A simple yet effective implementation of the RunPE technique in VBA. This code can be used to run executables from the memory of Word or Excel. It is compatible with both 32 bits and 64 bits of Microsoft Office 2010 and above.
- In the Exploit procedure at the end of the code, set the path of the file you want to execute.
strSrcFile = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
/!\ If you're using a 32 bits version of Microsoft Office on a 64 bits OS, you must use 32 bits binaries.
strSrcFile = "C:\Windows\SysWOW64\cmd.exe"
strSrcFile = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
- Specify the command line arguments (optional).
strArguments = "-exec Bypass"
This will be used to form a command line equivalent to:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -exec Bypass
- Enable View > Immediate Window (Ctrl + G) (to check execution and error logs).
- Run the macro!
This code is mainly a VBA adaptation of the C++ implementation published by @Zer0Mem0ry (32 bits only). https://github.com/Zer0Mem0ry/RunPE
This code was tested on the following platforms:
- Windows 7 Pro 32 bits + Office 2010 32 bits
- Windows 7 Pro 64 bits + Office 2016 32 bits
- Windows 2008 R2 64 bits + Office 2010 64 bits
- Windows 10 Pro 64 bits + Office 2016 64 bits
Currently, this doesn't work with all Windows binaries. For example, it can't be used to run regedit.exe. I guess I need to do some manual imports of missing DLLs.
Here is a table of correspondence between some C++ and VBA types:
| C++ | VBA | Arch |
|---|---|---|
| BYTE | Byte | 32 & 64 |
| WORD | Integer | 32 & 64 |
| DWORD, ULONG, LONG | Long | 32 & 64 |
| DWORD64 | LongLong | 64 |
| HANDLE | LongPtr(*) | 32 & 64 |
| LPSTR | String | 32 & 64 |
| LPBYTE | LongPtr(*) | 32 & 64 |
(*) LongPtr is a "dynamic" type, it is 4 Bytes long in Office 32 bits and 8 Bytes long in Office 64 bits. https://msdn.microsoft.com/fr-fr/library/office/ee691831(v=office.14).aspx