Didier Stevens

Thursday 25 June 2009

bpmtk: Injecting VBScript

Filed under: bpmtk,Hacking,My Software — Didier Stevens @ 7:03

Here’s a new trick: injecting VBScript in a process. I’ve developed a DLL that will create a COM instance of the VBScripting engine and let it execute a VBScript. Injecting this DLL in a running program results in execution of the VBScript in the context of the running program. Here’s an example where I wrote a VBScript to search and replace a string in the memory of the notepad process:

Here is part of the VBScript I developed to search and replace inside the memory of a process. It uses custom methods like Peek, Poke and Output that I’ve added to the scripting engine:


I’ll provide more details in an upcoming blogpost on bpmtk version, but you can already download it here.

YouTube, Vimeo and hires Xvid.


  1. Peek and Poke, lovely! Just like my old Commodore 64 :)

    Comment by Roger Karlsson — Thursday 25 June 2009 @ 15:02

  2. Correct, had Peek and Poke i Basic on my ZX81 and Apple II too.

    Comment by Didier Stevens — Saturday 27 June 2009 @ 21:37

  3. […] is at it again. This time injecting VBScript into running processes. bpmtk: Injecting VBScript << Didier Stevens Tags: ( injection code dll […]

    Pingback by Interesting Information Security Bits for 06/25/2009 | Infosec Ramblings — Thursday 25 June 2009 @ 22:23

  4. Is there any reason the source you provided wouldn’t be 64-bit friendly?

    I’m excited to use this new tool. Thanks a bunch for it, Didier. Please keep up the awesome development.

    Comment by Gabriel Friedmann — Wednesday 14 October 2009 @ 6:17

  5. Honestly, I’ve no idea. I’ll start looking at 64bit development once I’ve a real 64bit cpu.

    Comment by Didier Stevens — Wednesday 14 October 2009 @ 17:25

  6. […] do you get the target process to execute this script? That is something I worked out 2 years ago: bpmtk: Injecting VBScript. In a nutshell: I developed a DLL that once injected into a process, instantiates a VBScript engine […]

    Pingback by Quickpost: Need a PoC to Test Your Security Setup? Not Necessarily… « Didier Stevens — Wednesday 22 June 2011 @ 13:30

  7. Function Test()
    Dim objShell
    Set ojbShell=CreateObject(WScript.Shell)
    objShell.Run “cmd.exe”
    End Function

    Comment by Anonymous — Wednesday 29 June 2011 @ 6:58

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 342 other followers

%d bloggers like this: