44CON 2014 - Advanced Excel Hacking, Didier Stevens

This is a workshop on hacking Excel on Windows without exploits.

Visual Basic for Applications (VBA) is a powerful programming language, more powerful than VBScript, because it has access to the Windows API. What I teach in this workshop is applicable to all applications with VBA support (Word, PowerPoint, AutoCAD, …), but I chose Excel because of its prevalence and its tabular GUI, which is particularly suited for inputting and outputting data.

I illustrate 2 major hacking techniques on Excel: pure VBA, and VBA mixed with special shellcode and DLLs.


  1. Advanced Excel Hacking Workshop, Didier Stevens
  2. No Exploits, Just Features
  3. Unzip to c:\excel. Password: Workshop
  4. VBA (Visual Basic for Applications) is a complete Windows programming language
  5. VBS (Visual Basic Script) is NOT a complete Windows programming language
  6. VBA has access to the Windows API
  7. VBA: MS Office (Word, Excel, PowerPoint, …), AutoCAD, ...
  8. Excel: what I prefer as a User Interface
  9. Exercise 1: "Hello World" message box with VBA
  10. VBA7: introduced with Office 2010; support for 64-bit
  11. 32-bit Excel or 64-bit Excel?
  12. Excel 2007 or earlier: 32-bit
  13. Excel 2010 or 2013: check File/Help
  14. 3 new VBA7 keywords: PtrSafe, LongLong, LongPtr
  15. 2 new VBA7 compilation constants: VBA7, Win64
  16. I use Win64. If Win64 is defined, I know that I'm using VBA7 on a 64-bit application. Thus I use the new keywords (PtrSafe, LongLong, LongPtr).
  17. If Win64 is not defined, I know that I am on a 32-bit application. And then I DO NOT use the new keywords.
  18. Exercise 2: "Hello World" message box with API: 32-bit, 64-bit & both
  19. API functions: not only basic types as arguments, but also structures
  20. Private Declare PtrSafe Sub GetSystemTime Lib "kernel32.dll" (st As SYSTEMTIME)
  21. Private Type SYSTEMTIME
          wYear As Integer
          wMonth As Integer
          wDayOfWeek As Integer
          wDay As Integer
          wHour As Integer
          wMinute As Integer
          wSecond As Integer
          wMilliseconds As Integer
      End Type
  22. Exercise 3: GetSystemTime: 32-bit, 64-bit & both
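A worked solution to the "both" variants of Exercises 2 and 3, written as an added example for this page rather than taken from the workshop materials. It follows the rule on slides 16 and 17: the Win64 compilation constant selects the VBA7 declarations (PtrSafe, LongPtr) on 64-bit Excel and the classic declarations everywhere else, so the same module compiles in Excel 2007 (VBA6), 32-bit Excel 2010/2013 and 64-bit Excel 2010/2013. The choice of MessageBoxA over MessageBoxW, the constant names and the procedure names are this example's own, not the slides'.

```vba
Option Explicit

' SYSTEMTIME is eight 16-bit WORDs on both 32-bit and 64-bit Windows,
' so the VBA Type (Integer = 16-bit) is identical for both builds.
Private Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

#If Win64 Then
    ' 64-bit Office: VBA7 is guaranteed, PtrSafe is mandatory and
    ' handles/pointers must be LongPtr (8 bytes), not Long (4 bytes).
    Private Declare PtrSafe Function MessageBoxA Lib "user32.dll" ( _
        ByVal hWnd As LongPtr, ByVal lpText As String, _
        ByVal lpCaption As String, ByVal uType As Long) As Long
    Private Declare PtrSafe Sub GetSystemTime Lib "kernel32.dll" (lpSystemTime As SYSTEMTIME)
#Else
    ' 32-bit Office (VBA6 or 32-bit VBA7): classic syntax. Long is already
    ' 4 bytes, which matches a 32-bit HWND; PtrSafe would not compile on VBA6.
    Private Declare Function MessageBoxA Lib "user32.dll" ( _
        ByVal hWnd As Long, ByVal lpText As String, _
        ByVal lpCaption As String, ByVal uType As Long) As Long
    Private Declare Sub GetSystemTime Lib "kernel32.dll" (lpSystemTime As SYSTEMTIME)
#End If

Private Const MB_OK As Long = &H0
Private Const MB_ICONINFORMATION As Long = &H40

' Reports which Declare branch was compiled, i.e. the bitness of the hosting Excel.
Public Function HostBitness() As String
#If Win64 Then
    HostBitness = "64-bit (VBA7)"
#Else
    HostBitness = "32-bit"
#End If
End Function

' Exercise 2: "Hello World" through user32!MessageBoxA instead of VBA's MsgBox.
Public Sub HelloWorldApi()
    MessageBoxA 0, "Hello World from " & HostBitness() & " Excel", "Exercise 2", MB_OK Or MB_ICONINFORMATION
End Sub

' Exercise 3: let kernel32!GetSystemTime fill a SYSTEMTIME structure (UTC)
' and format it; the structure is passed ByRef, as the Declare requires.
Public Function SystemTimeUtc() As String
    Dim st As SYSTEMTIME
    GetSystemTime st
    SystemTimeUtc = Format$(st.wYear, "0000") & "-" & Format$(st.wMonth, "00") & "-" & Format$(st.wDay, "00") & _
                    " " & Format$(st.wHour, "00") & ":" & Format$(st.wMinute, "00") & ":" & Format$(st.wSecond, "00") & _
                    "." & Format$(st.wMilliseconds, "000") & " UTC"
End Function

Public Sub ShowSystemTime()
    MessageBoxA 0, SystemTimeUtc(), "Exercise 3 (" & HostBitness() & ")", MB_OK
End Sub
```

Paste the module into a standard module (Alt+F11, Insert > Module) and run HelloWorldApi or ShowSystemTime. Two checks worth keeping in mind when extending this to other API calls: only handles and pointers change width between the two branches (HWND, HANDLE, LPVOID, SIZE_T become LongPtr), while DWORD stays Long and WORD stays Integer, so a structure with no pointer members, such as SYSTEMTIME, needs no 64-bit variant; and a String parameter declared ByVal is marshalled to an ANSI buffer by VBA, which is why the A version of the API is the convenient one here.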
  23. InstalledPrograms
  24. NetworkMashup-32
  25. TaskManager.xls / TaskManagerSC.xls
  26. Problem: writing a lot of VBA code
  27. Datapipe
  28. Modify C source code of datapipe: datapipe.exe → datapipe.dll
  29. DLL to shellcode: datapipe-dll.dll → datapipe-dll.dll.bin
  30. Shellcode to VBA: datapipe-dll.dll.bin → datapipe-dll.dll.bin.base64.vba
  31. ReactOS cmd and regedit
  32. PuTTY
  33. 20% discount sale for BruCON: PDF Analysis workshop videos on CD: €20; White Hat Shellcode workshop videos on CD: €20; x64 workshop videos on CD: €20; all videos on CD: €50