Open baxitaurus opened 5 years ago
Nice that you're trying to make this work :-) My first assumption would be: you looked at the 64-bit .dll, but wscript.exe loads the 32-bit .dll (or the other way around, but I think that's less likely). So in that case - different dll with different PE timestamp etc.
Thanks for your reply @jbremer, but actually I did look at the 32-bit version of vbscript.dll
because I saw that wscript was loading it (through IDA), so the offsets I used in the hook definition are referred to the 32-bit version :smile:
Looking at the insn/flash.yml
I saw an interesting comment:
5 BaseExecMgr_setNative:
6 module: flash32_20_0_0_228
7 init: flash_init
8 offsets:
9 0x565123f2:
10 # The BaseExecMgr::setNative method starts at 0x6d7900, however, it has
11 # to process a flag in order to determine the real native address of the
12 # method. We just await this computation before fetching it.
13 offset: 0x705230
14 stack: 4 8
15 logging:
16 - S method_name length, name
17 - p offset flash_module_offset(stk1)
18 pre: |
19 uint32_t length = 0; const char *name;
20 name = flash_get_method_name(stk0, &length);
I was wondering if something similar should be done with the new definition of the COleScript::Compile function in the version of vbscript.dll i'm working on. Maybe here the start address of the function is not the "real" start address of the function?
Below i screenshot of the function in the DLL used in the article (the hook definition in the master branch refers to it):
And here you can find "my" version of it:
Well, all those screenshots show 64-bit x86, so ;-)
Ok, I do have to study the definitions of 32/64 bit and x86/x64, I admit it :laughing: Despite of this I'm sure the DLL that wscipt is loading is that one (under C:\Windows\System32
), or at least this is what I see with WinDBG:
So the problem here should be not the DLL I'm looking at, am i wrong?
Hi guys, first of all thanks alot for your excellent work.
I'm having issues in getting the
COleScript::Compile
hook defined ininsn/vbscript.yml
to work properly, and that's confirmed by theDEBUG:Error resolving function vbscript!COleScript_Compile through our custom callback
log messages I see in theanalysis.log
file.I followed the steps described in this article to set up my hook, since my
C:\Windows\System32\vbscript.dll
has a different sha256 (9cb3ace7916fbe3876970f58870a6635f32ebeb0ab4aecece7a96be31434b2eb
) I had to change both the offset of the PE timestamp and the one of the function inside the DLL, while I wasn't able to figure out what doesstack: 56
refers to (how should be set this parameter?). Below you can see my definition of the hook:Despite of this, the hook seems not working yet. Is there some useful documentation about this "special" hooks? I can't find nothing but that article on the web, and I have no idea what is wrong with the above definition.
I'm working with a Windows 7 Professional x64 (SP1) VM and the sample I'm using for tests is a simple "Hello World" VBS script. My version of
vbscript.dll
is 5.8.9200.16521.(I've tried with
bitmode: 64
too)Edit: I checked the steps I followed to reach the above definition on the same
vbscript.dll
version used in the article, and they seems to be correct since I can obtain the same offsets used in the production version of this hook. What am i missing?