macros are not being hidden or replaced #21
Comments
|
With "visible" do you mean visible in the VBA editor GUI or visible with tools such as olevba? In which module did you copy the macro, ThisDocument or NewMacros? |
|
Visible in the VBA editor. The macro is in the 'NewMacros' module. The 'ThisDocument' module has this code: Private Sub Document_New() End Sub |
|
Can you provide a sample (after treatment with EvilClippy)? |
|
I can. Where should I send or upload it? |
|
Feel free to mail it (stan at outflank nl) or upload it anywhere. Preferably in encrypted zip with password "infected". |
|
I sent it your way in an encrypted rar file. |
|
Unfortunately the email did not come through. Can you upload it via WeTransfer or any other means? Thanks! |
|
I received your sample. The sample did not have module "NewMacros" removed from the dir stream (which hides the module from the GUI). I executed the following steps to successfully remove this module from the dir stream and thereby hide it from the GUI:
Feel free to reopen this issue if your problem persists after these steps. |
I've created a new document, added macro vba from msfvenom, and attempted both of the commands below.
No errors from the commands, but in both cases, the msfvenom macro is still visible in both docs.
Any suggestions?
EvilClippy.exe -g doc32.doc
Hiding module: NewMacros
EvilClippy.exe -s fake.vbs -g -r doc32f.doc
Hiding module: NewMacros
Now stomping VBA code in module: ThisDocument
Now stomping VBA code in module: NewMacros
Setting random ASCII names for VBA modules in dir stream (while leaving unicode names intact).
The text was updated successfully, but these errors were encountered: