Introduction

Why can’t I pwn my friends anymore? It seems like all my Metasploit magic is getting caught—even my modified, secret-sauce payloads. DEP. ASLR. EDRs. Sandboxes. Whitelists. It’s no fun anymore!

So, you thought you were a 1337 h4x0r? You thought you had mad ‘sploit-writing, shell-popping skillz? First, you learned Python (so easy), then C (a little deeper in the weeds), then assembly (down the rabbit hole), and finally straight binary (cuz programming languages are for muggles). But now your ‘sploits are getting flagged and your obfuscation Kung Fu isn’t saving you from the big bad EDRs out there. What to do? You can’t follow the rabbit any further down the rabbit hole, right? Maybe you should just go back, take the blue pill, and live a life of blissful ignorance in the land of macros. Yes, let’s party like it’s 1999. ILOVEYOU, Melissa! You may have thought that macro viruses went the way of 56K modems, but they’re back baby!

Macro-based malware was all the rage back in the 90s, but then Microsoft got smart and disabled a lot of the automatic script execution by default. This forced hackers into an arms race with a race to the bottom. Who could dive deeper? But now these older attacks are making a comeback. However, these are not the simple macro attacks of your grandpa’s generation. They are getting more sophisticated. They are utilizing encryption, social engineering, and abusing objects in ways we haven’t seen before. Default security policies have disabled most macros, but it only takes one user to be convinced to enable the macros, and we all know users are always the weak point. Reverting to these old macro-based attacks can provide a useful alternative when modern security measures got you down.

VBA

What are these macro things anyway? I heard my dad mention them once when he was showing off his new-fangled Word automation and claiming to be an Excel guru, but then I ignored him and went back to pwning n00bs.

Well, “macros” are really just the entry point into the world of yesterday…I mean the world of Visual Basic for Applications (VBA), which is a simple programming language. VBA is an offshoot of Visual Basic, a computer language that Microsoft developed in the 90s. You may have encountered VBScript before, but while it's vaguely familiar, it's also frustratingly different. This programming language is exposed to advanced Office users to help automate tasks and accomplish complex tasks. The Office suite exposes a variety of events, features and objects that can be used to manipulate documents, databases, forms, spreadsheets, presentations, and ultimately the computer itself. VBA really allows a programmer to perform nearly any operation by a user, like mouse clicks, key presses, opening dialog boxes, saving files, inputting data, etc. And, as an added perk, VBA is built into Office. So, while the version and features may have changed slightly, the core functionality and capabilities have been there waiting to be used and abused since Office 97 and up to and including Office 365.

VBA might look like other programming languages, but at the same time, it can be a little challenging. VBA is, at its heart, an object-based language, like Python, C++, or other scripting languages. Microsoft Office applications expose various objects, methods, properties, etc., which the programming language can use. VBA interacts with the application by taking advantage of these objects and sending instructions or calling methods. This object model not only exposes Microsoft Office objects but underlying operating system objects as well as other libraries and components. I’m assuming you have some basic programming knowledge, but just so we are all on the same page: objects represent different parts of the document or application itself, e.g., the current document, page, workbook, worksheet, cell, and slide. Methods are functions associated with a specific object, e.g., Save and Select. Properties are data or variables associated with specific objects, e.g., Value and Content. In addition to the general object model, there are other generic functions that can take arguments and return values. These arguments can be objects or more simple types.

Macros

OK, OK, I get it. VBA is an old-school, object-oriented programming language that interacts with Microsoft Office applications through exposed objects, methods, properties, and functions. But what are macros, really?

Now that you have a basic understanding of VBA, you probably want to start calling methods and messing with properties. VBA is a programming language after all, and you probably want to get your hands dirty and start programming. But first, let’s look at how most users take advantage of this powerful scripting engine via the macro. Macros are really just procedures. They are a group of commands that perform a specific task. You can think of them as functions or subroutines. They contain the code that most users use to automate routine tasks. You can write macros the programmer way, or you can do what joe user does and “record” a macro. Once a macro has been created, or recorded, it can then be run within the current application.

Developer tab

First things first. It used to be a lot easier to access and run macros, but then early virus writers started taking advantage of them, remember? So, Microsoft made it slightly more difficult to access and utilize macros. Now you have to enable the Developer tab so you can actually access the macro features as well as the Visual Basic Editor (which will become your friend).

1. On the File tab, choose Options to open the Options dialog box.
2. Choose Customize Ribbon on the left side of the dialog box.
3. Under Choose commands from on the left side of the dialog box, select Popular Commands.
4. Under Customize the Ribbon on the right side of the dialog box, select Main Tabs in the drop-down list box, and then select the Developer check box.
5. Choose OK.

Great, now you should have the Developer tab along the top. Once you select the Developer tab, you should see some fun new buttons including the Visual Basic editor and Macros. You should also have the Record Macro button and Macro Security buttons.

Macro Security

Besides the annoying pop-up asking, if you want to enable macros, there are several other macro security features and gotchas. First, to protect/alert users against documents containing possibly dangerous macros, you cannot save macros into a standard Office document with the standard file extension. Documents with macros enabled have a special extension that typically swaps out the x (for XML) with an m (for macro-enabled), e.g., .docm instead of .docx.

Second, as mentioned before, the default setting for Office disables macros from running. Instead, you receive the golden drop-down bar asking you to enable macros. However, there are a couple of exceptions to this rule: trusted documents, trusted locations, and trusted publishers. These can all be established under the macro security settings. There are a few default trusted locations.

Recording a Macro

Yeah, yeah. So what’s this macro recording?

Now that we have covered some of the basics on macros, let’s look at the way most users create them: recording a macro. The Record Macro button is located on the Developer tab. When you record a macro, the Office application automatically generates the VBA code to replicate the actions that you record. This is an easy way to get started and see some of the underlying code behind specific actions you want to perform. It is the first and final step for most Office users. However, as with most generated code, it can be convoluted and inefficient.

1. Open an Office application (Word or Excel—apparently PowerPoint was too tricky) and choose the Developer tab in the ribbon.
2. Choose Record Macro and fill in the properties in the Record Macro dialog box, including the name of the macro, shortcut, description, and location. Accepting the defaults is just fine to start.
3. Once you click OK, all of your actions will be recorded: every click, data entry, selection, everything.
4. If you noticed, the button text changes from Record Macro to Stop Recording. Press that button when you complete the actions that you want to record.
5. Optional. Now you can choose Macros on the Developer tab and select the macro you just created. You can then Edit the macro to view the code that was automatically generated in the Visual Basic Editor.

As a quick side note, the macro recording may miss some things and capture other things (like scrolling and every little click), so it definitely pays to review the macro code and try to optimize and add anything that was missed.

Visual Basic Editor

Sure, I can create these basic automations, but I want to play with actual code. How do I get my hands dirty and actually play with functions and objects? What is this Visual Basic Editor you speak of?

Recording a macro can only get you so far, so now let’s look under the hood. The Visual Basic Editor is your go-to tool for creating and modifying code. You can open the editor using the Visual Basic button under the Developer tab or by using the shortcut Alt+F11. The editor opens in a completely separate window from the Office application. Each Office application has an application-specific editor with application-specific support. The Visual Basic Editor should look like most IDEs that you’ve used before, like Visual Studio, Eclipse, or PyCharm. It has a Project frame, Properties frame, Immediate frame, Watches frame, and your main code writing area.

The Project frame displays a tree structure of your current VBA project. This lists the objects (workbooks, documents, etc.), forms, and modules. The modules are what contains your macro and function code. If you don’t see a module folder, then you probably haven’t added any VBA code or macros to the project yet. You can do that using the by selecting Insert, then Module.

The Immediate frame is used primarily during testing and debugging. You will probably use this most as the output window for your Debug.Print statements. This can be useful when debugging your code. The Immediate frame is hidden by default, so you’ll want to enable it under the View menu.

The Watch frame is similar to other debugger watch windows. It lets you observe variable values when your code is running/being debugged. In order to watch a variable, you need to select your variable’s text in the code frame and click the Add Watch button. The variable should then be visible in the Watch frame and should be populated as the VBA code runs.

Finally, the main coding frame is the big one in the center where you will do most of your actual coding. This is where you write and edit your Visual Basic. We will cover the programming language later, but this editor is similar to most coding editors: keywords are highlighted, tab completion exists for most methods, objects, etc., and help and suggestions are readily available. The language itself is not case-dependent nor are indentations mandatory, but both can help.

Stay tuned for Basic VBA for Script Kiddies…