Exemplo n.º 1
0
        /// <summary>
        /// We use a few tricks here to obfuscate the Auto_Open Lbl BIFF records.
        /// 1) By default the Lbl Auto_Open record is marked as fBuiltin = true with a single byte 0x01 to represent AUTO_OPEN
        ///    We avoid this easily sig-able series of bytes by using a string instead - which Excel will also process.
        ///    We can use labels like AuTo_OpEn and Excel will still use it - some analyst tools are case sensitive and don't
        ///    detect this.
        /// 2) The string we use for the Lbl can be Unicode, which will further break signatures expecting an ASCII Auto_Open string
        /// 3) We can inject null bytes into the label name and Excel will ignore them when hunting for Auto_Open labels.
        ///    The name manager will only display up to the first null byte - and most excel label parsers will also break on this.
        /// 4) The Unicode BOM character (0xFEFF/0xFFEF) is also disregarded by Excel. We can use this to break detections that will drop
        ///    nulls and look for Auto_Open without being case sensitive. By injecting this with nulls we break most detection.
        /// </summary>
        /// <returns></returns>
        public WorkbookStream ObfuscateAutoOpen(string localizedLabel)
        {
            Random randomUnicodeChar = new Random();

            string[]   badUnicodeChars          = { "\ufefe", "\uffff", "\ufeff", "\ufffe", "\uffef", "\ufff0", "\ufff1", "\ufff6", "\ufefd", "\u0000", "\udddd" };
            int        indexLabel               = 0;
            string     unicodeLabelWithBadChars = "";
            List <Lbl> labels      = GetAllRecordsByType <Lbl>();
            Lbl        autoOpenLbl = labels.First(l => l.fBuiltin && l.Name.Value.Equals("\u0001") ||
                                                  l.Name.Value.ToLower().StartsWith(localizedLabel));
            Lbl replaceLabelStringLbl = ((BiffRecord)autoOpenLbl.Clone()).AsRecordType <Lbl>();

            //Characters that work
            //fefe, ffff, feff, fffe, ffef, fff0, fff1, fff6, fefd, 0000, dddd
            //Pretty much any character that is invalid unicode - though \ucccc doesn't seem to work - need better criteria for parsing

            foreach (char localizedLabelChar in localizedLabel)
            {
                indexLabel = randomUnicodeChar.Next(localizedLabel.Length);
                unicodeLabelWithBadChars += badUnicodeChars[indexLabel] + localizedLabelChar;
            }
            replaceLabelStringLbl.SetName(new XLUnicodeStringNoCch(unicodeLabelWithBadChars, true));
            replaceLabelStringLbl.fBuiltin = false;

            // Hidden removes from the label manager entirely, but doesn't seem to work if fBuiltin is false
            // replaceLabelStringLbl.fHidden = true;

            WorkbookStream obfuscatedStream = ReplaceRecord(autoOpenLbl, replaceLabelStringLbl);

            obfuscatedStream = obfuscatedStream.FixBoundSheetOffsets();
            return(obfuscatedStream);
        }
Exemplo n.º 2
0
        public void TestLabelSerialization()
        {
            WorkbookStream macroWorkbookStream = TestHelpers.GetMultiSheetMacroBytes();

            List <SupBook> supBooks = macroWorkbookStream.GetAllRecordsByType <SupBook>();
            List <Lbl>     labels   = macroWorkbookStream.GetAllRecordsByType <Lbl>();

            Lbl lastLabel  = labels.Last();
            Lbl cloneLabel = ((BiffRecord)lastLabel.Clone()).AsRecordType <Lbl>();

            byte[] labelBytes = lastLabel.GetBytes();
            byte[] cloneBytes = cloneLabel.GetBytes();

