VBA monitor?

Hello all tops,

I want to know whether there is a way to monitor VBA of MS Office
documents.

I want to build a driver to do this job for me, just like Regmon, which
monitors the registry.

Any hints?

Anthony

Umm no, these sorts of requests don’t pass through kernel-mode (at least
not in any identifiable form). You can do a lot in user-mode with an
Office plug-in, however; this will give you access to the entire COM
object model for an Office application and its open documents.

Nick Ryan (MVP for DDK)
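
The COM object model mentioned in the reply above can also be reached from outside Word through automation. The following is an added example, not code from any poster in this thread: it inventories a document's VBA components with macros force-disabled. The sample path is hypothetical, and reading `VBProject` assumes "Trust access to the VBA project object model" is enabled in Word.

```powershell
# Added example: list the VBA components of a Word document through the
# COM object model, with macros force-disabled so nothing in the file runs.
param(
    [string]$Path = 'C:\samples\incoming.doc'   # hypothetical sample path
)

$msoAutomationSecurityForceDisable = 3   # MsoAutomationSecurity enum value

$word = New-Object -ComObject Word.Application
$word.Visible = $false
$word.AutomationSecurity = $msoAutomationSecurityForceDisable
$doc = $null
try {
    # Documents.Open(FileName, ConfirmConversions, ReadOnly)
    $doc = $word.Documents.Open($Path, $false, $true)
    if (-not $doc.HasVBProject) {
        Write-Output "No VBA project in $Path"
        return
    }
    # Procedure names that Word runs automatically on open/close
    $auto = '(?im)^\s*(Public\s+|Private\s+)?Sub\s+' +
            '(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close)\b'
    foreach ($c in $doc.VBProject.VBComponents) {
        $n    = $c.CodeModule.CountOfLines
        $code = if ($n -gt 0) { $c.CodeModule.Lines(1, $n) } else { '' }
        [pscustomobject]@{
            Component = $c.Name
            Type      = $c.Type        # 1 = module, 2 = class, 3 = form, 100 = document
            Lines     = $n
            AutoRun   = [bool]($code -match $auto)
        }
    }
}
finally {
    if ($doc) { $doc.Close($false) }   # close without saving
    $word.Quit()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($word)
}
```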

Hello Nick,

The following is the remark from a piece of commercial software (Tiny Firewall,
www.tinysoftware.com):

//Remark
VBA
MS Office documents (e.g. *.doc, *.xls) may contain some VBA macros which
are often misused by various viruses and trojans. Without VBA Macro guard
these macros could replace or delete important files just by running
a *.doc attachment.

VBA Macro guard allows the following restrictions on VBA macros:

a. Do not run - Running of the VBA macro will be prevented.
b. Use Custom VBA Settings - The VBA macro would be allowed to run with the
security settings set for the custom application ‘VBA Macro’. The rule set
for such an application would be applied to every macro process.
c. Inherit from Parent - The VBA macro would be allowed to run in the
security context of the parent application (e.g. MS Word - whatever access
MS Word has, the macro would have it too).

One of the more important features of VBA macro guard is the capability to
apply various restrictions based on the macro itself.

//!Remark

I want to know how to achieve this function. Any hints?

Anthony


Hmm, so they claim to be able to control VBA macro execution and in
addition filter access to COM/OLE functionality. Certainly they are
doing this with user-mode hooks of some sort. I can’t imagine that the
methods they are using are 100% reliable (Detours-style redirection
maybe, perhaps replacement of CLSID/Interface registry entries), but
customers will have to weigh the disadvantages of such intrusiveness
with the advantages gained from the claimed increase in security. You
can always install their software and inspect what it’s doing, but in
this day and age such reverse-engineering is almost always prohibited by
the click-wrap agreement so you’ll just have to experiment yourself.

Nick Ryan (MVP for DDK)

“Nick Ryan” wrote (xxxxx@ntdev…):
>
> Hmm, so they claim to be able to control VBA macro execution and in
> addition filter access to COM/OLE functionality. Certainly they are
> doing this with user-mode hooks of some sort.

Yep, what do they hook? Could you explain more? I want to know some
background info about this technology! Thanks!

> I can’t imagine that the methods they are using are 100% reliable
> (Detours-style redirection
> maybe, perhaps replacement of CLSID/Interface registry entries), but
> customers will have to weigh the disadvantages of such intrusiveness
> with the advantages gained from the claimed increase in security. You
> can always install their software and inspect what it’s doing, but in
> this day and age such reverse-engineering is almost always prohibited by
> the click-wrap agreement so you’ll just have to experiment yourself.