Skip to content

noderaven/solid-macro

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
macro.vba
macro.vba
 
 

Repository files navigation

solid-macro

VB macro for Word exploit

In-Memory AMSI/ETW Patching

  • Directly modifies critical security functions in RAM.
  • Uses string obfuscation ("AmsiScan" & "Buffer") to bypass static detection.

Environmental Keying

  • Requires specific domain name (LAB-DOMAIN).
  • Checks for VMware tools process (vmtoolsd.exe).
  • Validates mouse movement and uptime.

Polymorphic Self-Destruction

  • Overwrites macro code after execution to hinder forensics.

Indirect Shellcode Loading

  • Uses XOR-free shellcode encoded with Shikata ga-nai.
  • Allocates RX memory only when needed.

Shellcode Generation & Usage

Generate EDR-Evasive Shellcode:

msfvenom -p windows/x64/exec CMD="calc.exe" EXITFUNC=thread -f raw | sgn -a 64 -c 2 -o payload.raw

Convert to VBA-Compatible Hex:

xxd -p payload.raw | tr -d '\n' > payload.hex

Insert into Macro:

payload = DeobfuscateHex("fc4883e4...") ' Paste payload.hex contents

About

VB macro for Word exploit

Topics

microsoft exploit poc vba shellcode offensive-security red-team offsec microsoft-office red-teaming amsi vba-word shellcode-injection amsi-bypass amsi-evasion

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages