Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: VBA and P-code SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
VBA and P-code

I want to draw your attention to some great work Dr. Bontchev did.

pcodedmp.py is a VBA P-code disassembler. Microsoft Office documents contain VBA macros in several forms. They contain the source code, but also compiled P-code. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code. Here is the output from his pcodedmp.py tool for his PoC document:

python pcodedmp.py -d poc2b.doc

Processing file: poc2b.doc
===============================================================================
Module streams:
Macros/VBA/ThisDocument - 1949 bytes
Line #0:
        FuncDefn (Sub / Property Set) func_00000078
Line #1:
        LitStr 0x001D "This could have been a virus!"
        Ld vbInformation
        Ld vbOKOnly
        Add
        LitStr 0x0006 "Virus!"
        ArgsCall MsgBox 0x0003
Line #2:
        LitStr 0x0008 "calc.exe"
        Paren
        ArgsCall Shell 0x0001
Line #3:
        EndSub

 

Dr. Bontchev also coded a plugin for oledump.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

 DidierStevens

429 Posts
ISC Handler
Subscribe Sep 26th 2016
3 years ago
Do you know if the AV vendors tend to scan for Malware/Viruses based on Source of P-code content ?
 Anonymous
Quote Sep 27th 2016
3 years ago
sorry, should have been "Source OR P-Code content ?"
 Anonymous
Quote Sep 27th 2016
3 years ago
From the few tests that I did, I say source code.
 DidierStevens

429 Posts
ISC Handler
Quote Sep 27th 2016
3 years ago

Sign Up for Free or Log In to start participating in the conversation!