mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2024-12-25 21:05:28 +00:00
436 lines
12 KiB
C#
436 lines
12 KiB
C#
// Decompiled with JetBrains decompiler
|
|
// Type: ai
|
|
// Assembly: SpeechGridService, Version=1.0.0.81, Culture=neutral, PublicKeyToken=0b1522110151bc44
|
|
// MVID: EC73F2A1-74C8-4B65-87F0-244E72253AC2
|
|
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00000-msil\Trojan.Win32.Patched.mf-e8127d5ac262f8a18c98990240938f5b10bb0eb14e19d9b9912199b94bd711a1.exe
|
|
|
|
using Microsoft.Win32;
|
|
using System;
|
|
using System.ComponentModel;
|
|
using System.Diagnostics;
|
|
using System.IO;
|
|
using System.Reflection;
|
|
using System.Runtime.InteropServices;
|
|
using System.Security.AccessControl;
|
|
using System.Security.Principal;
|
|
using System.ServiceProcess;
|
|
using System.Threading;
|
|
|
|
public class ai : ServiceBase
|
|
{
|
|
private IContainer a;
|
|
private Timer b;
|
|
private static readonly TimeSpan c = TimeSpan.FromMinutes(5.0);
|
|
private EventWaitHandle d;
|
|
private EventWaitHandle e;
|
|
|
|
protected override void Dispose(bool disposing)
|
|
{
|
|
if (disposing && this.a != null)
|
|
this.a.Dispose();
|
|
base.Dispose(disposing);
|
|
}
|
|
|
|
private void i()
|
|
{
|
|
this.a = (IContainer) new Container();
|
|
this.ServiceName = "Service1";
|
|
}
|
|
|
|
public ai() => this.i();
|
|
|
|
protected override void OnStart(string[] args)
|
|
{
|
|
this.RequestAdditionalTime(120000);
|
|
ThreadPool.QueueUserWorkItem(new WaitCallback(this.c), (object) null);
|
|
}
|
|
|
|
protected override void OnStop() => ai.a("SpeechGridService stopped");
|
|
|
|
private void c(object A_0)
|
|
{
|
|
ai.a("SpeechGridService started");
|
|
try
|
|
{
|
|
global::e A_0_1 = new global::e();
|
|
A_0_1.b(ai.d());
|
|
A_0_1.a(new k(this.c));
|
|
A_0_1.a(ai.b());
|
|
A_0_1.a(true);
|
|
A_0_1.a(new ah(ai.a));
|
|
A_0_1.a(new a3(ai.a));
|
|
A_0_1.b(new a3(ai.b));
|
|
@as.b(A_0_1);
|
|
this.g();
|
|
this.f();
|
|
this.h();
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Exception during service startup", ex);
|
|
}
|
|
}
|
|
|
|
private void h()
|
|
{
|
|
try
|
|
{
|
|
this.d = this.b("Global\\SpeechGrid-EnableAutomaticUpdates");
|
|
this.e = this.b("Global\\SpeechGrid-DisableAutomaticUpdates");
|
|
ThreadPool.QueueUserWorkItem(new WaitCallback(this.b), (object) this.d);
|
|
ThreadPool.QueueUserWorkItem(new WaitCallback(this.b), (object) this.e);
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Error starting listening for automatic update signaling events", ex);
|
|
}
|
|
}
|
|
|
|
private void b(object A_0)
|
|
{
|
|
try
|
|
{
|
|
EventWaitHandle eventWaitHandle = (EventWaitHandle) A_0;
|
|
while (true)
|
|
{
|
|
eventWaitHandle.WaitOne();
|
|
bool flag = eventWaitHandle == this.d;
|
|
using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
|
|
subKey?.SetValue("AutomaticUpdatesEnabled", (object) (flag ? 1L : 0L), RegistryValueKind.QWord);
|
|
