Didier Stevens

Thursday 23 October 2008

Excel Exercises in Style

Filed under: Hacking — Didier Stevens @ 10:34

I developed another variant of my “Excel macro injects embedded DLL” script.

Instead of creating and loading a temporary DLL from VBScript, I inject and execute shellcode directly from the VBA application.

Some HIPS would prevent my previous script from running, because it loaded an unapproved DLL. But my new version doesn’t load a DLL.

Of course, writing shellcode is more difficult than developing a PE executable.
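For defenders, the consequence of dropping the DLL is that a control keyed on DLL loads has nothing to observe, while the macro source still has to import the native APIs it calls. The following is an added example, not code from this post or from the author's tools: a static check over already-extracted VBA source that resolves `Declare` imports (including `Alias` renames) and flags a macro that imports an allocate, a write and an execute primitive together. The API grouping in `ROLES`, the function names and the sample macros are assumptions constructed for illustration.

```python
import re

# Assumption (not from the post): API names grouped by the role each would
# play when a macro runs code from memory instead of loading a DLL.
ROLES = {
    "allocate": {"virtualalloc", "virtualallocex"},
    "write": {"rtlmovememory", "writeprocessmemory"},
    "execute": {"createthread", "createremotethread"},
}

# VBA import syntax: [Private|Public] Declare [PtrSafe] Function|Sub Name
#                    Lib "library" [Alias "RealName"] (...)
DECLARE_RE = re.compile(
    r'^\s*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(\w+)\s+Lib\s+"([^"]+)"(?:\s+Alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)

def native_imports(vba_source):
    """Return (local_name, library, real_api) for every Declare statement."""
    # Join VBA line continuations (" _" at end of line) before matching.
    joined = re.sub(r"[ \t]+_[ \t]*\r?\n", " ", vba_source)
    return [(m.group(1), m.group(2).lower(), m.group(3) or m.group(1))
            for m in DECLARE_RE.finditer(joined)]

def assess(vba_source):
    """Flag a macro whose imports cover allocate + write + execute."""
    imports = native_imports(vba_source)
    apis = {real.lower() for _, _, real in imports}
    roles = sorted(r for r, names in ROLES.items() if apis & names)
    return {"imports": imports, "roles": roles, "suspicious": len(roles) == 3}

# Constructed samples: declarations only, no macro bodies.
SAMPLE_FLAGGED = '''
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal a As Long, _
    ByVal s As Long, ByVal t As Long, ByVal p As Long) As Long
Private Declare Sub CopyBytes Lib "kernel32" Alias "RtlMoveMemory" _
    (ByVal d As Long, ByRef s As Any, ByVal n As Long)
Private Declare Function CreateThread Lib "kernel32" (ByVal a As Long, _
    ByVal s As Long, ByVal f As Long, ByVal p As Long, ByVal c As Long, _
    ByRef i As Long) As Long
'''
SAMPLE_BENIGN = '''
Private Declare Function GetTickCount Lib "kernel32" () As Long
'''

if __name__ == "__main__":
    print(assess(SAMPLE_FLAGGED)["roles"], assess(SAMPLE_BENIGN)["suspicious"])
```

Resolving the `Alias` clause matters because the local name a macro uses (here `CopyBytes`) need not match the API it actually imports.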


  1. […] office documents (e.g. a spreadsheet). Macros can also be digitally signed. So if you’ve that special spreadsheet macro to execute, but your Excel configuration requires macros to be signed, this howto is what […]

    Pingback by Howto: Add a Digital Signature to an Office Document « Didier Stevens — Monday 5 January 2009 @ 21:19

  2. Is there a download link?

    Comment by anonymous — Wednesday 6 May 2009 @ 3:33

  3. I just posted it: https://blog.didierstevens.com/2009/05/06/shellcode-2-vbscript/

    Comment by Didier Stevens — Wednesday 6 May 2009 @ 9:07

  4. […] Filed under: Hacking, My Software — Didier Stevens @ 9:06 I had not posted my Python script to convert shellcode to VBScript, so here it […]

    Pingback by Shellcode 2 VBScript « Didier Stevens — Wednesday 6 May 2009 @ 9:07

  5. Why do you call it VBScript? It is plain VBA, Visual Basic for Applications. And it is incompatible with VBS.

    Comment by vbs — Wednesday 6 May 2009 @ 12:27

  6. > Why do you call it VBScript?

    To which “it” are you referring? Because I have a Python script that can generate both VBScript and VBA for an executable.

    Comment by Didier Stevens — Wednesday 6 May 2009 @ 12:56

  7. […] — Didier Stevens @ 5:40 Per request, I release my assembly code I’ve used in my previous blogposts to display a message box when the injected shellcode gets executed. It’s nothing special, but […]

    Pingback by MessageBox Shellcode « Didier Stevens — Tuesday 30 June 2009 @ 6:33

  8. […] previous posts, I showed how to load a DLL or shellcode with VBA in Excel. This is a combination of both techniques: a VBA macro loads and executes […]

    Pingback by Quickpost: Shellcode to Load a DLL From Memory « Didier Stevens — Thursday 28 January 2010 @ 3:09

  9. […] to “inject” shellcode (stored inside macros) into the Excel process itself. Details here and source code […]

    Pingback by Excel with cmd.dll & regedit.dll « Didier Stevens — Monday 8 February 2010 @ 21:18

  10. […] found a really old blog post from 2008 by a guy called didier stevens, which seemed to be showing shellcode being executed from vbscript.  there was also a really cool companion script (dated 2015) that takes shellcode and generates […]

    Pingback by playing with the regsrv32 applocker bypass – atropineal — Friday 19 May 2017 @ 22:43
