Why Will We Do That?

Because

  1. the executable which the macro downloads may be flagged by network monitoring tools

  2. writing the executable to the hard drive may be detected by antivirus software

Instead, we will modify our attack to execute the staged payload directly from Word's process memory.

Calling Win32 APIs From VBA

The Win32 APIs live in dynamic link libraries (DLLs) and run as unmanaged code.

We use the Declare keyword to link to these APIs, giving the function's name and the name of the DLL it lives in. Private Declare means the function is visible only inside the current module. On 64-bit Office the declaration must also carry the PtrSafe keyword, otherwise it will not compile.

GetUserName API


As the documentation shows, the function's return type is BOOL and it is exported from Advapi32.dll. BOOL is a 32-bit integer, so it maps to Long on the VBA side.

Now let's code the call to the Win32 API:

' Link the VBA name GetUserName to the ANSI export GetUserNameA in advapi32.dll.
' PtrSafe is required on 64-bit Office.
Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long

Sub MyMacro()
    Dim res As Long
    Dim MyBuff As String * 256   ' fixed-size buffer the API writes the name into
    Dim MySize As Long
    Dim StrLen As Long
    MySize = 256                 ' must match the buffer size (the original 265 overstated it)
    ' On return MySize holds the number of characters written, including the null terminator
    res = GetUserName(MyBuff, MySize)
    If res = 0 Then
        MsgBox "GetUserName failed"
        Exit Sub
    End If
    ' The API null-terminates the string; cut the buffer at the first null character
    StrLen = InStr(1, MyBuff, vbNullChar) - 1
    MsgBox Left$(MyBuff, StrLen)
End Sub


As shown, we used the Declare keyword to declare the VBA function GetUserName from the library advapi32.dll as an alias for the exported function GetUserNameA (the ANSI variant of the Win32 API).


We then call GetUserName with the buffer and its size, compute the length of the returned string up to the null terminator, and display the actual user name.
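From the analyst's side, the same Declare syntax is what a defender looks for when triaging a macro: every Declare statement is an import of native code, and the Alias clause can make the real export name differ from the name used in the VBA. The following Python script is an added example, not part of the original post or of any tool the post uses; it parses Declare statements (including VBA line continuations with a trailing underscore) out of a constructed sample of macro source and reports which DLL export each one binds to. The sample source, the ApiImport structure and the function names are all assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# One VBA Declare statement: optional Private/Public, optional PtrSafe,
# Function or Sub, the VBA-side name, Lib "dll", optional Alias "export",
# a parenthesised parameter list and an optional return type.
DECLARE_RE = re.compile(
    r"""^\s*
        (?:(?P<scope>Private|Public)\s+)?
        Declare\s+
        (?P<ptrsafe>PtrSafe\s+)?
        (?P<kind>Function|Sub)\s+
        (?P<name>\w+)\s+
        Lib\s+"(?P<lib>[^"]+)"\s*
        (?:Alias\s+"(?P<alias>[^"]+)"\s*)?
        \((?P<params>[^)]*)\)
        (?:\s*As\s+(?P<ret>\w+))?
    """,
    re.IGNORECASE | re.VERBOSE,
)


@dataclass
class ApiImport:
    name: str          # name the macro code calls
    library: str       # DLL, lower-cased, without the .dll suffix
    export: str        # real export name (Alias if present, else name)
    ptrsafe: bool      # declared PtrSafe (needed on 64-bit Office)
    params: List[str]  # raw parameter declarations
    ret: Optional[str] # return type, None for a Sub


def _join_continuations(src: str) -> List[str]:
    """VBA continues a statement on the next line when the line ends in ' _'."""
    lines, buf = [], ""
    for raw in src.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]   # drop the underscore, keep the space
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_declares(vba_source: str) -> List[ApiImport]:
    """Return every Win32 API import declared in the given VBA module text."""
    imports = []
    for line in _join_continuations(vba_source):
        m = DECLARE_RE.match(line)
        if not m:
            continue
        params = [p.strip() for p in m.group("params").split(",") if p.strip()]
        imports.append(ApiImport(
            name=m.group("name"),
            library=m.group("lib").lower().removesuffix(".dll"),
            export=m.group("alias") or m.group("name"),
            ptrsafe=bool(m.group("ptrsafe")),
            params=params,
            ret=m.group("ret"),
        ))
    return imports


def aliased_imports(imports: List[ApiImport]) -> List[ApiImport]:
    """Imports whose VBA name hides the real export name behind an Alias."""
    return [i for i in imports if i.export.lower() != i.name.lower()]


def summarize(imports: List[ApiImport]) -> List[str]:
    """One report line per import, in dll!export -> VbaName form."""
    return [
        f"{i.library}!{i.export} -> {i.name} "
        f"[{'PtrSafe' if i.ptrsafe else 'no PtrSafe'}, {len(i.params)} param(s)]"
        for i in imports
    ]


# Constructed sample module: the post's GetUserName declaration plus two
# benign declarations, one of them split with a line continuation.
SAMPLE_VBA = '''Private Declare PtrSafe Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, ByRef nSize As Long) As Long
Public Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Private Declare Function GetTickCount Lib "kernel32.dll" _
    () As Long
Sub MyMacro()
    MsgBox "not a declare"
End Sub
'''

if __name__ == "__main__":
    found = parse_declares(SAMPLE_VBA)
    for line in summarize(found):
        print(line)
    print("aliased:", [i.name for i in aliased_imports(found)])
```

The script only inventories imports; whether a given export is concerning is a judgement for the analyst or for a rule set layered on top. Run it against macro source extracted from a document (for example with an OLE/VBA extraction tool) rather than against the raw file.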