VB6 PCode Debugger
Author: David Zimmer
Date: 07.15.19 - 5:01am
Note: Vbdec is now available and has its own product page
Since VB6 PCode analysis is a specialty and a weak spot in corporate IT security I have been researching the subject extensively.
Its a long slow road and intricate subject. Structure parsing and pcode disassembly engines are complete and I have been pouring through the 908 opcodes adding argument decodings and object resolvers for the 524 that require it.
I have also implemented a p-code debugging engine complete with breakpoints and memory inspection.
Below is a demo of where I am so far. More super cool and powerful features are in the works, but I am not going to reveal them quite yet :)
Knowing what the argument byte streams means and accurately decoding it is a non-trivial task but mandatory to get right if you are relying on a tools results for malware analysis.
If you see results that dont make sense in pcode disassembly tools, it is probably a bad interpretation/resolution of the arguments or the tool is not showing you that there are arguments to that opcode. If you see a jump in va > displayed opcode length..there was an argument bytestream to that opcode.
I will be working on opcode documentation as well with this project. Some good news, only about 1/3 of the opcodes appear to be commonly used and there are a fair number of duplicates for some reason (that even point to the same native handler routines).
I have included an opcode profiler. Pdfstreamdumper which is a large project only uses 343 unique opcodes. myaut2exe only uses 373. At this point in the project it is now efficient to target opcodes and be able to break at a specific use of them. This allows us to watch how it is actually used by the runtime. Basic procedure is to set a pcode breakpoint, attach a native debugger and step the pcode.
Its awesome to be able to exert this level of control over what was once chaos.
For those uninitiated into vb reversing I have setup a portion of the site with some materials I have accumulated on it. I also worked with Mr Unleaded to rebuild the old vb-decompiler.theautomaters.com message board into flat html files.
Comments: (2)On 08.13.19 - 11:15am Dave wrote:
On 08.19.19 - 12:54pm Dave wrote: