VB App object


Author: David Zimmer
Date: 02.08.21 - 1:56pm



Below is a sample on how VB6 access the App. object and what its vtable looks like. You will notice from the disasm that it first loads the app object from the globals.app
'compile an exe with the following code
'put a copy of the vbruntime with the debug symbols in the same directory
'start in ollydbg and start exploring.

Source:  
    MsgBox App.EXEName

so essentially what its doing
   objApp = globals.App 
   msgbox objApp.ExeName


00401F78   . 3BC3           CMP EAX,EBX                              ; do we already have a live instance of the object?
00401F7A   . 75 10          JNZ SHORT 00401F8C                       ; jmp if yes, load new if no
00401F7C   . 68 F0324000    PUSH 4032F0                              ; address to put live instance 
00401F81   . 68 301A4000    PUSH 401A30                              ; COMDEF structure defining clsid and iid of COM object
00401F86   . FF15 9C104000  CALL DWORD PTR DS:[40109C]               ; MSVBVM60.__vbaNew2
00401F8C   > 8B35 F0324000  MOV ESI,DWORD PTR DS:[4032F0]            ; same address as above see
...
00401F97   . 8B16           MOV EDX,DWORD PTR DS:[ESI]
00401F99   . FF52 14        CALL DWORD PTR DS:[EDX+14]               ; edx = 660130D0 MSVBVM60.CVBApplication::get_App (see below)
...
00401FC3   . 8B08           MOV ECX,DWORD PTR DS:[EAX]               ; COM object returned from get_APP (App object)
00401FC5   . 8BF0           MOV ESI,EAX
00401FC7   . FF51 58        CALL DWORD PTR DS:[ECX+58]               ; ecx = 021A41F0 MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP (see below)


COMDEF structure
	00401A30  00000002
	00401A34  00401A10  Project1.00401A10
	00401A38  00401A20  Project1.00401A20
	00401A3C  00000000

VB Globals object:  (CVBApplication)
	00401A10  23 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5   -> {FCFB3D23-A0FA-1068-A738-08002B3371B5}
	00401A20  22 3D FB FC FA A0 68 10 A7 38 08 00 2B 33 71 B5   -> {FCFB3D22-A0FA-1068-A738-08002B3371B5}

	660130D0 >660E2074  MSVBVM60.CVBApplication::QueryInterface
	$+4      >6601808A  MSVBVM60.CVBApplication::AddRef
	$+8      >66028553  MSVBVM60.CVBApplication::Release
	$+C      >6605CE6B  MSVBVM60.CVBApplication::Load
	$+10     >6605CEE2  MSVBVM60.CVBApplication::Unload
	$+14     >66026F9D  MSVBVM60.CVBApplication::get_App
	$+18     >6603D750  MSVBVM60.CVBApplication::get_Screen
	$+1C     >660489C7  MSVBVM60.CVBApplication::get_Clipboard
	$+20     >660E1EC6  MSVBVM60.CVBApplication::get_Printer
	$+24     >660E1EF8  MSVBVM60.CVBApplication::putref_Printer
	$+28     >66048EAE  MSVBVM60.CVBApplication::get_Forms
	$+2C     >660E1EE0  MSVBVM60.CVBApplication::get_Printers
	$+30     >660E1FA0  MSVBVM60.CVBApplication::LoadResStringOld
	$+34     >6604A7C3  MSVBVM60.CVBApplication::LoadResPicture
	$+38     >6604AB06  MSVBVM60.CVBApplication::LoadResData
	$+3C     >660E1FD9  MSVBVM60.CVBApplication::LoadPictureOld
	$+40     >6604776E  MSVBVM60.CVBApplication::SavePicture
	$+44     >6602C9D8  MSVBVM60.CVBApplication::LoadPicture
	$+48     >6604A683  MSVBVM60.CVBApplication::LoadResString
	$+4C     >660E1F71  MSVBVM60.CVBApplication::get_Licenses
	$+50     >53EC8B55
	

