🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.

christophetd/spoofing-office-macro

This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments

Notes

  • The 32-bit initial PoC was written and tested by myself, on Windows 10 with Office Professional Plus 2016, version 1902.

  • The 64-bit version is a contribution brought by @py7hagoras.

  • The size of the original command line stored in originalCli must be greater than the size of the real one stored in cmdStr.

Acknowledgments & inspiration

Disclaimer

You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.
