I modified the source code of ReactOS' cmd and regedit for the following trick:
Let me summarize how I did this, as this is the combined result of several techniques I blogged about before.
- The Excel spreadsheet contains macros that use VirtualAlloc, WriteProcessMemory and CreateThread to “inject” shellcode (stored inside macros) into the Excel process itself. Details here and source code here.
- The shellcode loads a DLL from memory into memory.
- I modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll.
You can download regedit.dll here and the new version of cmd.dll with the DLL command here. The DLL command I added allows you to load a DLL with LoadLibrary or directly into memory (/m option). When loaded with LoadLibrary, the library will be unloaded with FreeLibrary unless you use option /k to keep it loaded.
The DLL command assumes that your DLLs execute via the DllMain entry-point when they get loaded.
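A detection-side example added here (my own code, not from the post): a small scanner over VBA source that resolves `Declare` statements (including the `Alias` form, where the VBA name can differ from the real export) and flags the alloc/write/thread combination the macros described above rely on. The sample VBA module and the capability table are constructed for this example; it assumes the macro declares the APIs statically rather than resolving them at run time.

```python
import re

# Constructed sample: the API declarations a self-injecting macro needs
# (allocate, write shellcode, start a thread), in both the 32-bit Declare
# syntax and the 64-bit PtrSafe syntax with an Alias hiding the export name.
SAMPLE_VBA = """
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpDest As Long, ByRef lpSource As Any, ByVal nSize As Long, ByRef lpNumBytesWritten As Long) As Long
Private Declare PtrSafe Function CT Lib "kernel32" Alias "CreateThread" (ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As LongPtr, ByVal lpStartAddress As LongPtr, ByVal lpParameter As LongPtr, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As LongPtr
Sub Auto_Open()
End Sub
"""

# Capability classes (constructed list); a module declaring one API from
# each class has the shape of in-process shellcode injection.
CAPABILITIES = {
    "alloc": {"VirtualAlloc", "VirtualAllocEx", "HeapCreate"},
    "write": {"WriteProcessMemory", "RtlMoveMemory"},
    "exec": {"CreateThread", "CreateRemoteThread", "QueueUserAPC"},
}

DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"'
    r'(?:\s+Alias\s+"([^"]+)")?', re.IGNORECASE)

def declared_apis(vba_source):
    """Return {exported_name: (vba_name, library)} for every Declare.
    When an Alias is present it names the real export; the VBA-side
    name is arbitrary and must not be trusted for matching."""
    apis = {}
    for m in DECLARE_RE.finditer(vba_source):
        vba_name, lib, alias = m.groups()
        apis[alias or vba_name] = (vba_name, lib.lower())
    return apis

def injection_capabilities(vba_source):
    """Map each capability class to the matching APIs the module declares."""
    found = declared_apis(vba_source)
    return {cap: sorted(n for n in names if n in found)
            for cap, names in CAPABILITIES.items()}

def is_self_injection_pattern(vba_source):
    """True when alloc, write and exec primitives are all declared."""
    return all(injection_capabilities(vba_source).values())
```

Extracting the VBA source from the workbook is left to a tool such as oledump or olevba; this only classifies what those tools hand back.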
[…] Excel with cmd.dll & regedit.dll – didierstevens.com Stevens modified source code from ReactOS to transform cmd.exe into cmd.dll and regedit into a dll. […]
Pingback by Week 6 in Review – 2010 | Infosec Events — Monday 15 February 2010 @ 6:04
[…] My Software, Shellcode — Didier Stevens @ 0:40 The DLL-loading shellcode I used in my cmd.xls spreadsheet was generated with a method I worked out to generate WIN32 shellcode with a C-compiler. You can […]
Pingback by MemoryLoadLibrary: From C Program to Shellcode « Didier Stevens — Tuesday 16 February 2010 @ 0:41
That is pretty neat – an attacker can hide processes. Can you launch programs with admin privileges?
Comment by Tom — Thursday 18 February 2010 @ 13:33
Assuming you run under a LUA? No, you need to exploit an elevation vulnerability to achieve this.
Comment by Didier Stevens — Thursday 18 February 2010 @ 16:55
[…] a DLL and embedded it with my memory loading shellcode into Excel macros (the same technique as I developed for cmd.dll and regedit.dll). I imagine that a simple game like Solitaire in Excel can go viral inside a company, when you know […]
Pingback by Frisky Solitaire – Another Info Stealer « Didier Stevens — Tuesday 9 March 2010 @ 0:01
Cool stuff. Is the regedit in godmode (admin)?
Comment by sgt Pepper — Friday 19 March 2010 @ 16:17
@sgt Pepper Regedit.dll and cmd.dll run inside the Excel process with new threads. Provided Excel runs under the (elevated) Admin account, regedit will too.
Comment by Didier Stevens — Friday 19 March 2010 @ 16:36
[…] and wscript.exe? It's also worth mentioning that even after you have done the above, it is still very easy to bypass these restrictions via process injection. I reckon a student could easily do this if they […]
Pingback by Prevent Files With These Extensions Running From These Locations... — Sunday 11 July 2010 @ 10:20
[…] to block this DLL with SRP or AppLocker. But now I found out it’s also easy to bypass this, much easier than what I’ve done before. I just have to replace a call to LoadLibrary with a call to LoadLibraryEx, and pass it argument […]
Pingback by Circumventing SRP and AppLocker, By Design « Didier Stevens — Monday 24 January 2011 @ 0:04
[…] Remember my Excel with cmd.dll & regedit.dll? […]
Pingback by Signed Spreadsheet with cmd.dll & regedit.dll « Didier Stevens — Tuesday 19 April 2011 @ 14:05
Can you please give me an example where I could use this thing? Apart from demonstrating all these techniques, in what situation would this be useful? Keep “wow-ing” us, Didier.
Comment by teo — Thursday 21 April 2011 @ 18:30
@teo I’ve used it in 2 situations:
1) you administer LUA users, you’ve restricted them from using cmd.exe and/or regedit, and now you need to debug an issue in a LUA context.
2) cleaning up an infected PC where the malware prevents you from running tools like cmd.exe and regedit.
Comment by Didier Stevens — Friday 22 April 2011 @ 8:10
Hi There, will you be making your completed spreadsheet with all the macro configuration in it available for download? Great work by the way 🙂
Comment by danielweis — Thursday 15 December 2011 @ 22:28
@danielweis A Kiwi neighbor of yours has done that 😉 https://blog.didierstevens.com/2011/04/19/signed-spreadsheet-with-cmd-dll-regedit-dll/
Comment by Didier Stevens — Thursday 15 December 2011 @ 22:34
[…] Excel with cmd.dll & regedit.dll […]
Pingback by Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team — Sunday 1 January 2012 @ 6:53
[…] added a new option to my cmd.dll’s DLL command: DLL […]
Pingback by CMD.DLL: DLL /A | Didier Stevens Videos — Tuesday 22 September 2015 @ 10:10
[…] For several years now I’ve been using my modified cmd.exe from Excel. […]
Pingback by Create Your Own CMD.XLS | Didier Stevens — Wednesday 10 February 2016 @ 0:00