Didier Stevens

Thursday 25 June 2009

bpmtk: Injecting VBScript

Filed under: bpmtk,Hacking,My Software — Didier Stevens @ 7:03

Here’s a new trick: injecting VBScript in a process. I’ve developed a DLL that will create a COM instance of the VBScripting engine and let it execute a VBScript. Injecting this DLL in a running program results in execution of the VBScript in the context of the running program. Here’s an example where I wrote a VBScript to search and replace a string in the memory of the notepad process:

Here is part of the VBScript I developed to search and replace inside the memory of a process. It uses custom methods like Peek, Poke and Output that I’ve added to the scripting engine:

[Image: 20090609-205420]

I’ll provide more details in an upcoming blogpost on bpmtk version 0.1.5.0, but you can already download it here.

YouTube, Vimeo and hires Xvid.
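Seen from the detection side, the technique above makes the VBScript engine (vbscript.dll) load inside a process that normally never hosts it. The following is an added example, not part of the original post or of bpmtk: it scans image-load records shaped like Sysmon Event ID 7 and reports such loads together with the unsigned modules that were loaded earlier in the same process. The sample events, the paths in them and the allowlist of script hosts are constructed assumptions.

```python
# Added example (not bpmtk code): flag vbscript.dll loading in a process that
# is not a script host. Field names follow Sysmon Event ID 7 (Image loaded).
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: processes expected to host the VBScript engine in this environment.
EXPECTED_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "iexplore.exe"}
ENGINE = "vbscript.dll"

def ev(time, guid, image, loaded, signed):
    return {"UtcTime": time, "ProcessGuid": guid, "Image": image,
            "ImageLoaded": loaded, "Signed": signed}

SYS = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [  # constructed, time-ordered sample records
    ev("2009-06-25 07:03:01", "{A}", SYS + "notepad.exe", SYS + "comctl32.dll", "true"),
    ev("2009-06-25 07:03:40", "{A}", SYS + "notepad.exe", "C:\\Temp\\injected-example.dll", "false"),
    ev("2009-06-25 07:03:41", "{A}", SYS + "notepad.exe", SYS + "vbscript.dll", "true"),
    ev("2009-06-25 07:04:10", "{B}", SYS + "wscript.exe", SYS + "vbscript.dll", "true"),
    ev("2009-06-25 07:05:00", "{C}", SYS + "calc.exe", "C:\\Temp\\other-example.dll", "false"),
]

def basename(path):
    # PureWindowsPath parses Windows paths on any platform.
    return PureWindowsPath(path).name.lower()

def find_unexpected_engine_loads(events):
    """One finding per vbscript.dll load outside a script host, listing the
    unsigned modules loaded earlier in that process as candidate injected DLLs."""
    unsigned_seen = defaultdict(list)  # ProcessGuid -> unsigned module paths
    findings = []
    for e in events:
        if basename(e["ImageLoaded"]) == ENGINE:
            if basename(e["Image"]) not in EXPECTED_HOSTS:
                findings.append({"time": e["UtcTime"], "process": e["Image"],
                                 "candidates": list(unsigned_seen[e["ProcessGuid"]])})
        elif e["Signed"].lower() != "true":
            unsigned_seen[e["ProcessGuid"]].append(e["ImageLoaded"])
    return findings

if __name__ == "__main__":
    for f in find_unexpected_engine_loads(SAMPLE_EVENTS):
        print(f["time"], f["process"], "loaded", ENGINE, "after", f["candidates"])
```

The allowlist needs tuning per environment, since other applications can legitimately host the scripting engine.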

7 Comments »

  1. Peek and Poke, lovely! Just like my old Commodore 64 🙂

    Comment by Roger Karlsson — Thursday 25 June 2009 @ 15:02

  2. […] is at it again. This time injecting VBScript into running processes. bpmtk: Injecting VBScript << Didier Stevens Tags: ( injection code dll […]

    Pingback by Interesting Information Security Bits for 06/25/2009 | Infosec Ramblings — Thursday 25 June 2009 @ 22:23

  3. Correct, had Peek and Poke in Basic on my ZX81 and Apple II too.

    Comment by Didier Stevens — Saturday 27 June 2009 @ 21:37

  4. Is there any reason the source you provided wouldn’t be 64-bit friendly?

    I’m excited to use this new tool. Thanks a bunch for it, Didier. Please keep up the awesome development.

    Comment by Gabriel Friedmann — Wednesday 14 October 2009 @ 6:17

  5. Honestly, I’ve no idea. I’ll start looking at 64bit development once I’ve a real 64bit cpu.

    Comment by Didier Stevens — Wednesday 14 October 2009 @ 17:25

  6. […] do you get the target process to execute this script? That is something I worked out 2 years ago: bpmtk: Injecting VBScript. In a nutshell: I developed a DLL that once injected into a process, instantiates a VBScript engine […]

    Pingback by Quickpost: Need a PoC to Test Your Security Setup? Not Necessarily… « Didier Stevens — Wednesday 22 June 2011 @ 13:30

  7. Function Test()
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "cmd.exe"
    End Function

    Comment by Anonymous — Wednesday 29 June 2011 @ 6:58

