Author: David Zimmer
Date: 10.06.22 - 5:59pm
So I am on the hunt for type info for private classes.
Someone asked about getting the function offset for a private class function, which would be a COM vtable slot. VB6 objects all support IDispatch, which means they support IDispatch::GetIDsOfNames, so at least the method names, dispatch IDs, and vtable layout must be available for dynamic lookup and execution.
Technically using ITypeInfo you can query the layout and get all the information you need. You can find a sample project here. A C++ implementation to dump entire function prototypes is here.
So if you load a VB6 COM object from an ActiveX DLL, the ITypeInfo implementation comes from oleaut32.dll and is based on the full type library compiled into the DLL.
When you are running your code in the VB6 IDE, you get a full ITypeInfo interface from vba6.dll.
However, when you are running a compiled exe with an internal private VB6 class, you now get a partial ITypeInfo implementation from msvbvm60.dll. And guess what.. ITypeInfo->GetTypeAttr and GetFuncDesc return not implemented (E_NOTIMPL). Awesome.
Sooo now what? The information is still in there, I promise you; they just haven't exposed it. So now we would have to reach into some internal structures if we want it.
There is another way. This clever code actually returns a fake COM object that the compiler believes is the expected internal type. The ASM thunk will calculate what offset in its fake vtable was called by the compiler for the desired method and reveal it to you. It's cool, but intricate.
Honestly, I don't even want to use callbacks from class function pointers. The VB6 creators didn't want us to. It can be done, but you're out in unsupported land.
The real reason I want to explore this information is to make vbdec disassembler better and get the type info for it.
So I started digging. I saw that p32Dasm can show event names, args, and private class function names/args. I knew it had to be tied to IDispatch type information buried in the binary. If you search for known test strings you will find them. But how do you find the links within the binary structures?
Since they are type info, we can catch accesses to them in a debugger when going through IDispatch, such as via the VB6 CallByName function.
Turns out they are linked through sub structures below CodeObject.ObjInfo.PrivateObj. I still have some more digging to do to understand all the variations and field meanings, but it is a fun puzzle anyway.
In other news, I added a new node to the vbdec treeview for IDC Structs. This node will generate all of the main structures for VB internal types, and then set the appropriate offsets as that structure type so you can walk them all visually in IDA and explore them. Only took about 6 hours of labor, which is great. It will be a huge help when exploring disassemblies. I will release an update tonight or tomorrow.
In other news part 2: when calling the add_struc_member IDC function, I wanted some of the fields to show as offsets to other structures instead of just 32-bit numbers. This allows IDA to pull in any sub structure names set at that address. The docs are not helpful. Google didn't help much either.
I did find one great post though. So if you manually alter a structure to set the member type exactly as you want it through the UI, which supports a ton of variations, then you can dump the types to IDC and voila, you get the magical IDC constants you need to replicate the output. Thanks buddy, you're a godsend!
That's it for this post. Over and out.