VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown

mscorlib_load_assembly.vba

' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb

Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long
Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr)
Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr

#If Win64 Then
Const LS As LongPtr = 8&
#Else
Const LS As LongPtr = 4&
#End If

Private Function decodeHex(hex)
    On Error Resume Next
    Dim DM, EL
    Set DM = CreateObject("Microsoft.XMLDOM")
    Set EL = DM.createElement("tmp")
    EL.DataType = "bin.hex"
    EL.Text = hex
    decodeHex = EL.NodeTypedValue
End Function

Sub Test()
    Dim b As String
    b = b & "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300c60cf7f50000000000000000e000"
    b = b & "22200b013000000800000006000000000000a6260000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000512600004f000000004000008803000000000000000000000000000000000000006000000c000000ac250000"
    b = b & "380000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000ac060000002000000008000000020000000000000000000000000000200000602e72737263000000880300000040000000040000000a000000000000000000000000"
    b = b & "0000400000402e72656c6f6300000c0000000060000000020000000e0000000000000000000000000000400000420000000000000000000000000000000085260000000000004800000002000500642000004805000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004a02280e00000a72"
    b = b & "01000070280f00000a262a0042534a4201000100000000000c00000076322e302e35303732370000000005006c000000bc010000237e0000280200003c02000023537472696e6773000000006404000014000000235553007804000010000000234755494400000088040000c000000023426c6f620000000000000002000001471400000900000000fa013300160000010000001100"
    b = b & "000002000000010000000f0000000d0000000100000002000000000066010100000000000600db00c70106004801c7010600280095010f00e7010000060050007d010600be007d0106009f007d0106002f017d010600fb007d01060014017d01060067007d0106003c00a80106001a00a801060082007d010600170276010a003002f6010a001e02f601000000000800000000000100"
    b = b & "01000100100001000b023d000100010050200000000086188f010600010009008f01010011008f01060019008f010a0029008f01100031008f01100039008f01100041008f01100049008f01100051008f01100059008f01100061008f01150069008f01100071008f01100079008f01060081002b021a002e000b0029002e00130032002e001b0051002e0023005a002e002b006b00"
    b = b & "2e0033006b002e003b006b002e0043005a002e004b0071002e0053006b002e005b006b002e00630089002e006b00b3000480000001000000000000000000000000000b02000002000000000000000000000020001100000000000200000000000000000000002000f601000000000000000000436c61737331003c4d6f64756c653e006d73636f726c69620047756964417474726962"
    b = b & "7574650044656275676761626c6541747472696275746500436f6d56697369626c6541747472696275746500417373656d626c795469746c6541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e417474726962"
    b = b & "75746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d6543"
    b = b & "6f6d7061746962696c6974794174747269627574650053696d706c65436c6173732e646c6c0053797374656d0053797374656d2e5265666c656374696f6e002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e496e7465726f7053657276696365730053797374656d2e52756e74696d652e436f6d70696c65725365727669636573"
    b = b & "00446562756767696e674d6f6465730053797374656d2e57696e646f77732e466f726d730053696d706c65436c617373004f626a656374004469616c6f67526573756c740053686f77004d657373616765426f78000000112e004e00450054002000420042005900000022c18df3d2b8d54abc83bb3fd5031dc700042001010803200001052001011111042001010e04200101020500"
    b = b & "0111450e08b77a5c561934e0890801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001001000b53696d706c65436c617373000005010000000017010012436f7079726967687420c2a920203230313800002901002464373731313239322d346563392d343634352d393261382d36393566393832333065373800"
    b = b & "000c010007312e302e302e30000000000000528424c200000000020000006d000000e4250000e40700000000000000000000000000001000000000000000000000000000000052534453f03ba3d0b135054fad53bf5d04d5ce2b01000000433a5c55736572735c4e69636b5c446f63756d656e74735c50726f6a656374735c53696d706c65436c6173735c53696d706c65436c617373"
    b = b & "5c6f626a5c52656c656173655c53696d706c65436c6173732e706462007926000000000000000000009326000000200000000000000000000000000000000000000000000085260000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000000000ff2500200010000000000000000000000000000000000000000000000000000000000000"
    b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    b = b & "00000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000002c03000000000000000000002c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe0000010000000100"
    b = b & "0000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b0048c020000010053007400720069006e006700460069006c00650049006e0066006f000000680200000100"
    b = b & "3000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d006500000000000000000040000c000100460069006c0065004400650073006300720069007000740069006f006e0000000000530069006d0070006c00650043006c00610073007300000030000800"
    b = b & "0100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e003000000040001000010049006e007400650072006e0061006c004e0061006d0065000000530069006d0070006c00650043006c006100730073002e0064006c006c0000004800120001004c006500670061006c0043006f007000790072006900670068007400000043006f007000"
    b = b & "7900720069006700680074002000a90020002000320030003100380000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000004800100001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000530069006d0070006c00650043006c006100730073002e0064006c006c00000038000c00"
    b = b & "0100500072006f0064007500630074004e0061006d00650000000000530069006d0070006c00650043006c006100730073000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e003000"
    b = b & "2e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000a836000000000000"
    b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
    b = b & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
     
    Dim bytes() As Byte
    bytes = decodeHex(b)
    
    ' -------------------------------------
        
    Dim host As New mscoree.CorRuntimeHost, dom As AppDomain
    host.Start
    host.GetDefaultDomain dom

    Dim vRet As Variant, lRet As Long
    Dim vTypes(0 To 1) As Integer
    Dim vValues(0 To 1) As LongPtr

    Dim pPArry As LongPtr: pPArry = VarPtrArray(bytes)
    Dim pArry As LongPtr
    RtlMoveMemory pArry, ByVal pPArry, LS
    Dim vWrap: vWrap = pArry
    
    vValues(0) = VarPtr(vWrap)
    vTypes(0) = 16411
    
    Dim pRef As LongPtr: pRef = 0
    Dim vWrap2: vWrap2 = VarPtr(pRef)
    
    vValues(1) = VarPtr(vWrap2)
    vTypes(1) = 16396
    
    lRet = DispCallFunc(ObjPtr(dom), 45 * LS, 4, vbLong, 2, vTypes(0), vValues(0), vRet)
    
    Dim aRef As mscorlib.assembly
    RtlMoveMemory aRef, pRef, LS
    aRef.CreateInstance "SimpleClass.Class1"
    
End Sub