Having written a few posts demonstrating different methods of bypassing AMSI using VBA, here’s another small post on a further technique which I found is possible as a result of some Advanced Googling…
The default behaviour of VBA is load-time linking: when we want to use a function provided by a DLL, we have to declare both the function and the library it belongs to as part of our code before we can call it.
A downside to this is that any antivirus or endpoint detection solution can see which functions we’re going to use and block any it believes are bad. The declarations cannot be obfuscated; the only thing we can do to confuse AV a little is to use ordinal values instead of function names and get creative with Alias names, as I detailed in a previous post.
In C, however, it is possible to use DLL functions without making these declarations: LoadLibrary loads the DLL, GetProcAddress returns the address of the function in memory, and the function is then called through that address with whatever parameters it needs.
This got me thinking, can this be done in VBA…
Time for some Advanced Googling….
After reading quite a few posts etc I stumbled upon this post and a couple of links which branch off from it.
As it turns out there is a function called DispCallFunc which will allow us to do what we want.
Amongst the various forum posts I found a pre-written function, part of a larger module, which I’ve stripped out.
Calling it is pretty straightforward and it appears to work with most functions. Here’s a quick example of how we can use the MessageBoxA function.
Now to make it do interesting stuff…
I wanted to see how AMSI would treat this technique, so I generated a payload with msfvenom and added the rest of the required code, which copies the shellcode into memory and executes it.
msfvenom -p windows/exec CMD=calc.exe -b "\x00" -f c
The shellcode has to be reformatted to work with VBA because of line-length restrictions; it’s a simple task and can be automated.
In addition to the gist below, my Git can be found here
As it turns out, the payload is executed quite happily and in this instance AMSI doesn’t trigger.
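Since the declarations are the one thing this technique cannot hide, a static check over the macro source is the natural complement to AMSI here. The following scanner is an added example, not code from the post or its gist: it looks for the indicators described above (a Declare from oleaut32, the DispCallFunc name, LoadLibrary/GetProcAddress, ordinal Alias values, memory primitives and element-by-element byte-array fills) over a constructed sample macro. The sample text, rule set and weights are assumptions made for illustration.

```python
import re

# Constructed sample of macro source (not code from the post). It carries the
# indicators the post describes: a DispCallFunc Declare, LoadLibrary/GetProcAddress,
# an ordinal Alias and a byte array being filled element by element.
SAMPLE_MACRO = """
Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pvInstance As LongPtr, ByVal oVft As LongPtr, ByVal cc As Long) As Long
Private Declare PtrSafe Function LoadLibraryA Lib "kernel32" (ByVal lpLibFileName As String) As LongPtr
Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
Private Declare PtrSafe Function x Lib "user32" Alias "#282" (ByVal a As Long) As Long
Dim buf(0 To 511) As Byte
buf(0) = 1: buf(1) = 2: buf(2) = 3: buf(3) = 4
"""

# Constructed benign macro for comparison.
BENIGN_MACRO = """
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1").Font.Bold = True
End Sub
"""

# (rule name, regex, weight). Weights are illustrative. Matching the Lib name rather
# than the function name also catches a Declare that renames DispCallFunc via Alias.
RULES = [
    ("declare_from_oleaut32", r'Declare\s+(?:PtrSafe\s+)?Function\s+\w+\s+Lib\s+"oleaut32(?:\.dll)?"', 3),
    ("dispcallfunc_name", r"\bDispCallFunc\b", 3),
    ("dynamic_resolution", r"\b(?:LoadLibrary[AW]?|GetProcAddress)\b", 2),
    ("ordinal_alias", r'Alias\s+"#\d+"', 2),
    ("memory_primitives", r"\b(?:VirtualAlloc(?:Ex)?|RtlMoveMemory|CreateThread)\b", 3),
    ("byte_array_fill", r"\b\w+\(\d+\)\s*=\s*\d{1,3}\b", 1),
]


def scan_macro(source: str) -> dict:
    """Return {rule_name: hit_count} for each rule that matches the macro text."""
    hits = {}
    for name, pattern, _weight in RULES:
        count = len(re.findall(pattern, source, flags=re.IGNORECASE))
        if count:
            hits[name] = count
    return hits


def risk_score(source: str) -> int:
    """Sum the weight of every rule that fired at least once."""
    weights = {name: weight for name, _pattern, weight in RULES}
    return sum(weights[name] for name in scan_macro(source))
```

In practice the macro text would come from the document's VBA project (for example via olevba) rather than an inline string.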
The example above is 32-bit; it will work on x64 with some small changes.
If you’ve got this far, well done! – any errors, etc let me know and I’ll update.