Credits:
-----------------------------
NTCore Hooking Engine written by Daniel Pistelli ntcore at gmail dot com (slightly modified)
https://ntcore.com/files/nthookengine.htm

diStorm x86/x64 BSD disassembler engine
Copyright (C) 2003-2012 Gil Dabah. diStorm at gmail dot com.
https://github.com/gdabah/distorm

vb_structs.h is from vbParser by sysenter-eip

openscript.dll and injector written by David Zimmer dzzie@yahoo.com
http://sandsprite.com

About:
-----------------------------

This is a research project aimed at making any VB6 application scriptable.

This starts with an injection dll that hooks some functions in the vb runtime,
patches internal class ObjectTypes, and registers the vb.global.forms
object in the Running Object Table (ROT)

Now all of the forms, embedded controls, public methods/variables/classes are accessible
as if it were an ActiveX exe. Clients can include WSH scripts, python scripts, VB6 etc.
Basically any language that use COM objects.

A brief overview of the technique is as follows:

- VB6 process is started with an injection dll
- New thread hooks  CVBApplication_Init and BeginPaint
- CVBApplication_Init hook:
      - Stores a reference to internal VB objects during runtime initialization
      - Patches VBHeader.ProjectInfo.ObjectTable setting all classes public
- BeginPaint hook:
      - Runs from main VB6 thread
      - Adds a system menu item and subclasses main window for IPC (optional)
      - Registers internal VB.Global.Forms object in the ROT 

Note: This code is dependant on this particular version of the vb runtime (msvbvm60.dll)

See the following Avast blog post for more details: https://decoded.avast.io/davidzimmer/scripting-arbitrary-vb6-applications/