VB App object: (CAPP)
	021A41F0 >6600905A  MSVBVM60.CTL::QueryInterface
	$+4      >66001BB2  MSVBVM60.CTL::AddRef
	$+8      >66001C09  MSVBVM60.CTL::Release
	$+C      >660E26F7  MSVBVM60.BASIC_DISPINTERFACE_GetTICount
	$+10     >660B3693  MSVBVM60.CTL::GetTypeInfo
	$+14     >66008858  MSVBVM60.CTL::GetIDsOfNames
	$+18     >6600887B  MSVBVM60.CTL::Invoke
	$+1C     >66046624  MSVBVM60.CTL::HctlDemandLoad
	$+20     >660C0FB2  MSVBVM60.APP::ChkProp
	$+24     >6602E532  MSVBVM60.APP::SetPropA
	$+28     >66027139  MSVBVM60.APP::GetPropA
	$+2C     >6609CF0C  MSVBVM60.CTLMENU::GetPropHsz
	$+30     >66066269  MSVBVM60.CTL::LoadProp
	$+34     >660C4C6C  MSVBVM60.CConnectionEnumerator::Skip
	$+38     >660637C8  MSVBVM60.ExecMod::PrepareForExec
	$+3C     >660C0FA1  MSVBVM60.APP::Reset
	$+40     >6609D823  MSVBVM60._CAPP_vtbl::get_DefaultProp
	$+44     >6609D833  MSVBVM60._CAPP_vtbl::put_DefaultProp
	$+48     >6609D850  MSVBVM60._CAPP_vtbl::get_000x
	$+4C     >6609D862  MSVBVM60._CAPP_vtbl::put_000x
	$+50     >660272FD  MSVBVM60._CAPP_vtbl::get__ipropPathAPP
	$+54     >6609D876  MSVBVM60._CAPP_vtbl::put__ipropPathAPP
	$+58     >660557CB  MSVBVM60._CAPP_vtbl::get__ipropEXENameAPP
	$+5C     >6609D88A  MSVBVM60._CAPP_vtbl::put__ipropEXENameAPP
	$+60     >66043A3F  MSVBVM60._CAPP_vtbl::get__ipropTitleAPP
	$+64     >66043AB8  MSVBVM60._CAPP_vtbl::put__ipropTitleAPP
	$+68     >6604896B  MSVBVM60._CAPP_vtbl::get__ipropPrevInstanceAPP
	$+6C     >6609D89E  MSVBVM60._CAPP_vtbl::put__ipropPrevInstanceAPP
	$+70     >6609D8B2  MSVBVM60._CAPP_vtbl::get__ipropStartModeAPP
	$+74     >6609D8C4  MSVBVM60._CAPP_vtbl::put__ipropStartModeAPP
	$+78     >6609D8D8  MSVBVM60._CAPP_vtbl::get__ipropTaskVisibleAPP
	$+7C     >6609D8EA  MSVBVM60._CAPP_vtbl::put__ipropTaskVisibleAPP
	$+80     >6609D8FE  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyTimeoutAPP
	$+84     >6609D910  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyTimeoutAPP
	$+88     >6609D924  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTitleAPP
	$+8C     >6609D936  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTitleAPP
	$+90     >6609D94A  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyMsgTextAPP
	$+94     >6609D95C  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyMsgTextAPP
	$+98     >6609D970  MSVBVM60._CAPP_vtbl::get__ipropOleServerBusyRaiseErrorAPP
	$+9C     >6609D982  MSVBVM60._CAPP_vtbl::put__ipropOleServerBusyRaiseErrorAPP
	$+A0     >6609D996  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingTimeoutAPP
	$+A4     >6609D9A8  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingTimeoutAPP
	$+A8     >6609D9BC  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTitleAPP
	$+AC     >6609D9CE  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTitleAPP
	$+B0     >6609D9E2  MSVBVM60._CAPP_vtbl::get__ipropOleRequestPendingMsgTextAPP
	$+B4     >6609D9F4  MSVBVM60._CAPP_vtbl::put__ipropOleRequestPendingMsgTextAPP
	$+B8     >6609DA08  MSVBVM60._CAPP_vtbl::get__ipropVerMajorAPP
	$+BC     >6609DA1A  MSVBVM60._CAPP_vtbl::put__ipropVerMajorAPP
	$+C0     >6609DA2E  MSVBVM60._CAPP_vtbl::get__ipropVerMinorAPP
	$+C4     >6609DA40  MSVBVM60._CAPP_vtbl::put__ipropVerMinorAPP
	$+C8     >6609DA54  MSVBVM60._CAPP_vtbl::get__ipropVerRevisionAPP
	$+CC     >6609DA66  MSVBVM60._CAPP_vtbl::put__ipropVerRevisionAPP
	$+D0     >6609DA7A  MSVBVM60._CAPP_vtbl::get__ipropVerCommentsAPP
	$+D4     >6609DA8C  MSVBVM60._CAPP_vtbl::put__ipropVerCommentsAPP
	$+D8     >6609DAA0  MSVBVM60._CAPP_vtbl::get__ipropVerCompanyNameAPP
	$+DC     >6609DAB2  MSVBVM60._CAPP_vtbl::put__ipropVerCompanyNameAPP
	$+E0     >6609DAC6  MSVBVM60._CAPP_vtbl::get__ipropVerFileDescriptionAPP
	$+E4     >6609DAD8  MSVBVM60._CAPP_vtbl::put__ipropVerFileDescriptionAPP
	$+E8     >6609DAEC  MSVBVM60._CAPP_vtbl::get__ipropVerLegalCopyrightAPP
	$+EC     >6609DAFE  MSVBVM60._CAPP_vtbl::put__ipropVerLegalCopyrightAPP
	$+F0     >6609DB12  MSVBVM60._CAPP_vtbl::get__ipropVerLegalTrademarksAPP
	$+F4     >6609DB24  MSVBVM60._CAPP_vtbl::put__ipropVerLegalTrademarksAPP
	$+F8     >6609DB38  MSVBVM60._CAPP_vtbl::get__ipropVerProductNameAPP
	$+FC     >6609DB4A  MSVBVM60._CAPP_vtbl::put__ipropVerProductNameAPP
	$+100    >660446D9  MSVBVM60._CAPP_vtbl::get__ipropHInstanceAPP
	$+104    >6609DB5E  MSVBVM60._CAPP_vtbl::put__ipropHInstanceAPP
	$+108    >6609DB72  MSVBVM60._CAPP_vtbl::get__ipropNonModalAllowedAPP
	$+10C    >6609DB84  MSVBVM60._CAPP_vtbl::put__ipropNonModalAllowedAPP
	$+110    >6609DB98  MSVBVM60._CAPP_vtbl::get__ipropLogPathAPP
	$+114    >6609DBAA  MSVBVM60._CAPP_vtbl::put__ipropLogPathAPP
	$+118    >6609DBBE  MSVBVM60._CAPP_vtbl::get__ipropLogModeAPP
	$+11C    >6609DBD0  MSVBVM60._CAPP_vtbl::put__ipropLogModeAPP
	$+120    >6609DBE4  MSVBVM60._CAPP_vtbl::get__ipropUnattendedAppAPP
	$+124    >6609DBF6  MSVBVM60._CAPP_vtbl::put__ipropUnattendedAppAPP
	$+128    >6609DC0A  MSVBVM60._CAPP_vtbl::get__ipropThreadAPP
	$+12C    >6609DC1C  MSVBVM60._CAPP_vtbl::put__ipropThreadAPP
	$+130    >6609DC30  MSVBVM60._CAPP_vtbl::get__ipropHelpFileAPP
	$+134    >6602E585  MSVBVM60._CAPP_vtbl::put__ipropHelpFileAPP
	$+138    >6609DC42  MSVBVM60._CAPP_vtbl::meth__methStartLogging
	$+13C    >6609DC55  MSVBVM60._CAPP_vtbl::meth__methLogEvent
	$+140    >6609DC68  MSVBVM60._CAPP_vtbl::get__ipropRetainedProjAPP
	$+144    >6609DC7A  MSVBVM60._CAPP_vtbl::put__ipropRetainedProjAPP
	$+148    >ABABABAB
	$+14C    >ABABABAB
	$+150    >00000000






Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 97 + 57 = ? followed by the letter: I 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (year)
2021 (4)
     VB6 Hijacking
     rtcTypeName
     VB6 Gosub
     VB App object
2020 (8)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Vb6 PCode Internals
     Vb6 Runtime ForLoop Disasm
     VB6 Pcode - For Loops
     Yara Corrupt Imports
     Yara Undefined values
2019 (12)
     Yara WorkBench
     SafeArrayGetVartype
     vbdec dbg updates
     vb6 PCode NOP
     vb6 API and call backs
     how pcode works Pt1
     PrintFile
     ImpAdCallNonVirt
     Reversing PCode Args
     VB6 PCode Disassembly
     VB6 PCode Debugger
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (6)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
     packet reassembly
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation