
VBA Shellcode and Windows 10, (Fri, Nov 18th)

2016-11-20 01:20

I tested the process replacement maldoc (Hancitor Maldoc Bypasses Application Whitelisting) on Windows 10 and Word 2016. It's not blocked.

However, it's not stable. The shellcode is executed and the embedded malware is launched (9 times out of 10 successfully), but then the Word process crashes.
To be 100% sure, I made my own PoC Word document that injects shellcode and then starts calculator. This PoC is always successful on Windows 10 without EMET, and doesn't crash the Word process. As expected, when EMET is installed on Windows 10, execution of the shellcode is blocked and calc.exe can't be launched.
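The PoC document itself is not reproduced in the diary. What a defender usually wants at this point is a way to spot such a document before it runs. The following is an added example, not code from the diary or from Didier Stevens: a heuristic scanner for VBA source (as extracted by any OLE/VBA dumping tool) that looks for the allocate / copy / execute chain of Win32 Declare statements plus an embedded byte array. The API names it keys on are the conventional in-process shellcode loader pattern and are an assumption for illustration; the entry does not say which calls its PoC uses. The two macro samples are constructed inline and contain placeholder numbers, not shellcode.

```python
"""Heuristic scanner for VBA source that looks like an in-process shellcode injector.

Added example, not the diary's PoC. The API sets below are an assumption: they
are the usual allocate / copy / execute chain of VBA shellcode loaders, not a
description of the PoC document the diary tested. Input is VBA source text
obtained with any macro extractor; the samples at the bottom are constructed.
"""
import re
from typing import Dict, List

# Stage 1: obtain (or make) executable memory.
MEM_APIS = {"virtualalloc", "virtualallocex", "virtualprotect", "heapcreate"}
# Stage 2: copy the byte array into that memory.
COPY_APIS = {"rtlmovememory", "rtlcopymemory", "writeprocessmemory"}
# Stage 3: transfer control, directly or via a callback-taking API.
EXEC_APIS = {"createthread", "createremotethread", "enumsystemlocales",
             "callwindowproc", "setwindowshookex", "queueuserapc"}

# Matches both 32-bit "Declare Function" and 64-bit "Declare PtrSafe Function".
DECLARE_RE = re.compile(
    r'^\s*(?:private\s+|public\s+)?declare\s+(?:ptrsafe\s+)?(?:function|sub)\s+'
    r'(\w+)\s+lib\s+"([^"]+)"(?:\s+alias\s+"([^"]+)")?',
    re.IGNORECASE | re.MULTILINE,
)
# 32 or more comma-separated byte-sized literals (decimal or &H hex) in a row:
# the usual way a shellcode blob is embedded in a macro.
BYTE_RUN_RE = re.compile(r'(?:(?:-?\d{1,3}|&H[0-9A-Fa-f]{1,2})\s*,\s*){32,}')


def _api_name(declared: str, alias: str) -> str:
    """The real export is the Alias when present; drop a trailing A/W suffix."""
    name = (alias or declared).lower()
    if len(name) > 1 and name[-1] in "aw":
        name = name[:-1]
    return name


def scan_vba(source: str) -> Dict[str, object]:
    """Return the Declare statements found, which injection stages they cover,
    the number of embedded byte runs, and a low/medium/high verdict."""
    declares: List[Dict[str, str]] = []
    mem, copy, exec_ = set(), set(), set()
    for declared, lib, alias in DECLARE_RE.findall(source):
        api = _api_name(declared, alias)
        declares.append({"name": declared, "lib": lib.lower(), "api": api})
        if api in MEM_APIS:
            mem.add(api)
        elif api in COPY_APIS:
            copy.add(api)
        elif api in EXEC_APIS:
            exec_.add(api)
    byte_runs = len(BYTE_RUN_RE.findall(source))
    stages = sum(1 for s in (mem, copy, exec_) if s)
    # All three stages, or two stages plus an embedded blob, is the full loader.
    if stages == 3 or (stages == 2 and byte_runs):
        verdict = "high"
    elif stages:
        verdict = "medium"
    else:
        verdict = "low"
    return {"declares": declares, "mem": sorted(mem), "copy": sorted(copy),
            "exec": sorted(exec_), "byte_runs": byte_runs, "verdict": verdict}


# Constructed sample: the classic loader shape with placeholder bytes (0..39),
# not shellcode.
SAMPLE_INJECTOR = (
    'Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" '
    '(ByVal lpAddress As LongPtr, ByVal dwSize As Long, ByVal flAllocationType As Long, '
    'ByVal flProtect As Long) As LongPtr\n'
    'Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" '
    '(ByVal Destination As LongPtr, ByRef Source As Any, ByVal Length As Long) As LongPtr\n'
    'Private Declare PtrSafe Function CreateThread Lib "kernel32" '
    '(ByVal lpThreadAttributes As LongPtr, ByVal dwStackSize As Long, ByVal lpStartAddress As LongPtr, '
    'lpParameter As LongPtr, ByVal dwCreationFlags As Long, lpThreadId As LongPtr) As LongPtr\n'
    "\nSub AutoOpen()\n"
    "    Dim buf As Variant, mem As LongPtr, i As Long\n"
    "    buf = Array(" + ", ".join(str(i) for i in range(40)) + ")\n"
    "    mem = VirtualAlloc(0, UBound(buf) + 1, &H3000, &H40)\n"
    "    For i = 0 To UBound(buf)\n"
    "        RtlMoveMemory mem + i, CByte(buf(i)), 1\n"
    "    Next i\n"
    "    CreateThread 0, 0, mem, 0, 0, 0\n"
    "End Sub\n"
)

# Constructed sample: a harmless macro that also uses Declare.
SAMPLE_BENIGN = (
    'Private Declare PtrSafe Function MessageBoxA Lib "user32" Alias "MessageBoxA" '
    '(ByVal hWnd As LongPtr, ByVal lpText As String, ByVal lpCaption As String, '
    'ByVal uType As Long) As Long\n'
    "\nSub AutoOpen()\n"
    '    MessageBoxA 0, "hello", "demo", 0\n'
    "End Sub\n"
)

if __name__ == "__main__":
    for label, src in (("injector", SAMPLE_INJECTOR), ("benign", SAMPLE_BENIGN)):
        r = scan_vba(src)
        print(f"{label}: verdict={r['verdict']} mem={r['mem']} copy={r['copy']} "
              f"exec={r['exec']} byte_runs={r['byte_runs']}")
```

A "high" verdict means the macro declares the complete chain (or two stages plus an embedded blob); a single stage alone is only "medium", since VirtualAlloc or CreateThread can appear in legitimate automation. The check is purely static and is easily defeated by string building or ordinal aliases, so treat it as a triage filter, not a replacement for detonating the document under EMET-style mitigations as the diary does.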

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: isc.sans.edu/diary.html?storyid=21729&rss
