I modified the source code of ReactOS' cmd and regedit for the following trick:
Let me summarize how I did this, as this is the combined result of several techniques I blogged about before.
- The Excel spreadsheet contains macros that use VirtualAlloc, WriteProcessMemory and CreateThread to “inject” shellcode (stored inside macros) into the Excel process itself. Details here and source code here.
- The shellcode is a DLL loader: the DLL it loads is itself held in memory (it is not read from a file on disk), and it is mapped into the Excel process.
- I modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit.exe into regedit.dll.
You can download regedit.dll here and the new version of cmd.dll with the DLL command here. The DLL command I added lets you load a DLL either with LoadLibrary or directly into memory (option /m). When loaded with LoadLibrary, the library is unloaded again with FreeLibrary, unless you use option /k to keep it loaded.
The DLL command assumes that your DLLs do their work from the DllMain entry-point when they get loaded (i.e. on DLL_PROCESS_ATTACH): there is no separate exported function that the command calls, so a DLL whose DllMain just returns TRUE will load and unload without doing anything. Keep in mind that DllMain runs while the loader lock is held, so the usual restrictions apply to what it can safely do.