VBA RunPE

A simple yet effective implementation of the RunPE technique in VBA. This code can be used to run executables from the memory of Word or Excel. It is compatible with both 32 bits and 64 bits versions of Microsoft Office 2010 and above.

More info here:
https://itm4n.github.io/vba-runpe-part1/
https://itm4n.github.io/vba-runpe-part2/

Tests

This code was tested on the following platforms:

• Windows 7 Pro 32 bits + Office 2010 32 bits
• Windows 7 Pro 64 bits + Office 2016 32 bits
• Windows 2008 R2 64 bits + Office 2010 64 bits
• Windows 10 Pro 64 bits + Office 2016 64 bits

Currently, this doesn’t work with all Windows binaries. For example, it can’t be used to run regedit.exe. I guess I need to do some manual imports of missing DLLs.

Side notes

Here is a table of correspondence between some Win32 and VBA types:

(*) LongPtr is a “dynamic” type, it is 4 Bytes long in Office 32 bits and 8 Bytes long in Office 64 bits. https://msdn.microsoft.com/fr-fr/library/office/ee691831(v=office.14).aspx

What about older versions of Microsoft Office (<=2007)?

As mentionned in the description, this code only works with Office 2010 and above. The reason for this is that the LongPtr type is extensively used. It was first introduced in Office 2010 to help developers make architecture independant code. Indeed, as described above, its size will be automatically adapted depending on the architecture of the Office process (32-bits / 64-bits).

So, if you try to run this code in Office 2007, you will get a User-defined type not defined error message for each variable using the LongPtr type. To work around this issue, you can replace all the LongPtr occurences with Long (32-bits) or LongLong (64-bits). Use Ctrl+H in your favorite text editor! 😉

Note: the code could be updated to take this compatibility issue into account but it would require too much effort for relatively little gain.

Download && Use

Copyright (c) 2018 Clément LABRO