RELSOFT TECHNOLOGIES

Visual Basic Decompiling

Visual Basic Image

Internal Structure
Format

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

VISUAL BASIC DECOMPILING

Visual Basic Image Internal Structure Format

2004 Alex Ionescu
Relsoft Technologies
http://www.relsoft.net
All Rights Reserved

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

Table of Contents
STRUCTURE RELATIONSHIP DIAGRAM .............................................................................................. 3
1. THE VB HEADER. ............................................................................................................................. 4
THREAD FLAGS .......................................................................................................................... 4
MDL INTERNAL CONTROL FLAGS............................................................................................ 5
2. THE COM REGISTRATION DATA.............................................................................................. 6
2.1 THE COM REGISTRATION INFO. ........................................................................................ 6
2.2 THE DESIGNER INFO. .......................................................................................................... 7
OBJECT TYPES ........................................................................................................................... 7
3. THE PROJECT INFORMATION .................................................................................................. 8
4. THE SECONDARY PROJECT INFORMATION ..................................................................... 8
5. THE OBJECT TABLE....................................................................................................................... 9
6. THE PRIVATE OBJECT DESCRIPTOR ................................................................................... 9
7. THE PUBLIC OBJECT DESCRIPTOR .................................................................................... 10
8. THE OBJECT INFO......................................................................................................................... 10
9. THE OPTIONAL OBJECT INFO ................................................................................................ 11
10. THE CONTROL INFO .................................................................................................................. 11

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.
Project Info 2
Project Info

Object List

Object Table
Public Object
Descriptors

Public
Variable
Data
Static
Variable
Data

Imports Table

Private Object
Descriptors

Methods
Constants

Object Info
Controls
Optional
Object Info

GUI Table

Event
Handlers
Events

VB Header

External Table

Overview of VB Structure Links.

*VERY* Incomplete. To be completed
on the way.

Project
Registration Data
COM Data
Designer Data

Structure Relationship Diagram

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

29/08/2004 More Structures, Some Fixes

This page is a work in progress. I hope you can find it useful, I will add more
as I research. Youre free to use this for whatever reason you want, Im simply
asking you to credit the original source (Alex Ionescu or www.relsoft.net)

1. The VB Header.
Structure name: EXEPROJECTINFO. Size: 0x68 bytes.

The VB Header is the main descriptor of any VB-compiled image file.

It links into all the other structures contained in the file, and provides
important language and program information. Heres an at-a-glance view:

PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE
P R O J E CT I N F O 2
T B D L AT ER

Offset

Name

Description

0x0
0x4
0x6
0x14
0x22
0x24
0x28
0x2C
0x30
0x34
0x38
0x3C
0x40
0x44
0x46
0x48
0x4C
0x50
0x54
0x58
0x5C
0x60
0x64

szVbMagic
wRuntimeBuild
szLangDll
szSecLangDll
wRuntimeRevision
dwLCID
dwSecLCID
lpSubMain
lpProjectData
fMdlIntCtls
fMdlIntCtls2
dwThreadFlags
dwThreadCount
wFormCount
wExternalCount
dwThunkCount
lpGuiTable
lpExternalTable
lpComRegisterData
bSZProjectDescription
bSZProjectExeName
bSZProjectHelpFile
bSZProjectName

VB5! String
Build of the VB6 Runtime
Language Extension DLL
2nd Language Extension DLL
Internal Runtime Revision
LCID of Language DLL
LCID of 2nd Language DLL
Pointer to Sub Main Code
Pointer to Project Data
VB Control Flags for IDs < 32
VB Control Flags for IDs > 32
Threading Mode
Threads to support in pool
Number of forms present
Number of external controls
Number of thunks to create
Pointer to GUI Table
Pointer to External Table
Pointer to COM Information
Offset to Project Description
Offset to Project EXE Name
Offset to Project Help File
Offset to Project Name

Furthermore, the following flags are defined:

Thread Flags
Value
Name
Description
0x1
ApartmentModel
Specifies multi-threading using an apartment model.
0x2
RequireLicense
Specifies to do license validation (OCX only).
0x4
Unattended
Specifies that no GUI elements should be initialized.
0x8
SingleThreaded
Specifies that the image is single-threaded.
0x10
Retained
Specifies to keep the file in memory (Unattended only)
ex: A value of 0x15 specifies a multi-threaded, memory-resident ActiveX Object with no GUI.

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

MDL Internal Control Flags

Control ID
0x0
0x1
0x2
0x3
0x4
0x5
0x6
0x7
0x8
0x9
0xA
0xB
0xC
0xD
0xE
0xF
0x10
0x11
0x12
0x13
0x14
0x15
0x16
0x17
0x18
0x19
0x1A
0x1B
0x1C
0x1D
0x1E
0x1F
2nd Flag Zone

Value
0x1
0x2
0x4
0x8
0x10
0x20
0x40
0x80
0x100
0x200
0x400
0x800
0x1000
0x2000
0x4000
0x8000
0x10000
0x20000
0x40000
0x80000
0x100000
0x200000
0x400000
0x800000
0x1000000
0x2000000
0x4000000
0x8000000
0x10000000
0x20000000
0x40000000
0x80000000

Name
PictureBox Object
Label Object
TextBox Object
Frame Object
CommandButton Object
CheckBox Object
OptionButton Object
ComboBox Object
ListBox Object
HScrollBar Object
VScrollBar Object
Timer Object
Print Object
Form Object
Screen Object
Clipboard Object
Drive Object
Dir Object
FileListBox Object
Menu Object
MDIForm Object
App Object
Shape Object
Line Object
Image Object
Unsupported
Unsupported
Unsupported
Unsupported
Unsupported
Unsupported
Unsupported

2nd Flag Zone

2nd Flag Zone

0x20
0x1
Unsupported
0x21
0x2
Unsupported
0x22
0x4
Unsupported
0x23
0x8
Unsupported
0x24
0x10
Unsupported
0x25
0x20
DataQuery Object
0x26
0x40
OLE Object
0x27
0x80
Unsupported
0x28
0x100
UserControl Object
0x29
0x200
PropertyPage Object
0x2A
0x400
Document Object
0x2B
0x800
Unsupported
ex: A value of 0x30F000 (the so called static binary constant on most sites) actually means
to initialize the Print, Form, Screen, ClipBoard Objects (0xF000) as well as the Drive/Dir
Objects (0x30000). This is default on VB projects because those objects can always be
accesses from a module (ie, they are not graphic, except Forms, which can always be created).

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

2. The COM Registration Data

Structure name: tagREGDATA. Size: 0x2A bytes.

The COM Registration Data contains information used if the image file
is ActiveX, and contains valuable COM Registration data such as Typelib
information, Designer data and Interface CLSIDs. Heres an at-a-glance view:
PE HEADER
&
I AT

REGISTRATION
DATA

COM DATA
VB HEADER

REGISTRATION
I NF O

PROJECT INFO

DESIGNER INFO

Offset
0x0
0x4
0x8
0xC
0x10
0x20
0x24
0x26
0x28

Name
bRegInfo
bSZProjectName
bSZHelpDirectory
bSZProjectDescription
uuidProjectClsId
dwTlbLcid
wUnknown
wTlbVerMajor
wTlbVerMinor

Description
Offset to COM Interfaces Info
Offset to Project/Typelib Name
Offset to Help Directory
Offset to Project Description
CLSID of Project/Typelib
LCID of Type Library
Might be something. Must check
Typelib Major Version
Typelib Minor Version

OBJECT TABLE
PROJECT INFO 2
T B D L AT ER

2.1 The COM Registration Info.

Structure name: tagRegInfo. Size: 0x44 bytes.

If a valid Object needs to be registered, then RegData->bRegInfo will

point to the following structure, for each valid Object:
NB: All offsets are relative to tagREGDATA above.

