Reusing Pcode Functions

Author: David Zimmer
Date: 05.17.20 - 8:18pm

One of my favorite things is binary re-engineering, specifically reusing code from malware as part of my solution to solving it. I have had several blog posts on this over the years.

For this installment we are going to look at how to rip functions from a vb6 pcode executable and call them from our own C loader.

This 10 page paper includes
  • 13 samples showcasing a wide variety of tests & scenarios
  • vbRip.exe – a tool to easily extract pcode functions and generate the necessary embedding data

This research is part of what came out of an 8 month long research project into the vb6 file format and pcode instruction set.


Downloads: Paper & Samples

Update: At reader request I have expanded vbRip's scope to load dlls and show multiple modules.

Below is the video that started me down this research path:

Comments: (1)

On 05.18.20 - 7:56pm Dave wrote:
One reason I still love VB6 and use it to this day is because of how well it integrates with C. As shown here its really seamless and does not have all of the massive bloat that the .NET runtime brings along with it. In fact most of the vb6 opcode handlers are written in hand optimized asm tracing back to its historic roots.

Vb6 was designed to run well in an era of limited hardware and written by a generation when developers were wizards.

I have been using Vb6 heavily for 20 years. My appreciation and understanding of it still deepens every day. It still has more to show me and I have yet to fully mastered it.

Leave Comment:
Email: (not shown)
Message: (Required)
Math Question: 45 + 2 = ? followed by the letter: V 

About Me
More Blogs
Main Site
Posts: (All)
2020 (7)
     Using VB6 Obj files from C
     Reusing Pcode Functions
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 ( 12 )
2017 ( 5 )
2016 ( 4 )
2015 ( 6 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )