I'm writing a program to detect which ".exe" files were generated by "Visual Basic 6". I found that at the "entry point" of each VB file, there is an address at offset 1 from the "entry point" which points to a location that contains the string "vb5!". Is that a certain signature? Can I be sure that this string exists in every VB file? Then, I want to find the certain address of the beginning of the code, so that I can recognize every VB file from another VB file.

+1  A: 

Not exactly sure what you're trying to accomplish, but every VB6 exe, DLL or OCX will contain an import to MSVBVM60.dll. If it contains that, you can be pretty sure it's a VB6 exe.

About this:

"Then, I want to find the certain address of the beginning of the code, so that I can recognize every VB file from another VB file."

VB6 doesn't embed the same kind of metadata in the exe that .NET does, so it'll be impossible to extract any "VB Code" from the executable. Depending on how it was compiled, you MIGHT be able to retrieve function names and such, but that's only if the PDB (program database) was embedded into the exe and not compiled into a separate PDB file.

Worse, there are plenty of tools out there to compress an exe (any exe), and if that's done, there's almost no way you'll be able to tell where the exe came from, at least not from simply looking at the contents of the exe file.

drventure
You're right, the PDB is not available in almost 100% of files! In programs which are written in VSC++ (for example) there is a call to the start of the main code that is not a part of the compiler, but in VB I still found nothing :(. I don't want to parse the whole file; time is very important for me. And I know that this way I could only detect files that are not packed, compressed or crypted ..., but it is worth it for me.
rain
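
An added example, not code from anyone in this thread: the two checks discussed above, done in Python with only `struct`. It tests for the MSVBVM60.dll import named in the answer and reads the address at offset 1 from the entry point to see whether it points at "VB5!", as the question describes. The function names are hypothetical and `build_sample` produces a constructed, minimal PE image used only as test input.

```python
import struct

def vb6_indicators(data):
    """Return (imports_msvbvm60, entry_operand_is_vb5) for a PE32 file image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header: NumberOfSections ... SizeOfOptionalHeader
    nsec, _ts, _sym, _nsym, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:      # PE32 magic
        raise ValueError("not a 32-bit PE")
    entry_rva, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    import_rva, = struct.unpack_from("<I", data, opt + 104)  # data directory 1
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
            for i in range(nsec)]
    def off(rva):  # RVA -> file offset, None when no section maps it
        for _vsize, va, rsize, rptr in secs:
            if va <= rva < va + rsize:
                return rptr + rva - va
        return None

    imports, d = False, off(import_rva)
    while d is not None and d + 20 <= len(data):
        name = off(struct.unpack_from("<I", data, d + 12)[0])
        if name is None:                 # zero Name RVA ends the table
            break
        imports |= data[name:data.find(b"\0", name)].lower() == b"msvbvm60.dll"
        d += 20
    e, vb5 = off(entry_rva), False
    if e is not None and e + 5 <= len(data):
        t = off(struct.unpack_from("<I", data, e + 1)[0] - image_base)
        vb5 = t is not None and data[t:t + 4] == b"VB5!"
    return imports, vb5

def build_sample(vb=True):
    """Constructed minimal PE32 image (not a real program), one section at RVA 0x1000."""
    base, sec, hdr = 0x400000, bytearray(0x200), bytearray(0x200)
    sec[0:5] = b"\x68" + struct.pack("<I", base + 0x1100)    # entry: opcode + address
    sec[0x100:0x104] = b"VB5!" if vb else b"XXXX"
    struct.pack_into("<I", sec, 0x12C, 0x1180)               # descriptor Name RVA
    sec[0x180:0x18C] = b"MSVBVM60.DLL" if vb else b"KERNEL32.DLL"
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    for fmt, at, val in (("<I", 0x3C, 0x40), ("<H", 0x46, 1), ("<H", 0x54, 0xE0),
                         ("<H", 0x58, 0x10B), ("<I", 0x68, 0x1000),
                         ("<I", 0x74, base), ("<I", 0xC0, 0x1120)):
        struct.pack_into(fmt, hdr, at, val)
    struct.pack_into("<4I", hdr, 0x140, 0x200, 0x1000, 0x200, 0x200)  # section header
    return bytes(hdr + sec)
```

Both values come back False for a packed or compressed file, since the import table and entry point then belong to the packer stub, which is the limitation the answer and the comment already point out.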