macro->[]macros; excel-xlm->excel-macro

bryanmcnulty · bryanmcnulty · commit 7fb082830812 · 2025-10-01T05:02:08.000-05:00
diff --git a/cmd/dcom.go b/cmd/dcom.go
@@ -120,7 +120,7 @@ func dcomHtafileCmdInit() {
 
 func dcomExcelMacroCmdInit() {
   dcomExcelMacroExecFlags := newFlagSet("Execution")
-  dcomExcelMacroExecFlags.Flags.StringVarP(&dcomExcelMacro.Macro, "macro", "M", "", "XLM macro")
+  dcomExcelMacroExecFlags.Flags.StringArrayVarP(&dcomExcelMacro.Macros, "macro", "M", nil, "XLM macro `code`")
   dcomExcelMacroExecFlags.Flags.StringVar(&dcomExcelMacro.MacroFile, "macro-file", "", "XLM macro `file`")
   registerExecutionFlags(dcomExcelMacroExecFlags.Flags)
   registerExecutionOutputFlags(dcomExcelMacroExecFlags.Flags)
@@ -135,6 +135,7 @@ func dcomExcelMacroCmdInit() {
 
   // Constraints
   dcomExcelMacroCmd.MarkFlagsOneRequired("command", "exec", "macro", "macro-file")
+  dcomExcelMacroCmd.MarkFlagsMutuallyExclusive("command", "exec", "macro", "macro-file")
   dcomExcelMacroCmd.MarkFlagsMutuallyExclusive("macro", "macro-file", "out")
 }
 
@@ -283,10 +284,10 @@ var (
   }
 
   dcomExcelMacroCmd = &cobra.Command{
-    Use:   "excel-xlm [target]",
+    Use:   "excel-macro [target]",
     Short: "Execute with the Excel.Application DCOM object by executing an Excel macro",
     Long: `Description:
-  The excel-xlm method uses the exposed Excel.Application DCOM object to call ExecuteExcel4Macro, thus executing
+  The excel-macro method uses the exposed Excel.Application DCOM object to call ExecuteExcel4Macro, thus executing
   XLM macros at will. This method requires that the remote host has Microsoft Excel installed.`,
     Args: args(argsRpcClient("host", ""), argsOutput("smb"),
       func(*cobra.Command, []string) error {
@@ -300,7 +301,7 @@ var (
           if err != nil {
             return fmt.Errorf("read macro file: %w", err)
           }
-          dcomExcelMacro.Macro = string(b)
+          dcomExcelMacro.Macros = strings.Split(string(b), "\n")
         }
         return nil
       },
diff --git a/pkg/goexec/dcom/excel.go b/pkg/goexec/dcom/excel.go
@@ -1,118 +1,120 @@
 package dcomexec
 
 import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-	"syscall"
+  "context"
+  "errors"
+  "fmt"
+  "strings"
+  "syscall"
 
-	"github.com/FalconOpsLLC/goexec/internal/util"
-	"github.com/FalconOpsLLC/goexec/pkg/goexec"
-	"github.com/oiweiwei/go-msrpc/midl/uuid"
-	"github.com/oiweiwei/go-msrpc/msrpc/erref/hresult"
-	"github.com/rs/zerolog"
+  "github.com/FalconOpsLLC/goexec/internal/util"
+  "github.com/FalconOpsLLC/goexec/pkg/goexec"
+  "github.com/oiweiwei/go-msrpc/midl/uuid"
+  "github.com/oiweiwei/go-msrpc/msrpc/erref/hresult"
+  "github.com/rs/zerolog"
 )
 
 const (
-	MethodExcelMacro     = "Excel:ExecuteExcel4Macro"
-	MethodExcelXLL       = "Excel:RegisterXLL"
-	ExcelApplicationUuid = "00020812-0000-0000-C000-000000000046"
+  MethodExcelMacro     = "Excel:ExecuteExcel4Macro"
+  MethodExcelXLL       = "Excel:RegisterXLL"
+  ExcelApplicationUuid = "00020812-0000-0000-C000-000000000046"
 )
 
 type DcomExcel struct {
-	Dispatch
+  Dispatch
 }
 
 type DcomExcelMacro struct {
-	DcomExcel
-	Macro       string
-	MacroFile   string
-	NoTerminate bool
+  DcomExcel
+  Macros      []string
+  MacroFile   string
+  NoTerminate bool
 }
 
 type DcomExcelXll struct {
-	DcomExcel
-	XllLocation string
-	NoTerminate bool
+  DcomExcel
+  XllLocation string
+  NoTerminate bool
 }
 
 // Init will initialize the ShellBrowserWindow instance
 func (m *DcomExcel) Init(ctx context.Context) (err error) {
-	if err = m.Dcom.Init(ctx); err == nil {
-		return m.getDispatch(ctx, uuid.MustParse(ExcelApplicationUuid))
-	}
-	return
+  if err = m.Dcom.Init(ctx); err == nil {
+    return m.getDispatch(ctx, uuid.MustParse(ExcelApplicationUuid))
+  }
+  return
 }
 
 // quit will terminate EXCEL.EXE via ExecuteExcel4Macro("QUIT()")
 func (m *DcomExcel) quit(ctx context.Context) (err error) {
-	log := zerolog.Ctx(ctx)
-	quit := "QUIT()"
-	log.Info().
-		Str("call", "ExecuteExcel4Macro").
-		Str("macro", quit).
-		Msg("terminating Excel process")
-	qr, err := m.callComMethod(ctx, nil, "ExecuteExcel4Macro", stringToVariant(quit))
-	_ = qr
-	if err != nil {
-		if errors.Is(err, syscall.ECONNRESET) {
-			log.Info().Msg("Excel process terminated")
-			return nil
-		}
-		log.Warn().Err(err).Msgf(`Call ExecuteExcel4Macro("%s") failed`, quit)
-	}
-	if qr.Return != 0 {
-		err = hresult.FromCode(uint32(qr.Return))
-		log.Warn().Err(err).Msgf(`Call ExecuteExcel4Macro("%s"): %d`, quit, qr.Return)
-	}
+  log := zerolog.Ctx(ctx)
+  quit := "QUIT()"
+  log.Info().
+    Str("call", "ExecuteExcel4Macro").
+    Str("macro", quit).
+    Msg("terminating Excel process")
+  qr, err := m.callComMethod(ctx, nil, "ExecuteExcel4Macro", stringToVariant(quit))
+  _ = qr
+  if err != nil {
+    if errors.Is(err, syscall.ECONNRESET) {
+      log.Info().Msg("Excel process terminated")
+      return nil
+    }
+    log.Warn().Err(err).Msgf(`Call ExecuteExcel4Macro("%s") failed`, quit)
+  }
+  if qr.Return != 0 {
+    err = hresult.FromCode(uint32(qr.Return))
+    log.Warn().Err(err).Msgf(`Call ExecuteExcel4Macro("%s"): %d`, quit, qr.Return)
+  }
 
-	return err
+  return err
 }
 
 func (m *DcomExcelMacro) Execute(ctx context.Context, execIO *goexec.ExecutionIO) (err error) {
-	log := zerolog.Ctx(ctx)
-	if m.Macro == "" {
-		m.Macro = fmt.Sprintf(`EXEC("%s")`, strings.ReplaceAll(execIO.String(), `"`, `""`))
-	}
-	if !m.NoTerminate { // Terminate EXCEL.EXE via ExecuteExcel4Macro("QUIT()")
-		defer func() {
-			_ = m.quit(ctx)
-		}()
-	}
-	// Call ExecuteExcel4Macro to execute macro
-	log.Info().
-		Str("call", "ExecuteExcel4Macro").
-		Str("macro", util.Truncate(m.Macro, 100)).
-		Msg("executing Excel macro")
-	ir, err := m.callComMethod(ctx, nil, "ExecuteExcel4Macro", stringToVariant(m.Macro))
-	if err != nil {
-		return err
-	}
-	if ir.Return != 0 {
-		return hresult.FromCode(uint32(ir.Return))
-	}
-	log.Info().Msg("ExecuteExcel4Macro call successful")
+  log := zerolog.Ctx(ctx)
+  if m.Macros == nil || len(m.Macros) == 0 {
+    m.Macros = []string{fmt.Sprintf(`EXEC("%s")`, strings.ReplaceAll(execIO.String(), `"`, `""`))}
+  }
+  if !m.NoTerminate { // Terminate EXCEL.EXE via ExecuteExcel4Macro("QUIT()")
+    defer func() {
+      _ = m.quit(ctx)
+    }()
+  }
+  for _, macro := range m.Macros {
+    // Call ExecuteExcel4Macro to execute macro
+    log.Info().
+      Str("call", "ExecuteExcel4Macro").
+      Str("macro", util.Truncate(macro, 100)).
+      Msg("executing Excel macro")
+    ir, err := m.callComMethod(ctx, nil, "ExecuteExcel4Macro", stringToVariant(macro))
+    if err != nil {
+      return err
+    }
+    if ir.Return != 0 {
+      return hresult.FromCode(uint32(ir.Return))
+    }
+    log.Info().Msg("ExecuteExcel4Macro call successful")
+  }
 
-	return
+  return
 }
 
 func (m *DcomExcelXll) Call(ctx context.Context) (err error) {
-	log := zerolog.Ctx(ctx)
-	if !m.NoTerminate {
-		defer func() {
-			_ = m.quit(ctx)
-		}()
-	}
-	qr, err := m.callComMethod(ctx, nil, "Application.RegisterXLL", stringToVariant(m.XllLocation))
-	if err != nil {
-		return fmt.Errorf("call RegisterXLL: %w", err)
-	}
-	log.Info().Msg("RegisterXLL call successful")
-	if stat, ok := qr.VarResult.VarUnion.GetValue().(bool); ok && stat {
-		log.Info().Bool("res", stat).Int32("return", qr.Return).Msg("XLL registered successfully")
-	} else {
-		log.Warn().Bool("res", stat).Int32("return", qr.Return).Msg("Execution may have failed")
-	}
-	return
+  log := zerolog.Ctx(ctx)
+  if !m.NoTerminate {
+    defer func() {
+      _ = m.quit(ctx)
+    }()
+  }
+  qr, err := m.callComMethod(ctx, nil, "Application.RegisterXLL", stringToVariant(m.XllLocation))
+  if err != nil {
+    return fmt.Errorf("call RegisterXLL: %w", err)
+  }
+  log.Info().Msg("RegisterXLL call successful")
+  if stat, ok := qr.VarResult.VarUnion.GetValue().(bool); ok && stat {
+    log.Info().Bool("res", stat).Int32("return", qr.Return).Msg("XLL registered successfully")
+  } else {
+    log.Warn().Bool("res", stat).Int32("return", qr.Return).Msg("Execution may have failed")
+  }
+  return
 }
