Using VB6 Obj files from C


Author: David Zimmer
Date: 05.22.20 - 5:32am



So yesterday i spent the whole day on a curosity just to help understand its limits and structure. What you are about to read is an experiment and me being a bit of an asshole to the compiler (and myself).

In previous articles we have seen how we can swap out vb native obj files at link time and replace them with C obj files to produced mixed language binaries. (ie. include the C sqllite library in a VB6 activeX dll with no external dependancies)

References include: So in todays scenario, we want the reverse. To use a vb compiled native obj file from a C host and get everything to link up right. Looks like we have to use VC6 because of libc single thread and same era. maybe can modify lib to remove this. We compile the following:


Sub Main()
    'we must call the funcs or optimized out in native compile..
    add 1, 1
    msg
End Sub

Function add(ByVal a As Long, ByVal b As Long) As Long
    add = a + b
End Function

Function msg(Optional ByVal x As String) As String
    msg = "test: " & x
End Function


we use linktool to save the obj file so not deleted. saved as native.obj
SAVE Module1.obj native.obj
Then we turn the obj into a lib
vcvars32.bat
lib /out:simple.lib native.obj
Now the name mangles in the lib file are for a private class function with no args
?add@Module1@@AAGXXZ
We need them to be public so we have to hexedit the lib file to be QAGXXZ so that it matches the following class prototype that is usable for us.

class Module1 
{
public:
   void __stdcall Module1::add();  
   void __stdcall Module1::msg();  
};

We also had to build a lib for msvbvm60.dll
vcvars32.bat
dumpbin /EXPORTS msvbvm60.dll > msvbvm60.exports
parse outfile and manually build def file from it
lib /def:msvbvm60.def /out:msvbvm60.lib
Now we try to compile and see what shakes loose. Bunch of missing externals. some imports needed fixed up:
   __imp_@__vbaStrMove -> __imp____vbaStrMove
some imports need to be recreated with another temp lib we create
   ___vba@0851F380

   #define  DllExport __declspec(dllexport)
   __int64 DllExport saFlags = 0x000200920001;      -> saFlags@@3_JA
   BSTR DllExport mTxt = SysAllocString(L"test:");  -> ?mTxt@@3PAGA
Some of these numeric symbols are:
  • BSTRs
  • imports by ordinal (rtcMsgBox or really the full _imp__rtcMsgBox name)
  • const or flags values like used in array construction..
To see what these extra mystery symbols are you have to disasm the compiled exe (with symbols) to see what the data is and where used. Still not sure where the data is coming from when the IDE compiles. Link.exe is run externally, and I have the command line, I done see any extra lib files passed to it, and some of the names and values are unique like user strings. I need to explore this more.

To get the mangled names of your new symbols you have to grab them from the new lib, and then patch them into the vb lib.

You can directly patch the vb lib to change the names of these extra imports so long as you dont exceed their original length. Their start offsets must be held elsewhere in teh file. You can shorten them and null out the rest of the buffer and the next one will still load ok so its not just a simple read till null to read the sequential list (thankfully for us)

So with all of that done, and now we actually linking correctly! We still need to initilize the runtime to use it. See previous paper Reusing Pcode Functions Also our prototypes are wrong. Our add function is not void void. We need a usable function pointer to a class member function in an external lib :-

    //Public Function add(ByVal a As Long, ByVal b As Long) As Long
    typedef int (__stdcall *VBADD)(int, int);
    VBADD vbadd;

    typedef  void (__stdcall Module1::*tmp)(); 
    tmp p = &Module1::add;

   _asm{
         mov eax, p
         mov vbadd, eax
   }

So now we can call at least basic functions in a VB obj file from a C host.

Totally not worth it!

As with all first stabs, they are likley way overly complex. Maybe there is some elegant solution to all of this and I am a moron. I kinda hope so! I will poke some more at it if I get bored, I dont see this being useful, but it was an interesting learning curve in manual object file manipulation to make name mangles align. That crowbar could come in useful latter on in life anyway.

We can also generate VB6 PCode Obj files to play with, that will have to be a different day.

If your a masochist you can download the samples and play with it yourself.




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 4 + 81 = ? followed by the letter: D 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (All)
2020 (6)
     Using VB6 Obj files from C
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 ( 12 )
2017 ( 5 )
2016 ( 4 )
2015 ( 6 )
2014 ( 5 )
2013 ( 9 )
2012 ( 13 )
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )