Freigeben über


How to enumerate all VB6 applications that exist on a server

One of my coworkers sent out a email to my team asking if anyone knew of a tool that would find any VB6 (or older) based applications on a server.  He has a customer that needs to do this for support compliance reasons.  When such applications are found they want to ensure they have a plan to uplift.

In order to determine if an executable is a VB application, we need to determine if it depends on VBRUN.DLL.  We can do this with dumpbin.exe by using the /DEPENDENTS  option.

Let's take a look at the output from this command:

 C:>for %i in (%SystemRoot%system32notepad.exe) do dumpbin %i /DEPENDENTS   
       
 C:>dumpbin C:Windowssystem32notepad.exe /DEPENDENTS   
 Microsoft (R) COFF/PE Dumper Version 8.00.50727.42   
 Copyright (C) Microsoft Corporation.  All rights reserved.   
         
 Dump of file C:Windowssystem32notepad.exe   
       
   File Type: EXECUTABLE IMAGE  
      
     Image has the following dependencies:  
      
       ADVAPI32.dll  
       KERNEL32.dll  
       GDI32.dll  
       USER32.dll  
       ...

As we can see, we do get the DLL details we are looking for.  Now, we just need to create logic that can parse the results and provide use with the details we need.  Our goal is to enumerate all the executables that have a dependency on VBRULL.DLL.

Sure, we could write some C# I/O code that reads the file line-by-line, caching the name of the executables while looping and when we find VBRUN.DLL, write the executable name to a text file.  Using this approach is fine, but for our purposes all we need are the details in a text and how we get them is not that important to us.

We can accomplish this task with a little batch programming.

First, lets use NOTEPAD.EXE as our baseline for establishing a command/batch file that will provide the details we need.  Let's not forget the power of the "for loop" batch command. 

Let's start by writing a command that will enumerate all occurrences of executables in the "%SystemRoot%system32" directory and dumping all dependencies for each executable to individual files.

 C:>for %i in (%SystemRoot%system32notepad.exe) do dumpbin %i /DEPENDENTS   
       
 C:>dumpbin C:Windowssystem32notepad.exe /DEPENDENTS   
 Microsoft (R) COFF/PE Dumper Version 8.00.50727.42   
 Copyright (C) Microsoft Corporation.  All rights reserved.   
         
 Dump of file C:Windowssystem32notepad.exe   
       
   File Type: EXECUTABLE IMAGE  
      
     Image has the following dependencies:  
      
       ADVAPI32.dll  
       KERNEL32.dll  
       GDI32.dll  
       USER32.dll  
       ...

Okay, so the purpose of using a "for loop" should be clear, but in this example I will restrict it by asking for a specific file "notepad.exe".  So now that I have a working "for loop" that utilizes "dumpbin.exe" to dump the dependencies, we can more to our next step, which is dumping the results to a file, then parsing each file for the occurrence of "USER32.DLL" and then outputting the executable details to a "RESULTS.TXT" file.

To boil this down a bit, we really only need two steps.

 for %%i in (%SystemRoot%system32notepad.exe) do dumpbin %%i /DEPENDENTS /OUT:%%i.VBTXT
 for %%i in (%SystemRoot%system32*.VBTXT) do FINDSTR /I "USER32.DLL" %%i  %%i >>RESULTS.TXT
 Notepad RESULTS.TXT 

Pasting the above commands into a .CMD file and running will result in notepad opening the RESULTS.TXT, which will contain an enumeration of all executables that have a dependency on "USER32.DLL".  This approach can easily be used to enumerate all executables that have a dependency on "VBRULL.DLL".  Of course you will need to tweak it to make it more useful.

Regards - Rick

Comments