Reversing Basic C++ Objects with Ghidra: Inheritance and Polymorphism (Part 2)

In this video we’ll take a look at several sample programs that use C++ objects, compile them from source and then reverse engineer them with Ghidra. Our goals will be to identify the size/structure of the memory allocation and how it’s used by the object and explore the use of virtual functions and virtual function tables, inheritance and polymorphic behavior. Recognizing the use of C++ objects is helpful a variety of reverse engineering activities, to include malware analysis and software exploitation. This is the second video in a series exploring the reverse engineering of object-oriented languages. Source code can be…

Read more

Excel 4 Macros – Get.Workspace Reference

With the recent resurgence of the use of Excel 4 macros in malicious excel documents, I’ve found myself scouring the internet looking for language references. One such function that was particularly difficult to find documentation for was Get.Workspace, which takes a integer value as an argument and returns information about the environment. Since it appears that it is all but impossible to find Excel 4 macro documentation from Microsoft, I thought I’d create a few posts in the hopes of the content getting indexed and thus easier to find. The source of this information came from this PDF, which used…

Read more

Removing Passwords from VBA Projects

Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros, the password protection is typically encountered when accessing the project through the Office/VBA IDE (which I typically use for dynamic analysis). This happens rare enough that I often forget the steps of removing the password so thought I’d start collecting possible solutions. Word – 2007+ Sample MD5: dc989fa836fa93fe1f158fa490382686Any.Run: https://app.any.run/tasks/dd8ae979-4afc-44ac-99d2-3b57f9d6e2b1Hybrid-Analysis: https://www.hybrid-analysis.com/sample/4bb275b253db05bfa23a677d3db8f78cef0d633bbef19d05e37780f61577153c?environmentId=100 With this type of document, you can rename the original file with a .zip extension, this will allow you to explore the contents. This type of file uses the…

Read more

Maldoc drops DLL and executes via ExecuteExcel4Macro

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of Powershell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why – it was using ExecuteExcel4Macro to load and execute a hidden DLL. Looking at the Macros Using Oledump, several macro streams where identified in this document (17 – 20, 23 – 24). Additionally, it contains a stream OLE 1.0 embedded data (see stream 4 above). This…

Read more

Maldoc uses Windows API to perform process hollowing

A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the code inside, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks through shellcode analysis using Ghidra on YouTube Starting with the Macros To get started, inspect the macros and see where the code begins execution. For this document, this begins with the Document_Open function – which can be found in the ThisDocument stream. As is often…

Read more