@ghassani
Created September 2, 2016 05:21
import ntpath
import sys
import time

import idaapi
import idc
from idc import *
from idaapi import *
from idautils import *
def path_leaf(path):
    """Return the last path component of a Windows-style `path`.

    Uses `ntpath` so it behaves the same whether IDA runs on Windows or
    elsewhere.  A trailing separator is tolerated: the component before
    it is returned instead of an empty string.
    """
    parent, leaf = ntpath.split(path)
    if leaf:
        return leaf
    # `path` ended in a separator; fall back to the parent's last component.
    return ntpath.basename(parent)
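class DbgHook(DBG_Hooks):
    """IDA debugger hook that traces VB6 p-code engine calls in msvbvm60.dll.

    Once the runtime DLL is reported as loaded, software breakpoints are
    placed on ProcCallEngine and MethCallEngine.  On every hit the value
    of EDX and the name IDA has for that address are printed and the
    process is resumed, so the script works as a passive call tracer.
    """

    # Runtime state, filled in by dbg_library_load.  Assignments there
    # create instance attributes that shadow these class defaults.
    MSVBVM_LOADED = False
    MSVBVM_BASE = 0
    MSVBVM_SIZE = 0
    # Absolute addresses of the two engine entry points.  They are NOT
    # derived from the reported load base, so they are only correct when
    # msvbvm60.dll is mapped at the base they were taken from.
    # NOTE(review): if the breakpoints never fire, compare the `base`
    # printed at load time with the one these constants assume.
    MSVBVM_PROCCALLENGINE = 0x660FD05D
    MSVBVM_METHCALLENGINE = 0x66103B68

    # File name IDA reports for the VB6 runtime (compared case-insensitively).
    _TARGET_DLL = "msvbvm60.dll"

    def dbg_library_load(self, pid, tid, ea, name, base, size):
        """Called by IDA when the debuggee maps a library.

        Every module except msvbvm60.dll is ignored.  For that one the
        PDB plugin is run, base/size are recorded, both engine
        breakpoints are set and the process is resumed.
        """
        loaded_name = path_leaf(name)
        # Windows module names are case-insensitive; an exact compare
        # would miss a loader reporting e.g. "MSVBVM60.DLL".
        if loaded_name.lower() != self._TARGET_DLL:
            return
        print("%s at %s - %s (%d bytes)" % (loaded_name, hex(base), hex(base + size), size))
        idaapi.load_and_run_plugin("pdb", 3)
        self.MSVBVM_BASE = base
        self.MSVBVM_SIZE = size
        self.MSVBVM_LOADED = True
        self._add_engine_bpt("ProcCallEngine", self.MSVBVM_PROCCALLENGINE)
        self._add_engine_bpt("MethCallEngine", self.MSVBVM_METHCALLENGINE)
        idaapi.continue_process()

    def _add_engine_bpt(self, label, address):
        """Place a software breakpoint at `address`, reporting a failure."""
        print("Adding Breakpoint On Name: %s @ %s\n" % (label, hex(address)))
        # A false-ish result means the breakpoint was not installed;
        # say so instead of silently tracing nothing.
        if not idaapi.add_bpt(address, 0, BPT_SOFT):
            print("Failed to add breakpoint for %s @ %s" % (label, hex(address)))

    def _report_engine_call(self, label):
        """Print EDX and the symbol IDA knows for it, tagged with `label`."""
        target = idc.GetRegValue('EDX')
        print("%s: %s - %s" % (label, hex(target), idc.Name(target)))

    def dbg_bpt(self, tid, ea):
        """Called by IDA on every breakpoint hit.

        Engine hits are reported and the process is resumed; any other
        breakpoint is left to IDA's default handling.
        """
        if self.MSVBVM_LOADED:
            if ea == self.MSVBVM_PROCCALLENGINE:
                self._report_engine_call("ProcCallEngine")
                idaapi.continue_process()
            elif ea == self.MSVBVM_METHCALLENGINE:
                # This branch previously printed the "ProcCallEngine" label
                # too (copy-paste), making the two engines indistinguishable.
                self._report_engine_call("MethCallEngine")
                idaapi.continue_process()
        return 0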
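# Re-running the script inside the same IDA session must not leave a
# stale hook installed, so a previous instance is unhooked first.  On the
# first run the name is simply undefined; that is the only situation the
# message describes, so only NameError is swallowed -- a real failure of
# unhook() on an existing hook is no longer hidden.
try:
    debughook.unhook()
except NameError:
    print("Debug Hook not set yet...")
debughook = DbgHook()
debughook.hook()
print("Installed debug hook ...")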