10

I am analyzing some Visual Basic 6.0 malware(before .NET) and I have several questions regarding the internal structure of the format. The samples I have are both p-code or native code compiled(depends on the malware version). In the last couple of days I read Alex Ionescu's paper as well as one other paper on the subject and I have a couple of questions regarding the format. Also, if you have any more resources where I can obtain additional information about the Visual Basic internal structure feel free to post them here.

So the questions are:

  1. In the ProjectInformation structure there is a field at offset 0x20 called lpNativeCode. Based on Alex's paper, the description says Pointer to .DATA section. When analyzing my samples, I noticed that the following field is 0x0 for p-code compiled samples and contains an address for native code compiled samples. So, my question is: Is it safe to use the following field to determine if the sample is p-code or native-code compiled?

  2. Inside the ObjectInfo structure there are fields at offsets 0x20 and 0x24 called wMethodCount and lpMethods. For p-code compiled samples I noticed that the lpMethods field points to an array of methods for that object. What I don't understand is the zero bytes that appear before the actual method addresses in the array. To make it more clear I included the following pictures:

    ObjectInfo structure of a p-code sample

    Methods array from ObjectInfo

The first picture is a dump view of an ObjectInfo structure while the second picture is the methods array pointed to by lpMethods field. Notice the 8 zero bytes before the actual method addresses (on some other samples there are more than 8 zero bytes so it's not always that number). What I would like to know is what are those zero bytes?

  1. And finally my last question. In the PublicObjectDescriptor structure there is a field at offset 0x1C called dwMethodCount with a description of Number of methods in Object. Also, inside the ObjectInfo structure there is a field called wMethodCount and in the OptionalObjectInfo there are fields called wEventCount and dwControlCount. What I would like to know is what are the relations between those fields.

    I noticed that for p-code compiled samples the PublicObjectDescriptor.dwMethodCount is equal to ObjectInfo.wMethodCount, while for native-code compiled samples the following relation does not stand.

Improve this question
1

1 Answer 1

Reset to default
1

disclaimer: Since the VB file structure is still undocumented, we cannot provide guaranteed answers without fully reverse engineering the format. This has been attempted to some success by Ionescu and others as you and others have mentioned.

I will attempt to answer your questions to the best of my ability without opening any reverse engineering tools. If you would like to ask how would someone go about reverse engineering the VB file format and related executables I would suggest opening another question on the subject specifically.

Now, without further ado, my answers (read: educated guesses):

  1. As an undocumented format not only we cannot offer a guaranteed "yes", the format and/or those assumptions could potentially be changed in future versions. This is unlikely to ever happen for a format as old as VB6, extremely so since it was abandoned. This seems like a fair assumption to make in this case.

  2. Since ObjectInfos and PublicObjectDescriptor structures are separate, I can assume null values in an ObjectInfo.lpMethods array are to indicate a method (defined by name in the PublicObjectDescriptor) is not implemented by the ObjectInfo. This is, again, an educated guess and further reverse engineering should be done to validate it.

  3. I believe that since PublicObjectDescriptor takes the role of an externally facing object description, it is used to describe the object in full. ObjectInfo is somewhat more external and specific for the p-code portions of the object. Therefore, and object that's fully implemented in p-code will have it's ObjectInfo.wMethodCount equal to it's PublicObjectDescriptor.dwMethodCount while an object that is partially (or fully) implemented natively will have a higher PublicObjectDescriptor.dwMethodCount than ObjectInfo.wMethodCount.

Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.