Writing a Frida-based VBS API monitor, Take two
2024-7-8 02:34:33 Author: www.hexacorn.com

In my previous post I introduced a simple VBS API Monitor developed using Frida framework.

Today I did some more code analysis of vbscript.dll and realized that in my previous post I made a naive assumption: that arguments are passed to VBS callback functions using the same conventions as the Windows API.

It turns out that the arguments are passed via the second argument (r8 on 64-bit Windows), and the number of arguments is passed in the first argument (rdx on 64-bit Windows). So we can read the value of the first argument and use it to loop over the memory region pointed to by r8, where the arguments are laid out one every 24 bytes (8×3).

Additionally, I discovered that there is one more VARIANT type that indicates string arguments passed by reference. I have added it to the code as well, so now all the functions show their arguments correctly.
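As an added example (not the post's own monitor script), here is the argument walk just described: the count from the first register argument, the array from the second, one 24-byte VARIANT per entry, with the by-reference string type handled. The VT constants and field offsets are assumed from the Win32 VARIANT definition, and the memory-access interface `mem` is an assumption of this example so the decoder can be exercised offline against a constructed buffer.

```javascript
const VT = { EMPTY: 0, NULL: 1, I4: 3, R8: 5, BSTR: 8, BOOL: 11, BYREF: 0x4000 };
const VARIANT_SIZE = 24; // sizeof(VARIANT) on 64-bit Windows, the 8x3 stride from the post

// Decode one VARIANT at `base`: vt at offset 0, value union at offset 8. With VT_BYREF
// set, the union holds a pointer to the value (VT_BYREF|VT_BSTR points at a BSTR*).
function decodeVariant(mem, base) {
  const vt = mem.readU16(base);
  const loc = (vt & VT.BYREF) ? mem.readPtr(base + 8) : base + 8;
  switch (vt & ~VT.BYREF) {
    case VT.EMPTY: case VT.NULL: return { vt, value: null };
    case VT.I4:   return { vt, value: mem.readS32(loc) };
    case VT.R8:   return { vt, value: mem.readF64(loc) };
    case VT.BOOL: return { vt, value: mem.readS16(loc) !== 0 }; // VARIANT_BOOL: -1 true, 0 false
    case VT.BSTR: { const s = mem.readPtr(loc); return { vt, value: s === 0 ? null : mem.readUtf16(s) }; }
    default:      return { vt, value: '<unhandled vt 0x' + vt.toString(16) + '>' };
  }
}

// Walk the array: `argc` comes from the 1st register argument (rdx), `argv` from the 2nd (r8).
function decodeArgs(mem, argc, argv) {
  const out = [];
  for (let i = 0; i < argc; i++) out.push(decodeVariant(mem, argv + i * VARIANT_SIZE));
  return out;
}

// Offline `mem` over a Buffer treated as mapped at `baseAddr` (constructed, for testing).
// Under Frida the same interface wraps NativePointer reads instead.
function bufferMemory(buf, baseAddr) {
  const off = a => a - baseAddr;
  return {
    readU16: a => buf.readUInt16LE(off(a)), readS16: a => buf.readInt16LE(off(a)),
    readS32: a => buf.readInt32LE(off(a)),  readF64: a => buf.readDoubleLE(off(a)),
    readPtr: a => Number(buf.readBigUInt64LE(off(a))),
    readUtf16: a => { let s = '', p = off(a); for (; buf.readUInt16LE(p); p += 2) s += String.fromCharCode(buf.readUInt16LE(p)); return s; },
  };
}

// Constructed sample: four VARIANTs at 0x10000 (I4 42, BSTR "hi", BYREF|BSTR "ref", BOOL True).
function sampleArgs() {
  const base = 0x10000, buf = Buffer.alloc(0x200);
  const put = (o, vt, write) => { buf.writeUInt16LE(vt, o); write(o + 8); };
  put(0x00, VT.I4, o => buf.writeInt32LE(42, o));
  put(0x18, VT.BSTR, o => buf.writeBigUInt64LE(BigInt(base + 0x100), o));
  put(0x30, VT.BYREF | VT.BSTR, o => buf.writeBigUInt64LE(BigInt(base + 0x80), o));
  put(0x48, VT.BOOL, o => buf.writeInt16LE(-1, o));
  buf.writeBigUInt64LE(BigInt(base + 0x120), 0x80);   // the BSTR* the by-ref argument points at
  buf.write('hi', 0x100, 'utf16le'); buf.write('ref', 0x120, 'utf16le');
  return decodeArgs(bufferMemory(buf, base), 4, base);
}
```

Under Frida, give `decodeArgs` a `mem` whose methods wrap `ptr(a).readU16()`, `readS16()`, `readS32()`, `readDouble()`, `readPointer()` and `readUtf16String()` (converting returned pointers with `Number(p.toString())`, which is exact for user-mode addresses), and call it from `Interceptor.attach`'s `onEnter` with `args[1].toInt32()` as the count and `Number(args[2].toString())` as the array address.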

With these changes in place we get this (for the test script from the previous post):

The updated IDAPython script can be found here.


Source: https://www.hexacorn.com/blog/2024/07/07/writing-a-frida-based-vbs-api-monitor-take-two/