
[VB6] Invoke arbitrary native API without Declare keyword

November 30, 2010

Many would have thought this is not possible. However, Karcrack has written a nice hack that (ab)uses the undocumented MSVBVM60.Zombie_AddRef to indirectly invoke his dynamically generated call stub. While his technique is pretty l33t, he overlooked one important fact: you need to mark the stub executable with VirtualProtect. It will work fine and happy on most PCs, but when DEP is enabled the process will throw an access violation, because the stub sits in a writable data buffer that DEP refuses to execute.
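To show the DEP point concretely, here is an added example (not Karcrack's code and not from the original post). It uses POSIX mmap/mprotect as stand-ins for VirtualAlloc/VirtualProtect and a constructed six-byte stub that just returns 42: called from a read/write page the call faults, called from the same page after it is re-protected read/execute it runs. It assumes a Linux host on x86 or AArch64 with NX enforcement, and uses a SIGSEGV handler plus siglongjmp purely so the fault can be reported instead of killing the process.

```c
/* Added example: why a generated call stub must be marked executable.
 * POSIX mmap/mprotect stand in for Windows VirtualAlloc/VirtualProtect.
 * Assumes Linux, x86/x86-64 or AArch64, with NX (DEP) enforced. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed stub that returns the constant 42 (architecture specific). */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00,  /* mov eax, 42 */
                                      0xC3 };                        /* ret         */
#elif defined(__aarch64__)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52,        /* mov w0, #42 */
                                      0xC0, 0x03, 0x5F, 0xD6 };      /* ret         */
#else
#error "stub bytes only provided for x86 and aarch64"
#endif

static sigjmp_buf recover;

/* Fault handler: unwind back into run_stub_with_prot instead of dying. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(recover, 1);
}

/* Copy STUB into a fresh page, apply the requested protection and call it.
 * Returns 1 if the stub ran (result stored in *out), 0 if the call faulted,
 * -1 on allocation failure. PROT_READ|PROT_WRITE models the stub without
 * VirtualProtect under DEP; PROT_READ|PROT_EXEC models the fix. */
int run_stub_with_prot(int prot, int *out) {
    long page = sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, STUB, sizeof STUB);
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof STUB);
    if (mprotect(mem, page, prot) != 0) { munmap(mem, page); return -1; }

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    volatile int ran;
    if (sigsetjmp(recover, 1) == 0) {
        int (*fn)(void);
        memcpy(&fn, &mem, sizeof fn);   /* void* -> function pointer without a UB cast */
        *out = fn();                    /* faults here when the page is not executable */
        ran = 1;
    } else {
        ran = 0;                        /* NX/DEP refused to execute a data page */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(mem, page);
    return ran;
}

int main(void) {
    int v = 0;
    printf("RW page: %s\n",
           run_stub_with_prot(PROT_READ | PROT_WRITE, &v) == 1 ? "ran" : "faulted");
    printf("RX page: %s (returned %d)\n",
           run_stub_with_prot(PROT_READ | PROT_EXEC, &v) == 1 ? "ran" : "faulted", v);
    return 0;
}
```

The same two outcomes are what you see in a VB6 process with DEP on: the stub buffer is ordinary heap memory, so the indirect call through Zombie_AddRef lands on a non-executable page unless VirtualProtect (PAGE_EXECUTE_READ) has been applied to it first. Changing protection to read/execute rather than read/write/execute is also the variant that keeps the page from being rewritten while it is callable.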

Ironically, I first came across this technique when I was reversing a malware sample.

mZombieInvoke – Native VB6 Invoke 🙂
http://cobein.com/wp/?p=567


From → Coding, Visual Basic

2 Comments
  1. Karcrack permalink

    Thank you for bringing that up! I will be aware of DEP 😀

  2. waliedassar permalink

    Or at least to call the “ZwSetInformationProcess” function with the ProcessInformationClass set to 0x22, a quick way to disable DEP (per-process).
