VB6 PCode Debugger
Author: David Zimmer
Date: 07.15.19 - 5:01am
Since VB6 PCode analysis is a specialty and a weak spot in corporate IT security, I have been researching the subject extensively.
It's a long, slow road and an intricate subject. Structure parsing and pcode disassembly engines are complete, and I have been poring through the 908 opcodes, adding argument decodings and object resolvers for the 524 that require it.
I have also implemented a p-code debugging engine complete with breakpoints and memory inspection.
Below is a demo of where I am so far. More super cool and powerful features are in the works, but I am not going to reveal them quite yet :)
Knowing what the argument byte stream means and accurately decoding it is a non-trivial task, but it is mandatory to get right if you are relying on a tool's results for malware analysis.
If you see results that don't make sense in pcode disassembly tools, it is probably a bad interpretation/resolution of the arguments, or the tool is not showing you that there are arguments to that opcode. If you see a jump in VA larger than the displayed opcode length, there was an argument byte stream for that opcode.
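As an added illustration of that sanity check (my example, not the author's tool), the script below walks a constructed listing in "VA  opcode bytes  mnemonic" form and flags every opcode whose displayed byte length does not reach the next instruction's VA. The listing format, addresses and mnemonics are all made up for the demo.

```python
# Constructed sample in the shape of a pcode disassembler's output.
# Columns are separated by two or more spaces: VA, opcode bytes, mnemonic.
# Mnemonics are hypothetical, not real VB6 pcode names.
SAMPLE_LISTING = """\
00401000  04        OpA
00401001  1B        OpB
00401002  F5 01 00  OpC 1
00401005  28        OpD
0040100A  1C        OpE
0040100B  13        OpF
"""

import re


def parse_listing(text):
    """Return a list of (va, displayed_byte_count, mnemonic) tuples."""
    rows = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue  # blank line or a line that is not an instruction
        va_text, byte_text, mnemonic = parts
        try:
            va = int(va_text, 16)
        except ValueError:
            continue
        rows.append((va, len(byte_text.split()), mnemonic))
    return rows


def find_hidden_arguments(text):
    """Flag opcodes whose displayed length does not explain the jump to the
    next VA. A positive gap means the tool hid an argument byte stream of
    that many bytes; a negative gap means the listing overlaps itself."""
    rows = parse_listing(text)
    findings = []
    for (va, nbytes, mnemonic), (next_va, _, _) in zip(rows, rows[1:]):
        gap = next_va - (va + nbytes)
        if gap != 0:
            findings.append((va, mnemonic, gap))
    return findings


if __name__ == "__main__":
    for va, mnemonic, gap in find_hidden_arguments(SAMPLE_LISTING):
        print(f"{va:08X} {mnemonic}: {gap} undisplayed argument byte(s)")
```

On the constructed listing only OpD at 00401005 is flagged: it is shown as one byte but the next VA is five bytes away, so four argument bytes were not displayed.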
I will be working on opcode documentation as well with this project. Some good news, only about 1/3 of the opcodes appear to be commonly used and there are a fair number of duplicates for some reason (that even point to the same native handler routines).
I have included an opcode profiler. Pdfstreamdumper, which is a large project, only uses 343 unique opcodes; myaut2exe only uses 373. At this point in the project it is now efficient to target opcodes and be able to break at a specific use of them. This allows us to watch how the runtime actually uses them. The basic procedure is to set a pcode breakpoint, attach a native debugger and step the pcode.
It's awesome to be able to exert this level of control over what was once chaos.
For those uninitiated into vb reversing, I have set up a portion of the site with some materials I have accumulated on it. I also worked with Mr Unleaded to rebuild the old vb-decompiler.theautomaters.com message board into flat html files.
I have not decided on a release model for this yet; my preference is for everything to be free open source, but a project of this size and complexity requires a lot of highly skilled labor.
If you are a company that is interested in helping sponsor development on this, feel free to contact me.
I am also currently available on contract for helping out with specialized research, analysis, and tool development tasks.