VB6 PCode Debugger


Author: David Zimmer
Date: 07.15.19 - 5:01am





Note: Vbdec is now available and has its own product page

Since VB6 PCode analysis is a specialty and a weak spot in corporate IT security I have been researching the subject extensively.

Its a long slow road and intricate subject. Structure parsing and pcode disassembly engines are complete and I have been pouring through the 908 opcodes adding argument decodings and object resolvers for the 524 that require it.

I have also implemented a p-code debugging engine complete with breakpoints and memory inspection.

Below is a demo of where I am so far. More super cool and powerful features are in the works, but I am not going to reveal them quite yet :)





Knowing what the argument byte streams means and accurately decoding it is a non-trivial task but mandatory to get right if you are relying on a tools results for malware analysis.

If you see results that dont make sense in pcode disassembly tools, it is probably a bad interpretation/resolution of the arguments or the tool is not showing you that there are arguments to that opcode. If you see a jump in va > displayed opcode length..there was an argument bytestream to that opcode.

I will be working on opcode documentation as well with this project. Some good news, only about 1/3 of the opcodes appear to be commonly used and there are a fair number of duplicates for some reason (that even point to the same native handler routines).

I have included an opcode profiler. Pdfstreamdumper which is a large project only uses 343 unique opcodes. myaut2exe only uses 373. At this point in the project it is now efficient to target opcodes and be able to break at a specific use of them. This allows us to watch how it is actually used by the runtime. Basic procedure is to set a pcode breakpoint, attach a native debugger and step the pcode.

Its awesome to be able to exert this level of control over what was once chaos.

For those uninitiated into vb reversing I have setup a portion of the site with some materials I have accumulated on it. I also worked with Mr Unleaded to rebuild the old vb-decompiler.theautomaters.com message board into flat html files.






Comments: (2)

On 08.13.19 - 11:15am Dave wrote:
So its becoming apparent I am going to need a data interpreter form. Stack view is nice, memdump with various expected data representations is nice, but there is still one more level required, how to view memory and have it decoded as a SafeArray or Variant, Date, Currency, or object type.

This project is a rich problem set, lots of cool stuff to explore.


On 08.19.19 - 12:54pm Dave wrote:
Also needed a const pool viewer/intrepreter form with auto detection of pool entry type:


 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 17 + 67 = ? followed by the letter: Y 



About Me
More Blogs
Main Site
Posts:
SafeArrayGetVartype
vbdec dbg updates
vb6 PCode NOP
vb6 API and call backs
how pcode works Pt1
PrintFile
ImpAdCallNonVirt
Reversing PCode Args
VB6 PCode Disassembly
VB6 PCode Debugger
UConnect Disable Cell Modem
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
anterior lines
misc news/updates
KANAL Mod
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
findDll
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
BootLoaders
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation