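// Decompiled with JetBrains decompiler
// Type: eRecoveryService.ServerClass
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe

using eSettings.Model.Library;
using Microsoft.Win32;
using ServiceInterface;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Remoting.Lifetime;
using System.Text;
using System.Threading;

namespace eRecoveryService
{
    /// <summary>
    /// Remotable object (<see cref="MarshalByRefObject"/>) implementing the service's
    /// <c>Interface</c> contract: boot-order changes through INT15, launching helper
    /// executables from the eRecovery install directory, registry writes under HKLM,
    /// and mounting/unmounting the hidden recovery partition.
    /// </summary>
    /// <remarks>
    /// NOTE(review): the assembly location above carries an AV label
    /// (Trojan.Win32.Patched). That label applies to the file as a whole; this type
    /// alone does not show what was patched, so the entry point and the remaining
    /// types need their own review.
    ///
    /// NOTE(review): every public method here acts on caller-supplied arguments with
    /// the hosting process's rights (file deletion, HKLM writes, process launch).
    /// How the remoting channel is registered and who may reach it is not visible in
    /// this type; confirm channel binding and caller authentication before treating
    /// any of these methods as safe to expose.
    /// </remarks>
    public class ServerClass : MarshalByRefObject, Interface
    {
        // Boot device type codes. Only their values are visible in this type.
        public const int BOOT_FLOPPY = 0;
        public const int BOOT_HD = 1;
        public const int BOOT_ODD = 2;
        public const int BOOT_SCSI = 3;
        public const int BOOT_D2D = 4;
        public const int BOOT_LS120 = 5;
        public const int BOOT_PCMCIA = 6;
        public const int BOOT_NETWORK = 7;
        public const int BOOT_ZIP = 8;
        public const int BOOT_1394ODD = 9;
        public const int BOOT_USBHD = 10;
        public const int BOOT_USBODD = 11;
        public const int BOOT_USBFDD = 12;
        public const int BOOT_USBRD = 13;
        public const int BOOT_SECHD = 14;
        public const int BOOT_USBZIP = 15;
        public const int BOOT_USBOTH = 16;
        public const int BOOT_OTHER = 17;

        // Registry key (under HKLM) that holds the "InstallPath" value.
        private const string RecoveryKeyPath = "Software\\acer\\eRecovery";
        // Install directory used when the registry does not provide one.
        private const string DefaultInstallPath = "C:\\Acer\\Empowering Technology\\eRecovery";
        // NT device path that is mapped to a drive letter as the "hidden partition".
        private const string HiddenPartitionDevice = "\\Device\\Harddisk0\\Partition1";
        // Number of DefineDosDevice attempts before giving up.
        private const int DosDeviceAttempts = 5;

        private IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);
        private System.Timers.Timer PercentageTiemr;
        private string m_szTmpHid;
        public int globalint;
        private System.Timers.Timer SWCDExtractTimer;
        private string wimFile;
        private string tmpDir;
        private string applyDir;
        private ILease lease;

        /// <summary>
        /// Creates the remoting lease once and, while it is still in its initial state,
        /// sets the initial lease time to <see cref="TimeSpan.Zero"/>.
        /// </summary>
        /// <returns>The cached <see cref="ILease"/> for this object.</returns>
        public override object InitializeLifetimeService()
        {
            if (this.lease == null)
            {
                this.lease = (ILease) base.InitializeLifetimeService();
                if (this.lease.CurrentState == LeaseState.Initial)
                {
                    // A zero initial lease time means the lease never expires, so the
                    // remoted object stays reachable for the life of the host process.
                    this.lease.InitialLeaseTime = TimeSpan.Zero;
                }
            }

            return (object) this.lease;
        }

        /// <summary>
        /// Reads the boot sequence table from INT15, moves one device code to the front
        /// and writes the table back.
        /// </summary>
        /// <param name="nType">0 or 1 puts device code 1 first; any other value puts device code 2 first.</param>
        /// <returns>
        /// The result of <c>INT15.SetBootSequenceNB</c>, or <c>false</c> when no table
        /// (or an empty table) was returned.
        /// </returns>
        public bool SetBootSeqFromInt15(int nType)
        {
            IntPtr table = INT15.GetBootSequence();
            if (table == IntPtr.Zero)
            {
                // Fix: the original went on to index a zero-length array and threw.
                return false;
            }

            // The table ends at the first 0xFF byte or at a run of four zero bytes.
            // NOTE(review): the scan has no upper bound; it relies on the buffer
            // returned by INT15 always containing one of those terminators.
            int length = 0;
            int zeroRun = 0;
            byte current;
            while ((current = Marshal.ReadByte(table, length)) != byte.MaxValue)
            {
                ++length;
                zeroRun = current == (byte) 0 ? zeroRun + 1 : 0;
                if (zeroRun == 4)
                {
                    // Keep the first zero of the run, drop the other three.
                    length -= 3;
                    break;
                }
            }

            if (length == 0)
            {
                return false;
            }

            // 1 and 2 equal BOOT_HD and BOOT_ODD; presumably the table uses the same
            // code space, but that is not established by this type - confirm.
            byte preferred = (nType == 0 || nType == 1) ? (byte) 1 : (byte) 2;

            byte[] sequence = new byte[length];
            int position = 0;
            for (int ofs = 0; ofs < length; ++ofs)
            {
                sequence[ofs] = Marshal.ReadByte(table, ofs);
                if (sequence[ofs] == preferred)
                {
                    position = ofs; // last occurrence wins, as in the original
                }
            }

            // Swap the preferred device with the first entry. When the preferred code
            // is absent, position stays 0 and the first entry is overwritten.
            sequence[position] = sequence[0];
            sequence[0] = preferred;

            return INT15.SetBootSequenceNB(sequence, length);
        }

        /// <summary>Launches <c>BackupMachine.exe</c> from the registered install directory.</summary>
        /// <returns><c>false</c> when the InstallPath registry value is missing; otherwise <c>true</c>.</returns>
        public bool StartBackupMachine()
        {
            string installPath;
            if (!TryGetInstallPath(out installPath))
            {
                return false;
            }

            // NOTE(review): the executable path comes from an HKLM value; its integrity
            // depends on the ACLs of that key and of the install directory.
            using (Process launcher = new Process())
            {
                launcher.StartInfo.FileName = installPath + "\\BackupMachine.exe";
                launcher.Start();
            }

            return true;
        }

        /// <summary>Launches <c>SetFDFolder.exe</c> from the registered install directory.</summary>
        /// <param name="InArg">Command-line argument string passed through unchanged.</param>
        /// <returns><c>false</c> when the InstallPath registry value is missing; otherwise <c>true</c>.</returns>
        public bool LauncSetFDFolderExe(string InArg)
        {
            string installPath;
            if (!TryGetInstallPath(out installPath))
            {
                return false;
            }

            // NOTE(review): InArg is forwarded verbatim to the child process; any
            // validation has to happen in the caller or in SetFDFolder.exe itself.
            using (Process launched = Process.Start(installPath + "\\SetFDFolder.exe", InArg))
            {
            }

            return true;
        }

        /// <summary>Launches <c>MBRwrWin.exe -directh</c> from the registered install directory.</summary>
        /// <returns><c>false</c> when the InstallPath registry value is missing; otherwise <c>true</c>.</returns>
        public bool SetMBR()
        {
            string installPath;
            if (!TryGetInstallPath(out installPath))
            {
                return false;
            }

            using (Process launcher = new Process())
            {
                launcher.StartInfo.FileName = installPath + "\\MBRwrWin.exe";
                launcher.StartInfo.Arguments = "-directh";
                launcher.Start();
            }

            return true;
        }

        /// <summary>Returns the result of <c>INT15.GetD2DBIOS()</c>.</summary>
        public bool CheckD2DBIOS() => INT15.GetD2DBIOS();

        /// <summary>Deletes the file at <paramref name="filePath"/>.</summary>
        /// <param name="filePath">Path handed directly to <see cref="File.Delete(string)"/>.</param>
        /// <remarks>
        /// NOTE(review): there is no restriction on the path. If this object is
        /// reachable by a less-privileged caller, this is an arbitrary file delete
        /// with the host's rights; constrain it to the eRecovery directory or require
        /// an authenticated caller.
        /// </remarks>
        public void DeleteFile(string filePath) => File.Delete(filePath);

        /// <summary>
        /// Writes an integer value under <c>HKLM\<paramref name="RegSubKeyString"/></c>,
        /// creating the subkey if needed.
        /// </summary>
        /// <param name="RegSubKeyString">Subkey path relative to HKLM.</param>
        /// <param name="RegKeyName">Value name.</param>
        /// <param name="RegKeyValue">Value data (boxed int, despite the method name).</param>
        /// <returns><c>true</c> on success; <c>false</c> when the key cannot be created or written.</returns>
        /// <remarks>
        /// NOTE(review): the subkey path is caller-controlled, so this can write to
        /// any HKLM location the host process may modify.
        /// </remarks>
        public bool WriteLocalRegString(string RegSubKeyString, string RegKeyName, int RegKeyValue)
        {
            try
            {
                // Fix: the key is now created inside the try block and disposed, so a
                // failed CreateSubKey reports false and the handle is not leaked.
                using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey(RegSubKeyString))
                {
                    if (subKey == null)
                    {
                        return false;
                    }

                    subKey.SetValue(RegKeyName, (object) RegKeyValue);
                }
            }
            catch
            {
                // Best-effort contract kept from the original: any failure is "false".
                return false;
            }

            return true;
        }

        /// <summary>
        /// Validates the files listed in <c>Autorun.ini</c>: each section's
        /// <c>Filename</c> must exist and its low 32-bit size must equal <c>Size</c>.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the default-location <c>Autorun.ini</c> exists and every
        /// listed file passes; <c>false</c> otherwise.
        /// NOTE(review): the method name suggests the opposite polarity - confirm
        /// against the caller.
        /// </returns>
        public bool IsNeedToExtractData()
        {
            string iniPath = this.FindAutorunPath() + "\\Autorun.ini";

            // NOTE(review): existence is probed at the hard-coded default location,
            // while the values below are read from the registry-derived path.
            IntPtr probe = WIN32.FindFirstFile(DefaultInstallPath + "\\Autorun.ini", out WIN32.WIN32_FIND_DATA _);
            if (probe == this.INVALID_HANDLE_VALUE)
            {
                return false;
            }

            WIN32.FindClose(probe);

            const int bufferSize = 4096;
            byte[] sectionNames = new byte[bufferSize];
            StringBuilder fileNameValue = new StringBuilder(4096);
            StringBuilder sizeValue = new StringBuilder(32);
            StringBuilder timeValue = new StringBuilder(8);
            WIN32.GetPrivateProfileSectionNames(sectionNames, sectionNames.Length, iniPath);

            // The buffer holds NUL-separated names ending with an empty name. Each
            // non-zero byte is appended as the decimal text of (byte - 48), so ASCII
            // digits map to themselves.
            string section = "";
            for (int i = 0; i < bufferSize; ++i)
            {
                byte raw = sectionNames[i];
                if (raw != (byte) 0)
                {
                    section += unchecked((byte) (raw - 48)).ToString();
                    continue;
                }

                if (section.Length == 0)
                {
                    break; // empty name: end of the section list
                }

                WIN32.GetPrivateProfileString(section, "Filename", "xfail", fileNameValue, (uint) fileNameValue.Capacity, iniPath);
                WIN32.WIN32_FIND_DATA found;
                IntPtr handle = WIN32.FindFirstFile(fileNameValue.ToString(), out found);
                if (handle == this.INVALID_HANDLE_VALUE)
                {
                    return false;
                }

                WIN32.FindClose(handle);

                WIN32.GetPrivateProfileString(section, "Size", "xfail", sizeValue, (uint) sizeValue.Capacity, iniPath);
                uint expectedSize;
                if (!uint.TryParse(sizeValue.ToString(), out expectedSize))
                {
                    // Fix: a missing or malformed Size (the "xfail" default) used to
                    // throw FormatException; it is now treated as a failed check.
                    return false;
                }

                // Only the low 32 bits of the file size are compared.
                if ((int) found.nFileSizeLow != (int) expectedSize)
                {
                    return false;
                }

                // The Time value is read but not compared (as in the original).
                WIN32.GetPrivateProfileString(section, "Time", "xfail", timeValue, (uint) timeValue.Capacity, iniPath);

                section = "";
            }

            return true;
        }

        /// <summary>
        /// Stores the size of <c>C:\System Volume Information</c>, in MiB, as the DWORD
        /// <c>SysVolSize</c> under <c>HKLM\Software\acer\eRecovery\Main</c>.
        /// </summary>
        /// <returns><c>true</c> on success; <c>false</c> when the registry write fails.</returns>
        public bool GetSystemVolumnInfo()
        {
            long sizeInMiB = this.GetSysVolumnSize("C:\\System Volume Information") / 1048576L;
            try
            {
                // Fix: the key is disposed instead of being left to the finalizer.
                using (RegistryKey mainKey = Registry.LocalMachine.CreateSubKey(RecoveryKeyPath + "\\Main", RegistryKeyPermissionCheck.ReadWriteSubTree))
                {
                    mainKey.SetValue("SysVolSize", (object) sizeInMiB, RegistryValueKind.DWord);
                }
            }
            catch
            {
                return false;
            }

            return true;
        }

        /// <summary>Recursively sums the sizes of all files below <paramref name="pPath"/>.</summary>
        /// <param name="pPath">Directory to walk (no trailing backslash).</param>
        /// <returns>Total size in bytes, or 0 when the directory cannot be enumerated.</returns>
        private long GetSysVolumnSize(string pPath)
        {
            WIN32.WIN32_FIND_DATA entry;
            IntPtr search = WIN32.FindFirstFile(pPath + "\\*.*", out entry);
            if (search == this.INVALID_HANDLE_VALUE)
            {
                return 0;
            }

            long total = 0;
            try
            {
                do
                {
                    string name = entry.cFileName;
                    bool isDirectory = ((int) entry.dwFileAttributes & 16) != 0; // FILE_ATTRIBUTE_DIRECTORY
                    if (!isDirectory)
                    {
                        total += (long) entry.nFileSizeHigh * 4294967296L + (long) entry.nFileSizeLow;
                    }
                    else if (name.CompareTo(".") != 0 && name.CompareTo("..") != 0)
                    {
                        total += this.GetSysVolumnSize(pPath + "\\" + entry.cFileName);
                    }
                }
                while (WIN32.FindNextFile(search, out entry));
            }
            finally
            {
                // Fix: the search handle is released even if the recursion throws.
                WIN32.FindClose(search);
            }

            return total;
        }

        /// <summary>
        /// Removes the existing <c>autorun</c> directory and <c>autorun.ini</c>, maps the
        /// hidden partition to a free drive letter and starts <c>imagex.exe /apply</c>
        /// on <c>autorun\swcd.wim</c> from that partition.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the imagex command was issued; <c>false</c> when no drive
        /// letter is free, the partition cannot be mapped, or the WIM file is missing.
        /// </returns>
        public bool ExtractData()
        {
            string autorunRoot = this.FindAutorunPath();
            string iniPath = autorunRoot + "\\autorun.ini";
            string autorunDir = autorunRoot + "\\autorun";

            if (Directory.Exists(autorunDir))
            {
                File.SetAttributes(autorunDir, FileAttributes.Normal);
                WIN32.SHFILEOPSTRUCT deleteOp = new WIN32.SHFILEOPSTRUCT()
                {
                    hwnd = IntPtr.Zero,
                    wFunc = WIN32.FO_Func.FO_DELETE,
                    pFrom = autorunDir + "\0\0", // double-NUL terminated source list
                    pTo = "",
                    // 3604 = 0x0E14: FOF_SILENT | FOF_NOCONFIRMATION | FOF_NOCONFIRMMKDIR
                    //                | FOF_NOERRORUI | FOF_NOCOPYSECURITYATTRIBS
                    fFlags = (ushort) 3604
                };
                WIN32.SHFileOperation(ref deleteOp);
            }

            if (File.Exists(iniPath))
            {
                File.Delete(iniPath);
            }

            this.m_szTmpHid = this.GetAvailableDrLetter();
            if (this.m_szTmpHid.Length == 0)
            {
                // Fix: with no free letter the original built "\autorun\swcd.wim",
                // i.e. a path on the current drive rather than on the hidden partition.
                return false;
            }

            if (!this.MountHiddenPartition(this.m_szTmpHid))
            {
                // Fix: the mount result was ignored before.
                return false;
            }

            this.wimFile = this.m_szTmpHid + "\\autorun\\swcd.wim";

            string installPath;
            if (TryGetInstallPath(out installPath))
            {
                this.applyDir = installPath;
                // Fix: guard against an InstallPath that lacks "eRecovery"; the
                // original passed -1 to Remove and threw. tmpDir is only assigned in
                // this type, so the fallback value is a placeholder - confirm usage.
                int marker = this.applyDir.IndexOf("eRecovery", StringComparison.Ordinal);
                this.tmpDir = marker >= 0 ? this.applyDir.Remove(marker) : this.applyDir;
            }
            else
            {
                // Fix: a missing registry key now falls back to the defaults instead
                // of dereferencing null.
                installPath = DefaultInstallPath;
                this.applyDir = DefaultInstallPath;
                this.tmpDir = "C:\\Acer\\Empowering Technology";
            }

            if (!File.Exists(this.wimFile))
            {
                // NOTE(review): the partition stays mapped on this path; callers are
                // expected to call UnMountHiddenPartition().
                return false;
            }

            // NOTE(review): imagex.exe is resolved from the registry-provided install
            // path and the launch result is not checked, so "true" only means the
            // command was issued.
            this.CallProcessNoWait("\"" + installPath + "\\imagex.exe\" /apply " + this.m_szTmpHid + "\\autorun\\swcd.wim 1 \"" + installPath + "\"");
            return true;
        }

        /// <summary>
        /// Records the current Win32 error under <c>SWCDErrorCode</c>, releases the WIM
        /// handles and callback, and restores the first error seen as the thread's last error.
        /// </summary>
        /// <param name="hwim">WIM file handle, or <see cref="IntPtr.Zero"/>.</param>
        /// <param name="himg">WIM image handle, or <see cref="IntPtr.Zero"/>.</param>
        /// <param name="callback">Registered message callback, or <c>null</c>.</param>
        private void SampleApplyCleanup(IntPtr hwim, IntPtr himg, WIN32.WIMMessageCallback callback)
        {
            // Captured first so the cleanup calls below cannot overwrite it.
            int firstError = Marshal.GetLastWin32Error();
            this.WriteLocalRegString(RecoveryKeyPath + "\\Main", "SWCDErrorCode", firstError);

            if (himg != IntPtr.Zero && !WIN32.WIMCloseHandle(himg) && firstError == 0)
            {
                firstError = Marshal.GetLastWin32Error();
            }

            if (hwim != IntPtr.Zero && !WIN32.WIMCloseHandle(hwim) && firstError == 0)
            {
                firstError = Marshal.GetLastWin32Error();
            }

            if (callback != null && !WIN32.WIMUnregisterMessageCallback(IntPtr.Zero, callback) && firstError == 0)
            {
                firstError = Marshal.GetLastWin32Error();
            }

            WIN32.SetLastError((uint) firstError);
        }

        /// <summary>Starts <paramref name="szCommand"/> through CreateProcess without waiting for it.</summary>
        /// <param name="szCommand">Full command line; the application name is taken from it.</param>
        private void CallProcessNoWait(string szCommand)
        {
            WIN32.PROCESS_INFORMATION processInfo = new WIN32.PROCESS_INFORMATION();
            WIN32.STARTUPINFO startupInfo = new WIN32.STARTUPINFO();
            WIN32.SECURITY_ATTRIBUTES processAttributes = new WIN32.SECURITY_ATTRIBUTES();
            WIN32.SECURITY_ATTRIBUTES threadAttributes = new WIN32.SECURITY_ATTRIBUTES();
            processAttributes.nLength = Marshal.SizeOf((object) processAttributes);
            threadAttributes.nLength = Marshal.SizeOf((object) threadAttributes);

            // The result is deliberately ignored (fire and forget), as in the original.
            // NOTE(review): the process and thread handles returned in processInfo are
            // not closed anywhere in this type.
            WIN32.CreateProcess((string) null, szCommand, ref processAttributes, ref threadAttributes, false, 0U, IntPtr.Zero, (string) null, ref startupInfo, out processInfo);
        }

        /// <summary>Maps the hidden partition device to <paramref name="szDr"/>.</summary>
        /// <param name="szDr">Drive specification such as <c>"E:"</c>.</param>
        /// <returns><c>true</c> when the mapping was created within the retry limit.</returns>
        private bool MountHiddenPartition(string szDr)
        {
            // 1 = DDD_RAW_TARGET_PATH.
            // Fix: the original never advanced its attempt counter, so a persistent
            // failure looped forever with one-second sleeps.
            return DefineDosDeviceWithRetry(1U, szDr);
        }

        /// <summary>Finds the first unused drive letter from D: to Z:.</summary>
        /// <returns>The drive specification (for example <c>"E:"</c>), or an empty string when none is free.</returns>
        private string GetAvailableDrLetter()
        {
            uint driveMask = WIN32.GetLogicalDrives();
            for (int bit = 3; bit < 26; ++bit) // bit 3 is D:
            {
                if (((driveMask >> bit) & 1U) == 0U)
                {
                    return ((char) ('A' + bit)).ToString() + ":";
                }
            }

            return "";
        }

        /// <summary>Removes the mapping created by the last <see cref="ExtractData"/> call.</summary>
        /// <returns><c>true</c> when the mapping was removed; <c>false</c> when nothing was mapped or removal failed.</returns>
        public bool UnMountHiddenPartition()
        {
            // Fix: m_szTmpHid is null until ExtractData has run; the original
            // dereferenced it unconditionally.
            if (string.IsNullOrEmpty(this.m_szTmpHid))
            {
                return false;
            }

            return DefineDosDeviceWithRetry(7U, this.m_szTmpHid);
        }

        /// <summary>Returns the registered install directory, or the built-in default.</summary>
        private string FindAutorunPath()
        {
            // Fix: a missing registry key used to cause a NullReferenceException and
            // the key handle was never closed.
            string installPath;
            return TryGetInstallPath(out installPath) ? installPath : DefaultInstallPath;
        }

        /// <summary>Starts <c>autorun\CheckFiles.exe</c> from the install directory when it exists.</summary>
        public void LaunchCheckFiles()
        {
            string checkerPath = this.FindAutorunPath() + "\\autorun\\CheckFiles.exe";
            if (!File.Exists(checkerPath))
            {
                return;
            }

            WIN32.PROCESS_INFORMATION processInfo = new WIN32.PROCESS_INFORMATION();
            WIN32.STARTUPINFO startupInfo = new WIN32.STARTUPINFO();
            WIN32.SECURITY_ATTRIBUTES processAttributes = new WIN32.SECURITY_ATTRIBUTES();
            WIN32.SECURITY_ATTRIBUTES threadAttributes = new WIN32.SECURITY_ATTRIBUTES();
            processAttributes.nLength = Marshal.SizeOf((object) processAttributes);
            threadAttributes.nLength = Marshal.SizeOf((object) threadAttributes);

            // NOTE(review): the binary is whatever sits in the extracted autorun
            // directory; nothing here verifies its signature or hash before launch.
            WIN32.CreateProcess(checkerPath, (string) null, ref processAttributes, ref threadAttributes, false, 0U, IntPtr.Zero, (string) null, ref startupInfo, out processInfo);
        }

        /// <summary>Removes the hidden-partition mapping from <paramref name="m_szTempHid"/>.</summary>
        /// <param name="m_szTempHid">Drive specification such as <c>"E:"</c>.</param>
        /// <returns><c>true</c> when the mapping was removed within the retry limit.</returns>
        public bool UnMountHiddenPartition(string m_szTempHid)
        {
            // 7 = DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE.
            // Fix: same unbounded retry loop as MountHiddenPartition.
            return DefineDosDeviceWithRetry(7U, m_szTempHid);
        }

        /// <summary>
        /// Writes (or, for an empty password, deletes) <c>aimdrs.dat</c> in the root of
        /// the hidden partition.
        /// </summary>
        /// <param name="szPass">Password; empty deletes an existing file.</param>
        /// <param name="szHint">Password hint.</param>
        /// <returns>
        /// <c>true</c> when the file was updated or deleted; <c>false</c> when the
        /// hidden partition could not be mapped.
        /// </returns>
        /// <remarks>
        /// NOTE(review): the password is written exactly as received under
        /// <c>[MyData] PD</c>; no hashing or encryption is applied here, and the
        /// hidden/system/read-only attributes are not access control.
        /// </remarks>
        public bool SetHiddenPartPassHint(string szPass, string szHint)
        {
            string drive = this.GetAvailableDrLetter();
            if (drive.Length == 0 || !this.MountHiddenPartition(drive))
            {
                // Fix: without a mapped drive the original would have written the
                // password file to "\aimdrs.dat" on the current drive.
                return false;
            }

            string dataFile = drive + "\\aimdrs.dat";
            try
            {
                bool exists = File.Exists(dataFile);
                if (szPass.Length == 0 && exists)
                {
                    File.SetAttributes(dataFile, FileAttributes.Normal);
                    File.Delete(dataFile);
                    return true;
                }

                if (szPass.Length > 0 && exists)
                {
                    // Clear read-only so the profile write can succeed.
                    File.SetAttributes(dataFile, FileAttributes.Normal);
                }

                WIN32.WritePrivateProfileString("MyData", "PD", szPass, dataFile);
                WIN32.WritePrivateProfileString("MyData", "HT", szHint, dataFile);
                File.SetAttributes(dataFile, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.System);
                return true;
            }
            finally
            {
                // Fix: the mapping is removed even when a file operation throws.
                this.UnMountHiddenPartition(drive);
            }
        }

        // Reads HKLM\Software\acer\eRecovery\InstallPath; false when key or value is absent.
        private static bool TryGetInstallPath(out string installPath)
        {
            installPath = null;
            using (RegistryKey key = Registry.LocalMachine.OpenSubKey(RecoveryKeyPath, false))
            {
                object value = key == null ? null : key.GetValue("InstallPath");
                if (value == null)
                {
                    return false;
                }

                installPath = value.ToString();
                return true;
            }
        }

        // Calls DefineDosDevice for the hidden partition up to DosDeviceAttempts times,
        // sleeping one second after each failed attempt.
        private static bool DefineDosDeviceWithRetry(uint flags, string drive)
        {
            for (int attempt = 0; attempt < DosDeviceAttempts; ++attempt)
            {
                if (WIN32.DefineDosDevice(flags, drive, HiddenPartitionDevice))
                {
                    return true;
                }

                Thread.Sleep(1000);
            }

            return false;
        }
    }
}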