Skip to content
🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
Branch: master
Clone or download
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
README.md
macro.vba Initial commit Mar 11, 2019

README.md

This repository contains an example of a VBA macro spawning a process with a spoofed parent and command line. Companion blog post: Building an Office macro to spoof parent processes and command line arguments

Demo

Click for full size.

Demo

Notes

This PoC was tested on Windows 10 with Office Professional Plus 2016, version 1902. It will only work on 32-bit Office versions (on a 32 or 64-bit Windows version). If you have access to a 64-bit Office version and would like to contribute, please do!

The size of the original command line stored in originalCli needs to be greater than the size of the real one stored in cmdStr

Acknowledgments & inspiration

Disclaimer

You are solely responsible for the use you make of this PoC. I assume no liability for any misuse or damage caused by this program.

You can’t perform that action at this time.