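Recently I have been improving the part of SR that displays the data structures of VB programs.
I have studied the structures in Semi VB Decompiler to death, and I also found a mistake in how SVBD parses VB structures. I will share the results in a while.
To get more descriptions of the data structures inside VB executables, I googled for a long time before I found this script.
As I recall, this thing is meant for IDA. It has been sitting on my hard drive for so long that I had almost forgotten it existed, and I never got around to studying it. I took a quick look today, and all I can say is that it is very detailed.
It seems to contain many structures that SVBD does not have (my guess is that SVBD's data structures all come from here).
Here is a short piece of the code for the VBHEADER structure: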
///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//
// VB header structure
//
static FixVBHeader(ea,catstring)
{
    ExtLinA(ea,0,"|---------------------------------------------------------------------------------");
    ExtLinA(ea,1,"| VB Header ");
    ExtLinA(ea,2,"|---------------------------------------------------------------------------------");
    ClearUnknown(ea,0x68);
    FixStr (ea + 0x00, ea + 0x04, catstring + "_" + "szVbMagic" , "“VB5!” String");
    FixWord (ea + 0x04, catstring + "_" + "wRuntimeBuild" , "Build of the VB6 Runtime");
    FixStr (ea + 0x06, ea + 0x14, catstring + "_" + "szLangDll" , "Language Extension DLL");
    FixStr (ea + 0x14, ea + 0x22, catstring + "_" + "szSecLangDll" , "2nd Language Extension DLL");
    FixWord (ea + 0x22, catstring + "_" + "wRuntimeRevision" , "Internal Runtime Revision");
    FixDword (ea + 0x24, catstring + "_" + "dwLCID" , "LCID of Language DLL");
    FixDword (ea + 0x28, catstring + "_" + "dwSecLCID" , "LCID of 2nd Language DLL");
    FixDword (ea + 0x2C, catstring + "_" + "lpSubMain" , "Pointer to Sub Main Code");
    FixDword (ea + 0x30, catstring + "_" + "lpProjectData" , "Pointer to Project Data");
    FixDword (ea + 0x34, catstring + "_" + "fMdlIntCtls" , "VB Control Flags for IDs < 32");
    FixDword (ea + 0x38, catstring + "_" + "fMdlIntCtls2" , "VB Control Flags for IDs > 32");
    FixDword (ea + 0x3C, catstring + "_" + "dwThreadFlags" , "Threading Mode");
    FixDword (ea + 0x40, catstring + "_" + "dwThreadCount" , "Threads to support in pool");
    FixWord (ea + 0x44, catstring + "_" + "wFormCount" , "Number of forms present");
    FixWord (ea + 0x46, catstring + "_" + "wExternalCount" , "Number of external controls");
    FixDword (ea + 0x48, catstring + "_" + "dwThunkCount" , "Number of thunks to create");
    FixDword (ea + 0x4C, catstring + "_" + "lpGuiTable" , "Pointer to GUI Table");
    FixDword (ea + 0x50, catstring + "_" + "lpExternalTable" , "Pointer to External Table");
    FixDword (ea + 0x54, catstring + "_" + "lpComRegisterData" , "Pointer to COM Information");
    FixDword (ea + 0x58, catstring + "_" + "bSZProjectDescription", "Offset to Project Description");
    FixDword (ea + 0x5C, catstring + "_" + "bSZProjectExeName" , "Offset to Project EXE Name");
    FixDword (ea + 0x60, catstring + "_" + "bSZProjectHelpFile" , "Offset to Project Help File");
    FixDword (ea + 0x64, catstring + "_" + "bSZProjectName" , "Offset to Project Name");
    //
    // Add entrypoint of sub_main if exists...
    //
    if(Dword(ea+0x2c) != 0)
    {
        AddEntryPoint(Dword(ea+0x2c),Dword(ea+0x2c),"Sub_Main",1);
    }
    Message("--> Done fixing vbheader structure.\n");
}
Download link:
https://www.hex-rays.com/products/ida/support/freefiles/vb.idc
Original link:
https://www.hex-rays.com/products/ida/support/download.shtml
The download page says the script was updated in April 2014.
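The field layout from the FixVBHeader listing above, written as a standalone Python parser for triaging a VB binary outside IDA. This is an added example, not part of vb.idc or the original post; the sample bytes are constructed, and treating the bSZ* offsets as relative to the start of the header is an assumption.

```python
import struct

# Layout follows the offsets in the FixVBHeader listing (0x00..0x67, little-endian).
VB_HEADER = struct.Struct("<4sH14s14sH8I2H8I")
FIELDS = (
    "szVbMagic", "wRuntimeBuild", "szLangDll", "szSecLangDll", "wRuntimeRevision",
    "dwLCID", "dwSecLCID", "lpSubMain", "lpProjectData", "fMdlIntCtls",
    "fMdlIntCtls2", "dwThreadFlags", "dwThreadCount", "wFormCount",
    "wExternalCount", "dwThunkCount", "lpGuiTable", "lpExternalTable",
    "lpComRegisterData", "bSZProjectDescription", "bSZProjectExeName",
    "bSZProjectHelpFile", "bSZProjectName",
)

def parse_vb_header(buf, off=0):
    """Decode the 0x68-byte VB header located at buf[off:]."""
    if off < 0 or len(buf) - off < VB_HEADER.size:
        raise ValueError("truncated VB header")
    hdr = dict(zip(FIELDS, VB_HEADER.unpack_from(buf, off)))
    if hdr["szVbMagic"] != b"VB5!":
        raise ValueError("bad magic: %r" % hdr["szVbMagic"])
    for key in ("szLangDll", "szSecLangDll"):
        # Fixed 14-byte fields; keep the part before the first NUL.
        hdr[key] = hdr[key].split(b"\0", 1)[0].decode("ascii", "replace")
    names = {}
    for key in FIELDS[-4:]:
        # Assumption: bSZ* values are offsets from the header start, 0 = absent.
        start = off + hdr[key]
        end = buf.find(b"\0", start) if hdr[key] and start < len(buf) else -1
        names[key] = buf[start:end].decode("ascii", "replace") if end != -1 else None
    hdr["strings"] = names
    # Same test the IDC script uses before adding the Sub_Main entry point.
    hdr["has_sub_main"] = hdr["lpSubMain"] != 0
    return hdr

def build_sample():
    """Constructed header plus string area; values are not from a real binary."""
    base = VB_HEADER.size
    strings = b"Demo project\0demo.exe\0Demo\0"
    return VB_HEADER.pack(
        b"VB5!", 1, b"LANG.DLL", b"", 0, 0x409, 0, 0x401000, 0x402000,
        0, 0, 0, 1, 1, 0, 0, 0, 0, 0, base, base + 13, 0, base + 22,
    ) + strings

if __name__ == "__main__":
    for name, value in parse_vb_header(build_sample()).items():
        print(name, value)
```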