mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-20 18:36:10 +00:00
f2ac1ece55
add
235 lines
10 KiB
C#
235 lines
10 KiB
C#
// Decompiled with JetBrains decompiler
|
|
// Type: eRecoveryService.ImpersonateUser
|
|
// Assembly: eRecoveryService, Version=2.5.3.6, Culture=neutral, PublicKeyToken=null
|
|
// MVID: 08DF666A-8C92-4CCB-869A-390134BB6787
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Trojan.Win32.Patched.mf-d8d6de6a708417645ef396f90e846eda5ae240e20dd2ceba0b7c9c1e4a6a7d77.exe
|
|
|
|
using Microsoft.Win32;
|
|
using System;
|
|
using System.Management;
|
|
using System.Runtime.InteropServices;
|
|
using System.Text;
|
|
|
|
namespace eRecoveryService
|
|
{
|
|
public class ImpersonateUser
|
|
{
|
|
private static IntPtr nToken = IntPtr.Zero;
|
|
private static string currentLoggedOnUser = string.Empty;
|
|
|
|
public static IntPtr CurrentUserToken => ImpersonateUser.nToken;
|
|
|
|
public static void DeleteeRecovery()
|
|
{
|
|
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
|
|
string str1;
|
|
if (registryKey.GetValue("InstallPath") != null)
|
|
{
|
|
string str2 = registryKey.GetValue("InstallPath").ToString();
|
|
int startIndex = str2.IndexOf("\\eRecovery", StringComparison.OrdinalIgnoreCase);
|
|
str1 = str2.Remove(startIndex);
|
|
}
|
|
else
|
|
str1 = "C:\\Acer\\Empowering Technology";
|
|
string lpApplicationName = str1 + "\\Remove_eRecovery.exe";
|
|
WIN32.PROCESS_INFORMATION lpProcessInformation = new WIN32.PROCESS_INFORMATION();
|
|
WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
|
|
WIN32.SECURITY_ATTRIBUTES lpProcessAttributes = new WIN32.SECURITY_ATTRIBUTES();
|
|
WIN32.SECURITY_ATTRIBUTES lpThreadAttributes = new WIN32.SECURITY_ATTRIBUTES();
|
|
lpProcessAttributes.nLength = Marshal.SizeOf((object) lpProcessAttributes);
|
|
lpThreadAttributes.nLength = Marshal.SizeOf((object) lpThreadAttributes);
|
|
WIN32.CreateProcess(lpApplicationName, "", ref lpProcessAttributes, ref lpThreadAttributes, false, 0U, IntPtr.Zero, (string) null, ref lpStartupInfo, out lpProcessInformation);
|
|
}
|
|
|
|
public static bool IsHiddenPartitionExist()
|
|
{
|
|
foreach (ManagementObject managementObject in new ManagementObjectSearcher(new ManagementScope("root\\cimv2", new ConnectionOptions()
|
|
{
|
|
Username = (string) null,
|
|
Password = (string) null
|
|
}), new ObjectQuery("SELECT * FROM Win32_LogicalDiskToPartition")).Get())
|
|
{
|
|
string szDepedent = managementObject["Dependent"].ToString();
|
|
string szAntecedent = managementObject["Antecedent"].ToString();
|
|
if (ImpersonateUser.FindCPartition(szDepedent))
|
|
{
|
|
if (ImpersonateUser.IsCtheSecondPartition(szAntecedent))
|
|
return true;
|
|
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
|
|
string lpFileName = registryKey.GetValue("BaseFolder") == null ? "C:\\Acer\\Empowering Technology\\eRecoveryLog.ini" : registryKey.GetValue("BaseFolder").ToString() + "\\eRecoveryLog.ini";
|
|
WIN32.WritePrivateProfileString("Service delete eRecovery", "Time", DateTime.Now.ToString(), lpFileName);
|
|
WIN32.WritePrivateProfileString("Service delete eRecovery", "Dependent", szDepedent.ToString(), lpFileName);
|
|
WIN32.WritePrivateProfileString("Service delete eRecovery", "Antecedent", szAntecedent.ToString(), lpFileName);
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
private static bool FindCPartition(string szDepedent)
|
|
{
|
|
int num = szDepedent.IndexOf("Win32_LogicalDisk.DeviceID", StringComparison.OrdinalIgnoreCase);
|
|
return num > 0 && szDepedent.Substring(num + 26).IndexOf("c:", StringComparison.OrdinalIgnoreCase) > 0;
|
|
}
|
|
|
|
private static bool IsCtheSecondPartition(string szAntecedent)
|
|
{
|
|
int num1 = szAntecedent.IndexOf("Win32_DiskPartition.DeviceID", StringComparison.OrdinalIgnoreCase);
|
|
if (num1 > 0)
|
|
{
|
|
string str = szAntecedent.Substring(num1 + 28);
|
|
int num2 = str.IndexOf("Partition", StringComparison.OrdinalIgnoreCase);
|
|
if (num2 > 0 && str.Substring(num2 + 9).IndexOf("#1", StringComparison.OrdinalIgnoreCase) > 0)
|
|
return true;
|
|
}
|
|
return false;
|
|
}
|
|
|
|
public static string CurrentLoggedOnUser => ImpersonateUser.currentLoggedOnUser;
|
|
|
|
public static void StopToImpersonateCurrentUser()
|
|
{
|
|
if (!(ImpersonateUser.nToken != IntPtr.Zero))
|
|
return;
|
|
WIN32.CloseHandle(ImpersonateUser.nToken);
|
|
ImpersonateUser.nToken = IntPtr.Zero;
|
|
ImpersonateUser.currentLoggedOnUser = string.Empty;
|
|
WIN32.RevertToSelf();
|
|
}
|
|
|
|
private static string getAccountNameFromSid(IntPtr SID)
|
|
{
|
|
int cbName = 0;
|
|
int cbDomainName = 0;
|
|
int peUse = 0;
|
|
StringBuilder stringBuilder = new StringBuilder();
|
|
StringBuilder Account1 = (StringBuilder) null;
|
|
StringBuilder DomainName1 = (StringBuilder) null;
|
|
if (WIN32.LookupAccountSid((string) null, SID, Account1, ref cbName, DomainName1, ref cbDomainName, ref peUse) && Marshal.GetLastWin32Error() == 259)
|
|
return "Error";
|
|
StringBuilder Account2 = new StringBuilder(cbName);
|
|
StringBuilder DomainName2 = new StringBuilder(cbDomainName);
|
|
if (WIN32.LookupAccountSid((string) null, SID, Account2, ref cbName, DomainName2, ref cbDomainName, ref peUse))
|
|
{
|
|
stringBuilder.Append((object) DomainName2);
|
|
stringBuilder.Append("\\");
|
|
stringBuilder.Append((object) Account2);
|
|
}
|
|
else
|
|
stringBuilder.Append("Win32 Error: " + (object) Marshal.GetLastWin32Error());
|
|
return stringBuilder.ToString();
|
|
}
|
|
|
|
public static bool StartToImpersonateCurrentUser()
|
|
{
|
|
bool impersonateCurrentUser = false;
|
|
if (ImpersonateUser.nToken != IntPtr.Zero)
|
|
return impersonateCurrentUser;
|
|
uint consoleSessionId = WIN32.WTSGetActiveConsoleSessionId();
|
|
if (consoleSessionId != uint.MaxValue)
|
|
{
|
|
IntPtr ProcessHandle = IntPtr.Zero;
|
|
IntPtr ppProcessInfo = IntPtr.Zero;
|
|
uint pCount = 0;
|
|
if (WIN32.WTSEnumerateProcesses(WIN32.WTC_CURRENT_SERVER_HANDLE, 0, 1U, ref ppProcessInfo, ref pCount))
|
|
{
|
|
IntPtr pMemory = ppProcessInfo;
|
|
for (int index = 0; (long) index < (long) pCount; ++index)
|
|
{
|
|
WIN32.WTSProcessInfo structure = (WIN32.WTSProcessInfo) Marshal.PtrToStructure(ppProcessInfo, typeof (WIN32.WTSProcessInfo));
|
|
ppProcessInfo = (IntPtr) ((int) ppProcessInfo + Marshal.SizeOf((object) structure));
|
|
if (structure.pProcessName.ToLower().IndexOf("explorer") != -1 && (int) structure.SessionId == (int) consoleSessionId)
|
|
{
|
|
ImpersonateUser.currentLoggedOnUser = ImpersonateUser.getAccountNameFromSid(structure.pUserSid);
|
|
ProcessHandle = WIN32.OpenProcess(2035711U, false, structure.ProcessId);
|
|
break;
|
|
}
|
|
}
|
|
