Curing A 15 Year Old Disease presented at Area41 2014

by Marion Marschalek and Jurriaan Bremer

Summary: Visual Basic P-code executables have been a pain for a digital eternity, and even today reverse engineers have not come up with a helpful painkiller. So, 15 years after the era of VB6, we present a tool that fully subverts the VB6 virtual machine, intercepting and instrumenting the VB P-code in real time. Through dynamic analysis, we show how our tool intercepts relevant information at runtime, such as plaintext strings in memory and the APIs that were called. Even more, with our tool an analyst can instrument the execution of the byte code on-the-fly, modifying the virtual machine state during execution.
With this fancy gadget it is possible to ease an analyst's life significantly. Having described all the ins and outs of our tool, we will demonstrate various possible use cases, concluding our talk with the gains for researchers, what we got out of it, and possible future use cases.
Jurriaan is a freelance security researcher and software developer from the Netherlands interested in the fields of reverse engineering, malware analysis, mobile security, and the development of software to aid in security analysis. Jurriaan occasionally plays so-called Capture The Flag games as a member of Eindbazen CTF Team, he’s a member of The Honeynet Project, and he’s also one of the Core Developers of Cuckoo Sandbox.
Marion Marschalek is a malware researcher at Cyphort Inc., based in Santa Clara. Marion works as a malware analyst and in incident response, but has also done research in the areas of automated malware analysis and vulnerability research. Besides that, she teaches the basics of malware analysis at the University of Applied Sciences St. Pölten. Marion has spoken at international hacker conferences such as Defcon Las Vegas and POC Seoul. In March 2013 she won the Female Reverse Engineering Challenge 2013, organized by RE professional Halvar Flake.