MalwareSourceCode/MSIL/Trojan/Win32/P/Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77/ImpersonateUser.cs
2022-08-18 06:28:56 -05:00


// Decompiled with JetBrains decompiler
// Type: eRecoveryService.ImpersonateUser
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using Microsoft.Win32;
using System;
using System.Management;
using System.Runtime.InteropServices;
using System.Text;
namespace eRecoveryService
{
/// <summary>
/// Decompiled helper from the Acer eRecoveryService assembly named in the header above.
/// It runs in a service context and does three things: (1) finds the interactive console user by
/// borrowing the access token of that session's "explorer" process, impersonates it and starts
/// eRecovery executables as that user via CreateProcessAsUser; (2) asks WMI whether C: is the second
/// partition of its disk (the layout the method name treats as "hidden recovery partition present");
/// (3) launches the eRecovery uninstaller with the service's own identity.
/// Corpus note: the sample is catalogued as a "Patched" file infector. Nothing in this listing shows
/// whether this class itself was altered; the P/Invoke chain below is the vendor's usual
/// service-to-session launcher and should be compared against a clean copy of the same assembly
/// version (2.5.3.6 per the header) before drawing conclusions.
/// Defender-relevant behaviour visible here: reads under HKLM\Software\acer\..., a write to
/// eRecoveryLog.ini, OpenProcess on the session's explorer with PROCESS_ALL_ACCESS, duplication of its
/// token to a primary token, and CreateProcessAsUser with an unquoted command line.
/// </summary>
public class ImpersonateUser
{
// Duplicated primary token of the console user while impersonation is active: set by
// DuplicateTokenEx in StartToImpersonateCurrentUser, closed and zeroed in StopToImpersonateCurrentUser.
private static IntPtr nToken = IntPtr.Zero;
// "DOMAIN\account" of the impersonated user, string.Empty when not impersonating. Because it is
// filled from getAccountNameFromSid it can also hold the literal "Error" or "Win32 Error: N".
private static string currentLoggedOnUser = string.Empty;
/// <summary>
/// Raw handle of the current impersonation token, IntPtr.Zero when none is held. Any code in the
/// process can use or close this handle through the property; worth noting when reviewing callers.
/// </summary>
public static IntPtr CurrentUserToken => ImpersonateUser.nToken;
/// <summary>
/// Starts the eRecovery uninstaller "base\Remove_eRecovery.exe", where base is
/// HKLM\Software\acer\eRecovery\InstallPath with everything from "\eRecovery" onward removed, or the
/// hard-coded default when the value is absent. The child is created with the service's own identity
/// (plain CreateProcess, no impersonation) and the return value of CreateProcess is ignored.
/// Review notes: OpenSubKey returns null when the key does not exist, so GetValue would throw
/// NullReferenceException here (unlike the try/catch used in the ImpersonateUserToCreateProcess*
/// methods); if InstallPath does not contain "\eRecovery", IndexOf yields -1 and Remove(-1) throws
/// ArgumentOutOfRangeException; the RegistryKey is never closed; lpStartupInfo.cb is never set
/// (compare the .cb assignments in the launcher methods below); the PROCESS_INFORMATION handles are
/// never closed. If the InstallPath directory (or the default one) were writable by a less
/// privileged account, the service would execute whatever is placed there — check the directory
/// ACLs when assessing this binary.
/// </summary>
public static void DeleteeRecovery()
{
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
string str1;
if (registryKey.GetValue("InstallPath") != null)
{
string str2 = registryKey.GetValue("InstallPath").ToString();
// Keep only the part of InstallPath before "\eRecovery" (case-insensitive).
int startIndex = str2.IndexOf("\\eRecovery", StringComparison.OrdinalIgnoreCase);
str1 = str2.Remove(startIndex);
}
else
str1 = "C:\\Acer\\Empowering Technology";
string lpApplicationName = str1 + "\\Remove_eRecovery.exe";
WIN32.PROCESS_INFORMATION lpProcessInformation = new WIN32.PROCESS_INFORMATION();
WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
WIN32.SECURITY_ATTRIBUTES lpProcessAttributes = new WIN32.SECURITY_ATTRIBUTES();
WIN32.SECURITY_ATTRIBUTES lpThreadAttributes = new WIN32.SECURITY_ATTRIBUTES();
// Only nLength is populated; the security descriptors stay null (default DACL).
lpProcessAttributes.nLength = Marshal.SizeOf((object) lpProcessAttributes);
lpThreadAttributes.nLength = Marshal.SizeOf((object) lpThreadAttributes);
// Exact path via lpApplicationName, empty command line, no inherited handles, flags 0.
WIN32.CreateProcess(lpApplicationName, "", ref lpProcessAttributes, ref lpThreadAttributes, false, 0U, IntPtr.Zero, (string) null, ref lpStartupInfo, out lpProcessInformation);
}
/// <summary>
/// Walks the Win32_LogicalDiskToPartition associations in root\cimv2 (current credentials: Username and
/// Password are null). For the association whose Dependent is the C: logical disk: returns true when
/// its Antecedent names "Partition #1" (C: is the second partition on its disk); otherwise writes
/// Time/Dependent/Antecedent under the INI section "Service delete eRecovery" in eRecoveryLog.ini —
/// located under HKLM\Software\acer\Empowering Technology 2.5\Framework\BaseFolder, or the default
/// folder when that value is null — and returns false. Returns true when no C: association exists
/// at all. How the caller interprets true/false is not visible in this file.
/// Review notes: the ManagementObjectSearcher and each ManagementObject are never disposed; the
/// RegistryKey is never closed and would be null (NullReferenceException on GetValue) if the key is
/// missing; DateTime.Now.ToString() is culture-dependent, so the logged timestamp format follows the
/// service account's locale; the .ToString() calls on the two strings are redundant.
/// </summary>
public static bool IsHiddenPartitionExist()
{
foreach (ManagementObject managementObject in new ManagementObjectSearcher(new ManagementScope("root\\cimv2", new ConnectionOptions()
{
Username = (string) null,
Password = (string) null
}), new ObjectQuery("SELECT * FROM Win32_LogicalDiskToPartition")).Get())
{
// Dependent is the Win32_LogicalDisk path, Antecedent the Win32_DiskPartition path.
string szDepedent = managementObject["Dependent"].ToString();
string szAntecedent = managementObject["Antecedent"].ToString();
if (ImpersonateUser.FindCPartition(szDepedent))
{
if (ImpersonateUser.IsCtheSecondPartition(szAntecedent))
return true;
// C: is not partition #1: record the observed association for later inspection.
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
string lpFileName = registryKey.GetValue("BaseFolder") == null ? "C:\\Acer\\Empowering Technology\\eRecoveryLog.ini" : registryKey.GetValue("BaseFolder").ToString() + "\\eRecoveryLog.ini";
WIN32.WritePrivateProfileString("Service delete eRecovery", "Time", DateTime.Now.ToString(), lpFileName);
WIN32.WritePrivateProfileString("Service delete eRecovery", "Dependent", szDepedent.ToString(), lpFileName);
WIN32.WritePrivateProfileString("Service delete eRecovery", "Antecedent", szAntecedent.ToString(), lpFileName);
return false;
}
}
return true;
}
// True when the WMI path in szDepedent refers to the C: logical disk. 26 is the length of
// "Win32_LogicalDisk.DeviceID"; the search for "c:" runs over the text after that prefix (typically
// `="C:"`, so the hit is at offset 2). Both comparisons use `> 0`, so a match at offset 0 would be
// treated as "not found". Ordinal, case-insensitive matching is appropriate for a device path.
private static bool FindCPartition(string szDepedent)
{
int num = szDepedent.IndexOf("Win32_LogicalDisk.DeviceID", StringComparison.OrdinalIgnoreCase);
return num > 0 && szDepedent.Substring(num + 26).IndexOf("c:", StringComparison.OrdinalIgnoreCase) > 0;
}
// True when szAntecedent's Win32_DiskPartition.DeviceID (28 is the length of that prefix) contains
// "Partition" followed somewhere by "#1", i.e. zero-based partition index 1 — the second partition.
