Reversing It Out
11-17-2007, 05:04 PM
Recently, static analysis of Visual Basic executables has been made easier by the release of a very nice IDC script by Reginald Wong. On top of its analysis, I decided to create a script to automatically handle DllFunctionCall.
DllFunctionCall is the MSVBVM runtime routine behind Visual Basic Declare statements, which are used to call Windows API (and other DLL) functions from Visual Basic 5/6 programs. The compiled code does not import the API directly: each Declare'd function gets a small thunk that hands DllFunctionCall a structure describing the DLL and function to resolve.
Lots of VB malware uses this mechanism to call Windows APIs. Let's consider a simple autorun VB worm: we load it into IDA, run Reginald Wong's script, and start analyzing it. We soon find several references to code of this kind:
[Image: Before.png] http://bp0.blogger.com/_Iq20R_ym4vY/Rthj-9WrRmI/AAAAAAAAAAk/gKCizuhr9So/s1600-h/Before.png
With a bit of manual intervention, the purpose of this code becomes clearer:
[Image: After.png] http://bp0.blogger.com/_Iq20R_ym4vY/RthkL9WrRnI/AAAAAAAAAAs/SPcsurb1TR8/s1600-h/After.png
Analyzing this one was easy. However, looking at the cross-references to DllFunctionCall, we find quite a lot of such calls, more than we want to fix manually:
[Image: Listbefore.png] http://bp3.blogger.com/_Iq20R_ym4vY/RthkWtWrRoI/AAAAAAAAAA0/bZqfaEkEDKk/s320/Listbefore.png
So I wrote a little script to handle this automatically: it will create functions where needed, name them properly and add type information. After running the script, the previous list becomes:
[Image: Listafter.png] http://bp2.blogger.com/_Iq20R_ym4vY/RthkqdWrRpI/AAAAAAAAAA8/7wQ5ntT74Hc/s1600-h/Listafter.png
and:
[Image: impcode.png] http://bp1.blogger.com/_Iq20R_ym4vY/Rth40NWrRrI/AAAAAAAAABM/3WUjraVtdmc/s1600-h/impcode.png
Hopefully this will make your VB reversing sessions easier.
You can fetch the script here (https://www.openrce.org/repositories/users/Paolo/vb_dllcall.py).
http://reversingitout.blogspot.com/2007/08/visual-basic-dllfunctioncall.html
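The resolution that the script automates, as an added example: this is not Paolo's vb_dllcall.py and does not use the IDA API. It scans a small in-memory image (constructed here) for the VB6 thunk shape push offset info / call ds:DllFunctionCall / jmp eax, decodes the 16-byte structure the thunk pushes to DllFunctionCall, and derives the name an analyst would give the thunk. The structure layout (DLL-name pointer, function-name pointer, flags word, pointer to the cached-address slot), the meaning of the 0x10000 flag and the sample names are assumptions of this example; confirm the layout against your own sample in IDA before porting the logic into an IDAPython script.

```python
"""Resolve VB6 Declare thunks that route through MSVBVM60!DllFunctionCall.

Added example, not the page's vb_dllcall.py. It runs offline over a small image
constructed in memory with the shape a VB6 native binary has:

    thunk:  push offset info            ; 68 imm32
            call ds:DllFunctionCall     ; FF 15 imm32 (IAT slot)
            jmp  eax                    ; FF E0

    info:   +0  char *dll_name          ; "kernel32"
            +4  char *func_name         ; "CopyFileA" (or an ordinal)
            +8  u32   flags             ; 0x00010000 assumed to mean 'by name'
            +C  u32  *cached_address    ; slot DllFunctionCall fills in

The 16-byte layout and the flag meaning are assumptions for this example; check
them against your own sample in IDA before reusing the logic.
"""
import struct
from collections import namedtuple

Declare = namedtuple("Declare", "thunk_va info_va dll func by_name cache_va symbol")
THUNK_LEN = 13            # push imm32 (5) + call [imm32] (6) + jmp eax (2)
FLAG_BY_NAME = 0x00010000  # assumption, see module docstring


class Image:
    """Flat in-memory image addressed by virtual address (constructed sample)."""

    def __init__(self, base):
        self.base = base
        self.buf = bytearray()

    def add(self, data):
        """Append bytes and return the VA they were placed at."""
        va = self.base + len(self.buf)
        self.buf += data
        return va

    def u32(self, va):
        return struct.unpack_from("<I", self.buf, va - self.base)[0]

    def cstr(self, va):
        start = va - self.base
        return self.buf[start:self.buf.index(b"\0", start)].decode("ascii")


def resolve_info(img, info_va, thunk_va):
    """Decode one DllFunctionCall info structure into a Declare record."""
    dll_p, func_p, flags, cache_va = struct.unpack_from("<IIII", img.buf, info_va - img.base)
    dll = img.cstr(dll_p)
    by_name = bool(flags & FLAG_BY_NAME)
    # assumption: without the by-name flag the second field carries an ordinal
    func = img.cstr(func_p) if by_name else "ord_%d" % (func_p & 0xFFFF)
    symbol = "%s_%s" % (dll.lower().replace(".dll", ""), func)  # name for the thunk
    return Declare(thunk_va, info_va, dll, func, by_name, cache_va, symbol)


def find_declare_thunks(img, dllfunctioncall_iat_va):
    """Scan for 'push imm32; call [DllFunctionCall]; jmp eax' and resolve each hit."""
    tail = b"\xff\x15" + struct.pack("<I", dllfunctioncall_iat_va) + b"\xff\xe0"
    buf = bytes(img.buf)
    found = []
    pos = buf.find(b"\x68")
    while pos != -1:
        if buf[pos + 5:pos + THUNK_LEN] == tail:   # only calls through *this* IAT slot
            info_va = struct.unpack_from("<I", buf, pos + 1)[0]
            found.append(resolve_info(img, info_va, img.base + pos))
        pos = buf.find(b"\x68", pos + 1)
    return found


def build_sample_image():
    """Constructed sample: two by-name declares, one ordinal, one unrelated call."""
    img = Image(0x401000)
    iat_dfc = img.add(b"\0\0\0\0")    # IAT slot for MSVBVM60!DllFunctionCall
    iat_other = img.add(b"\0\0\0\0")  # some other runtime import (decoy)
    names = {s: img.add(s.encode() + b"\0")
             for s in ("kernel32", "CopyFileA", "user32", "MessageBoxA", "ws2_32")}
    infos = []
    for dll, func, flags in (("kernel32", "CopyFileA", FLAG_BY_NAME),
                             ("user32", "MessageBoxA", FLAG_BY_NAME),
                             ("ws2_32", 23, 0)):  # 23 is a made-up ordinal
        cache = img.add(b"\0\0\0\0")
        func_field = names[func] if flags & FLAG_BY_NAME else func
        infos.append(img.add(struct.pack("<IIII", names[dll], func_field, flags, cache)))
    thunks = [img.add(b"\x68" + struct.pack("<I", i) + b"\xff\x15" +
                      struct.pack("<I", iat_dfc) + b"\xff\xe0") for i in infos]
    # decoy with the same shape but a different import; must not be reported
    img.add(b"\x68" + struct.pack("<I", infos[0]) + b"\xff\x15" +
            struct.pack("<I", iat_other) + b"\xff\xe0")
    return img, iat_dfc, thunks


if __name__ == "__main__":
    img, iat_dfc, _ = build_sample_image()
    for d in find_declare_thunks(img, iat_dfc):
        print("%08x -> %s (info %08x, cache %08x)" % (d.thunk_va, d.symbol, d.info_va, d.cache_va))
```

Inside IDA the same three steps map onto the cross-references to the DllFunctionCall import, a read of the pushed structure, and creating and naming the 13-byte thunk; the decoy in the sample shows why the scan must key on the exact IAT slot rather than on the push/call/jmp shape alone, since the VB runtime has other imports called the same way.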
