import "pe"
//ywbPath: ./ -r
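// Flags 32-bit Visual Basic 6 executables compiled to P-code rather than
// native code. The check walks three pointers:
//   entry point : push <VA of VB header>   (opcode 0x68 + imm32)
//   VB header   : +0x30 holds the VA of the project info struct
//   project info: +0x20 is the isNativeCode field, zero for P-code
rule isVB6_PCode
{
    condition:
        pe.is_32bit() and pe.imports("msvbvm60.dll") and
        // Only follow the operand if the entry point really is `push imm32`;
        // on a packed or patched sample the bytes at entry_point+1 are not a
        // header pointer and the dereferences below would read unrelated data.
        uint8(pe.entry_point) == 0x68 and
        // The pushed address must point at a VB header, which starts with the
        // ASCII magic "VB5!" (0x21354256 when read as a little-endian dword).
        uint32(
            pe.rva_to_offset(uint32(pe.entry_point + 1) - pe.image_base)
        ) == 0x21354256 and
        // uint32() takes a file offset, so each VA is turned into an RVA and
        // mapped through the section table instead of assuming RVA == offset.
        uint32( // vbheader.projectInfo.isNativeCode
            pe.rva_to_offset(
                uint32(
                    pe.rva_to_offset(uint32(pe.entry_point + 1) - pe.image_base) + 0x30
                ) - pe.image_base
            ) + 0x20
        ) == 0
}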
// Debugging rule: for a 32-bit PE that imports msvbvm60.dll, passes the image
// base and the values read along the VB header -> project info -> isNativeCode
// chain to pe.dbg, using the labels given in each call.
// NOTE(review): pe.dbg is not a function of the upstream YARA pe module as far
// as I know; it presumably comes from the patched build this file targets and
// prints its arguments - confirm. The rule only matches when every pe.dbg call
// evaluates to true, so its return value decides the result.
// NOTE(review): the name "test" is generic; keep this rule out of production
// rule sets so it does not generate hits or collide with another rule.
rule test
{
condition:
pe.is_32bit() and pe.imports("msvbvm60.dll") and
(
pe.dbg(pe.image_base) and
// dword at entry_point+1; for a `push imm32` entry stub this is the pushed VA
// (the opcode byte itself is not checked here).
pe.dbg("vbheader struct va:", uint32(pe.entry_point+1)) and
// dword at header+0x30. The VA is reduced to an RVA and then used directly as
// a file offset, which is only right when RVA and raw offset coincide.
pe.dbg("project info struct:", uint32((uint32(pe.entry_point+1)-pe.image_base)+0x30)) and
// dword at project info+0x20, the field that isVB6_PCode compares against 0.
pe.dbg("isNativeCode:",
uint32(uint32((uint32(pe.entry_point+1)-pe.image_base)+0x30)-pe.image_base+0x20)
)
)
}