VB6 Hijacking


Author: David Zimmer
Date: 07.04.21 - 5:04pm



So a forum user wanted to devise a way to automate a VB6 application that did not have a plugin or scripting framework. He wanted to get a hold of the Vb.Global.Forms collection so that he could access the open forms and then automate them as if his dll was loaded as a plugin.

Another forum user knew where to find the cached Vb.Global pointer, and the following code ensued: (you can read the fill thread here)

Option Explicit
'add one listbox and two buttons

Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Sub GetMem4 Lib "msvbvm60.dll" (ByVal lAddress As Long, var As Long)
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (lpDest As Any, lpSource As Any, ByVal cBytes&)

Private Type extEntry
    flag As Long
    offset As Long
End Type

Dim readyToReturn As Boolean

Private Sub Command1_Click()
    readyToReturn = True
End Sub

Function IsIde() As Boolean
    On Error GoTo out
    Debug.Print 1 / 0
out: IsIde = Err
End Function

Private Sub Command2_Click()
    End
End Sub

Private Sub Form_Load()

'    Dim v  As VB.Global
'    MsgBox v.App.EXEName 'variable not set..this is good, sanity check
'    End
    
    If IsIde Then
        MsgBox "Only run compiled"
        End
    Else
        Me.Caption = "It worked!"
        Command1.Caption = "Continue"
        Command2.Caption = "End"
        List1.Move 0, 0, 8000, 8000
        Me.Width = 8400
        Me.Height = 9100
        Command1.Move Me.Width - 3000, 8025
        Command2.Move Me.Width - 1500, 8025
        DoTheTrickStuff
    End If
    
End Sub

Sub xx(msg As String, v As Long, Optional wait As Boolean = False)
    List1.AddItem msg & ": " & Hex(v) & IIf(wait, "  --- Waiting for continue click...", Empty)
    List1.Refresh
    DoEvents
    If wait Then
        readyToReturn = False
        While Not readyToReturn
            DoEvents
        Wend
    End If
End Sub


Private Sub DoTheTrickStuff() Dim vbHeader As Long, lpProjectData As Long, projectDataPointerValue As Long Dim lpExternalTable As Long, externalTablePointerValue As Long Dim externalCount As Long, lpExternalCount As Long Dim i As Integer, e As extEntry, myCaption As String Dim globalPtr As Long, lpGlobalPtr As Long, globalClone As VB.Global Me.Visible = True xx "The pointer I am after", ObjPtr(VB.Global) vbHeader = GetVBHeader() xx "Header", vbHeader lpProjectData = vbHeader + &H30 GetMem4 ByVal lpProjectData, projectDataPointerValue xx "lpProject", projectDataPointerValue lpExternalCount = projectDataPointerValue + &H238 xx "lpExternalCount", lpExternalCount GetMem4 ByVal lpExternalCount, externalCount xx "ExtCount", externalCount lpExternalTable = projectDataPointerValue + &H234 xx "lpExtTable", lpExternalTable GetMem4 ByVal lpExternalTable, externalTablePointerValue xx "ExtTable", externalTablePointerValue For i = 0 To externalCount CopyMemory ByVal VarPtr(e), ByVal externalTablePointerValue, 8 Debug.Print i & ") " & Hex(externalTablePointerValue) & " " & e.flag & " " & Hex(e.offset) If e.flag = 6 Then 'Tag of global object xx "Found flag", e.flag GetMem4 ByVal e.offset + 4, lpGlobalPtr xx "lpGlobalPointer", lpGlobalPtr GetMem4 ByVal lpGlobalPtr, globalPtr xx "GlobalPointer", globalPtr If globalPtr = ObjPtr(VB.Global) Then List1.AddItem "Success!!" Else List1.AddItem "FAIL!!" Exit For End If Set globalClone = GlobalFromPointer(ByVal globalPtr) xx "ObjPtr(globalClone)", ObjPtr(globalClone) ', True myCaption = globalClone.Forms(0).Caption List1.AddItem "globalClone.Forms(0).Caption = " & myCaption globalClone.Forms(0).Caption = "Are you sure?!" Exit For End If externalTablePointerValue = externalTablePointerValue + 8 Next List1.AddItem "Complete" End Sub Private Function GlobalFromPointer(ByVal ptr&) As VB.Global ' this function returns a reference to our form class ' dimension an object variable that we can copy the ' passed pointer into Dim globalClone As VB.Global ' use the CopyMemory API function to copy the ' long pointer into the object variable. CopyMemory globalClone, ptr, 4& Set GlobalFromPointer = globalClone CopyMemory ptr&, 0&, 4& End Function Public Function ObjFromPtr(ByVal pObj As Long) As Object Dim obj As Object CopyMemory obj, pObj, LenB(obj) 'not size 4! Set ObjFromPtr = obj CopyMemory obj, 0&, LenB(obj) 'not size 4! End Function ' // Get VBHeader structure Private Function GetVBHeader() As Long Dim ptr As Long Dim hModule As Long hModule = GetModuleHandle(ByVal "Project1.exe") ' Get e_lfanew GetMem4 ByVal hModule + &H3C, ptr ' Get AddressOfEntryPoint GetMem4 ByVal ptr + &H28 + hModule, ptr ' Get VBHeader GetMem4 ByVal ptr + hModule + 1, GetVBHeader End Function Private Sub Form_Resize() On Error Resume Next List1.Width = Me.Width End Sub


Special considerations:
  • inject native dll which loads vb dll as "plugin"
  • native call vb6 activex method which sets timer
  • vb plugin must execute in the same thread as STA main vb6 app


Description:

find the VBHeader.aProjectInfo at offset 0x30 of the VBHeader

walk the VBHeader.aProjectInfo.aExternalTable (offset 0x234 in VBHeader.aProjectInfo struct) of which there will be VBHeader.aProjectInfo.ExternalCount entries (offset 0x238 from start of VBHeader.aProjectInfo )

each entry will be an 8 byte structure

private type extEntry flag as long offset as long end type

when you find flag = 6 you found your target. at that target.offset you will find another 8 byte structure

private type extEntryTarget clsidIIDStructOffset as long lpValue as long end type

you can verify the clsidIID values they are actually another struct 32 bytes consecutive of just use the hex dump of the guids the value of the actual vb.globals you want will be found at the lpValue offset.

I havent played with it as in injection yet, but its an interesting concept.

The Trick ended up posting a full example with injection here. (Local snapshot)




Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 79 + 62 = ? followed by the letter: I 



About Me
More Blogs
Main Site
Posts: (year)
2023 (4)
     UDTs in Native Const Pool
     PublicBytes struct
     DispCallFunc
     VB6 Class Instances
2022 (6)
     VB6 Implements
     vbdec remote scripting
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (4)
     VB6 Hijacking
     rtcTypeName
     VB6 Gosub
     VB App object
2020 (6)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Vb6 PCode Internals
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     SafeArrayGetVartype
     vb6 API and call backs
     PrintFile
     ImpAdCallNonVirt
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (6)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
     packet reassembly
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation