https://github.com/rileymxyz/solid-macro
VB macro for Word exploit
amsi amsi-bypass amsi-evasion exploit microsoft microsoft-office offensive-security offsec poc red-team red-teaming shellcode shellcode-injection vba vba-word
- Host: GitHub
- URL: https://github.com/rileymxyz/solid-macro
- Owner: rileymxyz
- Created: 2025-01-28T04:12:59.000Z (2 days ago)
- Default Branch: main
- Last Pushed: 2025-01-28T04:22:00.000Z (2 days ago)
- Last Synced: 2025-01-28T05:22:32.182Z (2 days ago)
- Topics: amsi, amsi-bypass, amsi-evasion, exploit, microsoft, microsoft-office, offensive-security, offsec, poc, red-team, red-teaming, shellcode, shellcode-injection, vba, vba-word
- Homepage:
- Size: 4.88 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# solid-macro
VB macro for Word exploit

### In-Memory AMSI/ETW Patching
- Directly modifies critical security functions in RAM.
- Uses string obfuscation ("AmsiScan" & "Buffer") to bypass static detection.

### Environmental Keying
- Requires specific domain name (LAB-DOMAIN).
- Checks for VMware tools process (vmtoolsd.exe).
- Validates mouse movement and uptime.

### Polymorphic Self-Destruction
- Overwrites macro code after execution to hinder forensics.

### Indirect Shellcode Loading
- Uses XOR-free shellcode encoded with Shikata ga-nai.
- Allocates RX memory only when needed.

## Shellcode Generation & Usage
Generate EDR-Evasive Shellcode:
```
msfvenom -p windows/x64/exec CMD="calc.exe" EXITFUNC=thread -f raw | sgn -a 64 -c 2 -o payload.raw
```

Convert to VBA-Compatible Hex:
```
xxd -p payload.raw | tr -d '\n' > payload.hex
```

Insert into Macro:
```
payload = DeobfuscateHex("fc4883e4...") ' Paste payload.hex contents
```