WIN32.WTSFreeMemory(pMemory);
|
|
}
|
|
IntPtr TokenHandle;
|
|
if (ProcessHandle != IntPtr.Zero && WIN32.OpenProcessToken(ProcessHandle, 10U, out TokenHandle))
|
|
{
|
|
if (WIN32.DuplicateTokenEx(TokenHandle, 11U, IntPtr.Zero, WIN32.SECURITY_IMPERSONATION_LEVEL.SecurityImpersonation, WIN32.TOKEN_TYPE.TokenPrimary, out ImpersonateUser.nToken) && WIN32.ImpersonateLoggedOnUser(ImpersonateUser.nToken))
|
|
impersonateCurrentUser = true;
|
|
WIN32.CloseHandle(TokenHandle);
|
|
}
|
|
}
|
|
if (!impersonateCurrentUser)
|
|
ImpersonateUser.currentLoggedOnUser = string.Empty;
|
|
return impersonateCurrentUser;
|
|
}
|
|
|
|
public static bool ImpersonateUserToCreateProcessSilent()
|
|
{
|
|
bool createProcessSilent = false;
|
|
RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
|
|
string str;
|
|
try
|
|
{
|
|
registryKey.GetValue("InstallPath");
|
|
str = registryKey.GetValue("InstallPath").ToString();
|
|
}
|
|
catch
|
|
{
|
|
str = "C:\\Acer\\Empowering Technology\\eRecovery";
|
|
}
|
|
string lpCommandLine = str + "\\eRAgent.exe -s";
|
|
if (ImpersonateUser.StartToImpersonateCurrentUser())
|
|
{
|
|
WIN32.STARTUPINFO lpStartupInfo = new WIN32.STARTUPINFO();
|
|
lpStartupInfo.cb = Marshal.SizeOf((object) lpStartupInfo);
|
|
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo, out WIN32.PROCESS_INFORMATION _))
|
|
createProcessSilent = true;
|
|
ImpersonateUser.StopToImpersonateCurrentUser();
|
|
}
|
|
return createProcessSilent;
|
|
}
|
|
|
|
public static bool ImpersonateUserToCreateProcess()
|
|
{
|
|
bool createProcess = false;
|
|
RegistryKey registryKey1 = Registry.LocalMachine.OpenSubKey("Software\\acer\\eRecovery", false);
|
|
string str1;
|
|
try
|
|
{
|
|
registryKey1.GetValue("InstallPath");
|
|
str1 = registryKey1.GetValue("InstallPath").ToString();
|
|
}
|
|
catch
|
|
{
|
|
str1 = "C:\\Acer\\Empowering Technology\\eRecovery";
|
|
}
|
|
string lpCommandLine = str1 + "\\eRAgent.exe -init";
|
|
registryKey1.Close();
|
|
RegistryKey registryKey2 = Registry.LocalMachine.OpenSubKey("Software\\acer\\Empowering Technology 2.5\\Framework", false);
|
|
string str2;
|
|
try
|
|
{
|
|
registryKey2.GetValue("BaseFolder");
|
|
str2 = registryKey2.GetValue("BaseFolder").ToString();
|
|
}
|
|
catch
|
|
{
|
|
str2 = "C:\\Acer\\Empowering Technology";
|
|
}
|
|
string lpApplicationName = str2 + "\\Acer.Empowering.Framework.Supervisor.exe";
|
|
registryKey2.Close();
|
|
if (ImpersonateUser.StartToImpersonateCurrentUser())
|
|
{
|
|
WIN32.STARTUPINFO lpStartupInfo1 = new WIN32.STARTUPINFO();
|
|
lpStartupInfo1.cb = Marshal.SizeOf((object) lpStartupInfo1);
|
|
WIN32.STARTUPINFO lpStartupInfo2 = new WIN32.STARTUPINFO();
|
|
lpStartupInfo2.cb = Marshal.SizeOf((object) lpStartupInfo2);
|
|
WIN32.PROCESS_INFORMATION lpProcessInformation;
|
|
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, lpApplicationName, (string) null, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo2, out lpProcessInformation))
|
|
createProcess = true;
|
|
if (WIN32.CreateProcessAsUser(ImpersonateUser.nToken, (string) null, lpCommandLine, IntPtr.Zero, IntPtr.Zero, false, 48U, IntPtr.Zero, (string) null, ref lpStartupInfo1, out lpProcessInformation))
|
|
createProcess = true;
|
|
ImpersonateUser.StopToImpersonateCurrentUser();
|
|
}
|
|
return createProcess;
|
|
}
|
|
}
|
|
}
|