Beyond good ol’ Run key, Part 51

There are a number of persistence mechanisms related to Office that I have already discussed in the past, but the most obvious one – one that is actually documented – has not been covered in my posts yet. I am fixing it now 😉

When Word starts, it looks for items inside the STARTUP folder that it can load. Older versions of Office would look for files with the following extensions: .lnk, .wll (Word Add-in DLLs), or .dot, f.ex.:

  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.dot
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.lnk
  • c:\Program Files\Microsoft Office\<version>\STARTUP\*.wll

Newer versions look for additional files *.dotm and *.dotx.

The location above is a STARTUP folder common to all users (and it’s WORD STARTUP persistence location #1).

The user-specific folder is located… well, this is where it gets interesting 🙂

So… Winword tries to find the following registry key:

  • HKCU\Software\Microsoft\Office\<version>\Word\Options\STARTUP-PATH

f.ex.

  • HKCU\Software\Microsoft\Office\15.0\Word\Options\STARTUP-PATH

If it exists, Word will read its value and treat it as the user-specific STARTUP folder. If we change it to our own, we can abuse it (WORD STARTUP persistence location #2):

[image: regstartup1]

Otherwise… if it doesn’t exist, Word will read another Registry entry:

  • HKCU\Software\Microsoft\Office\<version>\Common\General\Startup

The default value is ‘STARTUP’, but we can change it to anything we want.

So, if the ‘Common\General\Startup’ value is left at its default, ‘STARTUP’, the path will be:

  • %APPDATA%\Microsoft\Word\STARTUP (WORD STARTUP persistence #3a)

But if we change it to f.ex. TEMP, the location will be

  • %APPDATA%\Microsoft\Word\TEMP (WORD STARTUP persistence #3b)

We can try to wrap it up as follows (Word/Office 15.0):

  • c:\Program Files\Microsoft Office\Office15\STARTUP
  • %APPDATA%\Microsoft\Word\STARTUP
    OR

    • HKCU\Software\Microsoft\Office\Office15\Common\General\Startup = FOOBAR
    • %APPDATA%\Microsoft\Word\FOOBAR

Excel behaves in a similar way, except the paths and keys are (for Office 15.0):

  • C:\Program Files\Microsoft Office\Office15\XLSTART
  • %APPDATA%\Microsoft\Excel\XLSTART
    OR

    • HKCU\Software\Microsoft\Office\Office15\Common\General\Xlstart = FOOBAR
    • %APPDATA%\Microsoft\Excel\FOOBAR

Here are the Word and Excel options that determine the actual user-specific %APPDATA% startup folders for both programs:

[image: regstartup2]
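As an added example (not code from the original post), here is a small Python audit helper that resolves the user-specific startup folder in the order described above and flags any redirect away from the default. The registry snapshot dict, the sample paths and the function names are assumptions made for illustration; the key paths use the 15.0 form shown earlier in the post.

```python
import ntpath

HKCU_OFFICE = r"HKCU\Software\Microsoft\Office"
# Word file types the post lists as loaded from STARTUP (older plus newer versions).
WORD_LOADABLE = {".dot", ".lnk", ".wll", ".dotm", ".dotx"}
# app -> (entry under Common\General, its default data), as given in the post.
GENERAL = {"Word": ("Startup", "STARTUP"), "Excel": ("Xlstart", "XLSTART")}


def resolve_user_startup(app, reg, appdata, version="15.0"):
    """Return (folder, source, redirected) for the user-specific startup folder.

    reg is a snapshot dict: registry path as written in the post -> string data.
    redirected is True when the folder differs from the default under %APPDATA%.
    """
    base = rf"{HKCU_OFFICE}\{version}"
    name, default = GENERAL[app]
    default_dir = ntpath.join(appdata, "Microsoft", app, default)
    folder, source = None, rf"Common\General\{name}"
    if app == "Word":
        # Location #2: STARTUP-PATH is consulted first and wins when present.
        folder = reg.get(rf"{base}\Word\Options\STARTUP-PATH")
        if folder:
            source = "STARTUP-PATH"
    if not folder:
        # Location #3: folder name under %APPDATA%\Microsoft\<app>, default if unset.
        data = reg.get(rf"{base}\Common\General\{name}") or default
        folder = ntpath.join(appdata, "Microsoft", app, data)
    redirected = ntpath.normcase(folder.rstrip("\\")) != ntpath.normcase(default_dir)
    return folder, source, redirected


def loadable_word_files(filenames):
    """Filter a directory listing down to the extensions Word loads at startup."""
    return [f for f in filenames if ntpath.splitext(f)[1].lower() in WORD_LOADABLE]


# Constructed sample data (not from a real host): the FOOBAR case from the post.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_REG = {rf"{HKCU_OFFICE}\15.0\Common\General\Startup": "FOOBAR"}

if __name__ == "__main__":
    for app in GENERAL:
        print(app, resolve_user_startup(app, SAMPLE_REG, SAMPLE_APPDATA))
    print(loadable_word_files(["Normal.dotm", "notes.txt", "x.WLL"]))
```

Feed it a registry export and a directory listing of each resolved folder; any result with `redirected` set to True, or any loadable file in a resolved Word folder that is not an approved add-in or template, is worth a closer look.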

That’s all!

The Archaeologologogology #1 – vbe6.dll and vbe7.dll MIDI file

With this post I start a new series that will talk about ancient code scrolls that are nothing but trivia related to some old software. Basically, stuff of the past, re-visited without any purpose other than amusement…

I will kick it off by inviting you to explore the content of vbe6.dll or vbe7.dll inside your Microsoft Office installation. Using Resource Hacker you can quickly discover that it has a mysterious resource 5432:

[image: vbe_midi]

Using the very same Resource Hacker you can immediately play the music file that it recognizes. The md5 of the MIDI resource is 9b90e2e51483460501f711aa80508f7e.

I am not the first one to discover it; there are a number of posts online that discuss it. For example, this German post says that:

In the PC Welt (German magazine PC World) 10/02, it is reported on page 252 that there is a musical Easter egg in the Office 97 or 2000 file vbe6.dll.

but I was curious what code I could find that is related to this resource – pretty sure that programmers didn’t leave it there as a result of an accident. After checking the usual suspects (vbe6.dll/vbe7.dll) and not being able to find any quick reference to the resource ID 5432, I assumed that it could be some legacy stuff and no longer present in the code. I then started looking at the older versions of the vbeX.dll.

That was a good idea and I soon discovered the sequence of code that actually loads and plays the MIDI file:

[image: vbe_code]

The playMidi function uses the mciSendCommandA API to play the extracted MIDI file.

[image: vbe_code2]

The file created by the code is saved inside %TEMP%\VB16B.tmp (GetTempFileNameA, used to create the temp file path, receives the ‘VB’ prefix).

I also noticed that the code playing the MIDI creates a window (class ‘OfVbEg’, which I guess stands for Office Visual Basic Egg):

[image: vbe_code3]

So yeah… it has the Easter egg written all over it.

I forced the routine to execute and sure enough, it launched the VB credits – a known Easter Egg that can be watched after adding a menu item ‘Show VB Credits’ to the Visual Basic IDE. You can follow the steps presented in the video in the Office 97 VBA IDE as well and you will see the very same demo:

[image: vbe_easteregg1]

[image: vbe_easteregg2]

I guess it just confirms how close VBA and VBE really are…