Using VB6 Obj files from C

Author: David Zimmer
Date: 05.22.20 - 5:32am

So yesterday i spent the whole day on a curosity just to help understand its limits and structure. What you are about to read is an experiment and me being a bit of an asshole to the compiler (and myself).

In previous articles we have seen how we can swap out vb native obj files at link time and replace them with C obj files to produced mixed language binaries. (ie. include the C sqllite library in a VB6 activeX dll with no external dependancies)

References include: So in todays scenario, we want the reverse. To use a vb compiled native obj file from a C host and get everything to link up right. Looks like we have to use VC6 because of libc single thread and same era. maybe can modify lib to remove this. We compile the following:

Sub Main()
    'we must call the funcs or optimized out in native compile..
    add 1, 1
End Sub

Function add(ByVal a As Long, ByVal b As Long) As Long
    add = a + b
End Function

Function msg(Optional ByVal x As String) As String
    msg = "test: " & x
End Function

we use linktool to save the obj file so not deleted. saved as native.obj
SAVE Module1.obj native.obj
Then we turn the obj into a lib
lib /out:simple.lib native.obj
Now the name mangles in the lib file are for a private class function with no args
We need them to be public so we have to hexedit the lib file to be QAGXXZ so that it matches the following class prototype that is usable for us.

class Module1 
   void __stdcall Module1::add();  
   void __stdcall Module1::msg();  

We also had to build a lib for msvbvm60.dll
dumpbin /EXPORTS msvbvm60.dll > msvbvm60.exports
parse outfile and manually build def file from it
lib /def:msvbvm60.def /out:msvbvm60.lib
Now we try to compile and see what shakes loose. Bunch of missing externals. some imports needed fixed up:
   __imp_@__vbaStrMove -> __imp____vbaStrMove
some imports need to be recreated with another temp lib we create

   #define  DllExport __declspec(dllexport)
   __int64 DllExport saFlags = 0x000200920001;      -> saFlags@@3_JA
   BSTR DllExport mTxt = SysAllocString(L"test:");  -> ?mTxt@@3PAGA
Some of these numeric symbols are:
  • BSTRs
  • imports by ordinal (rtcMsgBox or really the full _imp__rtcMsgBox name)
  • const or flags values like used in array construction..
To see what these extra mystery symbols are you have to disasm the compiled exe (with symbols) to see what the data is and where used. Still not sure where the data is coming from when the IDE compiles. Link.exe is run externally, and I have the command line, I done see any extra lib files passed to it, and some of the names and values are unique like user strings. I need to explore this more.

To get the mangled names of your new symbols you have to grab them from the new lib, and then patch them into the vb lib.

You can directly patch the vb lib to change the names of these extra imports so long as you dont exceed their original length. Their start offsets must be held elsewhere in teh file. You can shorten them and null out the rest of the buffer and the next one will still load ok so its not just a simple read till null to read the sequential list (thankfully for us)

So with all of that done, and now we actually linking correctly! We still need to initilize the runtime to use it. See previous paper Reusing Pcode Functions Also our prototypes are wrong. Our add function is not void void. We need a usable function pointer to a class member function in an external lib :-

    //Public Function add(ByVal a As Long, ByVal b As Long) As Long
    typedef int (__stdcall *VBADD)(int, int);
    VBADD vbadd;

    typedef  void (__stdcall Module1::*tmp)(); 
    tmp p = &Module1::add;

         mov eax, p
         mov vbadd, eax

So now we can call at least basic functions in a VB obj file from a C host.

Totally not worth it!

As with all first stabs, they are likley way overly complex. Maybe there is some elegant solution to all of this and I am a moron. I kinda hope so! I will poke some more at it if I get bored, I dont see this being useful, but it was an interesting learning curve in manual object file manipulation to make name mangles align. That crowbar could come in useful latter on in life anyway.

We can also generate VB6 PCode Obj files to play with, that will have to be a different day.

If your a masochist you can download the samples and play with it yourself.

Comments: (0)

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 94 + 93 = ? followed by the letter: N 

About Me
More Blogs
Main Site
Posts: (year)
2024 (1)
     vbdec backstory
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     vb6 API and call backs
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation