{"id":14065214,"url":"https://github.com/eset/vba-dynamic-hook","last_synced_at":"2025-10-10T23:15:06.796Z","repository":{"id":54198238,"uuid":"54120985","full_name":"eset/vba-dynamic-hook","owner":"eset","description":"VBA Dynamic Hook dynamically analyzes VBA macros inside Office documents by hooking function calls","archived":false,"fork":false,"pushed_at":"2016-03-17T13:45:23.000Z","size":11,"stargazers_count":145,"open_issues_count":0,"forks_count":39,"subscribers_count":23,"default_branch":"master","last_synced_at":"2024-08-13T07:08:26.107Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eset.png","metadata":{"files":{"readme":"README.adoc","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-03-17T13:42:43.000Z","updated_at":"2024-06-19T17:15:04.000Z","dependencies_parsed_at":"2022-08-13T09:00:43.411Z","dependency_job_id":null,"html_url":"https://github.com/eset/vba-dynamic-hook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fvba-dynamic-hook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fvba-dynamic-hook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fvba-dynamic-hook/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eset%2Fvba-dynamic-hook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eset","download_url":"https://codeload.github.com/eset/vba-dynamic-hook/tar.gz/refs/heads/master","host":{"name":"Git
Hub","url":"https://github.com","kind":"github","repositories_count":223888519,"owners_count":17220074,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-13T07:04:22.336Z","updated_at":"2025-10-10T23:15:01.771Z","avatar_url":"https://github.com/eset.png","language":"Python","funding_links":[],"categories":["Python"],"sub_categories":[],"readme":"= VBA Dynamic Hook - vhook\n\nCopyright (C) 2016 ESET\n\n== References\n\n* Conference talk: http://www.computerworld.pl/konferencja/semafor2016/\n\n== Description\n\nThis is our approach to dynamic VBA analysis.\n\nWe use an idea similar to Windows API Hooking techniques.\n\nBasically, we are trying to find\n\n* the most popular internal VBA functions used inside malicious files (like `Shell`),\n* user-defined functions which return a string,\n* external function declarations (like `URLDownloadToFileA`),\n* method calls (like `http.Open`)\n\nand log their usage.\n\nThis information can be used to decide whether a macro behaves in a suspicious way.\n\n== Content of this repository\n\n`vhook.bat`:: Starts `vhook.vbs` using `cscript` so `Echo` output is printed to the console\n`vhook.vbs`:: Main script which runs `unprotect.py`, `parser.py` and `starter.py`, and adds the `class.vba` content to the file as another macro\n`unprotect.py`:: Tries to remove VBA password protection from a `.doc` file\n`parser.py`:: Parses macro content, extracts function usage and adds logging code to them\n`starter.py`:: Opens the malicious `.doc` document and closes it after a timeout\n`class.vba`:: Contains function wrappers and helpers\n\n== Usage\n\n[WARNING]\nOnly use VBA 
Dynamic Hook inside a sandboxed virtual machine!\n\nBefore using VBA Dynamic Hook, enable macro support inside Word:\n\n----\nFile -\u003e Options -\u003e Trust Center -\u003e Trust Center Settings -\u003e Enable all macros\n----\n\nStart the script using:\n\n----\nvhook.bat word_document.doc\n----\n\nThree files will be created after a successful execution:\n\n----\nword_document_without.doc \u003c-- file without VBA macro password protection\nword_document_output.doc  \u003c-- file with added hooks\nvhook_%date%.txt          \u003c-- script output\n----\n\n== Example\n\nHere is an example VBA module.\n\n----\n#If Win32 Then\n    Public Declare Sub MessageBeep Lib \"User32\" (ByVal N As Long)\n#Else\n    Public Declare Sub MessageBeep Lib \"User\" (ByVal N As Integer)\n#End If\n\nPublic Function hex2ascii(ByVal hextext As String) As String\nFor y = 1 To Len(hextext)\n    Num = Mid(hextext, y, 2)\n    Value = Value \u0026 Chr(Val(\"\u0026h\" \u0026 Num))\n    y = y + 1\nNext y\nhex2ascii = Value\nEnd Function\n\nSub test_function()\n    a = StrReverse(\"gnitset\")\n    b = Mid(\"abcexampledef\", 4, 7)\n    c = Environ(\"Temp\")\n    d = hex2ascii(\"656e636f6465645f6865785f737472696e67\")\n    MsgBox (d)\n    Shell (Chr(99) \u0026 Chr(97) \u0026 Chr(108) \u0026 Chr(99) \u0026 Chr(46) \u0026 Chr(101) \u0026 Chr(120) \u0026 Chr(101))\n\n    Set http = CreateObject(\"Microsoft.XmlHttp\")\n    http.Open \"GET\", \"http://example.com\", False\n    http.Send\n    E = http.responseText\n\n    MessageBeep (100)\nEnd Sub\n----\n\nThe output of VBA Dynamic Hook will look like this:\n\n----\nStrReverse testing\nMID example\nEnviron Temp\nMID 65\nMID 6e\nMID 63\nMID 6f\nMID 64\nMID 65\nMID 64\nMID 5f\nMID 68\nMID 65\nMID 78\nMID 5f\nMID 73\nMID 74\nMID 72\nMID 69\nMID 6e\nMID 67\nhex2ascii : encoded_hex_string\nMessagebox encoded_hex_string\nShell calc.exe\nCreateObject Microsoft.XmlHttp\nhttp.Open, GET, http://example.com, 
False\n----\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fvba-dynamic-hook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feset%2Fvba-dynamic-hook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feset%2Fvba-dynamic-hook/lists"}