// Review note: IndexOf("#1") also matches "#10", "#11", ..., so a C: on the eleventh or later
// partition would be misreported as the second; as in FindCPartition an offset-0 hit counts as absent.
private static bool IsCtheSecondPartition(string szAntecedent)
{
int num1 = szAntecedent.IndexOf("Win32_DiskPartition.DeviceID", StringComparison.OrdinalIgnoreCase);
if (num1 > 0)
{
string str = szAntecedent.Substring(num1 + 28);
int num2 = str.IndexOf("Partition", StringComparison.OrdinalIgnoreCase);
if (num2 > 0 && str.Substring(num2 + 9).IndexOf("#1", StringComparison.OrdinalIgnoreCase) > 0)
return true;
}
return false;
}
/// <summary>
/// "DOMAIN\account" of the user currently impersonated, or string.Empty (see currentLoggedOnUser for
/// the error strings that can also appear here).
/// </summary>
public static string CurrentLoggedOnUser => ImpersonateUser.currentLoggedOnUser;
/// <summary>
/// Ends an impersonation started by StartToImpersonateCurrentUser: closes the duplicated token,
/// clears the cached user name and reverts the calling thread to the service identity. No-op when
/// no token is held (`!(a != b)` is the decompiler's rendering of `a == b`).
/// Note: RevertToSelf runs after the token handle is closed; the impersonating thread holds its own
/// reference to the token, so this order is presumably harmless — confirm on the target OS. Windows
/// impersonation is per-thread, so this must run on the thread that called ImpersonateLoggedOnUser.
/// </summary>
public static void StopToImpersonateCurrentUser()
{
if (!(ImpersonateUser.nToken != IntPtr.Zero))
return;
WIN32.CloseHandle(ImpersonateUser.nToken);
ImpersonateUser.nToken = IntPtr.Zero;
ImpersonateUser.currentLoggedOnUser = string.Empty;
WIN32.RevertToSelf();
}
// Resolves a SID to "DOMAIN\account" with the two-call LookupAccountSid pattern: the first call with
// null buffers only fills cbName/cbDomainName, the second call uses buffers of those sizes.
// Returns "Error" when the sizing call reports success with last error 259 (ERROR_NO_MORE_ITEMS) —
// a sizing call with null buffers is expected to fail with ERROR_INSUFFICIENT_BUFFER instead, so this
// branch looks unreachable in practice; returns "Win32 Error: <code>" when the second call fails.
// peUse receives the SID_NAME_USE value and is otherwise ignored. Callers cannot distinguish these
// error strings from a real account name, and the result ends up in CurrentLoggedOnUser.
private static string getAccountNameFromSid(IntPtr SID)
{
int cbName = 0;
int cbDomainName = 0;
int peUse = 0;
StringBuilder stringBuilder = new StringBuilder();
StringBuilder Account1 = (StringBuilder) null;
StringBuilder DomainName1 = (StringBuilder) null;
// Sizing call: null buffers, null system name (local machine).
if (WIN32.LookupAccountSid((string) null, SID, Account1, ref cbName, DomainName1, ref cbDomainName, ref peUse) && Marshal.GetLastWin32Error() == 259)
return "Error";
StringBuilder Account2 = new StringBuilder(cbName);
StringBuilder DomainName2 = new StringBuilder(cbDomainName);
if (WIN32.LookupAccountSid((string) null, SID, Account2, ref cbName, DomainName2, ref cbDomainName, ref peUse))
{
// The (object) casts are decompiler artifacts; StringBuilder.Append(object) calls ToString().
stringBuilder.Append((object) DomainName2);
stringBuilder.Append("\\");
stringBuilder.Append((object) Account2);
}
else
stringBuilder.Append("Win32 Error: " + (object) Marshal.GetLastWin32Error());
return stringBuilder.ToString();
}
/// <summary>
/// Impersonates the interactive console user on the calling thread. Steps: WTSGetActiveConsoleSessionId
/// (uint.MaxValue means no console session); WTSEnumerateProcesses on the local server (reserved 0,
/// version 1); the first process in that session whose name contains "explorer" is taken — its owner
/// is resolved from pUserSid via getAccountNameFromSid and the process is opened with 2035711, i.e.
/// 0x1F0FFF, the pre-Vista PROCESS_ALL_ACCESS mask (far more than OpenProcessToken needs); its token is
/// opened with TOKEN_DUPLICATE|TOKEN_QUERY (10), duplicated with
/// TOKEN_ASSIGN_PRIMARY|TOKEN_DUPLICATE|TOKEN_QUERY (11) at SecurityImpersonation level into a primary
/// token stored in nToken, and ImpersonateLoggedOnUser is applied. Returns true only when both
/// DuplicateTokenEx and ImpersonateLoggedOnUser succeed; returns false at once if a token is already held.
