From 43fc8a35163d2915d5b7f44615ca8f4594f9d0f4 Mon Sep 17 00:00:00 2001 From: Ama Smuggle Avocados <47680420+amasmuggleavocados@users.noreply.github.com> Date: Fri, 11 Dec 2020 09:52:24 -0500 Subject: [PATCH] Extractmemory (#1318) * initial push for T1005 (Extract Memory via VBA) * updates * updates * update * update * moved to T1059.005 Co-authored-by: avocado Co-authored-by: Carrie Roberts --- atomics/T1059.005/T1059.005.yaml | 34 +++++++++++ atomics/T1059.005/src/T1059_005-macrocode.txt | 57 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 atomics/T1059.005/src/T1059_005-macrocode.txt diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index d4a38b2b..53b543be 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml @@ -28,6 +28,7 @@ atomic_tests: Remove-Item $env:TEMP\sys_info.vbs -ErrorAction Ignore Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore name: powershell + - name: Encoded VBS code execution auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa description: | 
@@ -59,3 +60,36 @@ atomic_tests:
 Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null
 name: powershell
+- name: Extract Memory via VBA
+ auto_generated_guid:
+ description: |
+ This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this
+ we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that
+ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin.
+ supported_platforms:
+ - windows
+ input_arguments:
+ ms_product:
+ description: Maldoc application Word
+ type: String
+ default: Word
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ Microsoft #{ms_product} must be installed
+ prereq_command: |
+ try {
+ New-Object -COMObject "#{ms_product}.Application" | Out-Null
+ $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"}
+ Stop-Process -Name $process
+ exit 0
+ } catch { exit 1 }
+ get_prereq_command: |
+ Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement"
+ executor:
+ command: |
+ IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1")
+ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"
+ cleanup_command: |
+ Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore
+ name: powershell
\ No newline at end of file
diff --git a/atomics/T1059.005/src/T1059_005-macrocode.txt b/atomics/T1059.005/src/T1059_005-macrocode.txt
new file mode 100644
index 00000000..fa5bcfa4
--- /dev/null
+++ b/atomics/T1059.005/src/T1059_005-macrocode.txt
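Review bot: The `cleanup_command` removes `$env:TEMP\atomic_t1059_005_test_output.bin`, but the macro this test runs (`Extract` in `T1059_005-macrocode.txt`, added in the next hunk) writes `Environ("TEMP") + "\atomic_t1005_test_output.bin"`, so the artifact the test actually creates is never cleaned up and the `description` names a file that is never written; align all three on one name, e.g. change the macro to `outDir = Environ("TEMP") + "\atomic_t1005_test_output.bin"` → `"\atomic_t1059_005_test_output.bin"` (the string `"Atomic T1005 test"` is a leftover of the same move). `auto_generated_guid:` is left empty while the other tests in this file carry one (`e8209d5f-…` just above). The `executor` hard-codes `-officeProduct "Word"` even though the test declares an `ms_product` input argument that the prerequisite already interpolates; `-officeProduct "#{ms_product}"` keeps the two consistent. The executor also fetches `Invoke-MalDoc.ps1` from the `master` branch at run time, so what the test does depends on whatever that branch holds when it runs rather than on this repository — a commit-pinned URL would make the test reproducible and reviewable.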
@@ -0,0 +1,57 @@
+Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (var() As Any) As LongPtr
+
+#If Win64 Then
+ Public Const PTR_LENGTH As Long = 8
+#Else
+ Public Const PTR_LENGTH As Long = 4
+#End If
+
+Public Declare PtrSafe Sub Mem_Copy Lib "kernel32" Alias "RtlMoveMemory" ( _
+ ByRef Destination As Any, _
+ ByRef Source As Any, _
+ ByVal Length As Long)
+
+Function HexPtr(ByVal Ptr As LongPtr) As String
+ HexPtr = Hex$(Ptr)
+ HexPtr = String$((PTR_LENGTH * 2) - Len(HexPtr), "0") & HexPtr
+End Function
+
+Public Function Mem_ReadHex(ByVal Ptr As LongPtr, ByVal Length As Long) As String
+ Dim bBuffer() As Byte, strBytes() As String, i As Long, ub As Long, b As Byte
+ ub = Length - 1
+ ReDim bBuffer(ub)
+ ReDim strBytes(ub)
+ Mem_Copy bBuffer(0), ByVal Ptr, Length
+ For i = 0 To ub
+ b = bBuffer(i)
+ strBytes(i) = IIf(b < 16, "0", "") & Hex$(b)
+ Next
+ Mem_ReadHex = Join(strBytes, "")
+End Function
+
+Sub Extract()
+
+ Dim cnt As Integer
+ Dim memArray() As Variant
+ Dim strVar As String, ptrVar As LongPtr, ptrBSTR As LongPtr
+
+ strVar = "Atomic T1005 test"
+ outDir = Environ("TEMP") + "\atomic_t1005_test_output.bin"
+
+ ptrVar = VarPtr(strVar)
+ Mem_Copy ptrBSTR, ByVal ptrVar, PTR_LENGTH
+
+ cnt = 0
+ Do
+ ReDim Preserve memArray(cnt)
+ memArray(cnt) = Mem_ReadHex(ptrBSTR + cnt, 1)
+ cnt = cnt + 1
+ Loop While cnt < (Len(strVar) * 2)
+
+ Open (outDir) For Binary Lock Read Write As #1
+ For a = 0 To UBound(memArray)
+ Put #1, , CByte("&h" & memArray(a))
+ Next a
+ Close
+
+End Sub
\ No newline at end of file
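Review bot: `outDir` and the loop variable `a` in `Extract` are never declared, so the module only compiles while `Option Explicit` is off; add `Dim outDir As String` and `Dim a As Long` next to the other `Dim` lines. `VarPtrArray` (declared into `VBE7`) and `HexPtr` are not referenced anywhere in the module and can be removed, which leaves only the declarations the test actually exercises. The `Do … Loop` grows `memArray` with `ReDim Preserve` on every iteration and calls `Mem_ReadHex` once per byte; a single `Mem_ReadHex(ptrBSTR, Len(strVar) * 2)` call yields the same hex string, and copying straight into a `Byte` array with `Mem_Copy` would also drop the `CByte("&h" & …)` round-trip before `Put`. `Open … As #1` with a bare `Close` uses a fixed channel number and closes every file the host has open through `Open`; `fnum = FreeFile` with `Open … As #fnum` and `Close #fnum` avoids both. `cnt` is an `Integer` while the bound is `Len(strVar) * 2`, which is fine for this 17-character string but overflows once the string passes 16383 characters — `Long` costs nothing here.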