Shulou(Shulou.com)06/01 Report--

This article shows you how the basic use of Office macros is, the content is concise and easy to understand, and it will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Preface

Office macro, translated from the English word Macro. Macros are an advanced scripting feature that comes with Office. Through VBA code, you can complete a specific task in Office without having to repeat the same actions, in order to automate some tasks in user documents. A macro virus is a computer virus that is stored in a macro of a document or template. Once such a document is opened, the macro is executed, and the macro virus is activated, transferred to the computer, and resides on the Normal template.

Visual Basic for Applications (VBA), a macro language of Visual Basic, is a programming language developed by Microsoft to perform general automation (OLE) tasks in its desktop applications. It can mainly be used to expand the application functions of Windows, especially Microsoft Office software, and it can also be said to be a kind of Basic script for application visualization.

Environmental preparation

Windows 7 x64 Ultimate Edition

Microsoft Office 2016

CobaltStrike 3.14

CobaltStrike generates macros

First use CobaltStrike to generate macro payload, and then just put in word, excel or ppt.

Create a macro Word

Open the Word document and click "Word options-Custom Ribbon-developer tools (checked)-OK".

After writing the main content, click "Development tools-Visual Basic".

Double-click "ThisDocument" to empty all the original contents, then paste all the CobaltStrike generation macro payload into it, save and close the VBA editor.

Save as the Word type must select "Word 97-2003 documents (* .doc)", that is, doc files, to ensure that the lower version can be opened. Then turn it off and open it to execute the macro code.

Rebound Beacon shell

By default, Office has disabled all macros, but still notifies you when you open an Word document.

Induce the target to manually click the "enable content" macro.

Once the target is enabled, the Beacon of CobaltStrike will be online, that is, the Shell will be successfully received.

Macro code analysis

The default VBA generated by CobaltStrike imports four Windows API functions, the common ShellCode loader code:

CreateRemoteThread creates a thread that runs in another process address space (also known as creating a remote thread).

VirtualAllocEx specifies the virtual space reserved or committed memory area of the process

WriteProcessMemory writes to the memory area of a process

CreateProcess creates a new process and its main thread that runs the specified executable

Among them, Array (- 4 people talk 24 minutes, 119 minutes 0, 0 minutes 0, 96 minutes, 119 minutes, 27... It is ShellCode, and there are many ways to get confused.

ShellCode can decode itself in VBA or, for example, increase each element by 1, run time-1, and achieve kill-free.

The above is what the basic use of Office macros is. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.