
SANS ISC: InfoSec Handlers Diary Blog



VBA Shellcode and Windows 10

Published: 2016-11-18
Last Updated: 2016-11-19 08:15:57 UTC
by Didier Stevens (Version: 1)
2 comment(s)

I tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016. It's not blocked.

However, it's not stable. The shellcode is executed and the embedded malware is launched (9 times out of 10 successfully), but then the Word process crashes.
 
To be 100% sure, I made my own PoC Word document that injects shellcode and then starts calculator. This PoC is always successful on Windows 10 without EMET, and doesn't crash the Word process. As expected, when EMET is installed on Windows 10, execution of the shellcode is blocked and calc.exe can't be launched. 
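The observable artefact of the PoC described above, on a host without EMET, is Word appearing as the parent of a process it has no business starting (calc.exe in the diary's test). As an added defender-side illustration that is not part of this diary, the following Python snippet scans constructed Sysmon-style process-creation records and flags any child of an Office application, with a small allow-list for children Office spawns legitimately. The log lines, field names, paths and the allow-list are assumptions made for this example.

```python
"""Flag process-creation events whose parent is an Office application.

Added example, not code from the ISC diary. The records below are
constructed to resemble Sysmon Event ID 1 lines (Image / ParentImage
fields); the exact field names and the allow-list are assumptions.
"""
import re
from typing import Dict, List

# Office hosts whose children deserve scrutiny (assumed set).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Children Office is expected to spawn (e.g. the print spooler helper);
# extend for your environment. Anything not listed is reported.
BENIGN_CHILDREN = {"splwow64.exe"}

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Turn key="value" pairs into a dict; unknown formats yield {}."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_office_child(event: Dict[str, str]) -> bool:
    """True when an Office process spawned something not on the allow-list."""
    if event.get("EventID") != "1":
        return False
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child not in BENIGN_CHILDREN


def find_office_children(lines: List[str]) -> List[Dict[str, str]]:
    """Return every parsed event that should be raised for review."""
    return [ev for ev in (parse_event(l) for l in lines) if is_office_child(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'EventID="1" Image="C:\Windows\System32\calc.exe" '
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" User="LAB\alice"',
    r'EventID="1" Image="C:\Windows\splwow64.exe" '
    r'ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" User="LAB\alice"',
    r'EventID="1" Image="C:\Windows\System32\notepad.exe" '
    r'ParentImage="C:\Windows\explorer.exe" User="LAB\alice"',
    r'EventID="3" Image="C:\Windows\System32\svchost.exe" DestinationPort="443"',
]

if __name__ == "__main__":
    for hit in find_office_children(SAMPLE_LOG):
        print(f"ALERT: {hit['ParentImage']} -> {hit['Image']} ({hit.get('User', '?')})")
```

Only the calc.exe record is reported: the splwow64.exe child is allow-listed, the notepad.exe record has a non-Office parent, and the network event is not a process creation. Parent-child lineage is the right check here because, as the diary notes, the maldoc executes its payload from inside the Word process, so the payload's image name alone tells you little; where EMET is deployed the shellcode is stopped before any child appears.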
 

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
NVISO
