MS Office macro analysis

Microsoft Office has a way of automating simple tasks such as creating formatted tables or inserting letterheads: the MS Office macro. Macros are written in Visual Basic for Applications (VBA), which shares its language with Visual Basic scripts. However, macros can be abused to do far more, such as downloading files, creating files, making registry entries, and even deleting files.

First off, we need static tools to read information and extract the macro source from a given Office file. To open MS Office documents, we need to have Microsoft Office installed. The other tool we can use is oletools, which can be downloaded from http://www.decalage.info/en/python/oletools. This set of tools consists of Python scripts and requires Python 2.7 to be installed on your system. The Python installer can be downloaded from https://www.python.org/.

The file we are going to analyze first is https://github.com/PacktPublishing/Mastering-Reverse-Engineering/blob/master/ch13/demo_01.doc. Type the following command into the command line to run olevba.py on demo_01.doc:

python olevba.py demo_01.doc

This extracts information about the VBA source and the source itself:

We can see from the preceding screenshot that the source has two subroutines: autoopen() and autoclose(). olevba.py also notes that these subroutines are tied to the events fired when the document is opened and closed.
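As an added illustration (not from the book or from oletools), the following Python script reproduces the two kinds of findings olevba reports, the AutoExec procedure names and suspicious keywords, on a constructed VBA source resembling demo_01; the procedure and keyword lists are assumptions for this example and are far shorter than olevba's own.

```python
import re

# Event-driven procedure names that Office runs without a click; olevba lists
# these as "AutoExec" (demo_01 uses autoopen and autoclose). Assumed subset.
AUTOEXEC_NAMES = {
    "autoopen": "runs when the document is opened",
    "autoclose": "runs when the document is closed",
    "document_open": "runs when the document is opened",
    "document_close": "runs when the document is closed",
}

# Capabilities beyond formatting that the text warns macros can be abused for.
SUSPICIOUS_KEYWORDS = {
    "URLDownloadToFile": "may download a file from the internet",
    "CreateObject": "may create an OLE automation object (shell, HTTP client, ...)",
    "Shell": "may run an executable or command",
    "Kill": "may delete files",
    "RegWrite": "may write to the registry",
}

# Sub/Function declarations at line start; group 1 is the procedure name.
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)

def find_procedures(vba_source):
    """Names of all Sub/Function declarations, in source order."""
    return PROC_RE.findall(vba_source)

def analyze_vba(vba_source):
    """Classify procedures and keywords the way olevba's analysis table does."""
    procs = find_procedures(vba_source)
    autoexec = [(p, AUTOEXEC_NAMES[p.lower()]) for p in procs if p.lower() in AUTOEXEC_NAMES]
    suspicious = [(kw, why) for kw, why in SUSPICIOUS_KEYWORDS.items()
                  if re.search(r"\b%s\b" % re.escape(kw), vba_source, re.I)]
    return {"procedures": procs, "autoexec": autoexec, "suspicious": suspicious}

# Constructed sample: demo_01's two message-box subroutines plus one extra
# helper added here so the keyword check has something to flag.
SAMPLE_VBA = """\
Sub autoopen()
    MsgBox "Opened"
End Sub
Private Sub autoclose()
    MsgBox "Closed"
End Sub
Sub helper()
    Set o = CreateObject("WScript.Shell")
End Sub
"""
```

Feed analyze_vba() the text olevba extracts from a document and it returns the procedure list, the AutoExec entries and the keyword hits, which is the triage information needed before deciding whether the macro is worth debugging in the VBA Editor.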

The source contains code that pops up messages. Now, let's try to open the document in Microsoft Word. When we do, Microsoft Word may show a security warning that the document contains code. Click on Enable Content so that we can see what the macro can do:

The first message immediately appears:

To debug the code, we need to open up the VBA editor. Select View->Macro. This opens up the Macro dialog box where you can select any Macro name and click on the Edit button:

We are currently using Microsoft Office 2013, so the user interface of the VBA Editor may differ in other versions. In the VBA Editor, we should now see the source code. Pressing F9 on a line of code enables or disables a breakpoint. F8 steps through the code one line at a time. F5 continues running the code. We can start debugging from any of the subroutines. Select the Debug menu to view the other debugging features that are available:

Closing the document will bring up the following message box:

Now, try analyzing demo_02.doc. This will be quite a challenge since we will be looking at how the password can be derived.

Remember that the VBA Editor is the macro developer's console. This is where the macro program was developed and debugged. Thus, to reverse the behavior we are interested in, we can modify the source code itself.

The password for demo_02.doc can be found in the Summary section of this chapter.
