DispCallFunc


Author: David Zimmer
Date: 01.17.23 - 7:12pm



Finally getting around to playing with DispCallFunc to call class methods on VB objects (including private functions in the vtable).

I was having problems getting return values and some weirdness when trying to use it from VB. Using it from VB directly adds an extra layer of confusion because of the VB6 Api Declare translation of things.

So I ditched that and went to using a vb6 class called from C where you have explicit control of the arguments without any translation layer involved.

Now I can take another run at doing it from VB or devise an alternative strategy with more explicit control.

I have created a github gist with the code.

This coupled with the ability to enumerate all live class instances in a running vb6 executable will be pretty interesting.

For public methods you dont need this, you can use the remote scripting trick

Coupled with the data output from vbdec it will be a cake walk.

I would still like to implement a thing in vbdec to enum all live class instances, and then show all the public variables values with option to call public and private methods with user args. We are almost there.

There is also some embedded information about private variables held at the class and module level. It may only be for variable types which require cleanup such as objects, arrays, and strings. Not fully sure yet. Way nicer than having to scan teh disasm for references though. Still studying these. They can be found below ObjInfo.PublicBytes and ObjInfo.ModulePublic. Static bytes does the same thing, talked about it somewhere. Anyway one of them holds type information, the other the actual data I Believe.

Update: the live classes/ref count/pub vars UI is already out. This could actually be a handy profiling tool for any VB6 developer.








Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 83 + 91 = ? followed by the letter: Z 



About Me
More Blogs
Main Site
Posts: (year)
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
     DispCallFunc
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     rtcTypeName
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     SafeArrayGetVartype
     vb6 API and call backs
     PrintFile
     ImpAdCallNonVirt
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation