey returns null when the key is absent; the next line then throws
      // NullReferenceException. The key is also never closed.
      RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
      string str1;
      if (registryKey.GetValue("InstallPath") != null)
      {
        string str2 = registryKey.GetValue("InstallPath").ToString();
        // Strip the trailing "\eRecovery" component to get the base folder.
        // NOTE(review): if the substring is missing, IndexOf returns -1 and Remove(-1) throws.
        int startIndex = str2.IndexOf("\\eRecovery", StringComparison.OrdinalIgnoreCase);
        str1 = str2.Remove(startIndex);
      }
      else
        str1 = "C:\\Acer\\Empowering Technology";
      string lpApplicationName = str1 + "\\Remove_eRecovery.exe";
      WIN32.PROCESS_INFORMATION lpProcessInformation = new WIN32.PROCESS_INFORMATION();
      // NOTE(review): unlike the CreateProcessAsUser callers below, STARTUPINFO.cb is left at 0 here.
      WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
      WIN32.SECURITY_ATTRIBUTES lpProcessAttributes = new WIN32.SECURITY_ATTRIBUTES();
      WIN32.SECURITY_ATTRIBUTES lpThreadAttributes = new WIN32.SECURITY_ATTRIBUTES();
      lpProcessAttributes.nLength = Marshal.SizeOf((object) lpProcessAttributes);
      lpThreadAttributes.nLength = Marshal.SizeOf((object) lpThreadAttributes);
      // Return value is ignored, and the hProcess/hThread handles in lpProcessInformation are never closed.
      WIN32.CreateProcess(lpApplicationName, "", ref lpProcessAttributes, ref lpThreadAttributes, false, 0U, IntPtr.Zero, (string) null, ref lpStartupInfo, out lpProcessInformation);
    }

    /// <summary>
    /// Walks Win32_LogicalDiskToPartition looking for the association whose Dependent is the C: logical
    /// disk. Returns true when C: sits on "Partition #1" of its disk (i.e. it is the second partition,
    /// which this code treats as evidence of the hidden recovery partition) or when no C: association
    /// is found at all; returns false — after writing the offending WMI paths and a timestamp to
    /// eRecoveryLog.ini under the Framework BaseFolder — when C: is on some other partition.
    /// </summary>
    /// <returns>See summary; note the "nothing found" case also yields true.</returns>
    public static bool IsHiddenPartitionExist()
    {
      // Local WMI connection with explicit null credentials (current identity). Neither the searcher nor
      // the returned collection is disposed.
      foreach (ManagementObject managementObject in new ManagementObjectSearcher(new ManagementScope("root\\cimv2", new ConnectionOptions() { Username = (string) null, Password = (string) null }), new ObjectQuery("SELECT * FROM Win32_LogicalDiskToPartition")).Get())
      {
        string szDepedent = managementObject["Dependent"].ToString();
        string szAntecedent = managementObject["Antecedent"].ToString();
        if (ImpersonateUser.FindCPartition(szDepedent))
        {
          if (ImpersonateUser.IsCtheSecondPartition(szAntecedent))
            return true;
          // Diagnostic trail: record why the check failed. NOTE(review): OpenSubKey may return null
          // (NullReferenceException on the next line), and the key is never closed.
          RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
          string lpFileName = registryKey.GetValue("BaseFolder") == null ? "C:\\Acer\\Empowering Technology\\eRecoveryLog.ini" : registryKey.GetValue("BaseFolder").ToString() + "\\eRecoveryLog.ini";
          // Local-time timestamp in the current culture's format; fine for a human-read log, not for parsing.
          WIN32.WritePrivateProfileString("Service delete eRecovery", "Time", DateTime.Now.ToString(), lpFileName);
          WIN32.WritePrivateProfileString("Service delete eRecovery", "Dependent", szDepedent.ToString(), lpFileName);
          WIN32.WritePrivateProfileString("Service delete eRecovery", "Antecedent", szAntecedent.ToString(), lpFileName);
          return false;
        }
      }
      return true;
    }

    /// <summary>
    /// True when the Dependent reference names the C: logical disk, e.g.
    /// <c>\\HOST\root\cimv2:Win32_LogicalDisk.DeviceID="C:"</c>.
    /// </summary>
    /// <param name="szDepedent">Dependent property of a Win32_LogicalDiskToPartition instance.</param>
    private static bool FindCPartition(string szDepedent)
    {
      int num = szDepedent.IndexOf("Win32_LogicalDisk.DeviceID", StringComparison.OrdinalIgnoreCase);
      // 26 == "Win32_LogicalDisk.DeviceID".Length; the remainder is ="C:" so "c:" lands at index 2.
      // NOTE(review): both tests use "> 0" rather than ">= 0", so a match at index 0 would be rejected.
      return num > 0 && szDepedent.Substring(num + 26).IndexOf("c:", StringComparison.OrdinalIgnoreCase) > 0;
    }

    /// <summary>
    /// True when the Antecedent reference (e.g. <c>Win32_DiskPartition.DeviceID="Disk #0, Partition #1"</c>)
    /// names partition #1 — the second partition of its disk.
    /// </summary>
    /// <param name="szAntecedent">Antecedent property of a Win32_LogicalDiskToPartition instance.</param>
    private static bool IsCtheSecondPartition(string szAntecedent)
    {
      int num1 = szAntecedent.IndexOf("Win32_DiskPartition.DeviceID", StringComparison.OrdinalIgnoreCase);
      if (num1 > 0)
      {
        // 28 == "Win32_DiskPartition.DeviceID".Length; 9 == "Partition".Length.
        string str = szAntecedent.Substring(num1 + 28);
        int num2 = str.IndexOf("Partition", StringComparison.OrdinalIgnoreCase);
        // NOTE(review): a substring search for "#1" also matches "#10", "#11", ... — a disk with more
        // than ten partitions could be misclassified.
        if (num2 > 0 && str.Substring(num2 + 9).IndexOf("#1", StringComparison.OrdinalIgnoreCase) > 0)
          return true;
      }
      return false;
    }

    /// <summary>Account name ("DOMAIN\\user") resolved for the impersonated user, or empty.</summary>
    public static string CurrentLoggedOnUser => ImpersonateUser.currentLoggedOnUser;

    /// <summary>
    /// Ends impersonation: closes the duplicated token, clears the cached token and account name, and
    /// calls RevertToSelf. No-op when no token is held. Return values of the Win32 calls are ignored.
    /// </summary>
    public static void StopToImpersonateCurrentUser()
    {
      // Decompiler artifact: reads as "if (nToken == IntPtr.Zero) return;".
      if (!(ImpersonateUser.nToken != IntPtr.Zero))
        return;
      WIN32.CloseHandle(ImpersonateUser.nToken);
      ImpersonateUser.nToken = IntPtr.Zero;
      ImpersonateUser.currentLoggedOnUser = string.Empty;
      WIN32.RevertToSelf();
    }

    /// <summary>
    /// Resolves a SID to "DOMAIN\\account" with LookupAccountSid, using the usual two-call
    /// (size query, then fill) pattern on the local machine.
    /// </summary>
    /// <param name="SID">Pointer to a SID (here: WTSProcessInfo.pUserSid).</param>
    /// <returns>
    /// "DOMAIN\\account" on success; the literal "Error" if the sizing call unexpectedly succeeds with
    /// last-error 259; otherwise "Win32 Error: &lt;code&gt;".
    /// </returns>
    private static string getAccountNameFromSid(IntPtr SID)
    {
      int cbName = 0;
      int cbDomainName = 0;
      int peUse = 0;
      StringBuilder stringBuilder = new StringBuilder();
      StringBuilder Account1 = (StringBuilder) null;
      StringBuilder DomainName1 = (StringBuilder) null;
      // First call with null buffers only to learn the required lengths. NOTE(review): this guard fires
      // only if that call *succeeds* AND last-error is 259 (ERROR_NO_MORE_ITEMS); the sizing call is
      // normally expected to fail with ERROR_INSUFFICIENT_BUFFER, so the branch looks rarely reachable.
      if (WIN32.LookupAccountSid((string) null, SID, Account1, ref cbName, DomainName1, ref cbDomainName, ref peUse) && Marshal.GetLastWin32Error() == 259)
        return "Error";
      StringBuilder Account2 = new StringBuilder(cbName);
      StringBuilder DomainName2 = new StringBuilder(cbDomainName);
      if (WIN32.LookupAccountSid((string) null, SID, Account2, ref cbName, DomainName2, ref cbDomainName, ref peUse))
      {
        stringBuilder.Append((object) DomainName2);
        stringBuilder.Append("\\");
        stringBuilder.Append((object) Account2);
      }
      else
        stringBuilder.Append("Win32 Error: " + (object) Marshal.GetLastWin32Error());
      return stringBuilder.ToString();
    }

    /// <summary>
    /// Finds the first process whose name contains "explorer" in the active console session, opens it,
    /// duplicates its access token as a primary token into <see cref="nToken"/> and impersonates it on
    /// the calling thread. Also caches the resolved account name in <see cref="currentLoggedOnUser"/>.
    /// </summary>
    /// <returns>
    /// True when impersonation is active after the call; false when already impersonating (early exit),
    /// when there is no console session, no explorer.exe in it, or any Win32 step fails.
    /// </returns>
    public static bool StartToImpersonateCurrentUser()
    {
      bool impersonateCurrentUser = false;
      // Latch: a second caller gets false, not a re-used token.
      if (ImpersonateUser.nToken != IntPtr.Zero)
        return impersonateCurrentUser;
      // 0xFFFFFFFF means "no console session attached" (e.g. nobody logged on).
      uint consoleSessionId = WIN32.WTSGetActiveConsoleSessionId();
      if (consoleSessionId != uint.MaxValue)
      {
        IntPtr ProcessHandle = IntPtr.Zero;
        IntPtr ppProcessInfo = IntPtr.Zero;
        uint pCount = 0;
        if (WIN32.WTSEnumerateProcesses(WIN32.WTC_CURRENT_SERVER_HANDLE, 0, 1U, ref ppProcessInfo, ref pCount))
        {
          // Keep the original base pointer: ppProcessInfo is advanced in the loop and WTSFreeMemory needs the base.
          IntPtr pMemory = ppProcessInfo;
          for (int index = 0; (long) index < (long) pCount; ++index)
          {
            WIN32.WTSProcessInfo structure = (WIN32.WTSProcessInfo) Marshal.PtrToStructure(ppProcessInfo, typeof (WIN32.WTSProcessInfo));
            // NOTE(review): the pointer is truncated to int before the add; on a 64-bit process this
            // corrupts the cursor for addresses above 2 GB (IntPtr.ToInt64 / IntPtr.Add would be safe).
            ppProcessInfo = (IntPtr) ((int) ppProcessInfo + Marshal.SizeOf((object) structure));
            // Culture-sensitive ToLower/IndexOf; "explorer" is a substring test, so any process name
            // containing it (not only explorer.exe) in the console session qualifies.
            if (structure.pProcessName.ToLower().IndexOf("explorer") != -1 && (int) structure.SessionId == (int) consoleSessionId)
            {
              ImpersonateUser.currentLoggedOnUser = ImpersonateUser.getAccountNameFromSid(structure.pUserSid);
              // 2035711 == 0x1F0FFF, the legacy PROCESS_ALL_ACCESS mask — far more than the
              // PROCESS_QUERY_INFORMATION needed for OpenProcessToken. NOTE(review): ProcessHandle is never closed.
              ProcessHandle = WIN32.OpenProcess(2035711U, false, structure.ProcessId);
              break;
            }
          }
          WIN32.WTSFreeMemory(pMemory);
        }
        IntPtr TokenHandle;
        // 10 == TOKEN_DUPLICATE | TOKEN_QUERY.
        if (ProcessHandle != IntPtr.Zero && WIN32.OpenProcessToken(ProcessHandle, 10U, out TokenHandle))
        {
          // 11 == TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_QUERY; result is a primary token so it can
          // be handed to CreateProcessAsUser. NOTE(review): DuplicateTokenEx writes straight into the
          // static nToken, so if it succeeds but ImpersonateLoggedOnUser fails, nToken stays non-zero and
          // unclosed — the method returns false, yet every later call short-circuits on the latch above
          // and nobody ever calls StopToImpersonateCurrentUser to release it.
          if (WIN32.DuplicateTokenEx(TokenHandle, 11U, IntPtr.Zero, WIN32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, WIN32.TOKEN_TYPE.TokenPrimary, out ImpersonateUser.nToken) && WIN32.ImpersonateLoggedOnUser(ImpersonateUser.nToken))
            impersonateCurrentUser = true;
          WIN32.CloseHandle(TokenHandle);
        }
      }
      if (!impersonateCurrentUser)
        ImpersonateUser.currentLoggedOnUser = string.Empty;
      return impersonateCurrentUser;
    }

