![]() ![]() This abuses ambiguity in the MODULESTREAMNAME records - most analyst tools use the ASCII module names specified here, while MS Office used the Unicode variant. Set random ASCII module names in the dir stream. Set/reset random module names (fool analyst tools) ĮvilClippy.exe -s fakecode.vba -t 2016x86 macrofile.doc Achieved by setting the appropriate version bytes in the _VBA_PROJECT stream. This means that Word 2016 on x86 will execute the P-code, while other versions of Word wil execute the code from fakecode.vba instead. Same as the above, but now explicitly targeting Word 2016 on x86. Set target Office version for VBA stomping ![]() Note: VBA Stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format Note that the VBA project version must match the host program in order for the P-code to be executed (see next example for version matching).ĮvilClippy.exe -s fakecode.vba macrofile.doc This abuses an undocumented feature of module streams. Put fake VBA code from text file fakecode.vba in all modules, while leaving P-code intact. Undo the changes done by the hide option (-g) so that we can debug the macro in the VBA IDE. This is achieved by removing module lines from the project stream. Hide all macro modules (except the default "ThisDocument" module) from the VBA GUI editor. Then execute the following command from a Visual Studio developer command prompt:Ĭsc /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs Make sure you have Visual Studio installed. Now run Evil Clippy from the command line: ![]() Mcs /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs Then execute the following command from the command line: We do not provide a binary release for EvilClippy. It reuses code from to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).Įvil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows. TechnologyĮvil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features. VBA stomping resources by the Walmart security teamĪt the time of writing, this tool is capable of getting a default Cobalt Strike macro to bypass most major antivirus products and various maldoc analysis tools (by using VBA stomping in combination with random module names).Our MS Office Magic Show presentation at Derbycon 2018.If you have no idea what all of this is, check out the following resources first: Set/Remove VBA Project Locked/Unviewable Protection.This project should be used for authorized testing or educational purposes only. If you're new to this tool, you might want to start by reading our blog post on Evil Clippy: Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Evil ClippyĪ cross-platform assistant for creating malicious MS Office documents. A video recording of this talk is available at. You can always ask an expert in the Excel Tech Community or get support in the Answers community.This tool was released during our BlackHat Asia talk (March 28, 2019). To edit a macro, in the Developer tab, click Macros, select the name of the macro, and click Edit. On the Developer tab, in the Code group, click Stop Recording. On the Developer tab, click Record Macro. In the Customize the Ribbon category, in the Main Tabs list, select the Developer check box, and then click Save. Go to Excel > Preferences… > Ribbon & Toolbar. ![]() By default, the Developer tab is not visible, so do the following: Make sure the Developer tab is visible on the ribbon. To learn about how to run a macro, see Run a macro. To learn more about creating macros, see Create or delete a macro. This time, see if anything different happens! Some of the code will probably be clear to you, and some of it may be a little mysterious.Įxperiment with the code, close the Visual Basic Editor, and run your macro again. See how the actions that you recorded appear as code. To edit a macro, in the Code group on the Developer tab, click Macros, select the name of the macro, and click Edit. You can learn a little about the Visual Basic programming language by editing a macro. On the Developer tab, click Stop Recording. Perform the actions you want to automate, such as entering boilerplate text or filling down a column of data. Optionally, enter a name for the macro in the Macro name box, enter a shortcut key in the Shortcut key box, and a description in the Description box, and then click OK to start recording. In the Code group on the Developer tab, click Record Macro. For more information, see Show the Developer tab. Macros and VBA tools can be found on the Developer tab, which is hidden by default, so the first step is to enable it. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |