Here’s a new trick: injecting VBScript into a process. I’ve developed a DLL that creates a COM instance of the VBScript engine and lets it execute a VBScript. Injecting this DLL into a running program results in execution of the VBScript in the context of that program. Here’s an example where I wrote a VBScript to search and replace a string in the memory of the notepad process:
Here is part of the VBScript I developed to search and replace inside the memory of a process. It uses custom methods like Peek, Poke and Output that I’ve added to the scripting engine:

I’ll provide more details in an upcoming blogpost on bpmtk version 0.1.5.0, but you can already download it here.
YouTube, Vimeo and hires Xvid.
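Seen from the defender's side, creating the VBScript engine through COM loads vbscript.dll into the target process, which is unusual for a program like notepad. The following is an added example (not code from this post or from bpmtk) that flags such loads in constructed, simplified Sysmon Event ID 7 (ImageLoad) records; the key=value log layout and the allowlist of expected script hosts are assumptions.

```python
import ntpath
import re

# Assumption: processes expected to load the VBScript engine in this environment.
EXPECTED_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "iexplore.exe"}
SCRIPT_ENGINES = {"vbscript.dll"}

# Constructed sample records, flattened to key=value form. Real Sysmon
# Event ID 7 events are XML but carry the same Image / ImageLoaded fields.
SAMPLE_EVENTS = r"""
EventID=7 ProcessId=4120 Image=C:\Windows\System32\wscript.exe ImageLoaded=C:\Windows\System32\vbscript.dll
EventID=7 ProcessId=5312 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\kernel32.dll
EventID=7 ProcessId=5312 Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\VBScript.dll
EventID=1 ProcessId=6000 Image=C:\Windows\System32\cmd.exe
"""

# Simplification: values may not contain spaces in this flattened format.
FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value record into a dict of its fields."""
    return dict(FIELD.findall(line))


def unexpected_engine_loads(text):
    """Return (pid, host, module) for script-engine loads by unexpected hosts."""
    findings = []
    for line in text.splitlines():
        ev = parse_event(line)
        # Only image-load events that name both the process and the module.
        if ev.get("EventID") != "7" or "Image" not in ev or "ImageLoaded" not in ev:
            continue
        # Windows paths are case-insensitive, so compare lowercased basenames.
        host = ntpath.basename(ev["Image"]).lower()
        module = ntpath.basename(ev["ImageLoaded"]).lower()
        if module in SCRIPT_ENGINES and host not in EXPECTED_HOSTS:
            findings.append((int(ev.get("ProcessId", 0)), host, module))
    return findings


if __name__ == "__main__":
    for pid, host, module in unexpected_engine_loads(SAMPLE_EVENTS):
        print(f"pid {pid}: {host} loaded {module}")
```
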
Peek and Poke, lovely! Just like my old Commodore 64
Comment by Roger Karlsson — Thursday 25 June 2009 @ 15:02
[...] is at it again. This time injecting VBScript into running processes. bpmtk: Injecting VBScript << Didier Stevens Tags: ( injection code dll [...]
Pingback by Interesting Information Security Bits for 06/25/2009 | Infosec Ramblings — Thursday 25 June 2009 @ 22:23
Correct, had Peek and Poke in Basic on my ZX81 and Apple II too.
Comment by Didier Stevens — Saturday 27 June 2009 @ 21:37
Is there any reason the source you provided wouldn’t be 64-bit friendly?
I’m excited to use this new tool. Thanks a bunch for it, Didier. Please keep up the awesome development.
Comment by Gabriel Friedmann — Wednesday 14 October 2009 @ 6:17
Honestly, I’ve no idea. I’ll start looking at 64bit development once I’ve a real 64bit cpu.
Comment by Didier Stevens — Wednesday 14 October 2009 @ 17:25