
Evil Clippy

A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools.

If you're new to this tool, you might want to start by reading our blog post on Evil Clippy:

This tool was released during our BlackHat Asia talk (March 28, 2019). A video recording of this talk is available at.

Technology

Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features. It reuses code from to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications).

Evil Clippy compiles perfectly fine with the Mono C# compiler and has been tested on Linux, OSX and Windows.

We do not provide a binary release for EvilClippy.

Then execute the following command from the command line:

mcs /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs

Now run Evil Clippy from the command line:

Make sure you have Visual Studio installed. Then execute the following command from a Visual Studio developer command prompt:

csc /reference:OpenMcdf.dll,System.IO. /out:EvilClippy.exe *.cs

Hide all macro modules (except the default "ThisDocument" module) from the VBA GUI editor. This is achieved by removing module lines from the project stream.

Undo the changes done by the hide option (-g) so that we can debug the macro in the VBA IDE.

Put fake VBA code from text file fakecode.vba in all modules, while leaving P-code intact. This abuses an undocumented feature of module streams. Note that the VBA project version must match the host program in order for the P-code to be executed (see next example for version matching).

EvilClippy.exe -s fakecode.vba macrofile.doc

Note: VBA Stomping does not work for files saved in the Excel 97-2003 Workbook (.xls) format

Set target Office version for VBA stomping

Same as the above, but now explicitly targeting Word 2016 on x86. This means that Word 2016 on x86 will execute the P-code, while other versions of Word will execute the code from fakecode.vba instead.
