Vba-runpe Jun 2026

NtUnmapViewOfSection: To clear the existing memory of the target process.

VirtualAllocEx: To reserve memory for the new payload.

End Sub

: The process's thread context is modified so that the entry point points to the injected payload.

VarPtr requires VBA 7 (Office 2010+) and Allow bypass key reference → usually you must enable "Trust access to the VBA project object model" or use other tricks.

Since VBA macros are stored as plain text inside the Office document (.docm, .xlsm), embedding raw binary would be messy and easily flagged. Attackers use:

: Adjusts the thread context (entry point) using NtSetContextThread to point to the new code.

VBA-RunPE is a sophisticated implementation of the RunPE (also known as Process Hollowing) technique written entirely in Visual Basic for Applications. It allows an attacker or security researcher to execute a Portable Executable (PE) file directly from the memory of a Microsoft Office application like Word or Excel, making it a powerful tool for bypassing application whitelisting and traditional security controls. Palo Alto Networks

Core Concept: Process Hollowing

Defending against VBA-RunPE requires a multi-layered approach, as no single control is foolproof.

Note: PtrSafe is required for 64-bit versions of Office.

' Step 4: Execute
CreateThread 0, 0, ptr, 0, 0, 0

VBA does not natively have process injection functions. However, it can call Win32 API functions using the Declare keyword. A typical VBA-RunPE script will declare a series of low-level functions:
