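// Decompiled with JetBrains decompiler
// Type: eRecoveryService.WIN32
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe

using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Text;

namespace eRecoveryService
{
    /// <summary>
    /// Win32 interop surface for the recovery service: path and flag constants, P/Invoke
    /// declarations for wimgapi, kernel32, advapi32, shell32, wtsapi32 and the vendor
    /// SysHook.dll, plus the delegate, enum and struct types those imports marshal.
    /// </summary>
    /// <remarks>
    /// Review notes for maintainers:
    /// <list type="bullet">
    /// <item>Every <c>DllImport</c> here names its library by bare file name
    /// (<c>wimgapi.dll</c>, <c>SysHook.dll</c>, ...). The loader resolves those through the
    /// standard DLL search order, so a service running as LocalSystem should make sure the
    /// libraries are only ever found in a location the service trusts (system directory or
    /// the service's own protected install folder).</item>
    /// <item><see cref="DuplicateTokenEx"/>, <see cref="ImpersonateLoggedOnUser"/> and
    /// <see cref="CreateProcessAsUser"/> change the security context a process runs in.
    /// Every token and process handle they hand back must be released with
    /// <see cref="CloseHandle"/>, and impersonation must always be undone with
    /// <see cref="RevertToSelf"/>.</item>
    /// <item><see cref="WIM_INFO.WimPath"/> is marshaled as an inline 260-WCHAR buffer to match
    /// the native <c>WIM_INFO</c> layout; <see cref="CreateProcess"/> is bound to the Unicode
    /// entry point so it agrees with the <c>LPWStr</c> fields of <see cref="STARTUPINFO"/>.</item>
    /// </list>
    /// </remarks>
    public class WIN32
    {
        // ---- Recovery-tool paths (fixed locations under the Acer install tree) ----

        /// <summary>INI file that drives the post-recovery autorun step.</summary>
        public const string g_szC_AutorunIni = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun.ini";
        /// <summary>Folder holding the autorun payload on the system drive.</summary>
        public const string g_szC_AutorunFolder = "C:\\Acer\\Empowering Technology\\eRecovery\\Autorun";
        /// <summary>NT device path of the first partition of disk 0 (the hidden recovery partition).</summary>
        public const string HIDDEN_PATH = "\\Device\\Harddisk0\\Partition1";
        /// <summary>
        /// Command-line fragment for imagex. Note the embedded closing quote: the caller is
        /// presumably expected to supply the opening quote and the directory prefix — confirm
        /// at the call site before changing this string.
        /// </summary>
        public const string g_szH_AutorunExe = "\\imagex.exe\" /apply";
        /// <summary>Relative path of the compressed WIM image on the recovery partition.</summary>
        public const string g_sz_CompressFileSrc = "\\autorun\\swcd.wim";
        /// <summary>Destination folder the WIM image is applied to.</summary>
        public const string g_sz_ExtractDestFolder = "C:\\Acer\\Empowering Technology\\eRecovery";

        // ---- Win32 constants ----

        /// <summary>Win32 error code returned when an enumeration is exhausted.</summary>
        public const int ERROR_NO_MORE_ITEMS = 259;
        /// <summary>Token access right: duplicate the token.</summary>
        public const uint TOKEN_DUPLICATE = 2;
        /// <summary>Token access right: query token information.</summary>
        public const uint TOKEN_QUERY = 8;
        /// <summary>Token access right: attach the token as a primary token to a process.</summary>
        public const uint TOKEN_ASSIGN_PRIMARY = 1;
        /// <summary>Process creation flag: new console for the child.</summary>
        public const uint CREATE_NEW_CONSOLE = 16;
        /// <summary>Process creation flag: below-normal scheduling priority (0x4000).</summary>
        public const uint BELOW_NORMAL_PRIORITY_CLASS = 16384;
        /// <summary>Process creation flag: normal scheduling priority (0x20).</summary>
        public const uint NORMAL_PRIORITY_CLASS = 32;
        /// <summary>File attribute bit marking a directory (0x10).</summary>
        public const uint FILE_ATTRIBUTE_DIRECTORY = 16;
        /// <summary>
        /// Server handle meaning "the local terminal server" (matches WTS_CURRENT_SERVER_HANDLE,
        /// which is NULL); passed as the first argument of <see cref="WTSEnumerateProcesses"/>.
        /// </summary>
        public static readonly IntPtr WTC_CURRENT_SERVER_HANDLE = IntPtr.Zero;

        // ---- wimgapi.dll (Windows Imaging API) ----

        /// <summary>Registers a progress/message callback for a WIM handle (or all handles when <paramref name="hwim"/> is zero).</summary>
        /// <returns>The callback's index, or 0xFFFFFFFF on failure.</returns>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern uint WIMRegisterMessageCallback(
            IntPtr hwim,
            WIN32.WIMMessageCallback fpMessageProc,
            IntPtr lpvUserData);

        /// <summary>Opens or creates a WIM file and returns its handle (zero on failure).</summary>
        /// <remarks>
        /// <paramref name="lpdwCreationResult"/> is declared as <c>int</c> although the native
        /// parameter is an optional output pointer. Only 0 (meaning "no result wanted") is a safe
        /// value to pass; any other value is interpreted by the callee as an address.
        /// </remarks>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern IntPtr WIMCreateFile(
            string lpszWimPath,
            int dwDesiredAccess,
            int dwCreationDisposition,
            int dwFlagsAndAttributes,
            int dwCompressionType,
            int lpdwCreationResult);

        /// <summary>Fills <paramref name="lpWimInfo"/> with attributes of an open WIM; <paramref name="cbWimInfo"/> must be the struct size (560).</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMGetAttributes(
            IntPtr hWim,
            ref WIN32.WIM_INFO lpWimInfo,
            int cbWimInfo);

        /// <summary>Sets the scratch directory wimgapi uses while applying or capturing.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMSetTemporaryPath(IntPtr hWim, string lpszPath);

        /// <summary>Loads the 1-based image <paramref name="dwImageIndex"/> from an open WIM and returns an image handle (zero on failure).</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern IntPtr WIMLoadImage(IntPtr hwim, int dwImageIndex);

        /// <summary>Applies (extracts) a loaded image to <paramref name="lpszPath"/>.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMApplyImage(IntPtr hImage, string lpszPath, int dwApplyFlags);

        /// <summary>Closes a WIM or image handle obtained from <see cref="WIMCreateFile"/> / <see cref="WIMLoadImage"/>.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMCloseHandle(IntPtr hObject);

        /// <summary>Removes a callback registered with <see cref="WIMRegisterMessageCallback"/>.</summary>
        [DllImport("wimgapi.dll", CharSet = CharSet.Unicode, CallingConvention = CallingConvention.StdCall, SetLastError = true)]
        public static extern bool WIMUnregisterMessageCallback(
            IntPtr hwim,
            WIN32.WIMMessageCallback fpMessageProc);

        // ---- kernel32.dll ----

        /// <summary>Sets the calling thread's last-error value.</summary>
        [DllImport("kernel32.dll")]
        public static extern void SetLastError(uint dwErrCode);

        /// <summary>Advances a directory enumeration started by <see cref="FindFirstFile"/>; false with ERROR_NO_MORE_FILES when done.</summary>
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool FindNextFile(
            IntPtr hFindFile,
            out WIN32.WIN32_FIND_DATA lpFindFileData);

        /// <summary>
        /// Creates a process in the caller's own security context.
        /// Bound to the Unicode entry point so that the <c>LPWStr</c> fields of
        /// <see cref="STARTUPINFO"/> are handed to a function that expects wide strings.
        /// </summary>
        /// <remarks>
        /// The returned <see cref="PROCESS_INFORMATION"/> carries two handles that the caller must
        /// release with <see cref="CloseHandle"/>. Callers should pass a fully qualified, quoted
        /// <paramref name="lpApplicationName"/> rather than relying on command-line path parsing.
        /// </remarks>
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern bool CreateProcess(
            string lpApplicationName,
            string lpCommandLine,
            ref WIN32.SECURITY_ATTRIBUTES lpProcessAttributes,
            ref WIN32.SECURITY_ATTRIBUTES lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            [In] ref WIN32.STARTUPINFO lpStartupInfo,
            out WIN32.PROCESS_INFORMATION lpProcessInformation);

        // ---- shell32.dll ----

        /// <summary>Copies, moves, renames or deletes files as described by <paramref name="lpFileOp"/>; returns 0 on success.</summary>
        [DllImport("shell32.dll", CharSet = CharSet.Unicode)]
        public static extern int SHFileOperation([In] ref WIN32.SHFILEOPSTRUCT lpFileOp);

        /// <summary>Opens a handle to an existing process; zero on failure. Release with <see cref="CloseHandle"/>.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern IntPtr OpenProcess(
            uint dwDesiredAccess,
            bool bInheritHandle,
            uint dwProcessId);

        // ---- advapi32.dll (tokens and impersonation) ----

        /// <summary>
        /// Creates a process running under the security context of <paramref name="hToken"/>
        /// (a primary token, typically produced by <see cref="DuplicateTokenEx"/>).
        /// </summary>
        /// <remarks>
        /// This is a privileged operation: the caller needs the token to have been obtained from a
        /// process it is entitled to inspect, and must close both handles in
        /// <see cref="PROCESS_INFORMATION"/> afterwards.
        /// </remarks>
        [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        public static extern bool CreateProcessAsUser(
            IntPtr hToken,
            string lpApplicationName,
            string lpCommandLine,
            IntPtr lpProcessAttributes,
            IntPtr lpThreadAttributes,
            bool bInheritHandles,
            uint dwCreationFlags,
            IntPtr lpEnvironment,
            string lpCurrentDirectory,
            ref WIN32.STARTUPINFO lpStartupInfo,
            out WIN32.PROCESS_INFORMATION lpProcessInformation);

        /// <summary>Makes the calling thread impersonate the user of <paramref name="hToken"/>; pair with <see cref="RevertToSelf"/>.</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);

        /// <summary>Duplicates an access token into a new primary or impersonation token; release with <see cref="CloseHandle"/>.</summary>
        [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool DuplicateTokenEx(
            IntPtr hExistingToken,
            uint dwDesiredAccess,
            IntPtr lpTokenAttributes,
            WIN32.SECURITY_IMPERSONATION_LEVEL ImpersonationLevel,
            WIN32.TOKEN_TYPE TokenType,
            out IntPtr phNewToken);

        /// <summary>Opens the primary token of a process with the given TOKEN_* access mask; release with <see cref="CloseHandle"/>.</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool OpenProcessToken(
            IntPtr ProcessHandle,
            uint DesiredAccess,
            out IntPtr TokenHandle);

        // ---- wtsapi32.dll (terminal services) ----

        /// <summary>Frees a buffer allocated by a WTS* enumeration call.</summary>
        [SuppressUnmanagedCodeSecurity]
        [DllImport("wtsapi32", SetLastError = true)]
        public static extern void WTSFreeMemory(IntPtr pMemory);

        /// <summary>
        /// Enumerates processes on a terminal server. <paramref name="ppProcessInfo"/> receives an
        /// array of <see cref="WTSProcessInfo"/> that must be released with <see cref="WTSFreeMemory"/>.
        /// The first parameter is the server handle despite its name.
        /// </summary>
        [SuppressUnmanagedCodeSecurity]
        [DllImport("wtsapi32", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool WTSEnumerateProcesses(
            IntPtr ProcessHandle,
            int Reserved,
            uint Version,
            ref IntPtr ppProcessInfo,
            ref uint pCount);

        /// <summary>Closes any kernel object handle (process, thread, token, ...).</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hSnapshot);

        /// <summary>Ends impersonation started by <see cref="ImpersonateLoggedOnUser"/>.</summary>
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool RevertToSelf();

        /// <summary>Returns the session id of the physical console; 0xFFFFFFFF when there is none.</summary>
        [DllImport("kernel32.dll")]
        public static extern uint WTSGetActiveConsoleSessionId();

        /// <summary>Resolves a SID to account and domain names; <paramref name="peUse"/> receives the SID_NAME_USE value.</summary>
        [DllImport("advapi32", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern bool LookupAccountSid(
            string lpSystemName,
            IntPtr pSid,
            StringBuilder Account,
            ref int cbName,
            StringBuilder DomainName,
            ref int cbDomainName,
            ref int peUse);

        // ---- kernel32.dll (file enumeration, INI files, drives) ----

        /// <summary>Starts a directory enumeration; returns INVALID_HANDLE_VALUE (-1) on failure. Close with <see cref="FindClose"/>.</summary>
        [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern IntPtr FindFirstFile(
            string lpFileName,
            out WIN32.WIN32_FIND_DATA lpFindFileData);

        /// <summary>Closes a search handle from <see cref="FindFirstFile"/>.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool FindClose(IntPtr hFindFile);

        /// <summary>
        /// Reads all section names of an INI file into <paramref name="lpszReturnBuffer"/> as a
        /// NUL-separated, double-NUL-terminated ANSI list (explicitly bound to the A entry point).
        /// </summary>
        [DllImport("kernel32.dll", EntryPoint = "GetPrivateProfileSectionNamesA")]
        public static extern int GetPrivateProfileSectionNames(
            byte[] lpszReturnBuffer,
            int nSize,
            string lpFileName);

        /// <summary>Reads one INI value; returns the number of characters copied (ANSI entry point by default).</summary>
        [DllImport("kernel32.dll")]
        public static extern uint GetPrivateProfileString(
            string lpAppName,
            string lpKeyName,
            string lpDefault,
            StringBuilder lpReturnedString,
            uint nSize,
            string lpFileName);

        /// <summary>Writes (or, with a null <paramref name="lpString"/>, deletes) one INI value.</summary>
        [DllImport("kernel32.dll")]
        public static extern bool WritePrivateProfileString(
            string lpAppName,
            string lpKeyName,
            string lpString,
            string lpFileName);

        // ---- SysHook.dll (vendor component, loaded by bare name — see class remarks) ----

        /// <summary>Installs the vendor launch hook. Semantics live in SysHook.dll, not in this assembly.</summary>
        [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern void InstallLaunchEv();

        /// <summary>Removes the hook installed by <see cref="InstallLaunchEv"/>.</summary>
        [DllImport("SysHook.dll", CharSet = CharSet.Auto, SetLastError = true)]
        public static extern void UninstallLaunchEv();

        /// <summary>Returns a bitmask of present drive letters (bit 0 = A:).</summary>
        [DllImport("kernel32.dll")]
        public static extern uint GetLogicalDrives();

        /// <summary>Defines, redefines or deletes an MS-DOS device name (e.g. a drive letter) mapping to an NT device path.</summary>
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool DefineDosDevice(
            uint dwFlags,
            string lpDeviceName,
            string lpTargetPath);

        /// <summary>Retrieves the current process's STARTUPINFO (Unicode entry point, matching <see cref="STARTUPINFO"/>).</summary>
        [DllImport("kernel32.dll", EntryPoint = "GetStartupInfoW")]
        public static extern void GetStartupInfo(out WIN32.STARTUPINFO lpStartupInfo);

        // ---- Callback, enums ----

        /// <summary>Signature of the wimgapi message callback; <paramref name="msgId"/> is a <see cref="WIMMSGENUM"/> value.</summary>
        public delegate int WIMMessageCallback(int msgId, IntPtr param1, IntPtr param2, IntPtr unused);

        /// <summary>Win32-style BOOL as an enum (False = 0, True = 1).</summary>
        public enum Bool
        {
            False,
            True,
        }

        /// <summary>Message ids delivered to <see cref="WIMMessageCallback"/> (WM_APP + 0x1476 onwards).</summary>
        public enum WIMMSGENUM
        {
            WIM_MSG = 38006, // 0x00009476
            WIM_MSG_TEXT = 38007, // 0x00009477
            WIM_MSG_PROGRESS = 38008, // 0x00009478
            WIM_MSG_PROCESS = 38009, // 0x00009479
            WIM_MSG_SCANNING = 38010, // 0x0000947A
            WIM_MSG_SETRANGE = 38011, // 0x0000947B
            WIM_MSG_SETPOS = 38012, // 0x0000947C
            WIM_MSG_STEPIT = 38013, // 0x0000947D
            WIM_MSG_COMPRESS = 38014, // 0x0000947E
            WIM_MSG_ERROR = 38015, // 0x0000947F
            WIM_MSG_ALIGNMENT = 38016, // 0x00009480
            WIM_MSG_RETRY = 38017, // 0x00009481
            WIM_MSG_SPLIT = 38018, // 0x00009482
            WIM_MSG_FILEINFO = 38019, // 0x00009483
            WIM_MSG_INFO = 38020, // 0x00009484
            WIM_MSG_WARNING = 38021, // 0x00009485
            WIM_MSG_CHK_PROCESS = 38022, // 0x00009486
        }

        /// <summary>FOF_* flags for <see cref="SHFILEOPSTRUCT.fFlags"/> (combine with bitwise OR).</summary>
        public enum FILEOP_FLAGS_ENUM : ushort
        {
            FOF_MULTIDESTFILES = 1,
            FOF_CONFIRMMOUSE = 2,
            FOF_SILENT = 4,
            FOF_RENAMEONCOLLISION = 8,
            FOF_NOCONFIRMATION = 16, // 0x0010
            FOF_WANTMAPPINGHANDLE = 32, // 0x0020
            FOF_ALLOWUNDO = 64, // 0x0040
            FOF_FILESONLY = 128, // 0x0080
            FOF_SIMPLEPROGRESS = 256, // 0x0100
            FOF_NOCONFIRMMKDIR = 512, // 0x0200
            FOF_NOERRORUI = 1024, // 0x0400
            FOF_NOCOPYSECURITYATTRIBS = 2048, // 0x0800
            FOF_NORECURSION = 4096, // 0x1000
            FOF_NO_CONNECTED_ELEMENTS = 8192, // 0x2000
            FOF_WANTNUKEWARNING = 16384, // 0x4000
            FOF_NORECURSEREPARSE = 32768, // 0x8000
        }

        /// <summary>Operation selector for <see cref="SHFILEOPSTRUCT.wFunc"/>.</summary>
        public enum FO_Func : uint
        {
            FO_MOVE = 1,
            FO_COPY = 2,
            FO_DELETE = 3,
            FO_RENAME = 4,
        }

        /// <summary>SECURITY_IMPERSONATION_LEVEL for <see cref="DuplicateTokenEx"/> (Anonymous = 0 ... Delegation = 3).</summary>
        public enum SECURITY_IMPERSONATION_LEVEL
        {
            SecurityAnonymous,
            SecurityIdentification,
            SecurityImpersonation,
            SecurityDelegation,
        }

        /// <summary>TOKEN_TYPE for <see cref="DuplicateTokenEx"/>; a primary token is required by <see cref="CreateProcessAsUser"/>.</summary>
        public enum TOKEN_TYPE
        {
            TokenPrimary = 1,
            TokenImpersonation = 2,
        }

        // ---- Marshaled structures ----

        /// <summary>16-byte GUID laid out as in the native struct (Data1, Data2, Data3, Data4[8]).</summary>
        public struct GUID
        {
            public int a;
            public short b;
            public short c;
            [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
            public byte[] d;
        }

        /// <summary>
        /// Native WIM_INFO (560 bytes) as filled in by <see cref="WIMGetAttributes"/>.
        /// </summary>
        /// <remarks>
        /// <see cref="WimPath"/> must be an inline WCHAR[MAX_PATH] buffer (520 bytes at offset 0),
        /// hence the ByValTStr marshaling — without it the runtime would marshal the field as a
        /// pointer, and the path data the callee writes at offset 0 would be re-read as an address.
        /// <see cref="PartNumber"/> and <see cref="TotalParts"/> are native USHORTs but are declared
        /// here as <c>byte</c>; only the low byte of each is observed.
        /// </remarks>
        [StructLayout(LayoutKind.Explicit, Size = 560, CharSet = CharSet.Unicode)]
        public struct WIM_INFO
        {
            [FieldOffset(0)]
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string WimPath;
            [FieldOffset(520)]
            public WIN32.GUID Guid;
            [FieldOffset(536)]
            public int ImageCount;
            [FieldOffset(540)]
            public int CompressionType;
            [FieldOffset(544)]
            public byte PartNumber;
            [FieldOffset(546)]
            public byte TotalParts;
            [FieldOffset(548)]
            public int BootIndex;
            [FieldOffset(552)]
            public int WimAttributes;
            [FieldOffset(556)]
            public int WimFlagsAndAttr;
        }

        /// <summary>
        /// Parameter block for <see cref="SHFileOperation"/>. <see cref="pFrom"/> / <see cref="pTo"/>
        /// are double-NUL-terminated lists; <see cref="fFlags"/> takes <see cref="FILEOP_FLAGS_ENUM"/> bits.
        /// </summary>
        /// <remarks>
        /// NOTE(review): the native 32-bit SHFILEOPSTRUCT is 1-byte packed while the 64-bit one is
        /// not; this declaration uses default packing — confirm it matches the process bitness it
        /// is built for.
        /// </remarks>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct SHFILEOPSTRUCT
        {
            public IntPtr hwnd;
            public WIN32.FO_Func wFunc;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string pFrom;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string pTo;
            public ushort fFlags;
            public bool fAnyOperationsAborted;
            public IntPtr hNameMappings;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpszProgressTitle;
        }

        /// <summary>Handles and ids of a newly created process; both handles must be closed by the caller.</summary>
        public struct PROCESS_INFORMATION
        {
            public IntPtr hProcess;
            public IntPtr hThread;
            public uint dwProcessId;
            public uint dwThreadId;
        }

        /// <summary>Unicode STARTUPINFOW; <see cref="cb"/> must be set to the struct size before use.</summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct STARTUPINFO
        {
            public int cb;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpReserved;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpDesktop;
            [MarshalAs(UnmanagedType.LPWStr)]
            public string lpTitle;
            public int dwX;
            public int dwY;
            public int dwXSize;
            public int dwYSize;
            public int dwXCountChars;
            public int dwYCountChars;
            public int dwFillAttribute;
            public int dwFlags;
            public short wShowWindow;
            public short cbReserved2;
            public IntPtr lpReserved2;
            public IntPtr hStdInput;
            public IntPtr hStdOutput;
            public IntPtr hStdError;
        }

        /// <summary>One element of the array returned by <see cref="WTSEnumerateProcesses"/> (native WTS_PROCESS_INFO).</summary>
        public struct WTSProcessInfo
        {
            internal uint SessionId;
            internal uint ProcessId;
            [MarshalAs(UnmanagedType.LPTStr)]
            internal string pProcessName;
            internal IntPtr pUserSid;
        }

        /// <summary>Directory entry returned by <see cref="FindFirstFile"/> / <see cref="FindNextFile"/>.</summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Auto)]
        public struct WIN32_FIND_DATA
        {
            public uint dwFileAttributes;
            public FILETIME ftCreationTime;
            public FILETIME ftLastAccessTime;
            public FILETIME ftLastWriteTime;
            public uint nFileSizeHigh;
            public uint nFileSizeLow;
            public uint dwReserved0;
            public uint dwReserved1;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)]
            public string cFileName;
            [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 14)]
            public string cAlternateFileName;
        }

        /// <summary>Native SECURITY_ATTRIBUTES; <see cref="nLength"/> must be set to the struct size.</summary>
        public struct SECURITY_ATTRIBUTES
        {
            public int nLength;
            public IntPtr lpSecurityDescriptor;
            public int bInheritHandle;
        }
    }
}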