VB Structures

RELSOFT TECHNOLOGIES

Visual Basic Decompiling

Visual Basic Image Internal Structure Format

Copyright© Copyright© 2004 Alex Ionescu Ionescu. cu. All Rights Reserved. Duplication of this this material is prohibited.

VISUAL BASIC DECOMPILING

Visual Basic Image Internal Structure Format  2004 Alex Ionescu Relsoft Technologies http://www.relsoft.net All Rights Reserved

1


Table of Contents STRUCTURE RELATIONSHIP DIAGRAM .............................................................................................. 3 1. THE VB HEADER. ............................................................................................................................. 4 THREAD FLAGS .......................................................................................................................... 4 MDL INTERNAL CONTROL FLAGS............................................................................................ 5 2. THE COM REGISTRATION DATA.............................................................................................. 6 2.1 THE COM REGISTRATION INFO. ........................................................................................ 6 2.2 THE DESIGNER INFO. .......................................................................................................... 7 OBJECT TYPES ........................................................................................................................... 7 3. THE PROJECT INFORMATION .................................................................................................. 8 4. THE SECONDARY PROJECT INFORMATION ..................................................................... 8 5. THE OBJECT TABLE....................................................................................................................... 9 6. THE PRIVATE OBJECT DESCRIPTOR ................................................................................... 9 7. THE PUBLIC OBJECT DESCRIPTOR .................................................................................... 10 8. THE OBJECT INFO......................................................................................................................... 10 9. THE OPTIONAL OBJECT INFO ................................................................................................ 11 10. THE CONTROL INFO .................................................................................................................. 11

2

Copyright© Copyright© 2004 Alex Ionescu Ionescu. cu. All Rights Reserved. Duplication of this this material is prohibited. Project Info 2 Project Info

Object List

Object Table Public Object Descriptors

Public Variable Data Static Variable Data

Imports Table

Private Object Descriptors

Methods Constants

Object Info Controls Optional Object Info

GUI Table

Event Handlers Events

VB Header

External Table

Overview of VB Structure Links. *VERY* Incomplete. To be completed on the way.

Project Registration Data COM Data Designer Data

Structure Relationship Diagram

3


29/08/2004 More Structures, Some Fixes This page is a work in progress. I hope you can find it useful, I will add more as I research. You’re free to use this for whatever reason you want, I’m simply asking you to credit the original source (Alex Ionescu or www.relsoft.net)

1. The VB Header. Structure name: EXEPROJECTINFO. Size: 0x68 bytes.

The VB Header is the main descriptor of any VB-compiled image file. It links into all the other structures contained in the file, and provides important language and program information. Here’s an at-a-glance view:

PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE P R O J E CT I N F O 2 T B D L AT ER

Offset

Name

Description

0x0 0x4 0x6 0x14 0x22 0x24 0x28 0x2C 0x30 0x34 0x38 0x3C 0x40 0x44 0x46 0x48 0x4C 0x50 0x54 0x58 0x5C 0x60 0x64

szVbMagic wRuntimeBuild szLangDll szSecLangDll wRuntimeRevision dwLCID dwSecLCID lpSubMain lpProjectData fMdlIntCtls fMdlIntCtls2 dwThreadFlags dwThreadCount wFormCount wExternalCount dwThunkCount lpGuiTable lpExternalTable lpComRegisterData bSZProjectDescription bSZProjectExeName bSZProjectHelpFile bSZProjectName

“VB5!” String Build of the VB6 Runtime Language Extension DLL 2nd Language Extension DLL Internal Runtime Revision LCID of Language DLL LCID of 2nd Language DLL Pointer to Sub Main Code Pointer to Project Data VB Control Flags for IDs < 32 VB Control Flags for IDs > 32 Threading Mode Threads to support in pool Number of forms present Number of external controls Number of thunks to create Pointer to GUI Table Pointer to External Table Pointer to COM Information Offset to Project Description Offset to Project EXE Name Offset to Project Help File Offset to Project Name

Furthermore, the following flags are defined: Thread Flags Value Name Description 0x1 ApartmentModel Specifies multi-threading using an apartment model. 0x2 RequireLicense Specifies to do license validation (OCX only). 0x4 Unattended Specifies that no GUI elements should be initialized. 0x8 SingleThreaded Specifies that the image is single-threaded. 0x10 Retained Specifies to keep the file in memory (Unattended only) ex: A value of 0x15 specifies a multi-threaded, memory-resident ActiveX Object with no GUI.

4


MDL Internal Control Flags Control ID 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xA 0xB 0xC 0xD 0xE 0xF 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1A 0x1B 0x1C 0x1D 0x1E 0x1F 2nd Flag Zone

Value 0x1 0x2 0x4 0x8 0x10 0x20 0x40 0x80 0x100 0x200 0x400 0x800 0x1000 0x2000 0x4000 0x8000 0x10000 0x20000 0x40000 0x80000 0x100000 0x200000 0x400000 0x800000 0x1000000 0x2000000 0x4000000 0x8000000 0x10000000 0x20000000 0x40000000 0x80000000

Name PictureBox Object Label Object TextBox Object Frame Object CommandButton Object CheckBox Object OptionButton Object ComboBox Object ListBox Object HScrollBar Object VScrollBar Object Timer Object Print Object Form Object Screen Object Clipboard Object Drive Object Dir Object FileListBox Object Menu Object MDIForm Object App Object Shape Object Line Object Image Object Unsupported Unsupported Unsupported Unsupported Unsupported Unsupported Unsupported

2nd Flag Zone

2nd Flag Zone

0x20 0x1 Unsupported 0x21 0x2 Unsupported 0x22 0x4 Unsupported 0x23 0x8 Unsupported 0x24 0x10 Unsupported 0x25 0x20 DataQuery Object 0x26 0x40 OLE Object 0x27 0x80 Unsupported 0x28 0x100 UserControl Object 0x29 0x200 PropertyPage Object 0x2A 0x400 Document Object 0x2B 0x800 Unsupported ex: A value of 0x30F000 (the so called “static binary constant on most sites”) actually means to initialize the Print, Form, Screen, ClipBoard Objects (0xF000) as well as the Drive/Dir Objects (0x30000). This is default on VB projects because those objects can always be accesses from a module (ie, they are not graphic, except Forms, which can always be created).

5


2. The COM Registration Data Structure name: tagREGDATA. Size: 0x2A bytes.

The COM Registration Data contains information used if the image file is ActiveX, and contains valuable COM Registration data such as Typelib information, Designer data and Interface CLSIDs. Here’s an at-a-glance view: PE HEADER & I AT

REGISTRATION DATA

COM DATA VB HEADER

REGISTRATION I NF O

PROJECT INFO

DESIGNER INFO

Offset 0x0 0x4 0x8 0xC 0x10 0x20 0x24 0x26 0x28

Name bRegInfo bSZProjectName bSZHelpDirectory bSZProjectDescription uuidProjectClsId dwTlbLcid wUnknown wTlbVerMajor wTlbVerMinor

Description Offset to COM Interfaces Info Offset to Project/Typelib Name Offset to Help Directory Offset to Project Description CLSID of Project/Typelib LCID of Type Library Might be something. Must check Typelib Major Version Typelib Minor Version

OBJECT TABLE PROJECT INFO 2 T B D L AT ER

2.1 The COM Registration Info. Structure name: tagRegInfo. Size: 0x44 bytes.

If a valid Object needs to be registered, then RegData->bRegInfo will point to the following structure, for each valid Object: NB: All offsets are relative to tagREGDATA above.

PE HEADER & I AT

REGISTRATION DATA

COM DATA VB HEADER

REGISTRATION I NF O

PROJECT INFO

DESIGNER INFO


2.2

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x24 0x28 0x2C 0x30 0x34 0x38 0x39 0x3A 0x3C 0x3E 0x40

Name bNextObject bObjectName bObjectDescription dwInstancing dwObjectId uuidObject fIsInterface bUuidObjectIFace bUuidEventsIFace fHasEvents dwMiscStatus fClassType fObjectType wToolboxBitmap32 wDefaultIcon fIsDesigner bDesignerData

Description Offset to COM Interfaces Info Offset to Object Name Offset to Object Description Instancing Mode Current Object ID in the Project CLSID of Object Specifies if the next CLSID is valid Offset to CLSID of Object Interface Offset to CLSID of Events Interface Specifies if the CLSID above is valid OLEMISC Flags (see MSDN docs) Class Type Flag identifying the Object Type Control Bitmap ID in Toolbox Minimized Icon of Control Window Specifies whether this is a Designer Offset to Designer Data

Please note that some of these values are only valid depending on the Object Type (see Flags below)

6


2.2 The Designer Info. Structure name: NONE. Size: Variable.

If the Object happens to be a Designer (used for Add-Ins), then the tagRegInfo structure is augmented by the Designer Data structure, shown below: NB: A BSTR contains the string length as a long, followed by the string itself. PE HEADER & I AT

REGISTRATION DATA

COM DATA VB HEADER PROJECT INFO

REGISTRATION I NF O DESIGNER INFO

Offset 0x0 0x10 0x14 VAR VAR VAR VAR VAR VAR

Name uuidDesigner cbStructSize bstrAddinRegKey bstrAddinName bstrAddinDescription dwLoadBehaviour bstrSatelliteDll bstrAdditionalRegKey dwCommandLineSafe

Description CLSID of the Addin/Designer Total Size of the next fields. Registry Key of the Addin Friendly Name of the Addin Description of Addin CLSID of Object Satellite DLL, if specified Extra Registry Key, if specified Specifies a GUI-less Addin if 1.


