0x01 undermine macro flag
when parsing OLE files, we introduced the Directory, which represents its offset DirectoryEntry of 0x42H this byte type Type. 0 is illegal, a directory (storage), 2 node (Stream), 5 as the root node. We can locate macro Directory Project used, modify the Type bit is 0, that is illegal Directory, so O ffi ce office software when parsing VBA projects, because illegal Directory and cause parsing errors. As shown, the type byte indicates that the sector recorded at offset 0x42, where the value 1, indicates that the sector is a directory sector, the sector address recorded Macros file. 0x42 value at offset changed to 0, indicates that the sector is illegal sector, o ffi ce office software will parse the document is to ignore the sector, it can not locate a sector of the storage Macros.
In the figure above, we modify the value of the name "macro" in this directory. In fact, there are two guidelines for macros, are named "VBA", and "_VAB_PROJECT_CUR", namely, macro, VBA and the VBAProject sector,
0x02 manual clean-up macro (for * .DOCM and * .XLSM documents)
First copy the file, a copy of the generated files, modify the file extension to ZIP
Open the zipper case file (do not extract), the following two figures, the figure is the case .DOCM *, and the figure is * .XLSM
· Open the word (xl) folder, delete files vbaProject.bin
· The ZIP file extension is .DOC or modify the .xls. Files can be used normally.
0x03 replace the macro code
above modification flag in a document macro code data does not do the slightest change, after this treatment antivirus software will still be killing.
We have resolved the macro can, then we can modify the code and replace the macro, such as the use of character 'a' macro code replacing each character. For example MsgBox "hello", will be modified to aaaaaaaaaaaa. After this modification the entire macro have been modified and destroyed, kill the soft would not be killing, the document can be used normally.