Last active
May 18, 2023 13:30
-
-
Save monoxgas/1b36031c5593ebfed3229f4424f77090 to your computer and use it in GitHub Desktop.
VBA code for calling AppDomain.Load using raw vtable lookups for the IUnknown
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ' Need to add project references to C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscoree.tlb and mscorlib.tlb | |
| Private Declare PtrSafe Function DispCallFunc Lib "oleaut32.dll" (ByVal pv As LongPtr, ByVal ov As LongPtr, ByVal cc As Integer, ByVal vr As Integer, ByVal ca As Long, ByRef pr As Integer, ByRef pg As LongPtr, ByRef par As Variant) As Long | |
| Private Declare PtrSafe Sub RtlMoveMemory Lib "kernel32" (Dst As Any, Src As Any, ByVal BLen As LongPtr) | |
| Private Declare PtrSafe Function VarPtrArray Lib "VBE7" Alias "VarPtr" (ByRef Var() As Any) As LongPtr | |
| #If Win64 Then | |
| Const LS As LongPtr = 8& | |
| #Else | |
| Const LS As LongPtr = 4& | |
| #End If | |
| Private Function decodeHex(hex) | |
| On Error Resume Next | |
| Dim DM, EL | |
| Set DM = CreateObject("Microsoft.XMLDOM") | |
| Set EL = DM.createElement("tmp") | |
| EL.DataType = "bin.hex" | |
| EL.Text = hex | |
| decodeHex = EL.NodeTypedValue | |
| End Function | |
| Sub Test() | |
| Dim b As String | |
| b = b & "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010300c60cf7f50000000000000000e000" | |
| b = b & "22200b013000000800000006000000000000a6260000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000512600004f000000004000008803000000000000000000000000000000000000006000000c000000ac250000" | |
| b = b & "380000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000ac060000002000000008000000020000000000000000000000000000200000602e72737263000000880300000040000000040000000a000000000000000000000000" | |
| b = b & "0000400000402e72656c6f6300000c0000000060000000020000000e0000000000000000000000000000400000420000000000000000000000000000000085260000000000004800000002000500642000004805000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004a02280e00000a72" | |
| b = b & "01000070280f00000a262a0042534a4201000100000000000c00000076322e302e35303732370000000005006c000000bc010000237e0000280200003c02000023537472696e6773000000006404000014000000235553007804000010000000234755494400000088040000c000000023426c6f620000000000000002000001471400000900000000fa013300160000010000001100" | |
| b = b & "000002000000010000000f0000000d0000000100000002000000000066010100000000000600db00c70106004801c7010600280095010f00e7010000060050007d010600be007d0106009f007d0106002f017d010600fb007d01060014017d01060067007d0106003c00a80106001a00a801060082007d010600170276010a003002f6010a001e02f601000000000800000000000100" | |
| b = b & "01000100100001000b023d000100010050200000000086188f010600010009008f01010011008f01060019008f010a0029008f01100031008f01100039008f01100041008f01100049008f01100051008f01100059008f01100061008f01150069008f01100071008f01100079008f01060081002b021a002e000b0029002e00130032002e001b0051002e0023005a002e002b006b00" | |
| b = b & "2e0033006b002e003b006b002e0043005a002e004b0071002e0053006b002e005b006b002e00630089002e006b00b3000480000001000000000000000000000000000b02000002000000000000000000000020001100000000000200000000000000000000002000f601000000000000000000436c61737331003c4d6f64756c653e006d73636f726c69620047756964417474726962" | |
| b = b & "7574650044656275676761626c6541747472696275746500436f6d56697369626c6541747472696275746500417373656d626c795469746c6541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e417474726962" | |
| b = b & "75746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d6543" | |
| b = b & "6f6d7061746962696c6974794174747269627574650053696d706c65436c6173732e646c6c0053797374656d0053797374656d2e5265666c656374696f6e002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e496e7465726f7053657276696365730053797374656d2e52756e74696d652e436f6d70696c65725365727669636573" | |
| b = b & "00446562756767696e674d6f6465730053797374656d2e57696e646f77732e466f726d730053696d706c65436c617373004f626a656374004469616c6f67526573756c740053686f77004d657373616765426f78000000112e004e00450054002000420042005900000022c18df3d2b8d54abc83bb3fd5031dc700042001010803200001052001011111042001010e04200101020500" | |
| b = b & "0111450e08b77a5c561934e0890801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f7773010801000200000000001001000b53696d706c65436c617373000005010000000017010012436f7079726967687420c2a920203230313800002901002464373731313239322d346563392d343634352d393261382d36393566393832333065373800" | |
| b = b & "000c010007312e302e302e30000000000000528424c200000000020000006d000000e4250000e40700000000000000000000000000001000000000000000000000000000000052534453f03ba3d0b135054fad53bf5d04d5ce2b01000000433a5c55736572735c4e69636b5c446f63756d656e74735c50726f6a656374735c53696d706c65436c6173735c53696d706c65436c617373" | |
| b = b & "5c6f626a5c52656c656173655c53696d706c65436c6173732e706462007926000000000000000000009326000000200000000000000000000000000000000000000000000085260000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000000000ff2500200010000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "00000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000002c03000000000000000000002c0334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe0000010000000100" | |
| b = b & "0000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b0048c020000010053007400720069006e006700460069006c00650049006e0066006f000000680200000100" | |
| b = b & "3000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000022000100010043006f006d00700061006e0079004e0061006d006500000000000000000040000c000100460069006c0065004400650073006300720069007000740069006f006e0000000000530069006d0070006c00650043006c00610073007300000030000800" | |
| b = b & "0100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e003000000040001000010049006e007400650072006e0061006c004e0061006d0065000000530069006d0070006c00650043006c006100730073002e0064006c006c0000004800120001004c006500670061006c0043006f007000790072006900670068007400000043006f007000" | |
| b = b & "7900720069006700680074002000a90020002000320030003100380000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000004800100001004f0072006900670069006e0061006c00460069006c0065006e0061006d0065000000530069006d0070006c00650043006c006100730073002e0064006c006c00000038000c00" | |
| b = b & "0100500072006f0064007500630074004e0061006d00650000000000530069006d0070006c00650043006c006100730073000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e003000" | |
| b = b & "2e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000a836000000000000" | |
| b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| b = b & "00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" | |
| Dim bytes() As Byte | |
| bytes = decodeHex(b) | |
| ' ------------------------------------- | |
| Dim host As New mscoree.CorRuntimeHost, dom As AppDomain | |
| host.Start | |
| host.GetDefaultDomain dom | |
| Dim vRet As Variant, lRet As Long | |
| Dim vTypes(0 To 1) As Integer | |
| Dim vValues(0 To 1) As LongPtr | |
| Dim pPArry As LongPtr: pPArry = VarPtrArray(bytes) | |
| Dim pArry As LongPtr | |
| RtlMoveMemory pArry, ByVal pPArry, LS | |
| Dim vWrap: vWrap = pArry | |
| vValues(0) = VarPtr(vWrap) | |
| vTypes(0) = 16411 | |
| Dim pRef As LongPtr: pRef = 0 | |
| Dim vWrap2: vWrap2 = VarPtr(pRef) | |
| vValues(1) = VarPtr(vWrap2) | |
| vTypes(1) = 16396 | |
| lRet = DispCallFunc(ObjPtr(dom), 45 * LS, 4, vbLong, 2, vTypes(0), vValues(0), vRet) | |
| Dim aRef As mscorlib.assembly | |
| RtlMoveMemory aRef, pRef, LS | |
| aRef.CreateInstance "SimpleClass.Class1" | |
| End Sub |
And by the way, this will not load dependencies, for example "System.Windows.Forms". is there anyway to load all the dependencies? including system dependencies.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you! This saves me days of time. I try to download dll from github. I can load the bytes array to app domain. But failed at last step when trying to createinstance. Error message is "Exception has been thrown by the target of an invocation". Do you know why?