I developed another variant of my “Excel macro injects embedded DLL” script.
In stead of creating and loading a temporary DLL from VBScript, I inject and execute shellcode directly from the VBA application.
Some HIPS would prevent my previous script from running, because it loaded an unapproved DLL. But my new version doesn’t load a DLL.
Of course, writing shellcode is more difficult than developing a PE executable.
[…] office documents (e.g. a spreadsheet). Macros can also be digitally signed. So if you’ve that special spreadsheet macro to execute, but your Excel configuration requires macros to be signed, this howto is what […]
Pingback by Howto: Add a Digital Signature to an Office Document « Didier Stevens — Monday 5 January 2009 @ 21:19
Is there a download link?
Comment by anonymous — Wednesday 6 May 2009 @ 3:33
I just posted it: https://blog.didierstevens.com/2009/05/06/shellcode-2-vbscript/
Comment by Didier Stevens — Wednesday 6 May 2009 @ 9:07
[…] Filed under: Hacking, My Software — Didier Stevens @ 9:06 I had not posted my Python script to convert shellcode to VBScript, so here it […]
Pingback by Shellcode 2 VBScript « Didier Stevens — Wednesday 6 May 2009 @ 9:07
Why you call it VBScript? It is plain VBA, Visual Basic for Applications. And it is incompatible with VBS.
Comment by vbs — Wednesday 6 May 2009 @ 12:27
> Why you call it VBScript?
To which “it” are you referring? Because I have a Python script that can generate both VBScript and VBA for an executable.
Comment by Didier Stevens — Wednesday 6 May 2009 @ 12:56
[…] — Didier Stevens @ 5:40 Per request, I release my assembly code I’ve used in my previous blogposts to display a message box when the injected shellcode gets executed. It’s nothing special, but […]
Pingback by MessageBox Shellcode « Didier Stevens — Tuesday 30 June 2009 @ 6:33
[…] previous posts, I showed how to load a DLL or shellcode with VBA in Excel. This is a combination of both techniques: a VBA macro loads and executes […]
Pingback by Quickpost: Shellcode to Load a DLL From Memory « Didier Stevens — Thursday 28 January 2010 @ 3:09
[…] to “inject” shellcode (stored inside macros) into the Excel process itself. Details here and source code […]
Pingback by Excel with cmd.dll & regedit.dll « Didier Stevens — Monday 8 February 2010 @ 21:18
[…] found a really old blog post from 2008 by a guy called didier stevens, which seemed to be showing shellcode being executed from vbscript. there was also a really cool companion script (dated 2015) that takes shellcode and generates […]
Pingback by playing with the regsrv32 applocker bypass – atropineal — Friday 19 May 2017 @ 22:43