Discussion on the General VB Unpacking Method

Author: fengliuyunyu
Information Source: Evil Octal Information Security Team (www.eviloctal.com)

I wanted to look up the general unpacking method for VB programs. I searched Baidu and read the experts' write-ups, but they only left me confused, so I decided to work it out myself. Maybe I can even come up with a home-grown method, call it the romantic unpacking method.

Analysis
First we open VB and build a simple program (Figure 1).

Then we open OllyDbg (OD) and load the program we just made. The program stops here (Figure 2).

The code is as follows:

    00401128 >/$  68 9C124000   push    0040129C
    0040112D  |.  E8 F0FFFFFF   call    <jmp.&MSVBVM60.#100>

In general, the entry point of a program made with VB looks like this. Look at the second instruction: it calls the function <jmp.&MSVBVM60.#100>. What kind of function is that? Press Ctrl+N in OD to open the program's import table (Figure 3).

The first line is the MSVBVM60.#100 function. Press Enter on it and the code comes here (Figure 4).

It turns out that #100 (ordinal 100 of MSVBVM60.DLL) is the ThunRTMain function.
Press Ctrl+F2 to restart the program. In the command line window, enter bp ThunRTMain (Figure 5).

This sets a breakpoint on the ThunRTMain function. Press F9 to run the program, and it breaks here (Figure 6).

Next we step with F8. When execution reaches the instruction

    mov     esi, dword ptr [ebp+8]

watch the data window. We can see the information shown in Figure 7:

Stack ss:[0012FFC0] = 0040129C (before unpacking: 0040129C)
ESI = FFFFFFFF
There is an address 0040129C on the stack. Isn't that the address pushed by the first instruction at our entry point? Press Ctrl+G in the disassembly window to open the Go to dialog (Figure 8).

Enter the address 0040129C there, press OK, and the code comes here (Figure 9).

It is the data "VB5!". I guess every program written in VB has this, so our romantic unpacking method is basically complete.
Now compare the address 0040129C we just found on the stack with the address 00401128 of our entry point. We get a formula:
Entry point address = address on the stack - 174
Note: 174 here is a hexadecimal number; in decimal it is 372.
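The OEP search that the analysis above performs by hand, as an added Python example (not the author's code): it scans a flat memory image, for instance a dump taken after the packer has restored the original code, for the push <VB header>; call pair and verifies that the pushed address points at the "VB5!" signature. The sample image, its base address 0x400000 and its layout are constructed to mirror the addresses in the post; the scan itself does not rely on the fixed 174h offset.

```python
import struct
from typing import Optional

VB_SIGNATURE = b"VB5!"      # marker at the start of the VB header structure
IMAGE_BASE = 0x400000       # assumed base of the flat image (matches the post)


def find_vb_header(image: bytes) -> Optional[int]:
    """Return the RVA of the 'VB5!' signature inside a flat image, or None."""
    off = image.find(VB_SIGNATURE)
    return None if off < 0 else off


def find_vb_oep(image: bytes, image_base: int = IMAGE_BASE) -> Optional[int]:
    """Locate the VB entry point in a flat image.

    A VB program's OEP is 'push <VA of VB header>' (68 xx xx xx xx) directly
    followed by 'call ThunRTMain' (E8 rel32).  Instead of trusting a fixed
    distance between header and OEP, match the push whose immediate equals
    the VA of the 'VB5!' header and require the call opcode right after it.
    """
    hdr_rva = find_vb_header(image)
    if hdr_rva is None:
        return None
    pushed_va = struct.pack("<I", image_base + hdr_rva)
    pattern = b"\x68" + pushed_va + b"\xE8"
    off = image.find(pattern)
    return None if off < 0 else image_base + off


def build_sample_image() -> bytes:
    """Constructed image mimicking the post: push 0040129C / call at VA
    00401128, and the 'VB5!' header at VA 0040129C."""
    img = bytearray(0x1400)
    oep = 0x1128
    img[oep:oep + 5] = b"\x68" + struct.pack("<I", IMAGE_BASE + 0x129C)
    # call rel32 to the import thunk; E8 F0FFFFFF as in the post (rel = -0x10)
    img[oep + 5:oep + 10] = b"\xE8" + struct.pack("<i", -0x10)
    img[0x129C:0x129C + 4] = VB_SIGNATURE
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    oep = find_vb_oep(sample)
    hdr = find_vb_header(sample)
    print(f"VB header at {IMAGE_BASE + hdr:08X}, OEP at {oep:08X}, "
          f"distance {(IMAGE_BASE + hdr) - oep:X}h")
```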

Experiment
Now we can start unpacking. Pack the small program we just made with ASPack (Figure 10).

Load it into OD; the code stops at the position shown in Figure 11.

As shown in the figure, this is the packer's entry point. From the analysis above we know that a VB program calls the ThunRTMain function while loading, so we repeat the earlier steps: in the command window enter bp ThunRTMain and press Enter to set a breakpoint on ThunRTMain, then press F9 and the program stops. The code here is:

    7339DE3E >  55              push    ebp
    7339DE3F    8BEC            mov     ebp, esp
    7339DE41    6A FF           push    -1
    7339DE43    68 809D3A7
