#ro0ted #OpNewblood What the blackhats don’t want you to know: Visual Basic Binaries Brief Walk Through
By ro0ted | February 12, 2015 - 13:21 | Posted in /b/

Today in What the blackhats don’t want you to know we will go over Visual Basic binaries. Sooner or later you will come across malware written in Visual Basic, since VB is one of the languages most heavily used by novice authors.


(In order)

Why am I teaching Reverse Engineering to inexperienced new Anons in OpNewblood?

Whitehat Lab

ASM Programming

Introduction Part 1 Ollydbg 

Introduction Part 2 Using Ollydbg and Tracing Botnets

Analyzing Botnets

Introduction Part 3 Ollydbg: Cheating a Crackme

Introduction Part 4 Ollydbg: Your first Patch

Encryption 101

Cuckoo Sandbox: Automated Malware Analysis also known as

Introduction to Honeydrive: A Brief Walk Through

Installing Kippo the SSH Honeypot on a VPS Part 1: How to set it up

Resource Hacker

Dll Injection the Easy Way

Visual Basic Binaries Walk Through Part 1


Tools used:

ExeinfoPE (PE analyzer)

CFF Explorer Suite (PE analyzer)

Ollydbg modified (with every plugin)

VB Decompiler Pro or Lite

This is a walk-through of how to understand Visual Basic binaries. You are a spectator; consider this an online lecture. #ro0ted


Okay, first we run the target through ExeinfoPE, a PE analyzer that identifies the compiler or packer a binary was built with.


Let’s investigate the header before we run Ollydbg.


Click Import, which reveals the DLLs the binary depends on. A native VB6 executable typically imports almost everything through a single runtime DLL, MSVBVM60.DLL, so a near-empty import table with that one entry is itself a strong hint.


Let’s see whether it edits the registry or creates any registry entries:


This is how we can tell whether this is indeed a fake program or just heavily packed. Let’s run it in CFF Explorer Suite, another PE analyzer, to cross-check the header and import information.


Okay, let’s open the target in Ollydbg. Keep in mind I’m using a modified Ollydbg with every plugin.


If this were a C or C++ program, viewing All Referenced Text Strings would often show little worth reviewing, because the interesting strings are usually built at runtime or obfuscated. Visual Basic is different: VB6 stores its string literals in the binary as wide (UTF-16) strings, and Ollydbg lists them as UNICODE entries, so captions, message text, registry paths and URLs frequently sit in plain view. Example:


Another hindrance to reversing is that the method calls are completely different in a VB executable. Instead of calling Win32 APIs such as CreateWindowExA and MessageBoxA directly, VB goes through its own runtime functions exported by the runtime DLL (MSVBVM60.DLL for VB6), for example rtcMsgBox in place of MessageBoxA and the __vba* family for string and variant handling. So set your breakpoints on those runtime exports, or on the Win32 API the runtime eventually calls, rather than expecting to find the familiar imports in the target itself:
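To make the identification steps above reproducible without the GUI tools, here is an added example script; it is my code for this write-up, not part of the original post and not taken from ExeinfoPE or CFF Explorer. It parses the PE headers itself, checks for the entry-point stub every native VB6 EXE starts with (push offset VBHeader; call ThunRTMain, where the pushed header begins with "VB5!"), looks for the runtime DLL name, and pulls out the UTF-16 literals that Ollydbg lists as UNICODE strings. The image it runs on by default is a constructed stand-in built inside the script, not a real sample, and every function name is the example's own.

```python
"""Added example: the checks ExeinfoPE/CFF Explorer do by hand, as an offline script.
Parses the PE headers, looks for the VB6 entry stub (push VBHeader; call ThunRTMain),
checks the "VB5!" signature, and dumps the UTF-16 literals Ollydbg shows as UNICODE."""
import re
import struct

VB_SIGNATURE = b"VB5!"                            # magic at the start of the VB header
VB_RUNTIMES = (b"msvbvm60.dll", b"msvbvm50.dll")  # VB6 / VB5 runtime DLL names


def parse_pe32(data):
    """Return (image_base, entry_rva, sections) for a PE32 file, or None if it is not one."""
    try:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
        opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
        opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER32
        if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 only; VB6 is 32-bit
            return None
        entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        sections = []
        for i in range(num_sections):                         # IMAGE_SECTION_HEADER is 40 bytes
            vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
            sections.append((vaddr, vsize, rawptr, rawsize))
        return image_base, entry_rva, sections
    except struct.error:                                      # truncated or malformed headers
        return None


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (None if unmapped)."""
    for vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
    return None


def detect_vb6(data):
    """Return the VA of the VB header when the entry point is the VB6 stub, else None.
    The stub is  68 <VBHeader> / E8 <rel32>  (push; call ThunRTMain through a jmp thunk,
    or FF 15 when the call goes through the IAT) and the header starts with "VB5!"."""
    pe = parse_pe32(data)
    if pe is None:
        return None
    image_base, entry_rva, sections = pe
    entry = rva_to_offset(sections, entry_rva)
    if entry is None or entry + 10 > len(data) or data[entry] != 0x68:
        return None
    if data[entry + 5] not in (0xE8, 0xFF):
        return None
    header_va = struct.unpack_from("<I", data, entry + 1)[0]
    header = rva_to_offset(sections, header_va - image_base)
    if header is None or data[header:header + 4] != VB_SIGNATURE:
        return None
    return header_va


def references_vb_runtime(data):
    """Cheap import check: the runtime DLL name is stored as ASCII in the import directory."""
    lowered = data.lower()
    return any(name in lowered for name in VB_RUNTIMES)


def wide_strings(data, min_len=5):
    """Extract printable UTF-16LE runs, the form VB6 string literals take in the binary."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def build_sample_vb_exe():
    """Construct a minimal PE32 image shaped like a VB6 EXE (constructed test input, not a real program)."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x200
    text = bytearray(0x200)
    header_va = image_base + text_rva + 0x10
    text[0:5] = b"\x68" + struct.pack("<I", header_va)       # push offset VBHeader
    text[5:10] = b"\xE8" + struct.pack("<i", 0x40 - 10)      # call +0x40 (the thunk)
    text[0x10:0x14] = VB_SIGNATURE                           # start of the VB header
    text[0x40:0x46] = b"\xFF\x25" + struct.pack("<I", image_base + 0x2000)  # jmp [IAT: ThunRTMain]
    text[0x60:0x6D] = b"MSVBVM60.DLL\0"                      # what the import directory would name
    literal = "Created by the test".encode("utf-16-le")      # a VB string literal (constructed)
    text[0x80:0x80 + len(literal)] = literal
    text[0xC0:0xC5] = b"ascii"                               # narrow string: must NOT be reported
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt, 16, text_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)              # ImageBase
    section = struct.pack("<8sIIII", b".text", 0x200, text_rva, 0x200, text_raw) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers + bytes(text_raw - len(headers)) + bytes(text)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_vb_exe()
    print("VB6 stub:", detect_vb6(blob), "runtime:", references_vb_runtime(blob))
    print("UNICODE strings:", wide_strings(blob))
```

Run it with a path to get the three answers for a real file, or with no arguments to see it on the constructed image. Two caveats a practitioner should keep in mind: a packed sample fails the stub check because the entry point belongs to the packer, not to the VB runtime, which is exactly the "really packed" case discussed above (the wide-string dump will be empty for the same reason until you unpack); and the runtime check is a plain substring scan, so it is a hint, not proof that the name sits in the import directory.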


Let’s open the Executable modules window (Alt+E) to see which DLLs are loaded; for a VB6 target the runtime, MSVBVM60.DLL, will be among them.







Conclusion: Ollydbg reveals a lot but nothing mouth-watering, so the best bet is always to decompile the VB program. ILSpy and .NET Reflector will not show anything for a native VB6 binary, because it is not a .NET assembly (they only help with VB.NET). Use VB Decompiler Pro or Lite, which understands VB5/VB6 native-code and p-code executables. We will discuss patching VB programs in the next tutorial. This is just a brief discussion.









