Just a simple script to generate JScript code for calling Win32 API functions using XLM/Excel 4.0 macros via Excel.Application COM object and "ExecuteExcel4Macro" method.
The script will generate a simple payload for performing a very basic shellcode injection by calling VirtualAlloc -> WriteProcessMemory -> CreateThread (just a poc, better options can be considered.)
-o string output payload filename
-sh string Shellcode file path, ex: go run genXLM.go -sh shellcode.bin
-wsh string payload template js/hta, ex: go run genXLM.go -sh shellcode.bin -wsh js
Currently not detected on VT;
-
XLM macros are not being covered by AMSI scans
-
Instantiating Excel.Application COM objects from JS/VBS and calling ExecuteExcel4Macro is not flagged by WinDefender/AMSI
Generate a simple JS using go run genXLM.go -sh shellcode.bin -wsh js
and have a look at the generated js code "self-descriptive".
Check calc.hta, calc.js for examples. shellcode was generated using msfvenom.
Use it for authorized red teaming and/or nonprofit educational purposes only. Any misuse of this script will not be the responsibility of the author. Use it at your own networks and/or with the network owner's permission.