[VB6] Invoke arbitary native API without Declare keyword
Many would have thought this is not possible. However, Karcrack had written a nice hack to (ab)use undocumented MSVBVM60.Zombie_AddRef to indirectly invoke his dynamically generated call stub. While his technique is pretty l33t, he overlooked one important fact: you need to mark the stub executable with VirtualProtect. While it will work fine and happy on most PC, when DEP is enabled the process will throw an access violation.
Ironically, I first came across this technique when I was reversing a malware sample.
mZombieInvoke – Native VB6 Invoke 🙂