Skip to content

jbremer/vb6tracer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

42 Commits
bins
bins
 
 
data
data
 
 
distorm3.2-package
distorm3.2-package
 
 
dll
dll
 
 
presentation
presentation
 
 
src
src
 
 
utils
utils
 
 
LICENSE.txt
LICENSE.txt
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 

Repository files navigation

VB6 Tracer

VB6Tracer is a tool designed to instrument the Visual Basic 6 Virtual Machine in order to analyze VB6 P-Code applications at runtime. For a high-level overview of our tool including the goals, approach, and results, you can refer to our Area41 presentation.

Usage

VB6Tracer has been designed to work in two different ways. It can either be ran manually from the commandline using the dllinject utility, or it can be ran automatically by integrating it with a recent version of Cuckoo Sandbox.

Use at your own risk!

At all times use the tool in a Virtual Machine. We are not responsible for any damage. Furthermore, the tool might not work etc :-)

Manual Usage

Running the following command from cmd.exe should do the trick. It will then write a log file to C:\logz.txt.

$ utils/dllinject.exe vb6tracer.dll sample.exe

Automated Usage

To modify an existing Cuckoo installation to work with VB6 Tracer there are two steps involved.

  • Overwrite Cuckoo's monitor DLL with vb6tracer.dll
    • Copy vb6tracer.dll to $CUCKOO/analyzer/windows/dll/cuckoomon.dll
    • Either take vb6tracer-generic.dll or vb6tracer-specific.dll from the dll/ directory (see als the Compilation section.)
  • Modify Cuckoo to not randomize pipe names in the Guest.
    • Open $CUCKOO/analyzer/windows/lib/common/constants.py
    • Replace the PIPE = line by PIPE = "\\\\.\\PIPE\\cuckoo"

To then analyze a sample and get its log, follow the following steps.

  • Submit your sample to Cuckoo (./utils/submit.py sample.exe.)
  • Run the Cuckoo daemon (./cuckoo.py -d, -d for debug mode.)
  • Wait for the analysis to finish.
  • Open the logz.txt file, which can be found under $CUCKOO/storage/analyses/latest/files/*/logz.txt

Compilation

To compile the DLL under Ubuntu you'll need the mingw32 package and run make. Provided are two DLLs, one generic and one specific. The generic vb6tracer DLL dumps mnemonics of all the executed instructions. The specific DLL dumps meta-information of only a subset of instructions which seemed interesting at the time of developing this tool.

To modify this behavior please open up main.c and comment or uncomment the vb6_hook_generic(...) and vb6_set_hooks() lines.

License

VB6Tracer is licensed under GPLv3.

Authors

Jurriaan Bremer, Marion Marschalek.

About

Runtime tracer for the vb6 virtual machine

Resources

Readme

License

GPL-3.0 license
Activity

Stars

54 stars

Watchers

13 watching

Forks

11 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages