[VB6] Invoke arbitary native API without Declare keyword

November 30, 2010

Many would have thought this is not possible. However, Karcrack had written a nice hack to (ab)use undocumented MSVBVM60.Zombie_AddRef to indirectly invoke his dynamically generated call stub. While his technique is pretty l33t, he overlooked one important fact: you need to mark the stub executable with VirtualProtect. While it will work fine and happy on most PC, when DEP is enabled the process will throw an access violation.

Ironically, I first came across this technique when I was reversing a malware sample.

mZombieInvoke – Native VB6 Invoke
http://cobein.com/wp/?p=567

From → Coding, Visual Basic

One Comment

Karcrack permalink

Thank you for bringing that up! I will be aware of DEP

Reply

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Not published)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Twitter account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

[VB6] Invoke arbitary native API without Declare keyword

Leave a Reply Cancel reply

Pages

Recent Posts

Categories

Archives

Reverse Engineering

xrefs

Twitter Updates

Meta

Links

Pages

Search

Follow “Opcode0x90's Blog”

[VB6] Invoke arbitary native API without Declare keyword

Share this:

Like this:

Leave a Reply Cancel reply

Pages

Recent Posts

Categories

Archives

Category Cloud

Reverse Engineering

xrefs

Twitter Updates

Meta

Links

Pages

Search

Follow “Opcode0x90's Blog”