Saturday, May 3, 2008

VBFRiSK

I've decided to release a beta version of my Visual Basic FRiSK plugin for IDA.

FRiSK stands for Fully Reversed in-Sequence Krypto... Just kidding.

Anyway this is how to use it:

1. Drop the IDA plugin into the IDA/plugins directory and re/start IDA.
2. Load a VB executable in IDA as you would normally.
3. Run the plugin.

Hmm, in retrospect that didn't really require explicit steps. Yes, it's meant to be that simple. Once run, and the plugin has established that it is indeed dealing with a VB file to its satisfaction, it will parse the undocumented VB structures that are scattered throughout the file, marking, naming and making everything it finds in its path. This reveals the following:

- external APIs (i.e. anything not included by msvbvm?0.dll)
- strings (including Unicode)
- forms (I have all the code to parse the form attributes as well but it's not yet built in)
- event handlers (e.g. Form_Load)

As you can imagine, this is all really helpful stuff. I hope you find it as useful as I did.

Any troubles at all, email me, and remember this is a debug beta build and is not final. Any havoc caused to your IDA listing is not my responsibility. I recommend using this only on VB files and only on virgin deadlistings. I've also noted it may take some time to finish when parsing overly large files; this is not my fault and the best way to handle this is to damn well wait for it to finish. ;)

Enjoy