Skip to content

Instantly share code, notes, and snippets.

@rxwx

rxwx/decode.py Secret

Created Jan 22, 2021
Embed
What would you like to do?
Decodes shellcode from Lazarus Macro Docs
from oletools.olevba import VBA_Parser
import uuid
import re
import sys
import os
X64_CHUNKS_REG = re.compile(r'\#If\s+Win64(.*?)\#Else', re.S | re.I)
X86_CHUNKS_REG = re.compile(r'\#Else\s+?Dim(.*?)\#End', re.S | re.I)
UUID_REG = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)
def dump_shellcode(filename, buf, arch):
out = b''
if arch == 'x64':
reg = X64_CHUNKS_REG
else:
reg = X86_CHUNKS_REG
for chunk in re.findall(reg, buf):
for u in re.findall(UUID_REG, chunk):
out += uuid.UUID(u).bytes_le
outfile = 'shellcode_{}_{}.bin'.format(filename, arch)
with open(outfile, 'wb') as f:
f.write(out)
print("Wrote {} shellcode to: {}".format(arch, outfile))
if (len(sys.argv) != 2):
print(' Usage: dump.py <file.doc>')
sys.exit(1)
vbaparser = VBA_Parser(sys.argv[1])
basename = os.path.basename(sys.argv[1])
for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
print(vba_code)
dump_shellcode(basename, vba_code, 'x86')
dump_shellcode(basename, vba_code, 'x64')
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment