A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #4335  by STRELiTZIA
 Fri Jan 07, 2011 6:18 pm
Hello,
Just for fun... :mrgreen:

Tests:
1- Uses a fake "vba32w.dll" to hijack "Vba32Arkit.exe".
2- Uncheck "Use AntiVirus kernel" before testing.

A user-mode hook (WinVerifyTrust proc) is performed to return a valid value for an unsigned application.


Attached: fake "vba32w.dll".

Regards.
 #4336  by EP_X0FF
 Fri Jan 07, 2011 6:20 pm
Hi,

Does it not check its own DLLs before working?

Regards.
 #4338  by EP_X0FF
 Fri Jan 07, 2011 6:26 pm
So in fact you can put any malicious code inside this DLL and the VBA app will execute it. I suppose it runs only with admin privileges.
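
Added example (not part of the thread and not Vba32 code): one way a tool could check the DLLs in its own directory before loading any of them, comparing each file against a pinned SHA-256 hash so the decision does not rest on an in-process WinVerifyTrust call. The function names, the manifest format and the file contents are assumptions made for illustration, and the pinned hashes are assumed to ship inside the signed executable.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hash a file in chunks so large DLLs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_app_dir(app_dir, pinned):
    """Return {dll_name: verdict} for every DLL present and every pinned name."""
    present = {p.name.lower(): p for p in Path(app_dir).iterdir()
               if p.is_file() and p.suffix.lower() == ".dll"}
    findings = {}
    for name, path in present.items():
        if name not in pinned:
            findings[name] = "unexpected"  # DLL planted next to the executable
        elif sha256_file(path) != pinned[name]:
            findings[name] = "modified"    # expected name, different content
        else:
            findings[name] = "ok"
    for name in pinned:
        if name not in present:
            findings[name] = "missing"     # loader would search other paths
    return findings

def safe_to_load(findings):
    """Load nothing unless every DLL in the directory matched its pin."""
    return all(verdict == "ok" for verdict in findings.values())

def demo():
    """Constructed sample: a stand-in DLL, then a swapped copy plus an extra DLL."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d)
        (app / "vba32w.dll").write_bytes(b"constructed stand-in for the vendor DLL")
        pinned = {"vba32w.dll": sha256_file(app / "vba32w.dll")}
        clean = audit_app_dir(app, pinned)
        (app / "vba32w.dll").write_bytes(b"constructed stand-in for a replaced DLL")
        (app / "extra.dll").write_bytes(b"constructed unexpected DLL")
        tampered = audit_app_dir(app, pinned)
        return clean, tampered

if __name__ == "__main__":
    print(demo())
```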