Reversing It Out
November 17th, 2007, 17:04
Recently, static analysis of Visual Basic executables has been made easier by the release of a very nice IDC script by Reginald Wong. Building on its analysis, I decided to write a script that handles DllFunctionCall automatically.
DllFunctionCall is the runtime routine behind Visual Basic Declare statements, which VB5/6 programs use to call Windows API functions. A Declare'd API does not show up in the import table: the compiler emits a small stub that hands a descriptor (DLL name and export name) to DllFunctionCall, which resolves the target at run time, so a plain disassembly only shows calls into the stub.
For example, a lot of VB malware uses this mechanism to call Windows APIs. Let's consider a simple autorun VB worm: we load it into IDA, run the script provided by Reginald Wong, and start analyzing it. Looking through the code, we find several references to code of this kind:
[Screenshot: Before.png] http://bp0.blogger.com/_Iq20R_ym4vY/Rthj-9WrRmI/AAAAAAAAAAk/gKCizuhr9So/s1600-h/Before.png
With a bit of manual intervention, the purpose of this code becomes clearer:
[Screenshot: After.png] http://bp0.blogger.com/_Iq20R_ym4vY/RthkL9WrRnI/AAAAAAAAAAs/SPcsurb1TR8/s1600-h/After.png
Analyzing this one was easy. However, if we look at the number of calls to DllFunctionCall, we find that there are quite a lot of them, more than we want to fix manually:
[Screenshot: Listbefore.png] http://bp3.blogger.com/_Iq20R_ym4vY/RthkWtWrRoI/AAAAAAAAAA0/bZqfaEkEDKk/s1600-h/Listbefore.png
So I wrote a little script to handle this automatically: it creates functions where needed, names them after the DLL export they resolve, and adds type information. The previous list after running the script becomes:
[Screenshot: Listafter.png] http://bp2.blogger.com/_Iq20R_ym4vY/RthkqdWrRpI/AAAAAAAAAA8/7wQ5ntT74Hc/s1600-h/Listafter.png
and:
[Screenshot: impcode.png] http://bp1.blogger.com/_Iq20R_ym4vY/Rth40NWrRrI/AAAAAAAAABM/3WUjraVtdmc/s1600-h/impcode.png
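To make concrete what such a script has to do, here is an added example of my own; it is neither the vb_dllcall.py linked below nor Reginald Wong's IDC script. It scans a constructed 32-bit image for the Declare stub pattern, follows the pushed pointer to the descriptor, reads the DLL and export names, and derives a name and prototype for each stub while ignoring a decoy that calls through some other IAT slot. The stub shape (push / call ds:DllFunctionCall / jmp eax), the 16-byte descriptor layout, the image base, the IAT slot address and the `dll_func` naming scheme are assumptions of this example, as are the sample bytes; in IDA the same records would feed MakeFunction, MakeName and SetType instead of print.

```python
"""Recover the DLL and export name behind each VB5/6 DllFunctionCall stub
in a flat 32-bit image: the groundwork an IDA script needs before it can
name the stub and attach a prototype.  Added example, not the script from
the post; stub shape and struct layout are assumptions stated below."""
import re
import struct

IMAGE_BASE = 0x400000            # assumed: image mapped here, RVA == file offset
DLLFUNCTIONCALL_IAT = 0x401010   # assumed: IAT slot holding MSVBVM60!DllFunctionCall

# Assumed shape of the stub the VB compiler emits for a Declare'd API:
#   push    offset info         ; 68 imm32     -> descriptor of the import
#   call    ds:DllFunctionCall  ; FF 15 disp32
#   jmp     eax                 ; FF E0        -> resolved address returned in eax
THUNK_RE = re.compile(rb"\x68(.{4})\xff\x15(.{4})\xff\xe0", re.DOTALL)

# Assumed layout of the 16-byte descriptor pushed to DllFunctionCall:
#   +0 lpDllName  +4 lpFuncName  +8 flags  +0xC lpCache (slot for the resolved address)
INFO_FMT = "<4I"

# Real Win32 signatures a script would attach once the name is known; a real
# tool would pull these from IDA's type library rather than a hand-written dict.
KNOWN_PROTOTYPES = {
    "CreateFileA": "HANDLE __stdcall CreateFileA(LPCSTR lpFileName, DWORD dwDesiredAccess, "
                   "DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, "
                   "DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile);",
    "MessageBoxA": "int __stdcall MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);",
}


def va_to_off(va):
    return va - IMAGE_BASE


def read_cstr(img, va):
    off = va_to_off(va)
    return img[off:img.index(b"\0", off)].decode("ascii")


def thunk_name(dll, func):
    """'KERNEL32.DLL' + 'CreateFileA' -> 'kernel32_CreateFileA' (naming scheme assumed)."""
    return f"{dll.lower().rsplit('.', 1)[0]}_{func}"


def find_declares(img):
    """Return one record per Declare stub, skipping push/call sequences that go
    through any IAT slot other than DllFunctionCall's."""
    found = []
    for m in THUNK_RE.finditer(img):
        info_va = struct.unpack("<I", m.group(1))[0]
        iat_va = struct.unpack("<I", m.group(2))[0]
        if iat_va != DLLFUNCTIONCALL_IAT:
            continue
        lp_dll, lp_func, _flags, lp_cache = struct.unpack_from(INFO_FMT, img, va_to_off(info_va))
        dll, func = read_cstr(img, lp_dll), read_cstr(img, lp_func)
        found.append({
            "thunk": IMAGE_BASE + m.start(),
            "dll": dll,
            "func": func,
            "cache": lp_cache,
            "name": thunk_name(dll, func),
            "proto": KNOWN_PROTOTYPES.get(func),
        })
    return found


def build_sample_image():
    """Constructed test image (not a real VB binary): two Declare stubs plus a
    decoy that calls through a different IAT slot.  Returns (image, stub VAs)."""
    img = bytearray(0x2000)
    cursor = 0x1000

    def place(data):
        nonlocal cursor
        off = cursor
        img[off:off + len(data)] = data
        cursor += len(data)
        return IMAGE_BASE + off

    thunks = []
    for dll, func in (("KERNEL32.DLL", "CreateFileA"), ("user32", "MessageBoxA")):
        dll_va = place(dll.encode() + b"\0")
        func_va = place(func.encode() + b"\0")
        cache_va = place(b"\0" * 4)
        info_va = place(struct.pack(INFO_FMT, dll_va, func_va, 0, cache_va))
        thunks.append(place(b"\x68" + struct.pack("<I", info_va)
                            + b"\xff\x15" + struct.pack("<I", DLLFUNCTIONCALL_IAT) + b"\xff\xe0"))
    # decoy: same instruction shape, but the call goes through another IAT slot
    place(b"\x68" + struct.pack("<I", 0x401234) + b"\xff\x15" + struct.pack("<I", 0x401020) + b"\xff\xe0")
    return bytes(img), thunks


if __name__ == "__main__":
    image, _ = build_sample_image()
    for rec in find_declares(image):
        print(f"{rec['thunk']:08x}  {rec['name']:<24} {rec['proto'] or '(no prototype known)'}")
```

The check on the IAT slot is what keeps the scanner honest: `push imm32; call ds:[x]; jmp eax` is a generic shape, and only the sequences whose call site is the DllFunctionCall import should be treated as Declare stubs. Ordinal imports (Declare with `Alias "#n"`) are not handled here and would need the flags field interpreted, which this example does not attempt.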
Hopefully this will make your VB reversing sessions easier.
You can fetch the script here ("https://www.openrce.org/repositories/users/Paolo/vb_dllcall.py").
http://reversingitout.blogspot.com/2007/08/visual-basic-dllfunctioncall.html