// Decompiled with JetBrains decompiler // Type: Bmc.Services.Ticket.SecureStateManager // Assembly: ticketservice, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null // MVID: 3DFB8186-7053-43AF-8B45-70866071B1F2 // Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-fd200e64412b6be5c177c3cfa7b94e83e807ff04211ce324f12e2ffa5537eb36.exe using Bmc.RegistryAccess.Ticket; using Microsoft.Win32; using Net.LShift.SPKI; using Net.LShift.Utilities; using System; using System.Collections; using System.IO; using System.Security.Cryptography; namespace Bmc.Services.Ticket { public class SecureStateManager { private static readonly string old_mac_subkey = "SOFTWARE\\Classes\\Interface"; private static readonly string mac_subkey = BuildVersion.ProductRegistryKey + "\\HideMe"; private static readonly SECURE_FIELD[] FixedKeys = new SECURE_FIELD[2] { null, (SECURE_FIELD) 1 }; private string FixedKeyMac; private RegistryKey HidingKey; private string HidingValue; private IDictionary State; private string StateMAC; private bool Dirty = false; private static byte[] MacKey = new byte[16] { (byte) 185, (byte) 215, (byte) 27, (byte) 51, (byte) 201, (byte) 82, (byte) 154, (byte) 129, (byte) 59, (byte) 241, (byte) 233, (byte) 83, (byte) 190, (byte) 249, (byte) 125, (byte) 206 }; private string MACSexp(SPKISexp sexp) { HMACSHA1 transform = new HMACSHA1(SecureStateManager.MacKey); CryptoStream cryptoStream = new CryptoStream(Stream.Null, (ICryptoTransform) transform, CryptoStreamMode.Write); sexp.Marshal((Stream) cryptoStream); cryptoStream.Close(); string upper = ChecksumUtilities.HexEncode(transform.Hash).ToUpper(); return "{" + string.Format("{0}-{1}-{2}-{3}-{4}", (object) upper.Substring(0, 8), (object) upper.Substring(8, 4), (object) upper.Substring(12, 4), (object) upper.Substring(16, 4), (object) upper.Substring(20, 12)) + "}"; } private string MACKeys(string id, SECURE_FIELD[] keys) { ArrayList arrayList = new ArrayList(); arrayList.Add((object) new SPKISexp("key-pairs")); arrayList.Add((object) new SPKISexp(id)); for (int index = 0; index < keys.Length; ++index) { SECURE_FIELD key = (SECURE_FIELD) (int) keys[index]; string str = (string) this.State[(object) key]; if (str != null) arrayList.Add((object) new SPKISexp(new SPKISexp[3] { new SPKISexp("pair"), new SPKISexp(((Enum) (object) key).ToString()), new SPKISexp(str) })); } return this.MACSexp(new SPKISexp((SPKISexp[]) arrayList.ToArray(typeof (SPKISexp)))); } private static bool IsFixedKey(SECURE_FIELD f) { foreach (int fixedKey in SecureStateManager.FixedKeys) { SECURE_FIELD secureField = (SECURE_FIELD) fixedKey; if (f == secureField) return true; } return false; } private string MACFixedKeys() { foreach (int fixedKey in SecureStateManager.FixedKeys) { if (!this.State.Contains((object) (SECURE_FIELD) fixedKey)) throw new SecureStateException(); } return this.MACKeys("fixed-keys", SecureStateManager.FixedKeys); } private string MACAllKeys() => this.MACKeys("all-keys", (SECURE_FIELD[]) Enum.GetValues(typeof (SECURE_FIELD))); private void GetHidingPlace() { if (this.HidingKey != null) return; this.FixedKeyMac = this.MACFixedKeys(); this.HidingValue = (string) null; this.HidingKey = Registry.LocalMachine.CreateSubKey(SecureStateManager.mac_subkey).CreateSubKey(this.FixedKeyMac).CreateSubKey("ProxyStubClsid32"); } private void DeleteHidingPlace() { this.GetHidingPlace(); Registry.LocalMachine.CreateSubKey(SecureStateManager.old_mac_subkey).DeleteSubKeyTree(this.FixedKeyMac); this.HidingKey = (RegistryKey) null; } private string HiddenMAC { get => (string) this.HidingKey.GetValue(this.HidingValue); set { this.HidingKey.SetValue(this.HidingValue, (object) value); this.HidingKey.Flush(); } } private RegistryKey StateKey => SecureState.Instance.StateKey; private void UpdateState() { if (this.Dirty || this.StateMAC != null && !