PE HEADER
&
I AT

REGISTRATION
DATA

COM DATA
VB HEADER

REGISTRATION
I NF O

PROJECT INFO

DESIGNER INFO

OBJECT TABLE
PROJECT INFO 2
T B D L AT ER

2.2

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x24
0x28
0x2C
0x30
0x34
0x38
0x39
0x3A
0x3C
0x3E
0x40

Name
bNextObject
bObjectName
bObjectDescription
dwInstancing
dwObjectId
uuidObject
fIsInterface
bUuidObjectIFace
bUuidEventsIFace
fHasEvents
dwMiscStatus
fClassType
fObjectType
wToolboxBitmap32
wDefaultIcon
fIsDesigner
bDesignerData

Description
Offset to COM Interfaces Info
Offset to Object Name
Offset to Object Description
Instancing Mode
Current Object ID in the Project
CLSID of Object
Specifies if the next CLSID is valid
Offset to CLSID of Object Interface
Offset to CLSID of Events Interface
Specifies if the CLSID above is valid
OLEMISC Flags (see MSDN docs)
Class Type
Flag identifying the Object Type
Control Bitmap ID in Toolbox
Minimized Icon of Control Window
Specifies whether this is a Designer
Offset to Designer Data

Please note that some of

these values are only valid depending on the Object Type (see Flags below)

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

2.2 The Designer Info.

Structure name: NONE. Size: Variable.

If the Object happens to be a Designer (used for Add-Ins), then the

tagRegInfo structure is augmented by the Designer Data structure, shown
below:
NB: A BSTR contains the string length as a long, followed by the string itself.
PE HEADER
&
I AT

REGISTRATION
DATA

COM DATA
VB HEADER
PROJECT INFO

REGISTRATION
I NF O
DESIGNER INFO

Offset
0x0
0x10
0x14
VAR
VAR
VAR
VAR
VAR
VAR

Name
uuidDesigner
cbStructSize
bstrAddinRegKey
bstrAddinName
bstrAddinDescription
dwLoadBehaviour
bstrSatelliteDll
bstrAdditionalRegKey
dwCommandLineSafe

Description
CLSID of the Addin/Designer
Total Size of the next fields.
Registry Key of the Addin
Friendly Name of the Addin
Description of Addin
CLSID of Object
Satellite DLL, if specified
Extra Registry Key, if specified
Specifies a GUI-less Addin if 1.

OBJECT TABLE
PROJECT INFO 2
T B D L AT ER

To read the Designer Info structure, simply read the first long value at
0x14, which is the length of the Add-In Registry Key. Then add that number
to the current offset, and you get the offset of Add-In Names Length. Add
that number to your new offset, and you get to the Add-In Description. Next
up is the Load Behavior, a long value, followed by another length, this time
the Satellite DLLs Name. If this is 0, its the Additional Registry Key Name.
If this is 0, then you arrive at dwCommandLineSafe.
Finally, here are the flags for RegData->ObjectType
Object Types
Value
Name
Description
0x2
Designer
A Visual Basic Designer for an Add-In
0x10
Class Module
A Visual Basic Class
0x20
User Control
A Visual Basic Active X User Control (OCX)
0x80
User Document
A Visual Basic User Document
nb: Other values may exist to define VB Objects, but they arent used in this structure.

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

3. The Project Information

Structure name: none. Size: 0x23C bytes.

The Project Information structure is pointed by the VB Header. It

contains user information about the project as well as critical information
(such as a pointer to the Object Table). It is also heavily used for compilation
statistics. Heres an at-a-glance view:

PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x24
0x234
0x238

Name
dwVersion
lpObjectTable
dwNull
lpCodeStart
lpCodeEnd
dwDataSize
lpThreadSpace
lpVbaSeh
lpNativeCode
szPathInformation
lpExternalTable
dwExternalCount

Description
5.00 in Hex (0x1F4). Version.
Pointer to the Object Table
Unused value after compilation.
Points to start of code. Unused.
Points to end of code. Unused.
Size of VB Object Structures. Unused.
Pointer to Pointer to Thread Object.
Pointer to VBA Exception Handler
Pointer to .DATA section.
Contains Path and ID string. < SP6
Pointer to External Table.
Objects in the External Table.

P R O J E CT I N F O 2
T B D L AT ER

A great majority of these values are only used for

compilation are leftovers of statistical data. These include
the path information, code pointers, and data size.

4. The Secondary Project Information

Structure name: none. Size: 0x28 bytes.

This Secondary structure, pointed by the Object Table contains mostly

data used when compiling the project. It does also however pave the way to
the Form List (To be described later) and gives the elusive Help Context ID.
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE
P R O J E CT I N F O 2

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x24

Name
lpHeapLink
lpObjectTable
dwReserved
dwUnused
lpObjectList
dwUnused2
szProjectDescription
szProjectHelpFile
dwReserved2
dwHelpContextId

T B D L AT ER
8

Description
Unused after compilation, always 0.
Back-Pointer to the Object Table.
Always set to -1 after compiling. Unused
Not written or read in any case.
Pointer to Object Descriptor Pointers.
Not written or read in any case.
Pointer to Project Description
Pointer to Project Help File
Always set to -1 after compiling. Unused
Help Context ID set in Project Settings.

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

5. The Object Table

Structure name: none. Size: 0x54 bytes.

The Object Table structure is pointed by the Project Info Structure. It

contains points to the Object Array, as well as more repeated Project Data
(presumably so it can be read quickly from here). Some values are also only
used when running the project in memory (in the IDE). Heres an at-a-glance
view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE
P R O J E CT I N F O 2
T B D L AT ER

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x18
0x28
0x2A
0x2C
0x2E
0x30
0x34
0x38
0x3C
0x40
0x44
0x48
0x4C
0x50

Name
lpHeapLink
lpExecProj
lpProjectInfo2
dwReserved
dwNull
lpProjectObject
uuidObject
fCompileState
dwTotalObjects
dwCompiledObjects
dwObjectsInUse
lpObjectArray
fIdeFlag
lpIdeData
lpIdeData2
lpszProjectName
dwLcid
dwLcid2
lpIdeData3
dwIdentifier

Description
Unused after compilation, always 0.
Pointer to VB Project Exec COM Object.
Secondary Project Information.
Always set to -1 after compiling. Unused
Not used in compiled mode.
Pointer to in-memory Project Data.
GUID of the Object Table.
Internal flag used during compilation.
Total objects present in Project.
Equal to above after compiling.
Usually equal to above after compile.
Pointer to Object Descriptors
Flag/Pointer used in IDE only.
Flag/Pointer used in IDE only.
Flag/Pointer used in IDE only.
Pointer to Project Name.
LCID of Project.
Alternate LCID of Project.
Flag/Pointer used in IDE only.
Template Version of Structure.

6. The Private Object Descriptor

Structure name: none. Size: 0x40 bytes.

The Private Object Descriptor Table is pointed by an array defined in

the Object List Pointer in the Secondary Project Information. The whole
structure can be deleted after compilation. Heres an at-a-glance view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT DATA

Offset
0x0
0x4
0x8
0xC
0x18
0x1C
0x20
0x2C
0x38
0x3C

Name
lpHeapLink
lpObjectInfo
dwReserved
dwIdeData[3]
lpObjectList
dwIdeData2
lpObjectList2[3]
dwIdeData3[3]
dwObjectType
dwIdentifier

P R O J E CT I N F O 2
T B D L AT ER
9

Description
Unused after compilation, always 0.
Pointer to the Object Info for this Object.
Always set to -1 after compiling.
Not valid after compilation.
Points to the Parent Structure (Array)
Not valid after compilation.
Points to the Parent Structure (Array).
Not valid after compilation.
Type of the Object described.
Template Version of Structure.

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

7. The Public Object Descriptor

Structure name: none. Size: 0x30 bytes.

The Public Object Descriptor Table is pointed by the Array

lpObjectArray in the Object Table. Each Object in the project will have its
own. Unlike the private structure, this one is actually used by VB for a
variety of tasks. Heres an at-a-glance view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE
P R O J E CT I N F O 2

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x24
0x28
0x2C

Name
lpObjectInfo
dwReserved
lpPublicBytes
lpStaticBytes
lpModulePublic
lpModuleStatic
lpszObjectName
dwMethodCount
lpMethodNames
bStaticVars
fObjectType
dwNull

Description
Pointer to the Object Info for this Object.
Always set to -1 after compiling.
Pointer to Public Variable Size integers.
Pointer to Static Variable Size integers.
Pointer to Public Variables in DATA section
Pointer to Static Variables in DATA section
Name of the Object.
Number of Methods in Object.
If present, pointer to Method names array.
Offset to where to copy Static Variables.
Flags defining the Object Type.
Not valid after compilation.