/// Review notes: ProcessHandle is never closed (one leaked process handle per successful lookup); if
/// DuplicateTokenEx succeeds but ImpersonateLoggedOnUser fails, nToken stays set while false is
/// returned, so every later call returns false until StopToImpersonateCurrentUser runs; the pointer walk
/// casts the IntPtr to int, which is only valid in a 32-bit process (the explicit IntPtr-to-int
/// conversion throws OverflowException for addresses above int.MaxValue in a 64-bit process); the name
/// test is a culture-sensitive ToLower()+IndexOf substring match, so any process whose name contains
/// "explorer" qualifies, not only explorer.exe.
/// Detection angle: OpenProcess on the session's explorer with PROCESS_ALL_ACCESS from a service,
/// followed by OpenProcessToken/DuplicateTokenEx/ImpersonateLoggedOnUser and CreateProcessAsUser, is the
/// standard "start a UI program from a service" chain. It is legitimate for vendor services such as
/// this one, but the same chain is used by session-hopping malware, so telemetry on it should be
/// correlated with the image path and signature of the service and with the child it launches
/// (eRAgent.exe / Acer.Empowering.Framework.Supervisor.exe here).
/// </summary>
public static bool StartToImpersonateCurrentUser()
{
bool impersonateCurrentUser = false;
// Already impersonating: refuse rather than stack a second token.
if (ImpersonateUser.nToken != IntPtr.Zero)
return impersonateCurrentUser;
uint consoleSessionId = WIN32.WTSGetActiveConsoleSessionId();
if (consoleSessionId != uint.MaxValue)
{
IntPtr ProcessHandle = IntPtr.Zero;
IntPtr ppProcessInfo = IntPtr.Zero;
uint pCount = 0;
if (WIN32.WTSEnumerateProcesses(WIN32.WTC_CURRENT_SERVER_HANDLE, 0, 1U, ref ppProcessInfo, ref pCount))
{
// pMemory keeps the start of the array because ppProcessInfo is advanced in the loop.
IntPtr pMemory = ppProcessInfo;
for (int index = 0; (long) index < (long) pCount; ++index)
{
WIN32.WTSProcessInfo structure = (WIN32.WTSProcessInfo) Marshal.PtrToStructure(ppProcessInfo, typeof (WIN32.WTSProcessInfo));
// 32-bit-only pointer arithmetic (see the review notes above).
ppProcessInfo = (IntPtr) ((int) ppProcessInfo + Marshal.SizeOf((object) structure));
if (structure.pProcessName.ToLower().IndexOf("explorer") != -1 && (int) structure.SessionId == (int) consoleSessionId)
{
// Both the SID and the process id are read before the WTS buffer is freed below.
ImpersonateUser.currentLoggedOnUser = ImpersonateUser.getAccountNameFromSid(structure.pUserSid);
ProcessHandle = WIN32.OpenProcess(2035711U, false, structure.ProcessId);
break;
}
}
WIN32.WTSFreeMemory(pMemory);
}
IntPtr TokenHandle;
if (ProcessHandle != IntPtr.Zero && WIN32.OpenProcessToken(ProcessHandle, 10U, out TokenHandle))
{
// A primary token is required so that CreateProcessAsUser can consume nToken later.
if (WIN32.DuplicateTokenEx(TokenHandle, 11U, IntPtr.Zero, WIN32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, WIN32.TOKEN_TYPE.TokenPrimary, out ImpersonateUser.nToken) && WIN32.ImpersonateLoggedOnUser(ImpersonateUser.nToken))
impersonateCurrentUser = true;
WIN32.CloseHandle(TokenHandle);
}
}
if (!impersonateCurrentUser)
ImpersonateUser.currentLoggedOnUser = string.Empty;
return impersonateCurrentUser;
}
/// <summary>
/// Runs "InstallPath\eRAgent.exe -s" in the console user's session as that user. InstallPath is read from
/// HKLM\Software\acer\eRecovery; any exception — including the NullReferenceException raised when the key
/// is absent and OpenSubKey returned null — falls back to the hard-coded default. Sequence:
/// StartToImpersonateCurrentUser, CreateProcessAsUser with nToken, StopToImpersonateCurrentUser.
/// Creation flags 48 == CREATE_NEW_CONSOLE (0x10) | NORMAL_PRIORITY_CLASS (0x20). Returns true when the
/// process was created.
/// Review notes: the executable is passed only through lpCommandLine (lpApplicationName is null) and is
/// not quoted although the default path contains a space ("Empowering Technology"), so CreateProcessAsUser
/// tries each space-delimited prefix as the executable first — CWE-428, unquoted search path — and the
/// registry value is trusted the same way; the RegistryKey is never closed here (compare
/// ImpersonateUserToCreateProcess); the first GetValue call result is discarded; the PROCESS_INFORMATION
/// handles are discarded without CloseHandle; STARTUPINFO has only cb set.
/// </summary>
public static bool ImpersonateUserToCreateProcessSilent()
{
bool createProcessSilent = false;
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
string str;
try
{
registryKey.GetValue("InstallPath");
str = registryKey.GetValue("InstallPath").ToString();
}
catch
{
str = "C:\\Acer\\Empowering Technology\\eRecovery";
}
string lpCommandLine = str + "\\eRAgent.exe -s";
if (ImpersonateUser.StartToImpersonateCurrentUser())
{
WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
lpStartupInfo.cb = Marshal.SizeOf((object) lpStartupInfo);
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo, out WIN32.PROCESS_INFORMATION _))
createProcessSilent = true;
// Impersonation is always ended, whether or not the launch succeeded.
ImpersonateUser.StopToImpersonateCurrentUser();
}
return createProcessSilent;
}
/// <summary>
/// Starts two programs in the console user's session as that user: "BaseFolder\Acer.Empowering.Framework.Supervisor.exe"
/// (BaseFolder from HKLM\Software\acer\Empowering Technology 2.5\Framework, passed as an exact path via
/// lpApplicationName) and "InstallPath\eRAgent.exe -init" (InstallPath from HKLM\Software\acer\eRecovery,
/// passed as an unquoted command line). Each registry read falls back to a hard-coded default on any
/// exception. Creation flags 48 == CREATE_NEW_CONSOLE | NORMAL_PRIORITY_CLASS. Returns true when at least
/// one of the two launches succeeded.
/// Review notes: the try/catch only covers GetValue, so when a key is absent (OpenSubKey returned null)
/// the later registryKey1.Close()/registryKey2.Close() throws NullReferenceException outside the try;
/// the eRAgent command line has the same unquoted-path issue (CWE-428) as ImpersonateUserToCreateProcessSilent;
/// both CreateProcessAsUser calls write into the same lpProcessInformation and neither handle pair is
/// closed; lpStartupInfo1 and lpStartupInfo2 are identical apart from being separate instances.
/// </summary>
public static bool ImpersonateUserToCreateProcess()
{
bool createProcess = false;
RegistryKey registryKey1 = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
string str1;
try
{
registryKey1.GetValue("InstallPath");
str1 = registryKey1.GetValue("InstallPath").ToString();
}
catch
{
str1 = "C:\\Acer\\Empowering Technology\\eRecovery";
}
string lpCommandLine = str1 + "\\eRAgent.exe -init";
registryKey1.Close();
RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
string str2;
try
{
registryKey2.GetValue("BaseFolder");
str2 = registryKey2.GetValue("BaseFolder").ToString();
}
catch
{
str2 = "C:\\Acer\\Empowering Technology";
}
string lpApplicationName = str2 + "\\Acer.Empowering.Framework.Supervisor.exe";
registryKey2.Close();
if (ImpersonateUser.StartToImpersonateCurrentUser())
{
WIN32.STARTUPINFO lpStartupInfo1 = new WIN32.STARTUPINFO();
lpStartupInfo1.cb = Marshal.SizeOf((object) lpStartupInfo1);
WIN32.STARTUPINFO lpStartupInfo2 = new WIN32.STARTUPINFO();
lpStartupInfo2.cb = Marshal.SizeOf((object) lpStartupInfo2);
WIN32.PROCESS_INFORMATION lpProcessInformation;
// Supervisor: exact executable path, no command line.
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, lpApplicationName, (string) null, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo2, out lpProcessInformation))
createProcess = true;
// eRAgent -init: command line only, subject to CreateProcess path splitting on spaces.
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo1, out lpProcessInformation))
createProcess = true;
ImpersonateUser.StopToImpersonateCurrentUser();
}
return createProcess;
}
}
}