// Decompiled with JetBrains decompiler
// Type: eRecoveryService.ServerClass
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
using eSettings.Model.Library;
using Microsoft.Win32;
using ServiceInterface;
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Remoting.Lifetime;
using System.Text;
using System.Threading;
namespace eRecoveryService
{
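public class ServerClass : MarshalByRefObject, Interface
{
    // ------------------------------------------------------------------
    // Every public method of this class is reachable through .NET Remoting
    // (MarshalByRefObject + the ServiceInterface contract) and none of them
    // performs any authorization of its own. Whoever can reach the remoting
    // channel therefore gets file deletion, HKLM writes, process launches
    // and an MBR rewrite with the service's privileges. The channel setup
    // is not in this file — NOTE(review): confirm it is bound locally and
    // access-checked before trusting these entry points.
    // ------------------------------------------------------------------

    // Boot-device type codes. Names are from the original assembly; nothing
    // in this file establishes how they map onto the INT15 byte values.
    public const int BOOT_FLOPPY = 0;
    public const int BOOT_HD = 1;
    public const int BOOT_ODD = 2;
    public const int BOOT_SCSI = 3;
    public const int BOOT_D2D = 4;
    public const int BOOT_LS120 = 5;
    public const int BOOT_PCMCIA = 6;
    public const int BOOT_NETWORK = 7;
    public const int BOOT_ZIP = 8;
    public const int BOOT_1394ODD = 9;
    public const int BOOT_USBHD = 10;
    public const int BOOT_USBODD = 11;
    public const int BOOT_USBFDD = 12;
    public const int BOOT_USBRD = 13;
    public const int BOOT_SECHD = 14;
    public const int BOOT_USBZIP = 15;
    public const int BOOT_USBOTH = 16;
    public const int BOOT_OTHER = 17;

    // DefineDosDevice flags (winbase.h). The original passed 1 and 7 as
    // bare literals: 1 = raw target path, 7 = raw path | remove | exact match.
    private const uint DDD_RAW_TARGET_PATH = 0x1;
    private const uint DDD_REMOVE_DEFINITION = 0x2;
    private const uint DDD_EXACT_MATCH_ON_REMOVE = 0x4;

    // Where the eRecovery installation is registered, and the fallbacks used
    // when the value is missing.
    private const string RecoveryKeyPath = "Software\\acer\\eRecovery";
    private const string InstallPathValueName = "InstallPath";
    private const string DefaultInstallPath = "C:\\Acer\\Empowering Technology\\eRecovery";
    private const string DefaultTmpDir = "C:\\Acer\\Empowering Technology";

    // The "hidden" recovery partition is always assumed to be the first
    // partition of the first disk; it is exposed by mapping a spare drive
    // letter onto this NT device path. The partition is hidden only in the
    // sense of having no drive letter — any administrator can map it.
    private const string HiddenPartitionDevice = "\\Device\\Harddisk0\\Partition1";

    // Attempts (one second apart) before giving up on a DefineDosDevice call.
    private const int DosDeviceRetries = 5;

    private static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    private System.Timers.Timer PercentageTiemr;   // never used in this class
    // Drive letter ("X:") that ExtractData last mapped the hidden partition
    // to; consumed by the parameterless UnMountHiddenPartition.
    private string m_szTmpHid;
    public int globalint;
    private System.Timers.Timer SWCDExtractTimer;  // never used in this class
    private string wimFile;
    private string tmpDir;                          // written, never read here
    private string applyDir;                        // written, never read here
    private ILease lease;

    /// <summary>
    /// Gives this remoting object an infinite lease: an initial lease time
    /// of zero means the lease never expires, so the server object lives as
    /// long as the hosting AppDomain does.
    /// </summary>
    public override object InitializeLifetimeService()
    {
        if (this.lease == null)
        {
            this.lease = (ILease) base.InitializeLifetimeService();
            if (this.lease.CurrentState == LeaseState.Initial)
                this.lease.InitialLeaseTime = TimeSpan.Zero;
        }
        return (object) this.lease;
    }

    /// <summary>
    /// Moves one entry of the BIOS boot sequence (read through INT15) to
    /// the front and writes the sequence back.
    /// </summary>
    /// <param name="nType">Requested boot type. 0 and 1 promote the entry
    /// whose byte value is 1; every other value promotes the entry whose
    /// byte value is 2 (presumably hard disk vs. optical — not established
    /// by anything in this file).</param>
    /// <returns>The result of INT15.SetBootSequenceNB, or false when INT15
    /// returned no buffer or an empty sequence. The original indexed into
    /// an empty array in those cases and threw.</returns>
    public bool SetBootSeqFromInt15(int nType)
    {
        IntPtr bootSequence = INT15.GetBootSequence();
        if (bootSequence == IntPtr.Zero)
            return false;

        int length = MeasureBootSequence(bootSequence);
        if (length <= 0)
            return false;

        byte marker = (nType == 0 || nType == 1) ? (byte) 1 : (byte) 2;

        // Copy the sequence, remembering the position of the LAST entry that
        // equals the marker (the original kept overwriting its index too).
        byte[] sequence = new byte[length];
        int markerIndex = 0;
        for (int ofs = 0; ofs < length; ++ofs)
        {
            sequence[ofs] = Marshal.ReadByte(bootSequence, ofs);
            if (sequence[ofs] == marker)
                markerIndex = ofs;
        }

        // Swap the marked entry into slot 0. If no entry matched, slot 0 is
        // simply overwritten with the marker — kept as in the original.
        sequence[markerIndex] = sequence[0];
        sequence[0] = marker;
        return INT15.SetBootSequenceNB(sequence, length);
    }

    /// <summary>
    /// Length of the INT15 boot-sequence buffer: the bytes before the first
    /// 0xFF, except that a run of four zero bytes also ends the sequence,
    /// keeping only the first zero of the run.
    /// </summary>
    /// <remarks>
    /// The read is unbounded; it relies on the buffer INT15 returned being
    /// terminated by 0xFF or zeros. Nothing here can validate that.
    /// </remarks>
    private static int MeasureBootSequence(IntPtr bootSequence)
    {
        int length = 0;
        int zeroRun = 0;
        byte current;
        while ((current = Marshal.ReadByte(bootSequence, length)) != byte.MaxValue)
        {
            ++length;
            zeroRun = (current == (byte) 0) ? zeroRun + 1 : 0;
            if (zeroRun == 4)
            {
                length -= 3;
                break;
            }
        }
        return length;
    }

    /// <summary>
    /// Reads HKLM\Software\acer\eRecovery\InstallPath.
    /// </summary>
    /// <returns>The value as a string, or null when either the key or the
    /// value is absent.</returns>
    private static string ReadInstallPath()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(RecoveryKeyPath, false))
        {
            if (key == null)
                return null;
            object value = key.GetValue(InstallPathValueName);
            return value == null ? null : value.ToString();
        }
    }

    /// <summary>
    /// Directory holding the autorun files: InstallPath from the registry,
    /// or the default Acer path when it is not set. The original threw a
    /// NullReferenceException when the registry key itself was missing.
    /// </summary>
    private string FindAutorunPath()
    {
        return ReadInstallPath() ?? DefaultInstallPath;
    }

    /// <summary>
    /// Launches an executable from the InstallPath directory and returns
    /// without waiting for it.
    /// </summary>
    /// <param name="exeName">File name relative to InstallPath.</param>
    /// <param name="arguments">Command line for the child, or null.</param>
    /// <returns>false when InstallPath is not configured; true once the
    /// process has been started. Process.Start still throws (as the
    /// original did) when the executable cannot be launched.</returns>
    private static bool LaunchInstalledTool(string exeName, string arguments)
    {
        string installPath = ReadInstallPath();
        if (installPath == null)
            return false;

        string exePath = installPath + "\\" + exeName;
        Process child = arguments == null ? Process.Start(exePath) : Process.Start(exePath, arguments);
        // Disposing the wrapper only releases our handle; the child keeps running.
        if (child != null)
            child.Dispose();
        return true;
    }

    /// <summary>Starts BackupMachine.exe from the InstallPath directory.</summary>
    /// <returns>false when InstallPath is not configured.</returns>
    public bool StartBackupMachine()
    {
        return LaunchInstalledTool("BackupMachine.exe", null);
    }

    /// <summary>Starts SetFDFolder.exe from the InstallPath directory.</summary>
    /// <param name="InArg">Command line handed verbatim to SetFDFolder.exe.
    /// It arrives straight from the remoting caller and is not validated,
    /// so whatever SetFDFolder.exe accepts on its command line is exposed to
    /// every caller of this service.</param>
    /// <returns>false when InstallPath is not configured.</returns>
    public bool LauncSetFDFolderExe(string InArg)
    {
        return LaunchInstalledTool("SetFDFolder.exe", InArg);
    }

    /// <summary>
    /// Starts "MBRwrWin.exe -directh" from the InstallPath directory.
    /// Judging only by the names involved this rewrites the master boot
    /// record; the tool itself is not in this file.
    /// </summary>
    /// <returns>false when InstallPath is not configured.</returns>
    public bool SetMBR()
    {
        return LaunchInstalledTool("MBRwrWin.exe", "-directh");
    }

    /// <summary>Result of INT15.GetD2DBIOS (disk-to-disk recovery BIOS support, by name).</summary>
    public bool CheckD2DBIOS() => INT15.GetD2DBIOS();

    /// <summary>
    /// Deletes <paramref name="filePath"/> with File.Delete.
    /// </summary>
    /// <remarks>
    /// The path is not restricted in any way, so a remoting client can
    /// delete any file the service account can. The interface fixes the
    /// signature, so this is only flagged here — NOTE(review): constrain it
    /// to the eRecovery directory if the callers permit.
    /// </remarks>
    public void DeleteFile(string filePath) => File.Delete(filePath);

    /// <summary>
    /// Creates (or opens) <paramref name="RegSubKeyString"/> under HKLM and
    /// stores <paramref name="RegKeyValue"/> as <paramref name="RegKeyName"/>.
    /// Despite the name, the value written is an int, not a string.
    /// </summary>
    /// <returns>false when the key cannot be created or the value cannot be
    /// written; true otherwise. The original let CreateSubKey failures
    /// escape as exceptions and never disposed the key.</returns>
    /// <remarks>
    /// Any HKLM subkey the service account can create is writable through
    /// this remoting call.
    /// </remarks>
    public bool WriteLocalRegString(string RegSubKeyString, string RegKeyName, int RegKeyValue)
    {
        try
        {
            using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey(RegSubKeyString))
            {
                if (subKey == null)
                    return false;
                subKey.SetValue(RegKeyName, (object) RegKeyValue);
            }
        }
        catch (Exception)
        {
            // Best effort, as in the original: report failure, do not crash.
            return false;
        }
        return true;
    }

    /// <summary>
    /// Decides whether the autorun payload has to be (re)extracted by
    /// checking every [section] of Autorun.ini for a "Filename" that exists
    /// with the expected "Size".
    /// </summary>
    /// <returns>true only when the hard-coded Autorun.ini exists and no
    /// section failed its checks; false otherwise.</returns>
    /// <remarks>
    /// The logic is kept byte-for-byte from the decompiled original because
    /// it is fragile in ways that cannot be fixed blind:
    /// - existence is checked against the hard-coded Acer path, while the
    ///   sections are then read from the registry-derived path;
    /// - the section-name buffer is decoded by rendering each byte as its
    ///   decimal value minus 48, which only round-trips digit characters.
    ///   This looks like a decompilation artifact of a char conversion —
    ///   NOTE(review): verify against the original source;
    /// - Convert.ToUInt32 throws (FormatException) when "Size" is missing,
    ///   because the default returned is "xfail";
    /// - the "Time" value is read and then discarded.
    /// </remarks>
    public bool IsNeedToExtractData()
    {
        string lpFileName = this.FindAutorunPath() + "\\Autorun.ini";
        bool extractData = true;
        IntPtr firstFile1 = WIN32.FindFirstFile("C:\\Acer\\Empowering Technology\\eRecovery\\Autorun.ini", out WIN32.WIN32_FIND_DATA _);
        if (firstFile1 != INVALID_HANDLE_VALUE)
        {
            WIN32.FindClose(firstFile1);
            int length = 4096;
            byte[] lpszReturnBuffer = new byte[length];
            StringBuilder lpReturnedString1 = new StringBuilder(4096);
            StringBuilder lpReturnedString2 = new StringBuilder(32);
            StringBuilder lpReturnedString3 = new StringBuilder(8);
            // Section names come back as a NUL-separated list ending in a
            // double NUL.
            WIN32.GetPrivateProfileSectionNames(lpszReturnBuffer, lpszReturnBuffer.Length, lpFileName);
            string lpAppName = "";
            for (int index = 0; index < length; ++index)
            {
                // See <remarks>: a NUL byte becomes "\0", anything else its
                // decimal value minus 48.
                string str = lpszReturnBuffer[index].ToString().CompareTo("0") == 0 ? "\0" : ((byte) ((uint) lpszReturnBuffer[index] - 48U)).ToString();
                if (str.CompareTo("\0") == 0)
                {
                    if (lpAppName.CompareTo("") != 0)
                    {
                        int privateProfileString1 = (int) WIN32.GetPrivateProfileString(lpAppName, "Filename", "xfail", lpReturnedString1, (uint) lpReturnedString1.Capacity, lpFileName);
                        WIN32.WIN32_FIND_DATA lpFindFileData;
                        IntPtr firstFile2 = WIN32.FindFirstFile(lpReturnedString1.ToString(), out lpFindFileData);
                        if (firstFile2 == INVALID_HANDLE_VALUE)
                        {
                            // Referenced file missing: stop scanning (the
                            // index bump is how the original exits the loop).
                            extractData = false;
                            index = length + 1;
                        }
                        else
                        {
                            WIN32.FindClose(firstFile2);
                            int privateProfileString2 = (int) WIN32.GetPrivateProfileString(lpAppName, "Size", "xfail", lpReturnedString2, (uint) lpReturnedString2.Capacity, lpFileName);
                            uint uint32 = Convert.ToUInt32(lpReturnedString2.ToString());
                            // Only the low 32 bits of the file size are compared.
                            if ((int) lpFindFileData.nFileSizeLow != (int) uint32)
                            {
                                extractData = false;
                                index = length + 1;
                            }
                            else
                            {
                                int privateProfileString3 = (int) WIN32.GetPrivateProfileString(lpAppName, "Time", "xfail", lpReturnedString3, (uint) lpReturnedString3.Capacity, lpFileName);
                                lpReturnedString3.ToString();
                            }
                        }
                        lpAppName = "";
                    }
                    else
                        break;   // second consecutive NUL: end of the section list
                }
                else
                    lpAppName += str;
            }
        }
        else
            extractData = false;
        return extractData;
    }

    /// <summary>
    /// Measures C:\System Volume Information in MiB and stores the result
    /// as DWORD "SysVolSize" under HKLM\Software\acer\eRecovery\Main.
    /// </summary>
    /// <returns>false when the registry write fails (including a size that
    /// does not fit a DWORD); true otherwise.</returns>
    public bool GetSystemVolumnInfo()
    {
        long sizeMiB = this.GetSysVolumnSize("C:\\System Volume Information") / 1048576L;
        try
        {
            using (RegistryKey main = Registry.LocalMachine.CreateSubKey(RecoveryKeyPath + "\\Main", RegistryKeyPermissionCheck.ReadWriteSubTree))
            {
                if (main == null)
                    return false;
                main.SetValue("SysVolSize", (object) sizeMiB, RegistryValueKind.DWord);
            }
        }
        catch (Exception)
        {
            return false;
        }
        return true;
    }

    /// <summary>
    /// Total size in bytes of every file below <paramref name="pPath"/>,
    /// recursing into subdirectories with FindFirstFile/FindNextFile.
    /// </summary>
    /// <returns>0 when the directory cannot be enumerated.</returns>
    /// <remarks>
    /// Reparse points are not distinguished from plain directories, so a
    /// cyclic junction would presumably recurse without bound — unchanged
    /// from the original. The search handle is now closed even if an
    /// exception escapes the loop.
    /// </remarks>
    private long GetSysVolumnSize(string pPath)
    {
        WIN32.WIN32_FIND_DATA entry;
        IntPtr search = WIN32.FindFirstFile(pPath + "\\*.*", out entry);
        if (search == INVALID_HANDLE_VALUE)
            return 0;

        long total = 0;
        try
        {
            do
            {
                // FILE_ATTRIBUTE_DIRECTORY (0x10), spelled via the enum.
                bool isDirectory = ((int) entry.dwFileAttributes & (int) FileAttributes.Directory) != 0;
                if (isDirectory)
                {
                    if (entry.cFileName != "." && entry.cFileName != "..")
                        total += this.GetSysVolumnSize(pPath + "\\" + entry.cFileName);
                }
                else
                {
                    total += (long) entry.nFileSizeHigh * 4294967296L + (long) entry.nFileSizeLow;
                }
            }
            while (WIN32.FindNextFile(search, out entry));
        }
        finally
        {
            WIN32.FindClose(search);
        }
        return total;
    }

    /// <summary>
    /// Wipes the existing autorun directory and autorun.ini under the
    /// install path, maps the hidden partition to a spare drive letter and
    /// starts imagex.exe to apply autorun\swcd.wim from it onto the install
    /// directory. Returns without waiting for imagex.
    /// </summary>
    /// <returns>false when no spare drive letter exists, the partition could
    /// not be mapped, or the WIM is not present; true once imagex has been
    /// started. The original ignored the mount result, so with no free
    /// letter it went looking for "\autorun\swcd.wim" on the current drive.</returns>
    /// <remarks>
    /// The mapping is deliberately left in place on success and must be
    /// dropped later with UnMountHiddenPartition(). The imagex command line
    /// embeds InstallPath inside double quotes; a value containing a quote
    /// would break the parse, but the key is under HKLM and so is only
    /// writable by administrators.
    /// </remarks>
    public bool ExtractData()
    {
        string autorunPath = this.FindAutorunPath();
        string iniPath = autorunPath + "\\autorun.ini";
        string autorunDir = autorunPath + "\\autorun";

        if (Directory.Exists(autorunDir))
        {
            File.SetAttributes(autorunDir, FileAttributes.Normal);
            // SHFileOperation needs a double-NUL-terminated source list.
            // 3604 = 0xE14, which reads as FOF_SILENT | FOF_NOCONFIRMATION |
            // FOF_NOCONFIRMMKDIR | FOF_NOERRORUI | FOF_NOCOPYSECURITYATTRIBS.
            // (The decompiled original passed `ref new ...`, which is not
            // valid C#; a local is required.)
            WIN32.SHFILEOPSTRUCT op = new WIN32.SHFILEOPSTRUCT();
            op.hwnd = IntPtr.Zero;
            op.wFunc = WIN32.FO_Func.FO_DELETE;
            op.pFrom = autorunDir + "\0\0";
            op.pTo = "";
            op.fFlags = (ushort) 3604;
            WIN32.SHFileOperation(ref op);
        }

        if (File.Exists(iniPath))
            File.Delete(iniPath);

        this.m_szTmpHid = this.GetAvailableDrLetter();
        if (this.m_szTmpHid.Length == 0 || !this.MountHiddenPartition(this.m_szTmpHid))
            return false;

        this.wimFile = this.m_szTmpHid + "\\autorun\\swcd.wim";

        string installPath = ReadInstallPath();
        if (installPath != null)
        {
            this.applyDir = installPath;
            // Parent of the "eRecovery" directory; the original threw when
            // the substring was absent (Remove(-1)).
            int cut = this.applyDir.IndexOf("eRecovery", StringComparison.Ordinal);
            this.tmpDir = cut >= 0 ? this.applyDir.Remove(cut) : this.applyDir;
        }
        else
        {
            this.applyDir = DefaultInstallPath;
            this.tmpDir = DefaultTmpDir;
            installPath = DefaultInstallPath;
        }

        if (!File.Exists(this.wimFile))
        {
            // Nothing to apply; release the mapping rather than leaving it
            // dangling for a caller that may never call UnMount.
            this.UnMountHiddenPartition();
            return false;
        }

        this.CallProcessNoWait("\"" + installPath + "\\imagex.exe\" /apply " + this.m_szTmpHid + "\\autorun\\swcd.wim 1 \"" + installPath + "\"");
        return true;
    }

    /// <summary>
    /// Records the current Win32 error as "SWCDErrorCode" under
    /// HKLM\Software\acer\eRecovery\Main, closes the WIM image/file handles
    /// and unregisters the message callback, keeping the first error that
    /// occurs along the way and re-setting it as the thread's last error.
    /// </summary>
    /// <remarks>Not called from anywhere in this class.</remarks>
    private void SampleApplyCleanup(IntPtr hwim, IntPtr himg, WIN32.WIMMessageCallback callback)
    {
        int lastWin32Error = Marshal.GetLastWin32Error();
        this.WriteLocalRegString(RecoveryKeyPath + "\\Main", "SWCDErrorCode", lastWin32Error);
        if (himg != IntPtr.Zero && !WIN32.WIMCloseHandle(himg) && lastWin32Error == 0)
            lastWin32Error = Marshal.GetLastWin32Error();
        if (hwim != IntPtr.Zero && !WIN32.WIMCloseHandle(hwim) && lastWin32Error == 0)
            lastWin32Error = Marshal.GetLastWin32Error();
        if (callback != null && !WIN32.WIMUnregisterMessageCallback(IntPtr.Zero, callback) && lastWin32Error == 0)
            lastWin32Error = Marshal.GetLastWin32Error();
        WIN32.SetLastError((uint) lastWin32Error);
    }

    /// <summary>
    /// Starts a process with CreateProcess and returns immediately.
    /// </summary>
    /// <param name="applicationName">lpApplicationName, or null to resolve
    /// the executable from <paramref name="commandLine"/>.</param>
    /// <param name="commandLine">lpCommandLine, or null.</param>
    /// <remarks>
    /// Behaviour is kept from the original: the CreateProcess result is
    /// ignored, STARTUPINFO.cb is left at zero although the API documents
    /// it must be sizeof(STARTUPINFO), and the process and thread handles
    /// in PROCESS_INFORMATION are never closed because the WIN32 wrapper
    /// visible here exposes no CloseHandle — NOTE(review): both leak.
    /// </remarks>
    private static void CreateProcessNoWait(string applicationName, string commandLine)
    {
        WIN32.STARTUPINFO startup = new WIN32.STARTUPINFO();
        WIN32.SECURITY_ATTRIBUTES processAttrs = new WIN32.SECURITY_ATTRIBUTES();
        WIN32.SECURITY_ATTRIBUTES threadAttrs = new WIN32.SECURITY_ATTRIBUTES();
        processAttrs.nLength = Marshal.SizeOf((object) processAttrs);
        threadAttrs.nLength = Marshal.SizeOf((object) threadAttrs);
        WIN32.PROCESS_INFORMATION info;
        WIN32.CreateProcess(applicationName, commandLine, ref processAttrs, ref threadAttrs, false, 0U, IntPtr.Zero, (string) null, ref startup, out info);
    }

    /// <summary>Runs <paramref name="szCommand"/> as a full command line (no application name) and returns at once.</summary>
    private void CallProcessNoWait(string szCommand)
    {
        CreateProcessNoWait((string) null, szCommand);
    }

    /// <summary>
    /// Calls DefineDosDevice with <paramref name="flags"/> for the hidden
    /// partition, retrying up to DosDeviceRetries times one second apart.
    /// </summary>
    /// <returns>true as soon as a call succeeds; false after the last
    /// failure. The original MountHiddenPartition and the string overload
    /// of UnMountHiddenPartition never incremented their counter and so
    /// looped forever when the call kept failing.</returns>
    private static bool RetryDefineDosDevice(uint flags, string driveLetter)
    {
        for (int attempt = 0; attempt < DosDeviceRetries; ++attempt)
        {
            if (WIN32.DefineDosDevice(flags, driveLetter, HiddenPartitionDevice))
                return true;
            Thread.Sleep(1000);
        }
        return false;
    }

    /// <summary>Maps <paramref name="szDr"/> ("X:") onto the hidden partition's device path.</summary>
    private bool MountHiddenPartition(string szDr)
    {
        return RetryDefineDosDevice(DDD_RAW_TARGET_PATH, szDr);
    }

    /// <summary>
    /// First unused drive letter from D: upwards, as "X:".
    /// </summary>
    /// <returns>"" when every letter D..Z is taken, or when GetLogicalDrives
    /// fails (it returns 0 on failure; the original then reported D: as
    /// free).</returns>
    private string GetAvailableDrLetter()
    {
        uint driveMask = WIN32.GetLogicalDrives();
        if (driveMask == 0U)
            return "";

        // Bit n of the mask is set when drive 'A' + n exists; start at D.
        for (int bit = 3; bit < 26; ++bit)
        {
            if (((driveMask >> bit) & 1U) == 0U)
                return ((char) ('A' + bit)).ToString() + ":";
        }
        return "";
    }

    /// <summary>
    /// Removes the mapping created by ExtractData.
    /// </summary>
    /// <returns>false when ExtractData never mapped anything (the original
    /// threw on the null field) or the removal keeps failing.</returns>
    public bool UnMountHiddenPartition()
    {
        if (string.IsNullOrEmpty(this.m_szTmpHid))
            return false;
        return this.UnMountHiddenPartition(this.m_szTmpHid);
    }

    /// <summary>
    /// Removes the drive-letter mapping <paramref name="m_szTempHid"/> for
    /// the hidden partition (exact-match removal).
    /// </summary>
    /// <returns>false for an empty letter or when the removal keeps failing.</returns>
    public bool UnMountHiddenPartition(string m_szTempHid)
    {
        if (string.IsNullOrEmpty(m_szTempHid))
            return false;
        return RetryDefineDosDevice(DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION | DDD_EXACT_MATCH_ON_REMOVE, m_szTempHid);
    }

    /// <summary>
    /// Runs autorun\CheckFiles.exe from the install directory, if present,
    /// without waiting for it.
    /// </summary>
    public void LaunchCheckFiles()
    {
        string checkFiles = this.FindAutorunPath() + "\\autorun\\CheckFiles.exe";
        if (!File.Exists(checkFiles))
            return;
        CreateProcessNoWait(checkFiles, (string) null);
    }

    /// <summary>
    /// Stores — or, with an empty password, removes — the hidden-partition
    /// password and hint in aimdrs.dat on the recovery partition.
    /// </summary>
    /// <param name="szPass">Password; empty (or null) deletes the file if
    /// it exists, otherwise an empty "PD" is still written, as before.</param>
    /// <param name="szHint">Hint stored next to the password.</param>
    /// <returns>false when no spare drive letter exists or the partition
    /// could not be mapped; true otherwise. The original ignored both and
    /// would then have read or written "\aimdrs.dat" in the root of the
    /// current drive.</returns>
    /// <remarks>
    /// The password is written in clear text (section MyData, key PD) and
    /// "protected" only by hidden/system/read-only attributes, which are
    /// not access control: anyone able to map the partition or read the raw
    /// disk can read it. Changing the format would break whatever reads PD
    /// on the recovery side, which is not in this file, so it is flagged
    /// rather than fixed — NOTE(review). The WritePrivateProfileString
    /// results are not checked either; the wrapper's return type is not
    /// visible here.
    /// </remarks>
    public bool SetHiddenPartPassHint(string szPass, string szHint)
    {
        string drive = this.GetAvailableDrLetter();
        if (drive.Length == 0 || !this.MountHiddenPartition(drive))
            return false;

        string dataFile = drive + "\\aimdrs.dat";
        try
        {
            bool exists = File.Exists(dataFile);
            if (string.IsNullOrEmpty(szPass) && exists)
            {
                File.SetAttributes(dataFile, FileAttributes.Normal);
                File.Delete(dataFile);
                return true;
            }

            // Clear the read-only/hidden/system bits before rewriting.
            if (exists)
                File.SetAttributes(dataFile, FileAttributes.Normal);
            WIN32.WritePrivateProfileString("MyData", "PD", szPass, dataFile);
            WIN32.WritePrivateProfileString("MyData", "HT", szHint, dataFile);
            File.SetAttributes(dataFile, FileAttributes.ReadOnly | FileAttributes.Hidden | FileAttributes.System);
            return true;
        }
        finally
        {
            // Drop the mapping on every path, including a thrown file call
            // (the original left the letter mapped in that case).
            this.UnMountHiddenPartition(drive);
        }
    }
}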
}