VB App object


Author: David Zimmer
Date: 02.08.21 - 1:56pm



Below is a sample of how VB6 accesses the App object and what its vtable looks like. You will notice from the disasm that it does not reach App directly: it first obtains the Globals object and then calls Globals.App on it.
'compile an exe with the following code
'put a copy of the VB runtime (msvbvm60.dll) with the debug symbols in the same directory
'start it in OllyDbg and start exploring.

Source:  
    MsgBox App.EXEName

So essentially what it is doing is:
   objApp = Globals.App
   MsgBox objApp.EXEName


00401F78   . 3BC3           CMP EAX,EBX                              ; ebx = 0: do we already have a live instance of the Globals object?
00401F7A   . 75 10          JNZ SHORT 00401F8C                       ; jump if yes, create a new one if no
00401F7C   . 68 F0324000    PUSH 4032F0                              ; address to store the live instance pointer
00401F81   . 68 301A4000    PUSH 401A30                              ; COMDEF structure holding the CLSID and IID of the COM object
00401F86   . FF15 9C104000  CALL DWORD PTR DS:[40109C]               ; MSVBVM60.__vbaNew2
00401F8C   > 8B35 F0324000  MOV ESI,DWORD PTR DS:[4032F0]            ; esi = live instance, read from the same address pushed above
...
00401F97   . 8B16           MOV EDX,DWORD PTR DS:[ESI]               ; edx = 660130D0, the CVBApplication vtable (see below)
00401F99   . FF52 14        CALL DWORD PTR DS:[EDX+14]               ; vtable+14 = MSVBVM60.CVBApplication::get_App
...
00401FC3   . 8B08           MOV ECX,DWORD PTR DS:[EAX]               ; eax = COM object returned from get_App (the App object), ecx = its vtable
00401FC5   . 8BF0           MOV ESI,EAX
00401FC7   . FF51 58        CALL DWORD PTR DS:[ECX+58]               ; ecx = 021A41F0, vtable+58 = MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP (see below)


COMDEF structure
	00401A30  00000002
	00401A34  00401A10  Project1.00401A10
	00401A38  00401A20  Project1.00401A20
	00401A3C  00000000

VB Globals object:  (CVBApplication)
	00401A10  23 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5   -> {FCFB3D23-A0FA-1068-A738-08002B3371B5}
	00401A20  22 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5   -> {FCFB3D22-A0FA-1068-A738-08002B3371B5}

	660130D0 >660E2074  MSVBVM60.CVBApplication::QueryInterface
	$+4      >6601808A  MSVBVM60.CVBApplication::AddRef
	$+8      >66028553  MSVBVM60.CVBApplication::Release
	$+C      >6605CE6B  MSVBVM60.CVBApplication::Load
	$+10     >6605CEE2  MSVBVM60.CVBApplication::Unload
	$+14     >66026F9D  MSVBVM60.CVBApplication::get_App
	$+18     >6603D750  MSVBVM60.CVBApplication::get_Screen
	$+1C     >660489C7  MSVBVM60.CVBApplication::get_Clipboard
	$+20     >660E1EC6  MSVBVM60.CVBApplication::get_Printer
	$+24     >660E1EF8  MSVBVM60.CVBApplication::putref_Printer
	$+28     >66048EAE  MSVBVM60.CVBApplication::get_Forms
	$+2C     >660E1EE0  MSVBVM60.CVBApplication::get_Printers
	$+30     >660E1FA0  MSVBVM60.CVBApplication::LoadResStringOld
	$+34     >6604A7C3  MSVBVM60.CVBApplication::LoadResPicture
	$+38     >6604AB06  MSVBVM60.CVBApplication::LoadResData
	$+3C     >660E1FD9  MSVBVM60.CVBApplication::LoadPictureOld
	$+40     >6604776E  MSVBVM60.CVBApplication::SavePicture
	$+44     >6602C9D8  MSVBVM60.CVBApplication::LoadPicture
	$+48     >6604A683  MSVBVM60.CVBApplication::LoadResString
	$+4C     >660E1F71  MSVBVM60.CVBApplication::get_Licenses
	$+50     >53EC8B55
	

VB App object: (CAPP)
	021A41F0 >6600905A  MSVBVM60.CTL::QueryInterface
	$+4      >66001BB2  MSVBVM60.CTL::AddRef
	$+8      >66001C09  MSVBVM60.CTL::Release
	$+C      >660E26F7  MSVBVM60.BASIC_DISPINTERFACE_GetTICount
	$+10     >660B3693  MSVBVM60.CTL::GetTypeInfo
	$+14     >66008858  MSVBVM60.CTL::GetIDsOfNames
	$+18     >6600887B  MSVBVM60.CTL::Invoke
	$+1C     >66046624  MSVBVM60.CTL::HctlDemandLoad
	$+20     >660C0FB2  MSVBVM60.APP::ChkProp
	$+24     >6602E532  MSVBVM60.APP::SetPropA
	$+28     >66027139  MSVBVM60.APP::GetPropA
	$+2C     >6609CF0C  MSVBVM60.CTLMENU::GetPropHsz
	$+30     >66066269  MSVBVM60.CTL::LoadProp
	$+34     >660C4C6C  MSVBVM60.CConnectionEnumerator::Skip
	$+38     >660637C8  MSVBVM60.ExecMod::PrepareForExec
	$+3C     >660C0FA1  MSVBVM60.APP::Reset
	$+40     >6609D823  MSVBVM60._CAPP_vtbl::get_DefaultProp
	$+44     >6609D833  MSVBVM60._CAPP_vtbl::put_DefaultProp
	$+48     >6609D850  MSVBVM60._CAPP_vtbl::get_000x
	$+4C     >6609D862  MSVBVM60._CAPP_vtbl::put_000x
	$+50     >660272FD  MSVBVM60._CAPP_vtbl::get__ipropPathAPP
	$+54     >6609D876  MSVBVM60._CAPP_vtbl::put__ipropPathAPP
	$+58     >660557CB  MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP
	$+5C     >6609D88A  MSVBVM60._CAPP_vtbl::put__ipropEXENameAPP
	$+60     >66043A3F  MSVBVM60._CAPP_vtbl::get__ipropTitleAPP
	$+64     >66043AB8  MSVBVM60._CAPP_vtbl::put__ipropTitleAPP
	$+68     >6604896B  MSVBVM60._CAPP_vtbl::get__ipropPrevInstanceAPP
	$+6C     >6609D89E  MSVBVM60._CAPP_vtbl::put__ipropPrevInstanceAPP
	$+70     >6609D8B2  MSVBVM60._CAPP_vtbl::get__ipropStartModeAPP
	$+74     >6609D8C4  MSVBVM60._CAPP_vtbl::put__ipropStartModeAPP
	$+78     >6609D8D8  MSVBVM60._CAPP_vtbl::get__ipropTaskVisibleAPP
	$+7C     >6609D8EA  MSVBVM60._CAPP_vtbl::put__ipropTaskVisibleAPP
	$+80     >6609D8FE  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyTimeoutAPP
	$+84     >6609D910  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyTimeoutAPP
	$+88     >6609D924  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTitleAPP
	$+8C     >6609D936  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTitleAPP
	$+90     >6609D94A  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTextAPP
	$+94     >6609D95C  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTextAPP
	$+98     >6609D970  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyRaiseErrorAPP
	$+9C     >6609D982  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyRaiseErrorAPP
	$+A0     >6609D996  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingTimeoutAPP
	$+A4     >6609D9A8  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingTimeoutAPP
	$+A8     >6609D9BC  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTitleAPP
	$+AC     >6609D9CE  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTitleAPP
	$+B0     >6609D9E2  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTextAPP
	$+B4     >6609D9F4  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTextAPP
	$+B8     >6609DA08  MSVBVM60._CAPP_vtbl::get__ipropVerMajorAPP
	$+BC     >6609DA1A  MSVBVM60._CAPP_vtbl::put__ipropVerMajorAPP
	$+C0     >6609DA2E  MSVBVM60._CAPP_vtbl::get__ipropVerMinorAPP
	$+C4     >6609DA40  MSVBVM60._CAPP_vtbl::put__ipropVerMinorAPP
	$+C8     >6609DA54  MSVBVM60._CAPP_vtbl::get__ipropVerRevisionAPP
	$+CC     >6609DA66  MSVBVM60._CAPP_vtbl::put__ipropVerRevisionAPP
	$+D0     >6609DA7A  MSVBVM60._CAPP_vtbl::get__ipropVerCommentsAPP
	$+D4     >6609DA8C  MSVBVM60._CAPP_vtbl::put__ipropVerCommentsAPP
	$+D8     >6609DAA0  MSVBVM60._CAPP_vtbl::get__ipropVerCompanyNameAPP
	$+DC     >6609DAB2  MSVBVM60._CAPP_vtbl::put__ipropVerCompanyNameAPP
	$+E0     >6609DAC6  MSVBVM60._CAPP_vtbl::get__ipropVerFileDescriptionAPP
	$+E4     >6609DAD8  MSVBVM60._CAPP_vtbl::put__ipropVerFileDescriptionAPP
	$+E8     >6609DAEC  MSVBVM60._CAPP_vtbl::get__ipropVerLegalCopyrightAPP
	$+EC     >6609DAFE  MSVBVM60._CAPP_vtbl::put__ipropVerLegalCopyrightAPP
	$+F0     >6609DB12  MSVBVM60._CAPP_vtbl::get__ipropVerLegalTrademarksAPP
	$+F4     >6609DB24  MSVBVM60._CAPP_vtbl::put__ipropVerLegalTrademarksAPP
	$+F8     >6609DB38  MSVBVM60._CAPP_vtbl::get__ipropVerProductNameAPP
	$+FC     >6609DB4A  MSVBVM60._CAPP_vtbl::put__ipropVerProductNameAPP
	$+100    >660446D9  MSVBVM60._CAPP_vtbl::get__ipropHInstanceAPP
	$+104    >6609DB5E  MSVBVM60._CAPP_vtbl::put__ipropHInstanceAPP
	$+108    >6609DB72  MSVBVM60._CAPP_vtbl::get__ipropNonModalAllowedAPP
	$+10C    >6609DB84  MSVBVM60._CAPP_vtbl::put__ipropNonModalAllowedAPP
	$+110    >6609DB98  MSVBVM60._CAPP_vtbl::get__ipropLogPathAPP
	$+114    >6609DBAA  MSVBVM60._CAPP_vtbl::put__ipropLogPathAPP
	$+118    >6609DBBE  MSVBVM60._CAPP_vtbl::get__ipropLogModeAPP
	$+11C    >6609DBD0  MSVBVM60._CAPP_vtbl::put__ipropLogModeAPP
	$+120    >6609DBE4  MSVBVM60._CAPP_vtbl::get__ipropUnattendedAppAPP
	$+124    >6609DBF6  MSVBVM60._CAPP_vtbl::put__ipropUnattendedAppAPP
	$+128    >6609DC0A  MSVBVM60._CAPP_vtbl::get__ipropThreadAPP
	$+12C    >6609DC1C  MSVBVM60._CAPP_vtbl::put__ipropThreadAPP
	$+130    >6609DC30  MSVBVM60._CAPP_vtbl::get__ipropHelpFileAPP
	$+134    >6602E585  MSVBVM60._CAPP_vtbl::put__ipropHelpFileAPP
	$+138    >6609DC42  MSVBVM60._CAPP_vtbl::meth__methStartLogging
	$+13C    >6609DC55  MSVBVM60._CAPP_vtbl::meth__methLogEvent
	$+140    >6609DC68  MSVBVM60._CAPP_vtbl::get__ipropRetainedProjAPP
	$+144    >6609DC7A  MSVBVM60._CAPP_vtbl::put__ipropRetainedProjAPP
	$+148    >ABABABAB
	$+14C    >ABABABAB
	$+150    >00000000
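The lookup the disasm performs by hand (decode the GUIDs the COMDEF points at, then turn the `CALL DWORD PTR DS:[reg+disp]` displacements into vtable symbols) is easy to script once the tables above are known. The following is an added example and not code from the original post or from the VB runtime: it rebuilds the three structures from the hex dumped above into a constructed memory image, decodes them, and annotates the two vtable calls. The vtable lists are copied from the dumps above; the two unnamed COMDEF dwords are kept as raw values because the post does not name them.

```python
import re
import struct
import uuid

# Constructed memory image: CLSID at 00401A10, IID at 00401A20, COMDEF at 00401A30,
# using the bytes and addresses shown in the post.
IMAGE_BASE = 0x401A10
_image = bytearray(0x30)
_image[0x00:0x10] = bytes.fromhex("233DFBFCFAA06810A73808002B3371B5")  # CLSID
_image[0x10:0x20] = bytes.fromhex("223DFBFCFAA06810A73808002B3371B5")  # IID
_image[0x20:0x30] = struct.pack("<4I", 2, 0x401A10, 0x401A20, 0)       # COMDEF


def read(va, size):
    """Read `size` bytes at virtual address `va` from the constructed image."""
    off = va - IMAGE_BASE
    if off < 0 or off + size > len(_image):
        raise ValueError("address 0x%X outside image" % va)
    return bytes(_image[off:off + size])


def guid_from_le_bytes(raw):
    """Turn a 16-byte in-memory GUID (Data1..Data3 little-endian) into registry form."""
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def parse_comdef(va):
    """Parse the 4-dword structure passed to __vbaNew2 (dw0/dw3 are not named on the page)."""
    dw0, pclsid, piid, dw3 = struct.unpack("<4I", read(va, 16))
    return {"dw0": dw0, "dw3": dw3,
            "clsid": guid_from_le_bytes(read(pclsid, 16)),
            "iid": guid_from_le_bytes(read(piid, 16))}


# vtable layouts as dumped above; byte offset == index * 4
CVBAPPLICATION = ["CVBApplication::" + n for n in (
    "QueryInterface", "AddRef", "Release", "Load", "Unload", "get_App",
    "get_Screen", "get_Clipboard", "get_Printer", "putref_Printer",
    "get_Forms", "get_Printers", "LoadResStringOld", "LoadResPicture",
    "LoadResData", "LoadPictureOld", "SavePicture", "LoadPicture",
    "LoadResString", "get_Licenses")]

_CAPP_PROPS = (
    "Path", "EXEName", "Title", "PrevInstance", "StartMode", "TaskVisible",
    "OleServerBusyTimeout", "OleServerBusyMsgTitle", "OleServerBusyMsgText",
    "OleServerBusyRaiseError", "OleRequestPendingTimeout",
    "OleRequestPendingMsgTitle", "OleRequestPendingMsgText", "VerMajor",
    "VerMinor", "VerRevision", "VerComments", "VerCompanyName",
    "VerFileDescription", "VerLegalCopyright", "VerLegalTrademarks",
    "VerProductName", "HInstance", "NonModalAllowed", "LogPath", "LogMode",
    "UnattendedApp", "Thread", "HelpFile")

CAPP = [
    "CTL::QueryInterface", "CTL::AddRef", "CTL::Release",
    "BASIC_DISPINTERFACE_GetTICount", "CTL::GetTypeInfo", "CTL::GetIDsOfNames",
    "CTL::Invoke", "CTL::HctlDemandLoad", "APP::ChkProp", "APP::SetPropA",
    "APP::GetPropA", "CTLMENU::GetPropHsz", "CTL::LoadProp",
    "CConnectionEnumerator::Skip", "ExecMod::PrepareForExec", "APP::Reset",
    "_CAPP_vtbl::get_DefaultProp", "_CAPP_vtbl::put_DefaultProp",
    "_CAPP_vtbl::get_000x", "_CAPP_vtbl::put_000x",
]
# every property in the dump is a get/put pair, so the rest is generated
for _p in _CAPP_PROPS:
    CAPP += ["_CAPP_vtbl::get__iprop%sAPP" % _p, "_CAPP_vtbl::put__iprop%sAPP" % _p]
CAPP += ["_CAPP_vtbl::meth__methStartLogging", "_CAPP_vtbl::meth__methLogEvent",
         "_CAPP_vtbl::get__ipropRetainedProjAPP", "_CAPP_vtbl::put__ipropRetainedProjAPP"]

VTABLES = {"CVBApplication": CVBAPPLICATION, "CAPP": CAPP}


def vtable_name(vtable, offset):
    """Map a byte offset into a dumped vtable to its symbol; None if past the table."""
    names = VTABLES[vtable]
    if offset % 4 or offset // 4 >= len(names):
        return None  # unaligned, or into the ABABABAB fill after the last slot
    return names[offset // 4]


_CALL_RE = re.compile(
    r"CALL\s+DWORD PTR\s+DS:\[(E[A-D]X|E[SD]I|E[BS]P)(?:\+([0-9A-F]+))?\]", re.I)


def resolve_call(disasm_line, vtable):
    """Annotate one OllyDbg 'CALL DWORD PTR DS:[reg+disp]' line against `vtable`."""
    m = _CALL_RE.search(disasm_line)
    if not m:
        return None
    return vtable_name(vtable, int(m.group(2) or "0", 16))


def trace_app_exename():
    """Walk the three calls the disasm above makes for `MsgBox App.EXEName`."""
    comdef = parse_comdef(0x401A30)
    return ["__vbaNew2 clsid=%s iid=%s" % (comdef["clsid"], comdef["iid"]),
            resolve_call("FF52 14  CALL DWORD PTR DS:[EDX+14]", "CVBApplication"),
            resolve_call("FF51 58  CALL DWORD PTR DS:[ECX+58]", "CAPP")]


if __name__ == "__main__":
    for step in trace_app_exename():
        print(step)
```

The caller has to say which vtable a register holds (the object flows through `__vbaNew2` -> `get_App` -> property getter, so the register type changes at each step); the script only does the offset arithmetic. Offsets at or beyond 0x148 return None because the dump shows only the 0xABABABAB debug-heap fill there, not a slot.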
