VB App object
Author: David Zimmer
Date: 02.08.21 - 1:56pm

Below is a sample of how VB6 accesses the App object and what its vtable looks like. You will notice from the disasm that it first loads the App object from globals.App.

'compile an exe with the following code
'put a copy of the vbruntime with the debug symbols in the same directory
'start in ollydbg and start exploring.

Source:

MsgBox App.EXEName

So essentially what it's doing is:

objApp = globals.App
msgbox objApp.ExeName

Disassembly:

00401F78 . 3BC3           CMP EAX,EBX                   ; do we already have a live instance of the object?
00401F7A . 75 10          JNZ SHORT 00401F8C            ; jmp if yes, load new if no
00401F7C . 68 F0324000    PUSH 4032F0                   ; address to put live instance
00401F81 . 68 301A4000    PUSH 401A30                   ; COMDEF structure defining clsid and iid of COM object
00401F86 . FF15 9C104000  CALL DWORD PTR DS:[40109C]    ; MSVBVM60.__vbaNew2
00401F8C > 8B35 F0324000  MOV ESI,DWORD PTR DS:[4032F0] ; same address as above, see ...
00401F97 . 8B16           MOV EDX,DWORD PTR DS:[ESI]
00401F99 . FF52 14        CALL DWORD PTR DS:[EDX+14]    ; edx = 660130D0 MSVBVM60.CVBApplication::get_App (see below)
...
00401FC3 . 8B08           MOV ECX,DWORD PTR DS:[EAX]    ; COM object returned from get_App (App object)
00401FC5 . 8BF0           MOV ESI,EAX
00401FC7 . FF51 58        CALL DWORD PTR DS:[ECX+58]    ; ecx = 021A41F0 MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP (see below)

COMDEF structure:

00401A30 00000002
00401A34 00401A10 Project1.00401A10
00401A38 00401A20 Project1.00401A20
00401A3C 00000000

00401A10 23 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5 -> {FCFB3D23-A0FA-1068-A738-08002B3371B5}
00401A20 22 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5 -> {FCFB3D22-A0FA-1068-A738-08002B3371B5}

VB Globals object: (CVBApplication)

660130D0 >660E2074 MSVBVM60.CVBApplication::QueryInterface
$+4      >6601808A MSVBVM60.CVBApplication::AddRef
$+8      >66028553 MSVBVM60.CVBApplication::Release
$+C      >6605CE6B MSVBVM60.CVBApplication::Load
$+10     >6605CEE2 MSVBVM60.CVBApplication::Unload
$+14     >66026F9D MSVBVM60.CVBApplication::get_App
$+18     >6603D750 MSVBVM60.CVBApplication::get_Screen
$+1C     >660489C7 MSVBVM60.CVBApplication::get_Clipboard
$+20     >660E1EC6 MSVBVM60.CVBApplication::get_Printer
$+24     >660E1EF8 MSVBVM60.CVBApplication::putref_Printer
$+28     >66048EAE MSVBVM60.CVBApplication::get_Forms
$+2C     >660E1EE0 MSVBVM60.CVBApplication::get_Printers
$+30     >660E1FA0 MSVBVM60.CVBApplication::LoadResStringOld
$+34     >6604A7C3 MSVBVM60.CVBApplication::LoadResPicture
$+38     >6604AB06 MSVBVM60.CVBApplication::LoadResData
$+3C     >660E1FD9 MSVBVM60.CVBApplication::LoadPictureOld
$+40     >6604776E MSVBVM60.CVBApplication::SavePicture
$+44     >6602C9D8 MSVBVM60.CVBApplication::LoadPicture
$+48     >6604A683 MSVBVM60.CVBApplication::LoadResString
$+4C     >660E1F71 MSVBVM60.CVBApplication::get_Licenses
$+50     >53EC8B55

VB App object: (CAPP)

021A41F0 >6600905A MSVBVM60.CTL::QueryInterface
$+4      >66001BB2 MSVBVM60.CTL::AddRef
$+8      >66001C09 MSVBVM60.CTL::Release
$+C      >660E26F7 MSVBVM60.BASIC_DISPINTERFACE_GetTICount
$+10     >660B3693 MSVBVM60.CTL::GetTypeInfo
$+14     >66008858 MSVBVM60.CTL::GetIDsOfNames
$+18     >6600887B MSVBVM60.CTL::Invoke
$+1C     >66046624 MSVBVM60.CTL::HctlDemandLoad
$+20     >660C0FB2 MSVBVM60.APP::ChkProp
$+24     >6602E532 MSVBVM60.APP::SetPropA
$+28     >66027139 MSVBVM60.APP::GetPropA
$+2C     >6609CF0C MSVBVM60.CTLMENU::GetPropHsz
$+30     >66066269 MSVBVM60.CTL::LoadProp
$+34     >660C4C6C MSVBVM60.CConnectionEnumerator::Skip
$+38     >660637C8 MSVBVM60.ExecMod::PrepareForExec
$+3C     >660C0FA1 MSVBVM60.APP::Reset
$+40     >6609D823 MSVBVM60._CAPP_vtbl::get_DefaultProp
$+44     >6609D833 MSVBVM60._CAPP_vtbl::put_DefaultProp
$+48     >6609D850 MSVBVM60._CAPP_vtbl::get_000x
$+4C     >6609D862 MSVBVM60._CAPP_vtbl::put_000x
$+50     >660272FD MSVBVM60._CAPP_vtbl::get__ipropPathAPP
$+54     >6609D876 MSVBVM60._CAPP_vtbl::put__ipropPathAPP
$+58     >660557CB MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP
$+5C     >6609D88A MSVBVM60._CAPP_vtbl::put__ipropEXENameAPP
$+60     >66043A3F MSVBVM60._CAPP_vtbl::get__ipropTitleAPP
$+64     >66043AB8 MSVBVM60._CAPP_vtbl::put__ipropTitleAPP
$+68     >6604896B MSVBVM60._CAPP_vtbl::get__ipropPrevInstanceAPP
$+6C     >6609D89E MSVBVM60._CAPP_vtbl::put__ipropPrevInstanceAPP
$+70     >6609D8B2 MSVBVM60._CAPP_vtbl::get__ipropStartModeAPP
$+74     >6609D8C4 MSVBVM60._CAPP_vtbl::put__ipropStartModeAPP
$+78     >6609D8D8 MSVBVM60._CAPP_vtbl::get__ipropTaskVisibleAPP
$+7C     >6609D8EA MSVBVM60._CAPP_vtbl::put__ipropTaskVisibleAPP
$+80     >6609D8FE MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyTimeoutAPP
$+84     >6609D910 MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyTimeoutAPP
$+88     >6609D924 MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTitleAPP
$+8C     >6609D936 MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTitleAPP
$+90     >6609D94A MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTextAPP
$+94     >6609D95C MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTextAPP
$+98     >6609D970 MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyRaiseErrorAPP
$+9C     >6609D982 MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyRaiseErrorAPP
$+A0     >6609D996 MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingTimeoutAPP
$+A4     >6609D9A8 MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingTimeoutAPP
$+A8     >6609D9BC MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTitleAPP
$+AC     >6609D9CE MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTitleAPP
$+B0     >6609D9E2 MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTextAPP
$+B4     >6609D9F4 MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTextAPP
$+B8     >6609DA08 MSVBVM60._CAPP_vtbl::get__ipropVerMajorAPP
$+BC     >6609DA1A MSVBVM60._CAPP_vtbl::put__ipropVerMajorAPP
$+C0     >6609DA2E MSVBVM60._CAPP_vtbl::get__ipropVerMinorAPP
$+C4     >6609DA40 MSVBVM60._CAPP_vtbl::put__ipropVerMinorAPP
$+C8     >6609DA54 MSVBVM60._CAPP_vtbl::get__ipropVerRevisionAPP
$+CC     >6609DA66 MSVBVM60._CAPP_vtbl::put__ipropVerRevisionAPP
$+D0     >6609DA7A MSVBVM60._CAPP_vtbl::get__ipropVerCommentsAPP
$+D4     >6609DA8C MSVBVM60._CAPP_vtbl::put__ipropVerCommentsAPP
$+D8     >6609DAA0 MSVBVM60._CAPP_vtbl::get__ipropVerCompanyNameAPP
$+DC     >6609DAB2 MSVBVM60._CAPP_vtbl::put__ipropVerCompanyNameAPP
$+E0     >6609DAC6 MSVBVM60._CAPP_vtbl::get__ipropVerFileDescriptionAPP
$+E4     >6609DAD8 MSVBVM60._CAPP_vtbl::put__ipropVerFileDescriptionAPP
$+E8     >6609DAEC MSVBVM60._CAPP_vtbl::get__ipropVerLegalCopyrightAPP
$+EC     >6609DAFE MSVBVM60._CAPP_vtbl::put__ipropVerLegalCopyrightAPP
$+F0     >6609DB12 MSVBVM60._CAPP_vtbl::get__ipropVerLegalTrademarksAPP
$+F4     >6609DB24 MSVBVM60._CAPP_vtbl::put__ipropVerLegalTrademarksAPP
$+F8     >6609DB38 MSVBVM60._CAPP_vtbl::get__ipropVerProductNameAPP
$+FC     >6609DB4A MSVBVM60._CAPP_vtbl::put__ipropVerProductNameAPP
$+100    >660446D9 MSVBVM60._CAPP_vtbl::get__ipropHInstanceAPP
$+104    >6609DB5E MSVBVM60._CAPP_vtbl::put__ipropHInstanceAPP
$+108    >6609DB72 MSVBVM60._CAPP_vtbl::get__ipropNonModalAllowedAPP
$+10C    >6609DB84 MSVBVM60._CAPP_vtbl::put__ipropNonModalAllowedAPP
$+110    >6609DB98 MSVBVM60._CAPP_vtbl::get__ipropLogPathAPP
$+114    >6609DBAA MSVBVM60._CAPP_vtbl::put__ipropLogPathAPP
$+118    >6609DBBE MSVBVM60._CAPP_vtbl::get__ipropLogModeAPP
$+11C    >6609DBD0 MSVBVM60._CAPP_vtbl::put__ipropLogModeAPP
$+120    >6609DBE4 MSVBVM60._CAPP_vtbl::get__ipropUnattendedAppAPP
$+124    >6609DBF6 MSVBVM60._CAPP_vtbl::put__ipropUnattendedAppAPP
$+128    >6609DC0A MSVBVM60._CAPP_vtbl::get__ipropThreadAPP
$+12C    >6609DC1C MSVBVM60._CAPP_vtbl::put__ipropThreadAPP
$+130    >6609DC30 MSVBVM60._CAPP_vtbl::get__ipropHelpFileAPP
$+134    >6602E585 MSVBVM60._CAPP_vtbl::put__ipropHelpFileAPP
$+138    >6609DC42 MSVBVM60._CAPP_vtbl::meth__methStartLogging
$+13C    >6609DC55 MSVBVM60._CAPP_vtbl::meth__methLogEvent
$+140    >6609DC68 MSVBVM60._CAPP_vtbl::get__ipropRetainedProjAPP
$+144    >6609DC7A MSVBVM60._CAPP_vtbl::put__ipropRetainedProjAPP
$+148    >ABABABAB
$+14C    >ABABABAB
$+150    >00000000
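The two dispatch steps above (CALL [EDX+14] through the CVBApplication vtable, then CALL [ECX+58] through the CAPP vtable) can be resolved mechanically from an OllyDbg vtable dump. The following is an added example, not code from the post: it parses short constructed excerpts of the dumps shown here, names the method behind a given vtable slot offset, and converts a COMDEF GUID byte row into registry form (the first three GUID fields are stored little-endian, which is why the bytes 23 3D FB FC read back as FCFB3D23).

```python
import re
import uuid

# Constructed excerpts of the OllyDbg vtable dumps shown on the page. The first line
# is the vtable base (slot 0); later lines are "$+offset >funcaddr symbol".
CVBAPP_VTABLE_DUMP = """\
660130D0 >660E2074 MSVBVM60.CVBApplication::QueryInterface
$+4 >6601808A MSVBVM60.CVBApplication::AddRef
$+8 >66028553 MSVBVM60.CVBApplication::Release
$+C >6605CE6B MSVBVM60.CVBApplication::Load
$+10 >6605CEE2 MSVBVM60.CVBApplication::Unload
$+14 >66026F9D MSVBVM60.CVBApplication::get_App
"""
CAPP_VTABLE_DUMP = """\
021A41F0 >6600905A MSVBVM60.CTL::QueryInterface
$+4 >66001BB2 MSVBVM60.CTL::AddRef
$+8 >66001C09 MSVBVM60.CTL::Release
$+50 >660272FD MSVBVM60._CAPP_vtbl::get__ipropPathAPP
$+54 >6609D876 MSVBVM60._CAPP_vtbl::put__ipropPathAPP
$+58 >660557CB MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP
$+5C >6609D88A MSVBVM60._CAPP_vtbl::put__ipropEXENameAPP
$+148 >ABABABAB
"""
# Constructed copy of the CLSID byte row from the COMDEF structure on the page.
COMDEF_CLSID_ROW = "00401A10 23 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5"

# base address or "$+hex", then ">funcaddr", then an optional symbol
ENTRY = re.compile(r"^(?:\$\+([0-9A-Fa-f]+)|[0-9A-Fa-f]{8})\s+>([0-9A-Fa-f]{8})(?:\s+(\S+))?")

def parse_vtable(dump):
    """Map slot offset -> (function address, symbol or None). The base line is offset 0."""
    table = {}
    for line in dump.splitlines():
        m = ENTRY.match(line)
        if m:
            off = int(m.group(1), 16) if m.group(1) else 0
            table[off] = (int(m.group(2), 16), m.group(3))
    return table

def resolve_call(table, offset):
    """Name the method behind `CALL DWORD PTR [reg+offset]` on an object using this vtable."""
    if offset % 4:
        raise ValueError("x86 vtable slots are 4 bytes; offset must be a multiple of 4")
    addr, sym = table[offset]
    if sym is None:
        raise ValueError("slot %#x holds %08X, which has no symbol (past end of vtable?)" % (offset, addr))
    return sym

def guid_from_dump_row(row):
    """Convert a 16-byte hex dump row to {GUID} form; the first three fields are little-endian."""
    raw = bytes.fromhex("".join(row.split()[1:17]))
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()
```

Feeding 0x14 against the CVBApplication table and 0x58 against the CAPP table reproduces the two annotations in the disassembly; 0x148 is rejected because that slot holds the fill pattern rather than a symbol.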