VB6 PCode Debugger


Author: David Zimmer
Date: 07.15.19 - 5:01am




Note: Vbdec is now available and has its own product page

Since VB6 PCode analysis is a specialty and a weak spot in corporate IT security I have been researching the subject extensively.

Its a long slow road and intricate subject. Structure parsing and pcode disassembly engines are complete and I have been pouring through the 908 opcodes adding argument decodings and object resolvers for the 524 that require it.

I have also implemented a p-code debugging engine complete with breakpoints and memory inspection.

Below is a demo of where I am so far. More super cool and powerful features are in the works, but I am not going to reveal them quite yet :)





Knowing what the argument byte streams means and accurately decoding it is a non-trivial task but mandatory to get right if you are relying on a tools results for malware analysis.

If you see results that dont make sense in pcode disassembly tools, it is probably a bad interpretation/resolution of the arguments or the tool is not showing you that there are arguments to that opcode. If you see a jump in va > displayed opcode length..there was an argument bytestream to that opcode.

I will be working on opcode documentation as well with this project. Some good news, only about 1/3 of the opcodes appear to be commonly used and there are a fair number of duplicates for some reason (that even point to the same native handler routines).

I have included an opcode profiler. Pdfstreamdumper which is a large project only uses 343 unique opcodes. myaut2exe only uses 373. At this point in the project it is now efficient to target opcodes and be able to break at a specific use of them. This allows us to watch how it is actually used by the runtime. Basic procedure is to set a pcode breakpoint, attach a native debugger and step the pcode.

Its awesome to be able to exert this level of control over what was once chaos.

For those uninitiated into vb reversing I have setup a portion of the site with some materials I have accumulated on it. I also worked with Mr Unleaded to rebuild the old vb-decompiler.theautomaters.com message board into flat html files.





Comments: (2)

On 08.13.19 - 11:15am Dave wrote:
So its becoming apparent I am going to need a data interpreter form. Stack view is nice, memdump with various expected data representations is nice, but there is still one more level required, how to view memory and have it decoded as a SafeArray or Variant, Date, Currency, or object type.

This project is a rich problem set, lots of cool stuff to explore.


On 08.19.19 - 12:54pm Dave wrote:
Also needed a const pool viewer/intrepreter form with auto detection of pool entry type:


 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 9 + 29 = ? followed by the letter: Z 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (All)
2020 ( 5 )
2019 (12)
     Yara WorkBench
     SafeArrayGetVartype
     vbdec dbg updates
     vb6 PCode NOP
     vb6 API and call backs
     how pcode works Pt1
     PrintFile
     ImpAdCallNonVirt
     Reversing PCode Args
     VB6 PCode Disassembly
     VB6 PCode Debugger
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 ( 4 )
2015 ( 6 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )