Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fileinfo: VisualBasic header parsing + P-Code detection #138

Closed
PeterMatula opened this issue Jan 31, 2018 · 1 comment
Closed

Fileinfo: VisualBasic header parsing + P-Code detection #138

PeterMatula opened this issue Jan 31, 2018 · 1 comment
Labels
C-fileinfo new-feature T-lang-visual-basic

Comments

@PeterMatula
Copy link
Collaborator

Visual Basic can be compiled into binary or P-Code - bytecode for VB virtual machines. Add VBHeader parsing and dumping to fileinfo. Description.

How to do it:

  • When Visual Basic is detected, look at EP where should be push offset 0x????????. VBHeader should be at this offset. Some of its records are pointers to other structures (e.g. ProjectInfo).
  • Add detection of P-Code (aNativeCode == 0), tag the input as bytecode, warn users that decompiling this is not a good idea.

This might help: https://github.com/SekoiaLab/pe-tools

Also some pictures from IDA where these structures were defined and used:
blacktsanalysis
dmmanalysis
This was referenced Feb 11, 2019
Merged
Merged
@s3rvac
Copy link
Member

s3rvac commented Mar 6, 2019

I am closing the issue as it has been implemented in #440.

@s3rvac s3rvac closed this as completed Mar 6, 2019
s3rvac added a commit that referenced this issue Mar 6, 2019
@s3rvac
Add a new CHANGELOG entry (#138, #440).
7f940f3
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-fileinfo new-feature T-lang-visual-basic
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@s3rvac @PeterMatula