Share this page!

Malwrologist Profile picture
Twitter logo
Jul 6 6 tweets 2 min read
#VBA declare statement: from libname #obfuscation to remote dll loading 🧵

Declare is used to declare a ref to an external proc in a DLL

Syntax:
[Public | Private] Declare Function name Lib "libname" [Alias "aliasname"] [ ( [arglist] ) ] [As type]

ref: docs.microsoft.com/en-us/office/v…
0⃣ both "kernel32" and "kernel32.dll" are acceptable libnames
1⃣ padding with space chars " kernel32 "
2⃣ adding arbitrary . to the mix " kernel32 .. .. . "
Is libname actually a file path? yes
3⃣ "c:\Windows\System32\kernel32.dll"
can we use relative addressing?
4⃣ "..\..\..\..\../\..\\.\windows\system32\kernel32"
can we use file protocol?
5⃣ " file:///../../../../\/./windows/system32/Kernel32.dll ... "
can we load from a shared folder? absolutely
6⃣"\\127.0.0.1\c$\windows\system32\Kernel32.dll"

can we load our dll? yup
7⃣ "\\127.0.0.1\c$\users\poc-calc.dll"
Lesson learned:
You can heavily obfuscate libname
You can load a dll into office from a remote location🔹

🔷 Reported to MSRC: by design
PoC:
xlsm: github.com/DissectMalware…

poc-calc.dll: github.com/DissectMalware…

or compile: github.com/CuckooEXE/PopC…

place the dll in c:\users if you don't want to change the xlsm file

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Malwrologist

Malwrologist Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @DissectMalware

Malwrologist Profile picture
Oct 9, 2018
#linux #bash #obfuscation #technique #bashfuscation
padding commands with history expansion characters (#exclamation mark (!))
! ! ! ! echo this is test
(removed the previous tweet as I revealed too much info !)
#linux #bash #obfuscation #bashfuscation

using history expansion character -> !! (i.e. last command)

ca
!!t really

is equivalent to
cat really

(only 4 interactive shell)
#linux #bash #obfuscation #bashfuscation

padding commands with empty commands (: ;)

: -> true (do nothing)
; -> command separator

: : ; : ; cat really
! ! ! : : ; : ; cat really
Read 8 tweets
Malwrologist Profile picture
Aug 4, 2018
#linux #bash #path #obfuscation
goal: obfuscate /etc/passwd
1) #directorytraversal: /mnt/././../etc/././passwd
2) escape characher: /etc/.\/\/\/\/\/passwd /etc/.\/.\/.\/.\/passwd /\e\t\c/passwd
3) null character /et$'c/pa\u0000/notexist/path'sswd
....
#path #obfuscation using #symbolic #link
ln -s / anything
head -n 2 anything////../etc/passwd

ln -s ../../ wow
head -n 2 ././wow/../etc/passwd

* ../ after a sym link applies to the sym link not the current path
filename expansion #globbing

cat /et*/pa**wd

command expansion
$(echo /e)tc$(echo /pa*)wd

+ other string obfuscation techniques
Read 5 tweets
Malwrologist Profile picture
Jul 30, 2018
#linux #bash #obfuscation using shell parameter expansion:

alphabet=abcdefghijklmnopqrstuvwxyz
${alphabet:2:1}at really
${alphabet: -24:-23}at really
${alphabet: -24:1}at really
${alphabet:2:-23}at really

gnu.org/software/bash/…
similar #bat #windows (ss64.com/nt/syntax-subs…)
The goal is to obfuscate the following command:
cat really
in which, really is a file.
Using arithmetic (add, sub, mul, div, mod, and pow) for calculating index or lenght
${alphabet: 2:(-20-3)}at really
Read 6 tweets
Malwrologist Profile picture
Jul 29, 2018
#linux #bash #obfuscation using octal vals
$'\143\141\164' really

gnu.org/software/bash/…
"Words of the form $'string' are treated specially. The word expands to string, with backslash-escaped characters replaced as specified by the ANSI C standard."

Image
Variations
$'\143'$'\141'$'\164' really
$'\143'''$'\141'''''''''''''$'\164' really
$'\143'''$'\141'''""''''""''$'\164' really

Explanation:
'' -> empty string
""-> empty string
'a''b' -> 'ab' (concatenation)

(deleted the previous one, as the picture had a problem) Image
To give you a headache

t=
$'\143'''$'\141'$t''"$t"''`$t`''$'\164' really Image
Read 13 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(