Scripting the disassembler: Local agentic reverse engineering through vbdec’s live COM object model
The article details a novel approach to reverse engineering where the VB6 disassembler vbdec exposes its internal object model via the Windows Component Object Model (COM). This allows local AI agents to programmatically query and automate complex analysis tasks, such as decompilation and call graph generation, without requiring built-in AI features or cloud uploads.
Detection / HunterGoogle
What Happened
Security researchers have demonstrated a new way to use AI to analyze software programs without sharing sensitive data online. By tweaking a specific analysis tool called vbdec, they allowed local AI assistants to directly read and interact with the tool's internal data. This means analysts can simply ask the AI to map out or explain complex code, saving hours of manual work. It matters because it keeps sensitive files safe on the user's computer while vastly speeding up the investigation process. Security teams should consider adopting tools that allow this kind of local, scriptable AI interaction.
Key Takeaways
- Analysis tools can support AI agent workflows by exposing their internal data models via scripting interfaces like COM, rather than building in native AI features.
- The vbdec disassembler registers its parsed VB6 project in the Windows Running Object Table (ROT), allowing local scripts to query it directly.
- Local AI agents (such as Claude Code) can automate complex reverse engineering tasks like decompilation and call graph generation without sending sensitive binaries to the cloud.
- This architecture turns a GUI-based disassembler into a persistent data server, decoupling the tool's capabilities from its hardcoded feature list.
Affected Systems
- Windows (Reverse Engineering Environments)
Attack Chain
This article does not describe an attack chain. Instead, it outlines a reverse engineering methodology where an analyst uses a local AI agent to interact with the vbdec disassembler via Windows COM. The agent executes VBScript to query the disassembler's live object model, automating tasks like decompilation, call graph generation, and opcode database construction.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules are provided as this article discusses a reverse engineering tool and methodology rather than a threat.
Detection Engineering Assessment
- EDR Visibility: None — The article discusses a local reverse engineering workflow, not malicious activity to be detected by EDR.
- Network Visibility: None — The described AI agent and COM interactions occur entirely locally on the analyst's workstation.
- Detection Difficulty: N/A — This is a defensive reverse engineering technique, not a threat to be detected.
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| If you have visibility into script execution, consider hunting for cscript.exe or wscript.exe processes that bind to unusual COM objects via GetObject. This indicates automated local scripting, which may be legitimate analysis work or discovery activity; use the parent process and script source to tell them apart. | Process Execution, Script Block Logging | Execution | High |
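The following is an added example of the hunting logic described in the table, not code from the article or from vbdec. It flags script-host launches (cscript.exe / wscript.exe) in process-creation telemetry and GetObject() calls in script text, since GetObject is the VBScript call that binds to a COM object such as one registered in the Running Object Table. Every log line, script line and ProgID in it is constructed; the interactive-parent list is an assumption to be tuned per environment.

```python
"""Hunting helper: script-host launches plus GetObject() COM binds.
Added example, not the article's or vbdec's code; all telemetry below
is constructed."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
# Parents an analyst typically launches scripts from (assumption; tune per estate).
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "windowsterminal.exe", "code.exe"}
# Matches GetObject("moniker") and GetObject("", "Prog.Id"); an unquoted argument is a variable.
GETOBJECT_RE = re.compile(
    r'\bGetObject\s*\(\s*(?:"([^"]*)")?(?:\s*,\s*"([^"]*)")?', re.IGNORECASE
)


@dataclass
class Finding:
    source: str   # record or script that produced the hit
    reason: str   # why it was flagged
    detail: str   # command line or COM target
    triage: str   # hint for false-positive review


def parse_kv_event(line):
    """Parse a constructed key="value" process-creation record into a dict."""
    return {m.group(1): m.group(2).strip('"')
            for m in re.finditer(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt_process_events(lines):
    """One Finding per script-host launch, with a parent-based triage hint."""
    findings = []
    for idx, line in enumerate(lines):
        ev = parse_kv_event(line)
        if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
            continue
        parent = basename(ev.get("ParentImage", ""))
        triage = ("interactive parent" if parent in INTERACTIVE_PARENTS
                  else "non-interactive parent")
        findings.append(Finding(f"event[{idx}]", "script host launched",
                                ev.get("CommandLine", ""), triage))
    return findings


def hunt_script_text(name, text):
    """One Finding per GetObject() call, naming the COM target when it is a literal."""
    findings = []
    for m in GETOBJECT_RE.finditer(text):
        moniker, progid = m.group(1), m.group(2)
        target = progid or moniker or "<variable argument>"
        triage = "literal target" if target != "<variable argument>" else "inspect at runtime"
        findings.append(Finding(name, "GetObject COM bind", target, triage))
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    'Image="C:\\Windows\\System32\\cscript.exe" CommandLine="cscript.exe //nologo C:\\re\\callgraph.vbs" ParentImage="C:\\Windows\\System32\\cmd.exe"',
    'Image="C:\\Windows\\explorer.exe" CommandLine="explorer.exe" ParentImage="C:\\Windows\\System32\\userinit.exe"',
    'Image="C:\\Windows\\System32\\wscript.exe" CommandLine="wscript.exe C:\\Users\\a\\Downloads\\report.vbs" ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"',
]

# Constructed analyst-style script; the ProgID is a placeholder, not vbdec's real one.
SAMPLE_SCRIPT = r'''
Set app = GetObject("EXAMPLE.Project")
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
Set other = GetObject(strMoniker)
'''

if __name__ == "__main__":
    hits = hunt_process_events(SAMPLE_PROCESS_EVENTS) + hunt_script_text("sample.vbs", SAMPLE_SCRIPT)
    for f in hits:
        print(f"{f.source}: {f.reason} -> {f.detail} [{f.triage}]")
```

The parent-process hint is what keeps the hypothesis workable in practice: an analyst's cscript.exe launched from a terminal on a reverse engineering workstation is expected, while the same host launched by a document reader is what the "non-interactive parent" tag is meant to surface for review.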
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate the integration of local AI agents and scriptable disassemblers (like vbdec) into your reverse engineering workflows to improve analysis efficiency.
Infrastructure Hardening
- Consider restricting access to sensitive reverse engineering environments to prevent unauthorized access to local AI models and parsed binaries.
User Protection
- Ensure reverse engineering workstations are isolated from production networks to safely analyze potentially malicious binaries.
Security Awareness
- Train malware analysts and reverse engineers on leveraging COM interfaces and local AI agents for automated binary analysis.