ai.a(string.Format("Set LocalMachine automatic updates flag to {0}", (object) flag));
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Error listening for automatic update signaling event", ex);
|
|
}
|
|
}
|
|
|
|
private EventWaitHandle b(string A_0)
|
|
{
|
|
EventWaitHandleAccessRule rule = new EventWaitHandleAccessRule((IdentityReference) new SecurityIdentifier(WellKnownSidType.AuthenticatedUserSid, (SecurityIdentifier) null), EventWaitHandleRights.Modify | EventWaitHandleRights.Synchronize, AccessControlType.Allow);
|
|
EventWaitHandleSecurity eventSecurity = new EventWaitHandleSecurity();
|
|
eventSecurity.AddAccessRule(rule);
|
|
bool createdNew;
|
|
return new EventWaitHandle(false, EventResetMode.AutoReset, A_0, out createdNew, eventSecurity);
|
|
}
|
|
|
|
private void g() => this.b = new Timer(new TimerCallback(this.a), (object) null, ai.c, ai.c);
|
|
|
|
private void a(object A_0)
|
|
{
|
|
try
|
|
{
|
|
using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
|
|
{
|
|
object obj1 = subKey.GetValue("AliveTime", (object) 0L);
|
|
if (obj1 == null || !(obj1 is long))
|
|
obj1 = (object) 0L;
|
|
object obj2 = (object) ((long) obj1 + ai.c.Ticks);
|
|
subKey.SetValue("AliveTime", obj2, RegistryValueKind.QWord);
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Exception trying to update the service alive timer", ex);
|
|
}
|
|
}
|
|
|
|
[DllImport("kernel32.dll")]
|
|
private static extern bool ProcessIdToSessionId(uint A_0, out uint A_1);
|
|
|
|
[DllImport("wtsapi32.dll", SetLastError = true)]
|
|
private static extern bool WTSQueryUserToken(uint A_0, out IntPtr A_1);
|
|
|
|
[DllImport("advapi32.dll", CharSet = CharSet.Auto, SetLastError = true)]
|
|
private static extern bool CreateProcessAsUser(
|
|
IntPtr A_0,
|
|
string A_1,
|
|
string A_2,
|
|
IntPtr A_3,
|
|
IntPtr A_4,
|
|
bool A_5,
|
|
uint A_6,
|
|
IntPtr A_7,
|
|
string A_8,
|
|
ref ai.b A_9,
|
|
out ai.a A_10);
|
|
|
|
[DllImport("userenv.dll", SetLastError = true)]
|
|
private static extern bool CreateEnvironmentBlock(out IntPtr A_0, IntPtr A_1, bool A_2);
|
|
|
|
[DllImport("userenv.dll", SetLastError = true)]
|
|
[return: MarshalAs(UnmanagedType.Bool)]
|
|
private static extern bool DestroyEnvironmentBlock(IntPtr A_0);
|
|
|
|
[DllImport("kernel32.dll", SetLastError = true)]
|
|
private static extern bool CloseHandle(IntPtr A_0);
|
|
|
|
private void a(Process A_0)
|
|
{
|
|
try
|
|
{
|
|
uint A_1;
|
|
if (!ai.ProcessIdToSessionId((uint) A_0.Id, out A_1))
|
|
return;
|
|
ai.a(string.Format("Remembering client app session information for relaunch after update. (Session {0})", (object) A_1));
|
|
using (RegistryKey subKey = Registry.LocalMachine.CreateSubKey("Software\\SpeechGrid\\AppData"))
|
|
{
|
|
subKey.SetValue("UpdateUserSessionID", (object) (long) A_1, RegistryValueKind.QWord);
|
|
subKey.SetValue("UpdateUserSessionIDTimestamp", (object) DateTime.UtcNow.Ticks, RegistryValueKind.QWord);
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Exception trying to record client app session ID", ex);
|
|
}
|
|
}
|
|
|
|
private void f()
|
|
{
|
|
try
|
|
{
|
|
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid\\AppData", true))
|
|
{
|
|
if (registryKey == null)
|
|
return;
|
|
long valueOrDefault1 = (registryKey.GetValue("UpdateUserSessionID") as long?).GetValueOrDefault(0L);
|
|
long valueOrDefault2 = (registryKey.GetValue("UpdateUserSessionIDTimestamp") as long?).GetValueOrDefault(0L);
|
|
registryKey.DeleteValue("UpdateUserSessionID", false);
|
|
registryKey.DeleteValue("UpdateUserSessionIDTimestamp", false);
|
|
bool flag = true;
|
|
if (valueOrDefault1 < 0L)
|
|
flag = false;
|
|
if (valueOrDefault2 <= 0L || DateTime.UtcNow.Subtract(new DateTime(valueOrDefault2)) > TimeSpan.FromMinutes(5.0))
|
|
flag = false;
|
|
if (!flag)
|
|
{
|
|
ai.a(string.Format("Not relaunching client app after an update (sessionID = {0}, timestamp = {1}).", (object) valueOrDefault1, (object) valueOrDefault2));
|
|
}
|
|
else
|
|
{
|
|
ai.a("Trying to relaunch client app after an update...");
|
|
if (this.a().Length > 0)
|
|
{
|
|
ai.a("Client app is already running.");
|
|
}
|
|
else
|
|
{
|
|
string str = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "SpeechGrid.exe");
|
|
if (!File.Exists(str))
|
|
{
|
|
ai.a("Client app could not be found.");
|
|
}
|
|
else
|
|
{
|
|
IntPtr A_1;
|
|
if (!ai.WTSQueryUserToken((uint) valueOrDefault1, out A_1))
|
|
{
|
|
ai.a("Query user token failed");
|
|
}
|
|
else
|
|
{
|
|
try
|
|
{
|
|
IntPtr A_0;
|
|
if (!ai.CreateEnvironmentBlock(out A_0, A_1, false))
|
|
{
|
|
ai.a("Creating environment block failed");
|
|
return;
|
|
}
|
|
try
|
|
{
|
|
ai.b A_9 = new ai.b()
|
|
{
|
|
c = "winsta0\\default"
|
|
};
|
|
A_9.a = Marshal.SizeOf((object) A_9);
|
|
ai.a A_10;
|
|
if (ai.CreateProcessAsUser(A_1, str, (string) null, IntPtr.Zero, IntPtr.Zero, false, 1024U, A_0, Path.GetDirectoryName(str), ref A_9, out A_10))
|
|
{
|
|
ai.CloseHandle(A_10.a);
|
|
ai.CloseHandle(A_10.b);
|
|
}
|
|
else
|
|
{
|
|
ai.a("Creating process as user failed");
|
|
return;
|
|
}
|
|
}
|
|
finally
|
|
{
|
|
ai.DestroyEnvironmentBlock(A_0);
|
|
}
|
|
}
|
|
finally
|
|
{
|
|
ai.CloseHandle(A_1);
|
|
}
|
|
ai.a("Client app restarted successfully.");
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Exception trying to record client app session ID", ex);
|
|
}
|
|
}
|
|
|
|
private static bool e()
|
|
{
|
|
try
|
|
{
|
|
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid", false))
|
|
{
|
|
if (registryKey == null)
|
|
return false;
|
|
if (!(registryKey.GetValue("IsDebug") is string empty))
|
|
empty = string.Empty;
|
|
return empty.ToLowerInvariant() == "true";
|
|
}
|
|
}
|
|
catch
|
|
{
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private static bool d() => ai.e();
|
|
|
|
private void c()
|
|
{
|
|
Process[] processArray = this.a();
|
|
if (processArray.Length != 1)
|
|
return;
|
|
this.a(processArray[0]);
|
|
}
|
|
|
|
private static void a(string A_0)
|
|
{
|
|
if (!ai.e())
|
|
return;
|
|
try
|
|
{
|
|
string source = "SpeechGridService";
|
|
if (!EventLog.SourceExists(source))
|
|
EventLog.CreateEventSource(source, "Application");
|
|
EventLog.WriteEntry(source, A_0);
|
|
}
|
|
catch
|
|
{
|
|
}
|
|
try
|
|
{
|
|
ai.OutputDebugString("SpeechGridService: " + A_0);
|
|
}
|
|
catch
|
|
{
|
|
}
|
|
}
|
|
|
|
private static void a(string A_0, Exception A_1, string A_2) => ai.a(string.Join(" -- ", new string[6]
|
|
{
|
|
A_0,
|
|
A_2,
|
|
"Message: " + A_1.Message,
|
|
"StackTrace: " + A_1.StackTrace,
|
|
"InnerMessage: " + (A_1.InnerException == null ? string.Empty : A_1.InnerException.Message),
|
|
"InnerStackTrace: " + (A_1.InnerException == null ? string.Empty : A_1.InnerException.StackTrace)
|
|
}));
|
|
|
|
private static void b(string A_0, Exception A_1) => ai.a(A_0, A_1, "Warning");
|
|
|
|
private static void a(string A_0, Exception A_1) => ai.a(A_0, A_1, "Error");
|
|
|
|
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)]
|
|
private static extern void OutputDebugString(string A_0);
|
|
|
|
private static string b()
|
|
{
|
|
try
|
|
{
|
|
using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey("Software\\SpeechGrid", false))
|
|
{
|
|
if (registryKey == null)
|
|
return string.Empty;
|
|
if (registryKey.GetValue("ClientGuid") is string g)
|
|
{
|
|
try
|
|
{
|
|
return ai.a(new Guid(g));
|
|
}
|
|
catch (FormatException ex)
|
|
{
|
|
ai.b("Format exception while trying to read client guid from registry", (Exception) ex);
|
|
}
|
|
}
|
|
return string.Empty;
|
|
}
|
|
}
|
|
catch (Exception ex)
|
|
{
|
|
ai.a("Exception reading or building ClientGuid", ex);
|
|
return string.Empty;
|
|
}
|
|
}
|
|
|
|
private static string a(Guid A_0) => A_0.ToString().Replace("-", string.Empty).ToUpperInvariant();
|
|
|
|
private Process[] a() => Process.GetProcessesByName("SpeechGrid");
|
|
|
|
private struct a
|
|
{
|
|
public IntPtr a;
|
|
public IntPtr b;
|
|
public int c;
|
|
public int d;
|
|
}
|
|
|
|
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
|
|
private struct b
|
|
{
|
|
public int a;
|
|
public string b;
|
|
public string c;
|
|
public string d;
|
|
public int e;
|
|
public int f;
|
|
public int g;
|
|
public int h;
|
|
public int i;
|
|
public int j;
|
|
public int k;
|
|
public int l;
|
|
public short m;
|
|
public short n;
|
|
public IntPtr o;
|
|
public IntPtr p;
|
|
public IntPtr q;
|
|
public IntPtr r;
|
|
}
|
|
|
|
[System.Flags]
|
|
private enum c
|
|
{
|
|
a = 16777216, // 0x01000000
|
|
b = 67108864, // 0x04000000
|
|
c = 16, // 0x00000010
|
|
d = 512, // 0x00000200
|
|
e = 134217728, // 0x08000000
|
|
f = 262144, // 0x00040000
|
|
g = 33554432, // 0x02000000
|
|
h = 2048, // 0x00000800
|
|
i = 4096, // 0x00001000
|
|
j = 4,
|
|
k = 1024, // 0x00000400
|
|
l = 2,
|
|
m = 1,
|
|
n = 8,
|
|
o = 524288, // 0x00080000
|
|
p = 65536, // 0x00010000
|
|
}
|
|
}
|