T B D L AT ER

8. The Object Info

Structure name: none. Size: 0x38 bytes.

The Object Information structure defines an Object and provides

various information to its methods and constants (in Pseudo Code). Heres an
at-a-glance view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT TABLE
P R O J E CT I N F O 2
T B D L AT ER

Offset
0x0
0x2
0x4
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x22
0x24
0x28
0x2A
0x2C
0x30
0x34

Name
wRefCount
wObjectIndex
lpObjectTable
lpIdeData
lpPrivateObject
dwReserved
dwNull
lpObject
lpProjectData
wMethodCount
wMethodCount2
lpMethods
wConstants
wMaxConstants
lpIdeData2
lpIdeData3
lpConstants

10

Description
Always 1 after compilation.
Index of this Object.
Pointer to the Object Table
Zero after compilation. Used in IDE only.
Pointer to Private Object Descriptor.
Always -1 after compilation.
Unused.
Back-Pointer to Public Object Descriptor.
Pointer to in-memory Project Object.
Number of Methods
Zeroed out after compilation. IDE only.
Pointer to Array of Methods.
Number of Constants in Constant Pool.
Constants to allocate in Constant Pool.
Valid in IDE only.
Valid in IDE only.
Pointer to Constants Pool.

Copyright
Copyright 2004 Alex Ionescu
Ionescu.
cu. All Rights Reserved. Duplication of this
this material is prohibited.

9. The Optional Object Info

Structure name: none. Size: 0x40 bytes.

The Optional Object Information structure, present only for COM

Objects (anything but a Module) defines some GUIDs as well as other useful
Form Information, and points to Controls. Heres an at-a-glance view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT DATA
P R O J E CT I N F O 2
T B D L AT ER

Offset
0x0
0x4
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x24
0x28
0x2A
0x2C
0x2E
0x30
0x34
0x38
0x3C

Name
dwObjectGuids
lpObjectGuid
dwNull
lpuuidObjectTypes
dwObjectTypeGuids
lpControls2
dwNull2
lpObjectGuid2
dwControlCount
lpControls
wEventCount
wPCodeCount
bWInitializeEvent
bWTerminateEvent
lpEvents
lpBasicClassObject
dwNull3
lpIdeData

Description
How many GUIDs to Register. 2 = Designer
Unique GUID of the Object *VERIFY*
Unused.
Pointer to Array of Object Interface GUIDs
How many GUIDs in the Array above.
Usually the same as lpControls.
Unused.
Pointer to Array of Object GUIDs.
Number of Controls in array below.
Pointer to Controls Array.
Number of Events in Event Array.
Number of P-Codes used by this Object.
Offset to Initialize Event from Event Table.
Offset to Terminate Event in Event Table.
Pointer to Events Array.
Pointer to in-memory Class Objects.
Unused.
Only valid in IDE.

10. The Control Info

Structure name: none. Size: 0x28 bytes.

The Control Information Structure contains data about each control on

the Form, and points to the Event Handler Table for this Control. Heres an
at-a-glance view:
PE HEADER
&
I AT
COM DATA
VB HEADER
PROJECT INFO
OBJECT DATA
P R O J E CT I N F O 2

Offset
0x0
0x4
0x6
0x8
0xC
0x10
0x14
0x18
0x1C
0x20
0x24

Name
fControlType
wEventcount
bWEventsOffset
lpGuid
dwIndex
dwNull
dwNull2
lpEventTable
lpIdeData
lpszName
dwIndexCopy

T B D L AT ER

11

Description
Type of control.
Number of Event Handlers supported.
Offset in to Memory struct to copy Events.
Pointer to GUID of this Control.
Index ID of this Control.
Unused.
Unused.
Pointer to Event Handler Table.
Valid in IDE only.
Name of this Control.
Secondary Index ID of this Control.