MalwareSourceCode/MSIL/Virus/Win32/E/Virus.Win32.Expiro.w-1f15ee7e9f7da02b6bfb4c5a5e6484eb9fa71b82d3699c54bcc7a31794b4a66d/Microsoft/InfoCards/AccessibilityHelperForXpWin2k3.cs
2022-08-18 06:28:56 -05:00


// Decompiled with JetBrains decompiler
// Type: Microsoft.InfoCards.AccessibilityHelperForXpWin2k3
// Assembly: infocard, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
// MVID: ADE0A079-11DB-4A46-8BDE-D2A592CA8DEA
// Assembly location: C:\Users\Administrateur\Downloads\Virusshare-00001-msil\Virus.Win32.Expiro.w-1f15ee7e9f7da02b6bfb4c5a5e6484eb9fa71b82d3699c54bcc7a31794b4a66d.exe
using Microsoft.InfoCards.Diagnostics;
using Microsoft.Win32;
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Security.Principal;
namespace Microsoft.InfoCards
{
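/// <summary>
/// Accessibility helper for down-level Windows (the type name suggests Windows XP and
/// Server 2003). It terminates the "AT" applications (On-Screen Keyboard, Magnifier,
/// Narrator) running in the user's session, starts them on the InfoCard desktop through a
/// <c>ProcessManager</c>, and later restarts the terminated ones on the user's desktop.
/// </summary>
/// <remarks>
/// Analyst note: the decompiler header places this type in an assembly recovered from a
/// sample labelled Virus.Win32.Expiro.w. The logic visible in this class only reads a
/// per-user registry flag and stops or starts three fixed system binaries; it contains no
/// infection or payload logic. The strong-name token in the header is assembly metadata
/// only and says nothing about whether the file on disk is unmodified.
/// </remarks>
internal class AccessibilityHelperForXpWin2k3 : IAccessibilityHelper, IDisposable
{
    // Position of the On-Screen Keyboard entry in atApplications.
    private const int OSKIndex = 0;

    // Executable paths are always built from the system directory plus a fixed image name,
    // never from registry or caller-supplied text. The files at those paths are launched
    // as-is, so the integrity of the system binaries is assumed rather than checked here.
    private static readonly string systemPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
    private static readonly string baseRegistryPath = "\\SOFTWARE\\Microsoft\\Utility Manager\\";
    private static readonly string keyName = "Start on locked desktop";

    // NOTE(review): this array is internal and mutable, so any code in the assembly can change
    // which images are terminated and launched. Left as-is to keep the interface unchanged.
    internal static AccessibilityHelperForXpWin2k3.DownlevelAtData[] atApplications = new AccessibilityHelperForXpWin2k3.DownlevelAtData[3]
    {
        new AccessibilityHelperForXpWin2k3.DownlevelAtData("On-Screen Keyboard", "osk.exe", "msswchx"),
        new AccessibilityHelperForXpWin2k3.DownlevelAtData("Magnifier", "magnify.exe", (string) null),
        new AccessibilityHelperForXpWin2k3.DownlevelAtData("Narrator", "narrator.exe", (string) null)
    };

    // Indexes into atApplications of the applications terminated by RestartOnInfoCardDesktop.
    private List<int> m_restartList = new List<int>();
    private ProcessManager m_manager;
    private bool m_fTabletPC;

    /// <summary>Creates the helper.</summary>
    /// <param name="fTabletPC">
    /// When true, the On-Screen Keyboard is handled even if the user's registry flag is not set.
    /// </param>
    public AccessibilityHelperForXpWin2k3(bool fTabletPC) => this.m_fTabletPC = fTabletPC;

    /// <summary>Releases the process manager, if one was created.</summary>
    void IAccessibilityHelper.Stop()
    {
        // Same teardown as Dispose; delegating keeps the two paths from drifting apart.
        this.Dispose();
    }

    /// <summary>
    /// Starts again, on the user's desktop, every application recorded in the restart list,
    /// then empties the list.
    /// </summary>
    /// <param name="userProcessId">Passed through to the native process-creation wrapper.</param>
    /// <param name="userDesktop">Desktop name passed through to the native wrapper.</param>
    /// <param name="userIdentity">Identity whose <c>Name</c> is passed to the native wrapper.</param>
    /// <returns>Always false.</returns>
    bool IAccessibilityHelper.RestartOnUsersDesktop(
        uint userProcessId,
        string userDesktop,
        WindowsIdentity userIdentity)
    {
        InfoCardTrace.Assert(null == this.m_manager, "The AT applications must be terminated before they can be restarted");

        // NOTE(review): SystemIdentity is not visible here; presumably it switches the thread
        // to the service's own identity for the duration of the block - confirm.
        using (new SystemIdentity(false))
        {
            foreach (int restart in this.m_restartList)
            {
                string application = Path.Combine(AccessibilityHelperForXpWin2k3.systemPath, AccessibilityHelperForXpWin2k3.atApplications[restart].Image);
                int pid = 0;

                // NOTE(review): the wrapper's result and the returned pid are discarded, so a
                // failed launch is silent. The wrapper's contract is not visible; confirm
                // whether failures should at least be traced.
                NativeMcppMethods.CreateProcessAsUserHelperWrapper(application, "", userProcessId, userDesktop, userIdentity.Name, ref pid);
            }
        }

        this.m_restartList.Clear();
        return false;
    }

    /// <summary>
    /// For each known application that is enabled for the locked desktop (or is the On-Screen
    /// Keyboard on a Tablet PC), terminates its instance in the user's session and records it
    /// for a later restart. Enabled applications are then started on the InfoCard desktop when
    /// <paramref name="ATApplicationFlags"/> is non-zero. On a Tablet PC the On-Screen Keyboard
    /// is started even if the loop did not start it.
    /// </summary>
    /// <param name="ATApplicationFlags">Zero suppresses the per-application start inside the loop.</param>
    /// <param name="hTrustedUserToken">Token handle forwarded to <c>ProcessManager.AddProcess</c>.</param>
    /// <param name="trustedUserSid">SID string forwarded by reference to <c>ProcessManager</c>.</param>
    /// <param name="infocardDesktop">Desktop name forwarded to <c>ProcessManager.AddProcess</c>.</param>
    /// <param name="userSessionId">Only processes in this session are terminated.</param>
    /// <param name="userProcessId">Forwarded to <c>ProcessManager.AddProcess</c>.</param>
    /// <param name="userIdentity">Identity whose SID selects the registry hive under HKEY_USERS.</param>
    void IAccessibilityHelper.RestartOnInfoCardDesktop(
        uint ATApplicationFlags,
        SafeNativeHandle hTrustedUserToken,
        ref string trustedUserSid,
        string infocardDesktop,
        int userSessionId,
        uint userProcessId,
        WindowsIdentity userIdentity)
    {
        using (new SystemIdentity(false))
        {
            InfoCardTrace.Assert(null == this.m_manager, "The AT applications are already started");
            this.m_restartList.Clear();

            bool oskStarted = false;
            string userSid = userIdentity.User.Value;

            for (int index = 0; index < AccessibilityHelperForXpWin2k3.atApplications.Length; ++index)
            {
                AccessibilityHelperForXpWin2k3.DownlevelAtData app = AccessibilityHelperForXpWin2k3.atApplications[index];
                bool startOnLockedDesktop = IsStartOnLockedDesktopEnabled(userSid, app.RegistryPath);

                // On a Tablet PC the On-Screen Keyboard is handled regardless of the flag.
                bool forcedForTablet = this.m_fTabletPC && index == OSKIndex;
                if (!startOnLockedDesktop && !forcedForTablet)
                {
                    continue;
                }

                // NOTE(review): the Process objects below are not disposed. Utility.KillHelper
                // is not visible, so ownership is unconfirmed and this is left unchanged.
                bool foundInSession = false;
                foreach (Process p in Process.GetProcessesByName(Path.GetFileNameWithoutExtension(app.Image)))
                {
                    if (userSessionId != p.SessionId)
                    {
                        continue;
                    }

                    // Only the first instance in the session is handled; the loop stops
                    // whether or not the kill succeeded.
                    foundInSession = true;
                    this.m_restartList.Add(index);
                    Utility.KillHelper(p);
                    break;
                }

                if (foundInSession && app.AdditionalImage != null)
                {
                    // The companion process is scanned until one kill in the session succeeds.
                    foreach (Process p in Process.GetProcessesByName(app.AdditionalImage))
                    {
                        if (userSessionId == p.SessionId && Utility.KillHelper(p))
                        {
                            break;
                        }
                    }
                }

                if (startOnLockedDesktop && ATApplicationFlags != 0U)
                {
                    this.LaunchOnInfoCardDesktop(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userSessionId, userProcessId, userIdentity, app.Image);
                    if (index == OSKIndex)
                    {
                        oskStarted = true;
                    }
                }
            }

            if (!this.m_fTabletPC || oskStarted)
            {
                return;
            }

            this.LaunchOnInfoCardDesktop(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userSessionId, userProcessId, userIdentity, AccessibilityHelperForXpWin2k3.atApplications[OSKIndex].Image);
        }
    }

    /// <summary>Releases the process manager, if one was created.</summary>
    public void Dispose()
    {
        if (this.m_manager == null)
        {
            return;
        }

        this.m_manager.Dispose();
        this.m_manager = (ProcessManager) null;
    }

    // Reads the per-user "Start on locked desktop" flag for one application.
    // The hive under HKEY_USERS\<SID> is writable by that user, so its content is treated as
    // untrusted: a missing value, a value of another type, or a value that changes between
    // the two reads yields false instead of an exception on the caller's thread.
    private static bool IsStartOnLockedDesktopEnabled(string userSid, string applicationRegistryPath)
    {
        using (RegistryKey registryKey = Registry.Users.OpenSubKey(userSid + AccessibilityHelperForXpWin2k3.baseRegistryPath + applicationRegistryPath))
        {
            if (registryKey == null)
            {
                return false;
            }

            try
            {
                // GetValueKind throws IOException when the value does not exist.
                return RegistryValueKind.DWord == registryKey.GetValueKind(AccessibilityHelperForXpWin2k3.keyName)
                    && registryKey.GetValue(AccessibilityHelperForXpWin2k3.keyName) is int flag
                    && flag == 1;
            }
            catch (IOException)
            {
                return false;
            }
        }
    }

    // Creates the process manager on first use and queues one system-directory image on it.
    private void LaunchOnInfoCardDesktop(
        SafeNativeHandle hTrustedUserToken,
        ref string trustedUserSid,
        string infocardDesktop,
        int userSessionId,
        uint userProcessId,
        WindowsIdentity userIdentity,
        string image)
    {
        string fullPath = Path.Combine(AccessibilityHelperForXpWin2k3.systemPath, image);
        if (this.m_manager == null)
        {
            this.m_manager = new ProcessManager(userSessionId, trustedUserSid);
        }

        bool fUseElevatedToken = false;
        this.m_manager.AddProcess(hTrustedUserToken, ref trustedUserSid, infocardDesktop, userProcessId, userIdentity, fullPath, "", fUseElevatedToken);
    }

    /// <summary>Describes one accessibility application handled by the helper.</summary>
    internal struct DownlevelAtData
    {
        // Subkey name appended to the per-user Utility Manager registry path.
        public string RegistryPath;

        // Executable file name, combined with the system directory to form the launch path.
        public string Image;

        // Name of a companion process to terminate with the main one; null when there is none.
        public string AdditionalImage;

        public DownlevelAtData(string path, string image, string additional)
        {
            this.RegistryPath = path;
            this.Image = image;
            this.AdditionalImage = additional;
        }
    }
}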
}