Building an Office macro to spoof parent processes and command line arguments

I’m trying to test this against our enterprise EDR that is supposed to protect against this kind of attack (and I would love to PM you the results), but I am having some trouble setting it up (I’m a noob at VBA).

Whenever I try to insert the code as a macro into Excel/Word, I get the compile error “Only comments may appear after End Sub, End Function, or End Property” for this portion of the code:

Private Declare Function NtQueryInformationProcess Lib "ntdll.dll" ( _
    ByVal processHandle As LongPtr, _
    ByVal processInformationClass As Long, _
    ByRef processInformation As PROCESS_BASIC_INFORMATION, _
    ByVal processInformationLength As Long, _
    ByRef returnLength As Long _
) As Integer
