This project automates the conversion of Windows executables into VBA macros, embedding them in Word documents to enable silent code execution upon opening.

mtgsoftworks/DOC-Silent-Arbitrary-Code-Execution-Builder-Exploit

DOC Silent Arbitrary Code Execution Builder Exploit

Overview:

This script is designed to convert a Windows executable file (.exe) into a VBA (Visual Basic for Applications) macro that can be embedded into a Word document (.docm). This allows the execution of arbitrary code when the document is opened. The script is Windows-specific and uses various Windows APIs and libraries like winreg, win32com.client, and os.

Script Breakdown:

Imports and Setup:

The script begins by importing several modules:

  • os, sys: For file and system operations.
  • winreg: For interacting with the Windows registry.
  • contextlib: Provides utilities for working with context managers.
  • win32api, win32com.client: Windows APIs for interacting with applications like Word.
  • argparse: For parsing command-line arguments (though not fully utilized here).

The script then checks if it's running on a Windows system. If not, it exits.

Suppress Context Manager:

A custom context manager, suppress, is defined to suppress specific exceptions. This is useful when you want to ignore certain errors and continue execution.

_createRegKeys Function:

This function creates or modifies specific registry keys to enable macros in Microsoft Office applications (Word, Excel, PowerPoint). It checks the installed version of these applications and sets the necessary registry keys to enable VBA macros.

_multiFilesExportFolder Function:

This function generates a unique folder name by appending a counter to the folder name. It's used to avoid overwriting existing folders when exporting files.

WordDocument Class:

This class represents a Word document and provides methods to export the document to different formats (.doc or .docm).

  • __init__: Initializes the class with the document path and sets up the registry keys.
  • _export: Handles the actual export process using Word's COM interface. It opens the document, exports it in the desired format, and then closes it.
  • _validateArgs: Validates the arguments passed to the export methods (like export folder and file name) and ensures that they are in the correct format.
  • toDocm and toDoc: These methods export the document to .docm and .doc formats, respectively.

enableVbomWord and disableVbomWord Functions:

These functions enable and disable the "Access to VBA project object model" setting in Word. This setting allows the script to programmatically add VBA code to the document.
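For defenders, the registry changes described for _createRegKeys and enableVbomWord are an observable precursor. The following is an added example, not code from this repository: it flags registry-write events that set Office macro security values to their permissive settings. The value names VBAWarnings and AccessVBOM are the standard Office names for these settings (the page does not name them), and the event records and SID are constructed, shaped like Sysmon Event ID 13 fields.

```python
import re

# Office security values and the DWORD data considered permissive:
# VBAWarnings=1 enables all macros; AccessVBOM=1 trusts access to the VBA project.
WEAK_SETTINGS = {"vbawarnings": {1}, "accessvbom": {1}}

# ...\Software\[Policies\]Microsoft\Office\<version>\<app>\Security\<value>
KEY_RE = re.compile(
    r"\\software\\(?:policies\\)?microsoft\\office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>word|excel|powerpoint)\\security\\(?P<value>[a-z]+)$",
    re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]+)\)")

# Writers that can change these values through the Trust Center UI
# (assumption: tune this allow-list for your environment).
EXPECTED_WRITERS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def weak_office_writes(events):
    """Return a finding for each event that sets a permissive macro setting."""
    findings = []
    for ev in events:
        m = KEY_RE.search(ev["TargetObject"])
        d = DWORD_RE.search(ev["Details"])
        if not m or not d:
            continue
        name, data = m["value"].lower(), int(d.group(1), 16)
        if data not in WEAK_SETTINGS.get(name, ()):
            continue
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "app": m["app"].lower(), "value": name, "writer": writer,
            "severity": "medium" if writer in EXPECTED_WRITERS else "high",
        })
    return findings

# Constructed sample events (not from the page); the SID is a placeholder.
_OFFICE = r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Office\16.0"
SAMPLE_EVENTS = [
    {"Image": r"C:\Python311\python.exe",
     "TargetObject": _OFFICE + r"\Word\Security\AccessVBOM",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Python311\python.exe",
     "TargetObject": _OFFICE + r"\Excel\Security\VBAWarnings",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetObject": _OFFICE + r"\Word\Security\VBAWarnings",
     "Details": "DWORD (0x00000002)"},   # notify-before-enable: not flagged
]
```

A write by a scripting host or other non-Office process is rated high because users normally change these settings only through the Office Trust Center.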

wordMacro Function:

This function embeds a VBA macro into a Word document. It reads the macro from a file, adds it to the document, removes personal information from the document, and then saves and closes the document.

PE to VBA Conversion Functions:

  • is_printable: Checks if a character is printable and not a double quote (").
  • pe_to_vba: Converts a PE (Portable Executable) file to a VBA macro. It reads the binary content of the PE file and converts it into a string format that can be embedded into VBA code.
  • apply_template: Applies the generated VBA code to a template VBA file (RunPE.vba), which is used to execute the PE file when the Word document is opened.

main Function:

The main function ties everything together:

  • Prompts the user for the input .exe file.
  • Converts the .exe file to a VBA macro.
  • Saves the generated VBA code to a file.
  • Prompts the user for the input .doc file.
  • Converts the .doc file to .docm.
  • Embeds the generated VBA macro into the .docm file.
  • Converts the final .docm file back to .doc, completing the process.

Execution:

The script is executed by calling the main function when the script is run directly.

RunPE VBA Script

This VBA script implements the RunPE technique, which is used to execute a Portable Executable (PE) file within the memory space of another process on a Windows system. It does so by leveraging several Windows API functions to manipulate process memory and execution contexts.

Features:

  • Windows API Integration: Utilizes low-level Windows API functions to interact with system processes.
  • 64-bit Compatibility: The script is designed to be compatible with 64-bit Windows systems using the PtrSafe keyword for pointer operations.

Disclaimer:

This script demonstrates advanced process injection techniques and should be used responsibly. It is intended for educational purposes and legal, ethical use cases only. Unauthorized use of this script for malicious activities is strictly prohibited.


Note: The RunPE technique is often associated with malware development. Please ensure you have the proper authorization before using or sharing this code.

How to Use:

Run the script on a Windows machine. Follow the prompts to provide the necessary input files. The script will generate a Word document with an embedded VBA macro that executes the provided executable file when opened.

Important Notes:

  • This script is designed for Windows only and leverages the Windows COM API to interact with Microsoft Word.
  • The script requires administrative privileges to modify the Windows registry and enable VBA macros.
  • The use of this script for malicious purposes is illegal and unethical. It should only be used for educational purposes or in a controlled, legal environment.

Final Thoughts:

This script demonstrates the power and potential risks of combining Python with the Windows API and Microsoft Office's COM interface. It highlights how seemingly benign documents can be weaponized to execute arbitrary code, emphasizing the importance of security practices like disabling macros and being cautious with unknown files.

Warning: This script is intended for educational purposes only. The author assumes no responsibility for any direct or indirect damage, loss, or liability caused by the use or misuse of this code. Use it at your own risk and always ensure you have proper authorization before running this script on any system. By using this code, you agree that you are solely responsible for any consequences that may arise.