            Assert.AreEqual(labelBytes, cloneBytes);
        }
Exemplo n.º 3
0
        /// <summary>
        /// We use a few tricks here to obfuscate the Auto_Open Lbl BIFF records.
        /// 1) By default the Lbl Auto_Open record is marked as fBuiltin = true with a single byte 0x01 to represent AUTO_OPEN
        ///    We avoid this easily sig-able series of bytes by using a string instead - which Excel will also process.
        ///    We can use labels like AuTo_OpEn and Excel will still use it - some analyst tools are case sensitive and don't
        ///    detect this.
        /// 2) The string we use for the Lbl can be Unicode, which will further break signatures expecting an ASCII Auto_Open string
        /// 3) We can inject null bytes into the label name and Excel will ignore them when hunting for Auto_Open labels.
        ///    The name manager will only display up to the first null byte - and most excel label parsers will also break on this.
        /// 4) The Unicode BOM character (0xFEFF/0xFFEF) is also disregarded by Excel. We can use this to break detections that will drop
        ///    nulls and look for Auto_Open without being case sensitive. By injecting this with nulls we break most detection.
        /// </summary>
        /// <returns></returns>
        public WorkbookStream ObfuscateAutoOpen()
        {
            List <Lbl> labels      = GetAllRecordsByType <Lbl>();
            Lbl        autoOpenLbl = labels.First(l => l.fBuiltin && l.Name.Value.Equals("\u0001") ||
                                                  l.Name.Value.ToLower().StartsWith("auto_open"));
            Lbl replaceLabelStringLbl = ((BiffRecord)autoOpenLbl.Clone()).AsRecordType <Lbl>();

            //Characters that work
            //fefe, ffff, feff, fffe, ffef, fff0, fff1, fff6, fefd, 0000, dddd
            //Pretty much any character that is invalid unicode - though \ucccc doesn't seem to work - need better criteria for parsing
            //TODO [Stealth] Randomize which invalid unicode characters are injected into this string
            replaceLabelStringLbl.SetName(new XLUnicodeStringNoCch("\u0000A\uffffu\u0000\ufefft\ufffeo\uffef_\ufff0O\ufff1p\ufff6e\ufefdn\udddd", true));
            replaceLabelStringLbl.fBuiltin = false;

            // Hidden removes from the label manager entirely, but doesn't seem to work if fBuiltin is false
            // replaceLabelStringLbl.fHidden = true;

            WorkbookStream obfuscatedStream = ReplaceRecord(autoOpenLbl, replaceLabelStringLbl);

            obfuscatedStream = obfuscatedStream.FixBoundSheetOffsets();
            return(obfuscatedStream);
        }
Exemplo n.º 4
0
        public void TestChangeLabel()
        {
            WorkbookStream macroWorkbookStream = new WorkbookStream(TestHelpers.GetMacroTestBytes());
            List <Lbl>     labels = macroWorkbookStream.GetAllRecordsByType <Lbl>();

            Lbl autoOpenLbl = labels.First(l => l.fBuiltin && l.Name.Value.Equals("\u0001"));

            Lbl replaceLabelStringLbl = ((BiffRecord)autoOpenLbl.Clone()).AsRecordType <Lbl>();

            replaceLabelStringLbl.SetName(new XLUnicodeStringNoCch("Auto_Open", true));
            replaceLabelStringLbl.fBuiltin = false;

            var cloneLabel  = ((BiffRecord)replaceLabelStringLbl.Clone()).AsRecordType <Lbl>();
            var cBytes      = cloneLabel.GetBytes();
            var rLabelBytes = replaceLabelStringLbl.GetBytes();

            Assert.AreEqual(rLabelBytes, cBytes);
            macroWorkbookStream = macroWorkbookStream.ReplaceRecord(autoOpenLbl, replaceLabelStringLbl);
            macroWorkbookStream = macroWorkbookStream.FixBoundSheetOffsets();

            ExcelDocWriter writer = new ExcelDocWriter();

            writer.WriteDocument(TestHelpers.AssemblyDirectory + Path.DirectorySeparatorChar + "changedLabel.xls", macroWorkbookStream.ToBytes());
        }