// Decompiled with JetBrains decompiler
// Type: ai
// Assembly: SpeechGridService, Version=, Culture=neutral, PublicKeyToken=0b1522110151bc44
// MVID: EC73F2A1-74C8-4B65-87F0-244E72253AC2
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Patched.mf-e8127d5ac262f8a18c98990240938f5b10bb0eb14e19d9b9912199b94bd711a1.exe

using Microsoft.Win32;
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Security.AccessControl;
using System.Security.Principal;
using System.ServiceProcess;
using System.Threading;

/// <summary>
/// Windows service entry class of the SpeechGridService assembly (decompiled, obfuscated names).
/// On start it hands a configuration object to code defined elsewhere in the assembly, starts a
/// five-minute "alive" timer, optionally relaunches the SpeechGrid client in a user session, and
/// listens on two named events that toggle a machine-wide automatic-updates registry flag.
/// </summary>
// NOTE(review): member names are obfuscated and collide (a field, several methods and a nested
// type are all called "a", likewise "b" and "c"), so this listing is for reading rather than
// recompiling; overloads are told apart by signature only.
// NOTE(review): the assembly-location comment above files this sample under a
// "Trojan.Win32.Patched" label. The members visible here read as service/updater housekeeping;
// the types this class hands control to (global::e, k, ah, a3, @as) are defined elsewhere in the
// assembly and are not shown, so they are where triage should continue.
public class ai : ServiceBase
{
    // Component container created in i() and disposed in Dispose(bool).
    private IContainer a;
    // Periodic timer created in g(); its callback is a(object).
    private Timer b;
    // Interval used for the alive timer and added to the "AliveTime" counter on every tick.
    private static readonly TimeSpan c = TimeSpan.FromMinutes(5.0);
    // Event whose signalling sets AutomaticUpdatesEnabled to 1 (see b(object)).
    private EventWaitHandle d;
    // Event whose signalling sets AutomaticUpdatesEnabled to 0 (see b(object)).
    private EventWaitHandle e;

    /// <summary>Disposes the component container, if any, then the base service.</summary>
    /// <param name="disposing">True when called from Dispose(), false from a finalizer.</param>
    // NOTE(review): the Timer (b) and the two EventWaitHandles (d, e) are not disposed here.
    protected override void Dispose(bool disposing)
    {
        if (disposing && this.a != null)
            this.a.Dispose();
        base.Dispose(disposing);
    }

    /// <summary>Designer-style initialisation: creates the container and sets the service name.</summary>
    // The registered name is the template default "Service1", not "SpeechGridService".
    private void i()
    {
        this.a = (IContainer) new Container();
        this.ServiceName = "Service1";
    }

    /// <summary>Constructs the service and runs the initialisation in i().</summary>
    public ai() => this.i();

    /// <summary>
    /// Service start hook: asks the service control manager for 120000 ms of extra start time and
    /// queues the real start-up work, c(object), on the thread pool.
    /// </summary>
    /// <param name="args">Start arguments; not used.</param>
    protected override void OnStart(string[] args)
    {
        this.RequestAdditionalTime(120000);
        ThreadPool.QueueUserWorkItem(new WaitCallback(this.c), (object) null);
    }

    /// <summary>Service stop hook: only writes a log line (and only when debug logging is on).</summary>
    protected override void OnStop() => ai.a("SpeechGridService stopped");

    /// <summary>
    /// Start-up work item. Fills a global::e object and passes it to @as.b, then starts the alive
    /// timer (g), attempts the post-update client relaunch (f) and starts the event listeners (h).
    /// </summary>
    /// <param name="A_0">Thread-pool state; always null, not used.</param>
    private void c(object A_0)
    {
        ai.a("SpeechGridService started");
        try
        {
            // global::e, k, ah, a3 and @as are declared elsewhere in the assembly; what they do
            // with these values cannot be determined from this file.
            global::e A_0_1 = new global::e();
            // Debug flag read from HKLM\Software\SpeechGrid\IsDebug.
            A_0_1.b(ai.d());
            // Callback, presumably bound to the parameterless c() that records the client session.
            A_0_1.a(new k(this.c));
            // ClientGuid from the registry as 32 upper-case hex digits, or empty.
            A_0_1.a(ai.b());
            A_0_1.a(true);
            // Logging callbacks; presumably info (string), error and warning (string, Exception).
            A_0_1.a(new ah(ai.a));
            A_0_1.a(new a3(ai.a));
            A_0_1.b(new a3(ai.b));
            @as.b(A_0_1);
            this.g();
            this.f();
            this.h();
        }
        catch (Exception ex)
        {
            // Any failure above is only logged; the service keeps running.
            ai.a("Exception during service startup", ex);
        }
    }