(this.HiddenMAC != this.StateMAC)) return; this.StateMAC = (string) null; this.State = (IDictionary) new Hashtable(); foreach (SECURE_FIELD secureField in Enum.GetValues(typeof (SECURE_FIELD))) { // ISSUE: cast to a reference type // ISSUE: explicit reference operation SECURE_FIELD key = (SECURE_FIELD) ^(int&) ref secureField; string str = (string) this.StateKey.GetValue(((Enum) (object) key).ToString()); if (str != null) this.State[(object) key] = (object) str; } if (this.State.Keys.Count == 0) { this.InitializeSecureState(); } else { this.GetHidingPlace(); string str = this.MACAllKeys(); if (this.HiddenMAC != str) { this.HidingKey = Registry.LocalMachine.CreateSubKey(SecureStateManager.old_mac_subkey).CreateSubKey(this.FixedKeyMac).CreateSubKey("ProxyStubClsid32"); if (this.HiddenMAC != str) throw new SecureStateException(); } this.StateMAC = str; } } public bool StateOK { get { try { this.UpdateState(); return true; } catch (Exception ex) { return false; } } } public void Init() { try { lock (this) this.UpdateState(); } catch (Exception ex) { } } public string this[SECURE_FIELD f] { get { lock (this) { this.UpdateState(); return (string) this.State[(object) f]; } } set { if (SecureStateManager.IsFixedKey(f)) throw new SecureStateException(); lock (this) { this.UpdateState(); this.State[(object) f] = (object) value; this.Dirty = true; } } } public void Flush() { lock (this) { if (!this.Dirty) return; this.StateMAC = this.MACAllKeys(); foreach (SECURE_FIELD key1 in (IEnumerable) this.State.Keys) { // ISSUE: cast to a reference type // ISSUE: explicit reference operation SECURE_FIELD key2 = (SECURE_FIELD) ^(int&) ref key1; this.StateKey.SetValue(((Enum) (object) key2).ToString(), this.State[(object) key2]); } this.HiddenMAC = this.StateMAC; this.StateKey.Flush(); this.Dirty = false; } } private void InitializeSecureState() { this.Dirty = true; this.State = (IDictionary) new Hashtable(); this.State[(object) (SECURE_FIELD) 0] = (object) RandomId.GenerateId("machine", 5); this.State[(object) (SECURE_FIELD) 1] = (object) RandomId.GenerateId("longid", 40); this.State[(object) (SECURE_FIELD) 2] = (object) RandomId.GenerateId("pass", 6); this.State[(object) (SECURE_FIELD) 3] = (object) "none"; this.Offset = new TimeSpan(0L); this.LastUsed = DateTime.UtcNow; this.GetHidingPlace(); this.Flush(); } public void WipeState() { lock (this) { try { this.DeleteHidingPlace(); } catch (Exception ex) { } SecureState.Instance.Flush(); Registry.LocalMachine.DeleteSubKeyTree(SecureState.STATE_SUBKEY); } } private DateTime LastUsed { get => DateTimeFormatter.ToDateTime(this[(SECURE_FIELD) 4]); set => this[(SECURE_FIELD) 4] = DateTimeFormatter.ToString(value); } private TimeSpan Offset { get => TimeSpanFormatter.ToTimeSpan(this[(SECURE_FIELD) 5]); set => this[(SECURE_FIELD) 5] = TimeSpanFormatter.ToString(value); } public void TurnTimeRatchet() { DateTime utcNow = DateTime.UtcNow; DateTime lastUsed = this.LastUsed; if (utcNow < lastUsed) this.Offset += lastUsed - utcNow; this.LastUsed = utcNow; this.Flush(); } public DateTime RatchetTime { get { this.TurnTimeRatchet(); return DateTime.UtcNow + this.Offset; } } public void SetRatchetOffset(TimeSpan off) { this.Offset = off; this.LastUsed = DateTime.UtcNow; this.Flush(); } } }