ISC Stormcast For Tuesday, September 27th 2016 https://isc.sans.edu/podcastdetail.html?id=5183
ISC Stormcast For Monday, September 26th 2016 https://isc.sans.edu/podcastdetail.html?id=5181
VBA and P-code
I want to draw your attention to some great work Dr. Bontchev did.
pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document:
python pcodedmp.py -d poc2b.doc Processing file: poc2b.doc =============================================================================== Module streams: Macros/VBA/ThisDocument - 1949 bytes Line #0: FuncDefn (Sub / Property Set) func_00000078 Line #1: LitStr 0x001D "This could have been a virus!" Ld vbInformation Ld vbOKOnly Add LitStr 0x0006 "Virus!" ArgsCall MsgBox 0x0003 Line #2: LitStr 0x0008 "calc.exe" Paren ArgsCall Shell 0x0001 Line #3: EndSub
Dr. Bontchev also coded a plugin for oledump.
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
×
Diary Archives
Comments