To read the Designer Info structure, simply read the first long value at 0x14, which is the length of the Add-In Registry Key. Then add that number to the current offset, and you get the offset of Add-In Name’s Length. Add that number to your new offset, and you get to the Add-In Description. Next up is the Load Behavior, a long value, followed by another length, this time the Satellite DLL’s Name. If this is 0, it’s the Additional Registry Key Name. If this is 0, then you arrive at dwCommandLineSafe. Finally, here are the flags for RegData->ObjectType Object Types Value Name Description 0x2 Designer A Visual Basic Designer for an Add-In 0x10 Class Module A Visual Basic Class 0x20 User Control A Visual Basic Active X User Control (OCX) 0x80 User Document A Visual Basic User Document nb: Other values may exist to define VB Objects, but they aren’t used in this structure.

7


3. The Project Information Structure name: none. Size: 0x23C bytes.

The Project Information structure is pointed by the VB Header. It contains user information about the project as well as critical information (such as a pointer to the Object Table). It is also heavily used for compilation statistics. Here’s an at-a-glance view:

PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x24 0x234 0x238

Name dwVersion lpObjectTable dwNull lpCodeStart lpCodeEnd dwDataSize lpThreadSpace lpVbaSeh lpNativeCode szPathInformation lpExternalTable dwExternalCount

Description 5.00 in Hex (0x1F4). Version. Pointer to the Object Table Unused value after compilation. Points to start of code. Unused. Points to end of code. Unused. Size of VB Object Structures. Unused. Pointer to Pointer to Thread Object. Pointer to VBA Exception Handler Pointer to .DATA section. Contains Path and ID string. < SP6 Pointer to External Table. Objects in the External Table.

P R O J E CT I N F O 2 T B D L AT ER

A great majority of these values are only used for compilation are leftovers of statistical data. These include the path information, code pointers, and data size.

4. The Secondary Project Information Structure name: none. Size: 0x28 bytes.

This Secondary structure, pointed by the Object Table contains mostly data used when compiling the project. It does also however pave the way to the Form List (To be described later) and gives the elusive Help Context ID. PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE P R O J E CT I N F O 2

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x24

Name lpHeapLink lpObjectTable dwReserved dwUnused lpObjectList dwUnused2 szProjectDescription szProjectHelpFile dwReserved2 dwHelpContextId

T B D L AT ER 8

Description Unused after compilation, always 0. Back-Pointer to the Object Table. Always set to -1 after compiling. Unused Not written or read in any case. Pointer to Object Descriptor Pointers. Not written or read in any case. Pointer to Project Description Pointer to Project Help File Always set to -1 after compiling. Unused Help Context ID set in Project Settings.


5. The Object Table Structure name: none. Size: 0x54 bytes.

The Object Table structure is pointed by the Project Info Structure. It contains points to the Object Array, as well as more repeated Project Data (presumably so it can be read quickly from here). Some values are also only used when running the project in memory (in the IDE). Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE P R O J E CT I N F O 2 T B D L AT ER

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x18 0x28 0x2A 0x2C 0x2E 0x30 0x34 0x38 0x3C 0x40 0x44 0x48 0x4C 0x50

Name lpHeapLink lpExecProj lpProjectInfo2 dwReserved dwNull lpProjectObject uuidObject fCompileState dwTotalObjects dwCompiledObjects dwObjectsInUse lpObjectArray fIdeFlag lpIdeData lpIdeData2 lpszProjectName dwLcid dwLcid2 lpIdeData3 dwIdentifier

Description Unused after compilation, always 0. Pointer to VB Project Exec COM Object. Secondary Project Information. Always set to -1 after compiling. Unused Not used in compiled mode. Pointer to in-memory Project Data. GUID of the Object Table. Internal flag used during compilation. Total objects present in Project. Equal to above after compiling. Usually equal to above after compile. Pointer to Object Descriptors Flag/Pointer used in IDE only. Flag/Pointer used in IDE only. Flag/Pointer used in IDE only. Pointer to Project Name. LCID of Project. Alternate LCID of Project. Flag/Pointer used in IDE only. Template Version of Structure.

6. The Private Object Descriptor Structure name: none. Size: 0x40 bytes.

The Private Object Descriptor Table is pointed by an array defined in the Object List Pointer in the Secondary Project Information. The whole structure can be deleted after compilation. Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT DATA

Offset 0x0 0x4 0x8 0xC 0x18 0x1C 0x20 0x2C 0x38 0x3C

Name lpHeapLink lpObjectInfo dwReserved dwIdeData[3] lpObjectList dwIdeData2 lpObjectList2[3] dwIdeData3[3] dwObjectType dwIdentifier

P R O J E CT I N F O 2 T B D L AT ER 9

Description Unused after compilation, always 0. Pointer to the Object Info for this Object. Always set to -1 after compiling. Not valid after compilation. Points to the Parent Structure (Array) Not valid after compilation. Points to the Parent Structure (Array). Not valid after compilation. Type of the Object described. Template Version of Structure.


7. The Public Object Descriptor Structure name: none. Size: 0x30 bytes.

The Public Object Descriptor Table is pointed by the Array lpObjectArray in the Object Table. Each Object in the project will have its own. Unlike the private structure, this one is actually used by VB for a variety of tasks. Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE P R O J E CT I N F O 2

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x24 0x28 0x2C

Name lpObjectInfo dwReserved lpPublicBytes lpStaticBytes lpModulePublic lpModuleStatic lpszObjectName dwMethodCount lpMethodNames bStaticVars fObjectType dwNull

Description Pointer to the Object Info for this Object. Always set to -1 after compiling. Pointer to Public Variable Size integers. Pointer to Static Variable Size integers. Pointer to Public Variables in DATA section Pointer to Static Variables in DATA section Name of the Object. Number of Methods in Object. If present, pointer to Method names array. Offset to where to copy Static Variables. Flags defining the Object Type. Not valid after compilation.

T B D L AT ER

8. The Object Info Structure name: none. Size: 0x38 bytes.

The Object Information structure defines an Object and provides various information to its methods and constants (in Pseudo Code). Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT TABLE P R O J E CT I N F O 2 T B D L AT ER

Offset 0x0 0x2 0x4 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x22 0x24 0x28 0x2A 0x2C 0x30 0x34

Name wRefCount wObjectIndex lpObjectTable lpIdeData lpPrivateObject dwReserved dwNull lpObject lpProjectData wMethodCount wMethodCount2 lpMethods wConstants wMaxConstants lpIdeData2 lpIdeData3 lpConstants

10

Description Always 1 after compilation. Index of this Object. Pointer to the Object Table Zero after compilation. Used in IDE only. Pointer to Private Object Descriptor. Always -1 after compilation. Unused. Back-Pointer to Public Object Descriptor. Pointer to in-memory Project Object. Number of Methods Zeroed out after compilation. IDE only. Pointer to Array of Methods. Number of Constants in Constant Pool. Constants to allocate in Constant Pool. Valid in IDE only. Valid in IDE only. Pointer to Constants Pool.


9. The Optional Object Info Structure name: none. Size: 0x40 bytes.

The Optional Object Information structure, present only for COM Objects (anything but a Module) defines some GUIDs as well as other useful Form Information, and points to Controls. Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT DATA P R O J E CT I N F O 2 T B D L AT ER

Offset 0x0 0x4 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x24 0x28 0x2A 0x2C 0x2E 0x30 0x34 0x38 0x3C

Name dwObjectGuids lpObjectGuid dwNull lpuuidObjectTypes dwObjectTypeGuids lpControls2 dwNull2 lpObjectGuid2 dwControlCount lpControls wEventCount wPCodeCount bWInitializeEvent bWTerminateEvent lpEvents lpBasicClassObject dwNull3 lpIdeData

Description How many GUIDs to Register. 2 = Designer Unique GUID of the Object *VERIFY* Unused. Pointer to Array of Object Interface GUIDs How many GUIDs in the Array above. Usually the same as lpControls. Unused. Pointer to Array of Object GUIDs. Number of Controls in array below. Pointer to Controls Array. Number of Events in Event Array. Number of P-Codes used by this Object. Offset to Initialize Event from Event Table. Offset to Terminate Event in Event Table. Pointer to Events Array. Pointer to in-memory Class Objects. Unused. Only valid in IDE.

10. The Control Info Structure name: none. Size: 0x28 bytes.

The Control Information Structure contains data about each control on the Form, and points to the Event Handler Table for this Control. Here’s an at-a-glance view: PE HEADER & I AT COM DATA VB HEADER PROJECT INFO OBJECT DATA P R O J E CT I N F O 2

Offset 0x0 0x4 0x6 0x8 0xC 0x10 0x14 0x18 0x1C 0x20 0x24

Name fControlType wEventcount bWEventsOffset lpGuid dwIndex dwNull dwNull2 lpEventTable lpIdeData lpszName dwIndexCopy

T B D L AT ER

11

Description Type of control. Number of Event Handlers supported. Offset in to Memory struct to copy Events. Pointer to GUID of this Control. Index ID of this Control. Unused. Unused. Pointer to Event Handler Table. Valid in IDE only. Name of this Control. Secondary Index ID of this Control.

VB Structures

Recommend Documents