Decodes shellcode from Lazarus Macro Docs
from oletools.olevba import VBA_Parser | |
import uuid | |
import re | |
import sys | |
import os | |
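# The macro keeps its payload in a VBA conditional-compilation block:
# the text between `#If Win64` and `#Else` is the 64-bit variant, the text
# between `#Else ... Dim` and `#End` the 32-bit one.  Both patterns are tuned
# to that exact layout; a sample with a different branch structure needs
# the patterns adjusted rather than the decoder.
X64_CHUNKS_REG = re.compile(r'\#If\s+Win64(.*?)\#Else', re.S | re.I)
X86_CHUNKS_REG = re.compile(r'\#Else\s+?Dim(.*?)\#End', re.S | re.I)
# Textual UUIDs (8-4-4-4-12 hex groups); each one carries 16 payload bytes.
UUID_REG = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)
# Branch pattern per architecture.  Anything other than 'x64' selects the
# x86 branch, matching the original if/else selection.
CHUNK_REGS = {'x64': X64_CHUNKS_REG, 'x86': X86_CHUNKS_REG}


def extract_shellcode(buf, arch):
    """Return the UUID-encoded shellcode in *buf* for *arch* as bytes.

    Args:
        buf: VBA source text (the macro code, as extracted by olevba).
        arch: 'x64' or 'x86'; any other value is treated as 'x86'.

    Returns:
        The concatenated payload, in document order, or b'' when no
        matching branch or no UUID string was found.
    """
    reg = CHUNK_REGS.get(arch, X86_CHUNKS_REG)
    # bytes_le is the little-endian in-memory UUID struct layout, not the
    # byte order of the textual form; the original decoder used it, so the
    # macro presumably rebuilds the payload through a native UUID-from-string
    # conversion -- keep it unless a sample proves otherwise.
    return b''.join(
        uuid.UUID(u).bytes_le
        for chunk in reg.findall(buf)
        for u in UUID_REG.findall(chunk)
    )


def dump_shellcode(filename, buf, arch):
    """Decode the *arch* payload from *buf* and write it next to the cwd.

    Args:
        filename: Name used to label the output file.  Callers pass a bare
            base name; the value is not sanitised here, so pass
            os.path.basename() of any user-supplied path.
        buf: VBA source text to search.
        arch: 'x64' or 'x86' (see extract_shellcode).

    Returns:
        The decoded bytes (possibly empty).

    Side effects:
        Writes shellcode_<filename>_<arch>.bin in the current directory when
        something was decoded, and prints a status line.  When nothing was
        found no file is written, so an empty .bin can never be mistaken
        for a successful extraction.
    """
    out = extract_shellcode(buf, arch)
    outfile = 'shellcode_{}_{}.bin'.format(filename, arch)
    if not out:
        print("No {} shellcode found in macro; skipping {}".format(arch, outfile))
        return out
    with open(outfile, 'wb') as f:
        f.write(out)
    print("Wrote {} shellcode to: {}".format(arch, outfile))
    return out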
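def main(argv=None):
    """Command-line entry point: dump both payload variants from one document.

    Usage: dump.py <file.doc>

    Args:
        argv: Argument vector to parse; defaults to sys.argv.

    Exits with status 1 on wrong usage.  For every macro module found,
    prints the VBA source and writes the x86 and x64 shellcode files
    (see dump_shellcode) into the current directory.
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 2:
        print(' Usage: dump.py <file.doc>')
        sys.exit(1)
    path = argv[1]
    # Only the document's base name labels the output files, so a directory
    # component in the argument never becomes part of the written path.
    basename = os.path.basename(path)
    vbaparser = VBA_Parser(path)
    try:
        for (_filename, _stream_path, _vba_filename, vba_code) in vbaparser.extract_macros():
            # Echo the macro so the analyst sees the decoder stub next to
            # the extracted payload.
            print(vba_code)
            dump_shellcode(basename, vba_code, 'x86')
            dump_shellcode(basename, vba_code, 'x64')
    finally:
        # Release the parser's open file handles even if decoding fails.
        vbaparser.close()


if __name__ == '__main__':
    main()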