https://github.com/kasperskylab/vbscriptinternals

Scripts for disassembling VBScript p-code in the memory to aid in exploits analysis
https://github.com/kasperskylab/vbscriptinternals

Last synced: 11 months ago
JSON representation

Scripts for disassembling VBScript p-code in the memory to aid in exploits analysis

• Host: GitHub
• URL: https://github.com/kasperskylab/vbscriptinternals
• Owner: KasperskyLab
• Created: 2018-07-03T12:41:32.000Z (almost 8 years ago)
• Default Branch: master
• Last Pushed: 2022-06-01T07:34:10.000Z (almost 4 years ago)
• Last Synced: 2025-04-13T01:56:32.033Z (about 1 year ago)
• Language: Python
• Size: 10.7 KB
• Stars: 85
• Watchers: 7
• Forks: 23
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

          
# VBscriptInternals

Author: [Boris Larin](https://twitter.com/oct0xor)

This repository contains

scripts for disassembling VBScript p-code in the memory to aid in exploits

analysis.

https://securelist.com/delving-deep-into-vbscript-analysis-of-cve-2018-8174-exploitation/86333/

## Contents

`kl_vbs_disasm_ida.py` - Script for IDA Pro 

`kl_vbs_disasm_windbg.py` - Script for WinDbg with PyKD extension

## Usage

Set breakpoint at

function `vbscript!CScriptRuntime::RunNoEH` and use appropriate script after breakpoint is hit.