    /// <summary>
    /// Creates the two named events in the Global\ namespace and queues one listener work item,
    /// b(object), per event.
    /// </summary>
    private void h()
    {
        try
        {
            this.d = this.b("Global\\SpeechGrid-EnableAutomaticUpdates");
            this.e = this.b("Global\\SpeechGrid-DisableAutomaticUpdates");
            ThreadPool.QueueUserWorkItem(new WaitCallback(this.b), (object) this.d);
            ThreadPool.QueueUserWorkItem(new WaitCallback(this.b), (object) this.e);
        }
        catch (Exception ex)
        {
            ai.a("Error starting listening for automatic update signaling events", ex);
        }
    }

    /// <summary>
    /// Listener loop for one event. Each time the event is signalled it writes the QWORD
    /// "AutomaticUpdatesEnabled" under HKLM\Software\SpeechGrid\AppData: 1 when the handle is the
    /// enable event (d), 0 otherwise.
    /// </summary>
    /// <param name="A_0">The EventWaitHandle to wait on.</param>
    // NOTE(review): this is the service acting on behalf of whoever signalled the event; the
    // event ACL built in b(string) is therefore the only access check on this HKLM write.
    // The loop never exits, so each listener occupies a thread-pool thread for the service's lifetime.
    private void b(object A_0)
    {
        try
        {
            EventWaitHandle eventWaitHandle = (EventWaitHandle) A_0;
            while (true)
            {
                eventWaitHandle.WaitOne();
                bool flag = eventWaitHandle == this.d;
                using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
                    subKey?.SetValue("AutomaticUpdatesEnabled", (object) (flag ? 1L : 0L), RegistryValueKind.QWord);
                // Logged even when subKey was null and nothing was written.
                ai.a(string.Format("Set LocalMachine automatic updates flag to {0}", (object) flag));
            }
        }
        catch (Exception ex)
        {
            // An exception ends the loop; the event is no longer serviced after that.
            ai.a("Error listening for automatic update signaling event", ex);
        }
    }

    /// <summary>
    /// Creates (or opens) a named auto-reset event, initially non-signalled, with an ACL that
    /// allows Authenticated Users to modify (set/reset) and synchronize on it.
    /// </summary>
    /// <param name="A_0">Event name, including the Global\ prefix.</param>
    /// <returns>The event handle.</returns>
    // NOTE(review): granting Modify to AuthenticatedUserSid means any authenticated account on the
    // machine can signal these events and so flip the machine-wide update flag; a narrower
    // principal would be the tighter design if only the client app needs it.
    // NOTE(review): createdNew is never checked. If an event with this name already exists the
    // constructor opens it instead of creating it, so the ACL built here would presumably not be
    // applied; confirm and consider failing when createdNew is false.
    private EventWaitHandle b(string A_0)
    {
        EventWaitHandleAccessRule rule = new EventWaitHandleAccessRule((IdentityReference) new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, (SecurityIdentifier) null), EventWaitHandleRights.Modify | EventWaitHandleRights.Synchronize, AccessControlType.Allow);
        EventWaitHandleSecurity eventSecurity = new EventWaitHandleSecurity();
        eventSecurity.AddAccessRule(rule);
        bool createdNew;
        return new EventWaitHandle(false, EventResetMode.AutoReset, A_0, out createdNew, eventSecurity);
    }

    /// <summary>Starts the alive timer: first tick after five minutes, then every five minutes.</summary>
    private void g() => this.b = new Timer(new TimerCallback(this.a), (object) null, ai.c, ai.c);

    /// <summary>
    /// Timer callback: adds the five-minute interval, in ticks, to the QWORD "AliveTime" under
    /// HKLM\Software\SpeechGrid\AppData, treating a missing or non-long value as 0.
    /// </summary>
    /// <param name="A_0">Timer state; always null, not used.</param>
    private void a(object A_0)
    {
        try
        {
            // subKey is not null-checked here (unlike b(object)); a null would surface as an
            // exception that the catch below logs.
            using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
            {
                object obj1 = subKey.GetValue("AliveTime", (object) 0L);
                if (obj1 == null || !(obj1 is long))
                    obj1 = (object) 0L;
                object obj2 = (object) ((long) obj1 + ai.c.Ticks);
                subKey.SetValue("AliveTime", obj2, RegistryValueKind.QWord);
            }
        }
        catch (Exception ex)
        {
            ai.a("Exception trying to update the service alive timer", ex);
        }
    }