    /// <summary>
    /// Launches "&lt;InstallPath&gt;\eRAgent.exe -s" as the console user (via
    /// <see cref="StartToImpersonateCurrentUser"/> + CreateProcessAsUser) and reverts afterwards.
    /// </summary>
    /// <returns>True when CreateProcessAsUser succeeded; false if impersonation or the launch failed.</returns>
    public static bool ImpersonateUserToCreateProcessSilent()
    {
      bool createProcessSilent = false;
      RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
      string str;
      try
      {
        // NOTE(review): the first GetValue result is discarded (decompiler artifact or redundant read);
        // the bare catch turns "key missing" / "value missing" (NullReferenceException) into the default
        // path — exceptions used for control flow. The key is never closed, unlike in
        // ImpersonateUserToCreateProcess.
        registryKey.GetValue("InstallPath");
        str = registryKey.GetValue("InstallPath").ToString();
      }
      catch
      {
        str = "C:\\Acer\\Empowering Technology\\eRecovery";
      }
      // NOTE(review): passed as lpCommandLine with lpApplicationName == null and without quotes, although
      // the default path contains a space ("Empowering Technology"). CreateProcess then tries each
      // space-delimited prefix in turn, so a writable "C:\Acer\Empowering.exe" would be started instead
      // (classic unquoted-path issue, CWE-428). Quote the executable path in the command line.
      string lpCommandLine = str + "\\eRAgent.exe -s";
      if (ImpersonateUser.StartToImpersonateCurrentUser())
      {
        WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
        lpStartupInfo.cb = Marshal.SizeOf((object) lpStartupInfo);
        // 48 == 0x30 == CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS. The PROCESS_INFORMATION is discarded,
        // so its hProcess/hThread handles leak.
        if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo, out WIN32.PROCESS_INFORMATION _))
          createProcessSilent = true;
        ImpersonateUser.StopToImpersonateCurrentUser();
      }
      return createProcessSilent;
    }

    /// <summary>
    /// As the console user, launches the Empowering Framework supervisor
    /// ("&lt;BaseFolder&gt;\Acer.Empowering.Framework.Supervisor.exe", by application name) and then
    /// "&lt;InstallPath&gt;\eRAgent.exe -init" (by command line), reverting impersonation afterwards.
    /// </summary>
    /// <returns>True when at least one of the two CreateProcessAsUser calls succeeded.</returns>
    public static bool ImpersonateUserToCreateProcess()
    {
      bool createProcess = false;
      RegistryKey registryKey1 = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
      string str1;
      try
      {
        // Same redundant-read + bare-catch fallback pattern as ImpersonateUserToCreateProcessSilent.
        registryKey1.GetValue("InstallPath");
        str1 = registryKey1.GetValue("InstallPath").ToString();
      }
      catch
      {
        str1 = "C:\\Acer\\Empowering Technology\\eRecovery";
      }
      // NOTE(review): unquoted command line whose default path contains a space — see the CWE-428
      // remark in ImpersonateUserToCreateProcessSilent; the same applies here.
      string lpCommandLine = str1 + "\\eRAgent.exe -init";
      // NOTE(review): if OpenSubKey returned null this Close() throws outside the try/catch above.
      registryKey1.Close();
      RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
      string str2;
      try
      {
        registryKey2.GetValue("BaseFolder");
        str2 = registryKey2.GetValue("BaseFolder").ToString();
      }
      catch
      {
        str2 = "C:\\Acer\\Empowering Technology";
      }
      // Passed as lpApplicationName, so the path is taken literally — not subject to the space-splitting above.
      string lpApplicationName = str2 + "\\Acer.Empowering.Framework.Supervisor.exe";
      registryKey2.Close();
      if (ImpersonateUser.StartToImpersonateCurrentUser())
      {
        WIN32.STARTUPINFO lpStartupInfo1 = new WIN32.STARTUPINFO();
        lpStartupInfo1.cb = Marshal.SizeOf((object) lpStartupInfo1);
        WIN32.STARTUPINFO lpStartupInfo2 = new WIN32.STARTUPINFO();
        lpStartupInfo2.cb = Marshal.SizeOf((object) lpStartupInfo2);
        WIN32.PROCESS_INFORMATION lpProcessInformation;
        // 48 == CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS. Both launches reuse one PROCESS_INFORMATION
        // and never CloseHandle the returned hProcess/hThread.
        if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, lpApplicationName, (string) null, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo2, out lpProcessInformation))
          createProcess = true;
        if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo1, out lpProcessInformation))
          createProcess = true;
        ImpersonateUser.StopToImpersonateCurrentUser();
      }
      return createProcess;
    }
  }
}