3. Malicious XLL using Golang
#golang #maldev #malwaredevelopment #persistence #shellcoderunner #excelplugin #xll
Introduction
The primary reason for writing Microsoft Excel XLLs and using the C API is to create high-performance worksheet functions. The applications of high-performance functions—and, starting in Excel 2007, the ability to write multithreaded interfaces to powerful server resources—make it a very important part of Excel extensibility. The performance of XLLs was further enhanced in Excel 2007 by the addition of new data types and, most important, support for multithreading.
To create an XLL (from a DLL) we need to have as a minimum an to export the xlAutoOpen function. Excel calls the xlAutoOpen function whenever the XLL is activated. The add-in will be activated at the start of an Excel session if it was active in the last Excel session that ended normally. The add-in is activated if it is loaded during an Excel session. The add-in can be deactivated and reactivated during an Excel session, and the function is called on reactivation.
That's a good place to add our shellcode running code, although we don't have to. We might be able to bypass anti-malware engines by inserting our code in the xlAutoClose function.
We take the code from the Malicious dll and modify the shrun function to xlAutoOpen and rename the compiled dll to xll.
So we execute the code using
go build -buildmode=c-shared -o maliciousxll.xll
Double clicking on the xll opens excel:
We then see the calculator pop up
If we are targeting the 32-bit version of office we should use a 32-bit shellcode and compile the dll as a 32-bit dll.
Complete Code
Last updated