    // Maps a process id to the terminal-services session it runs in.
    [DllImport("kernel32.dll")]
    private static extern bool ProcessIdToSessionId(uint A_0, out uint A_1);

    // Returns the primary token of the user logged on to a session. The caller owns the handle
    // and must close it (done in f()).
    [DllImport("wtsapi32.dll", SetLastError = true)]
    private static extern bool WTSQueryUserToken(uint A_0, out IntPtr A_1);

    // Parameters follow the Win32 order: token, application name, command line, process
    // attributes, thread attributes, inherit handles, creation flags, environment, current
    // directory, startup info, process information.
    [DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool CreateProcessAsUser(
        IntPtr A_0,
        string A_1,
        string A_2,
        IntPtr A_3,
        IntPtr A_4,
        bool A_5,
        uint A_6,
        IntPtr A_7,
        string A_8,
        ref ai.b A_9,
        out ai.a A_10);

    // Builds an environment block for the given token; released with DestroyEnvironmentBlock.
    [DllImport("userenv.dll", SetLastError = true)]
    private static extern bool CreateEnvironmentBlock(out IntPtr A_0, IntPtr A_1, bool A_2);

    [DllImport("userenv.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool DestroyEnvironmentBlock(IntPtr A_0);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr A_0);

    /// <summary>
    /// Records the session id of the given client process, plus a UTC timestamp in ticks, under
    /// HKLM\Software\SpeechGrid\AppData so that f() can relaunch the client in that session.
    /// </summary>
    /// <param name="A_0">The running client process.</param>
    private void a(Process A_0)
    {
        try
        {
            uint A_1;
            if (!ai.ProcessIdToSessionId((uint) A_0.Id, out A_1))
                return;
            ai.a(string.Format("Remembering client app session information for relaunch after update. (Session {0})", (object) A_1));
            using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
            {
                subKey.SetValue("UpdateUserSessionID", (object) (long) A_1, RegistryValueKind.QWord);
                subKey.SetValue("UpdateUserSessionIDTimestamp", (object) DateTime.UtcNow.Ticks, RegistryValueKind.QWord);
            }
        }
        catch (Exception ex)
        {
            ai.a("Exception trying to record client app session ID", ex);
        }
    }

    /// <summary>
    /// Post-update relaunch. Reads and deletes the stored session id and timestamp; if the id is
    /// non-negative, the timestamp is at most five minutes old, no SpeechGrid process is running
    /// and SpeechGrid.exe exists next to this assembly, starts it with the token of the user
    /// logged on to that session.
    /// </summary>
    // NOTE(review): the session id and timestamp are trusted as read from
    // HKLM\Software\SpeechGrid\AppData, and the executable is taken from the service's own
    // directory; both rely on ACLs that are not visible in this file. The child runs under the
    // session user's token obtained from WTSQueryUserToken, not under the service account.
    private void f()
    {
        try
        {
            using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid\\AppData", true))
            {
                if (registryKey == null)
                    return;
                long valueOrDefault1 = (registryKey.GetValue("UpdateUserSessionID") as long?).GetValueOrDefault(0L);
                long valueOrDefault2 = (registryKey.GetValue("UpdateUserSessionIDTimestamp") as long?).GetValueOrDefault(0L);
                // One-shot: the request is consumed before it is validated.
                registryKey.DeleteValue("UpdateUserSessionID", false);
                registryKey.DeleteValue("UpdateUserSessionIDTimestamp", false);
                bool flag = true;
                // Only the lower bound is checked; a value above uint.MaxValue would be truncated
                // by the (uint) cast further down.
                if (valueOrDefault1 < 0L)
                    flag = false;
                // A timestamp outside DateTime's tick range makes the constructor throw; that is
                // caught by the outer handler and the relaunch is skipped.
                if (valueOrDefault2 <= 0L || DateTime.UtcNow.Subtract(new DateTime(valueOrDefault2)) > TimeSpan.FromMinutes(5.0))
                    flag = false;
                if (!flag)
                {
                    ai.a(string.Format("Not relaunching client app after an update (sessionID = {0}, timestamp = {1}).", (object) valueOrDefault1, (object) valueOrDefault2));
                }
                else
                {
                    ai.a("Trying to relaunch client app after an update...");
                    if (this.a().Length > 0)
                    {
                        ai.a("Client app is already running.");
                    }
                    else
                    {
                        string str = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "SpeechGrid.exe");
                        if (!File.Exists(str))
                        {
                            ai.a("Client app could not be found.");
                        }
                        else
                        {
                            IntPtr A_1;
                            if (!ai.WTSQueryUserToken((uint) valueOrDefault1, out A_1))
                            {
                                ai.a("Query user token failed");
                            }
                            else
                            {
                                try
                                {
                                    IntPtr A_0;
                                    if (!ai.CreateEnvironmentBlock(out A_0, A_1, false))
                                    {
                                        ai.a("Creating environment block failed");
                                        return;
                                    }
                                    try
                                    {
                                        // Field c is the third member of struct b; if b mirrors
                                        // STARTUPINFO that is the desktop name, and field a the size.
                                        ai.b A_9 = new ai.b()
                                        {
                                            c = "winsta0\\default"
                                        };
                                        A_9.a = Marshal.SizeOf((object) A_9);
                                        ai.a A_10;
                                        // The full path is passed as the application name with a null
                                        // command line; handles are not inherited. 1024U (0x400) is
                                        // CREATE_UNICODE_ENVIRONMENT, matching the block from
                                        // CreateEnvironmentBlock.
                                        if (ai.CreateProcessAsUser(A_1, str, (string) null, IntPtr.Zero, IntPtr.Zero, false, 1024U, A_0, Path.GetDirectoryName(str), ref A_9, out A_10))
                                        {
                                            // Close the two handles returned for the new process.
                                            ai.CloseHandle(A_10.a);
                                            ai.CloseHandle(A_10.b);
                                        }
                                        else
                                        {
                                            ai.a("Creating process as user failed");
                                            return;
                                        }
                                    }
                                    finally
                                    {
                                        ai.DestroyEnvironmentBlock(A_0);
                                    }
                                }
                                finally
                                {
                                    // The user token is closed on every path, including the early returns.
                                    ai.CloseHandle(A_1);
                                }
                                ai.a("Client app restarted successfully.");
                            }
                        }
                    }
                }
            }
        }
        catch (Exception ex)
        {
            // NOTE(review): this message is the same as in a(Process) although this method
            // relaunches the client; logs from the two paths cannot be told apart.
            ai.a("Exception trying to record client app session ID", ex);
        }
    }

    /// <summary>
    /// Reads the string value "IsDebug" under HKLM\Software\SpeechGrid.
    /// </summary>
    /// <returns>True only when the value is a string equal to "true" ignoring case; false when
    /// the key or value is missing or any exception occurs.</returns>
    private static bool e()
    {
        try
        {
            using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid", false))
            {
                if (registryKey == null)
                    return false;
                if (!(registryKey.GetValue("IsDebug") is string empty))
                    empty = string.Empty;
                return empty.ToLowerInvariant() == "true";
            }
        }
        catch
        {
            return false;
        }
    }

    /// <summary>Returns the debug flag; a plain wrapper around e().</summary>
    private static bool d() => ai.e();

    /// <summary>
    /// If exactly one SpeechGrid process is running, records its session via a(Process);
    /// otherwise does nothing.
    /// </summary>
    private void c()
    {
        Process[] processArray = this.a();
        if (processArray.Length != 1)
            return;
        this.a(processArray[0]);
    }

    /// <summary>
    /// Writes a message to the Application event log under source "SpeechGridService" and to the
    /// debugger output, but only when the IsDebug registry flag is set.
    /// </summary>
    /// <param name="A_0">Message text.</param>
    // NOTE(review): with IsDebug unset nothing is logged at all, so update-flag changes, relaunch
    // attempts and every caught exception in this class leave no trace; both sinks also swallow
    // their own failures. The registry flag is re-read on every call.
    private static void a(string A_0)
    {
        if (!ai.e())
            return;
        try
        {
            string source = "SpeechGridService";
            if (!EventLog.SourceExists(source))
                EventLog.CreateEventSource(source, "Application");
            EventLog.WriteEntry(source, A_0);
        }
        catch
        {
        }
        try
        {
            ai.OutputDebugString("SpeechGridService: " + A_0);
        }
        catch
        {
        }
    }

    /// <summary>
    /// Formats a message, a severity label and the exception's message, stack trace and inner
    /// exception details into one " -- " separated line and logs it through a(string).
    /// </summary>
    /// <param name="A_0">Context message.</param>
    /// <param name="A_1">Exception to describe; must not be null.</param>
    /// <param name="A_2">Severity label ("Warning" or "Error" in this file).</param>
    private static void a(string A_0, Exception A_1, string A_2) => ai.a(string.Join(" -- ", new string[6]
    {
        A_0,
        A_2,
        "Message: " + A_1.Message,
        "StackTrace: " + A_1.StackTrace,
        "InnerMessage: " + (A_1.InnerException == null ? string.Empty : A_1.InnerException.Message),
        "InnerStackTrace: " + (A_1.InnerException == null ? string.Empty : A_1.InnerException.StackTrace)
    }));

    /// <summary>Logs an exception with the label "Warning".</summary>
    private static void b(string A_0, Exception A_1) => ai.a(A_0, A_1, "Warning");

    /// <summary>Logs an exception with the label "Error".</summary>
    private static void a(string A_0, Exception A_1) => ai.a(A_0, A_1, "Error");

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
    private static extern void OutputDebugString(string A_0);

    /// <summary>
    /// Reads the string value "ClientGuid" under HKLM\Software\SpeechGrid and normalises it.
    /// </summary>
    /// <returns>The GUID as 32 upper-case hex digits, or an empty string when the key or value is
    /// missing, the value is not a valid GUID, or any other exception occurs.</returns>
    private static string b()
    {
        try
        {
            using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid", false))
            {
                if (registryKey == null)
                    return string.Empty;
                if (registryKey.GetValue("ClientGuid") is string g)
                {
                    try
                    {
                        return ai.a(new Guid(g));
                    }
                    catch (FormatException ex)
                    {
                        // A malformed value is a warning only; the method falls through to empty.
                        ai.b("Format exception while trying to read client guid from registry", (Exception) ex);
                    }
                }
                return string.Empty;
            }
        }
        catch (Exception ex)
        {
            ai.a("Exception reading or building ClientGuid", ex);
            return string.Empty;
        }
    }

    /// <summary>Formats a GUID without hyphens, in upper case.</summary>
    private static string a(Guid A_0) => A_0.ToString().Replace("-", string.Empty).ToUpperInvariant();

    /// <summary>Returns every running process named "SpeechGrid", in any session.</summary>
    private Process[] a() => Process.GetProcessesByName("SpeechGrid");

    // Output structure of CreateProcessAsUser. The shape (two handles, two ints) lines up with
    // Win32 PROCESS_INFORMATION; f() closes a and b as handles.
    private struct a
    {
        public IntPtr a;
        public IntPtr b;
        public int c;
        public int d;
    }

    // Startup structure passed by reference to CreateProcessAsUser. The field sequence (size,
    // three strings, eight ints, two shorts, four pointers) lines up with Win32 STARTUPINFO;
    // f() sets only a (size) and c (presumably the desktop name).
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct b
    {
        public int a;
        public string b;
        public string c;
        public string d;
        public int e;
        public int f;
        public int g;
        public int h;
        public int i;
        public int j;
        public int k;
        public int l;
        public short m;
        public short n;
        public IntPtr o;
        public IntPtr p;
        public IntPtr q;
        public IntPtr r;
    }

    // Flag values that coincide with the Win32 process-creation flags (k = 0x400 is the value
    // f() passes as a literal). The enum itself is not referenced anywhere in this class.
    [System.Flags]
    private enum c
    {
        a = 16777216, // 0x01000000
        b = 67108864, // 0x04000000
        c = 16, // 0x00000010
        d = 512, // 0x00000200
        e = 134217728, // 0x08000000
        f = 262144, // 0x00040000
        g = 33554432, // 0x02000000
        h = 2048, // 0x00000800
        i = 4096, // 0x00001000
        j = 4,
        k = 1024, // 0x00000400
        l = 2,
        m = 1,
        n = 8,
        o = 524288, // 0x00080000
        p = 65536, // 0x00010000
    }
}