
不注册调用ActiveX Dll

来源:Http://myeducs.cn 联系QQ:点击这里给我发消息 作者: 用户投稿 来源: 网络 发布时间: 12/10/16
------------------------------------------

Option Explicit

'' Class module cFucPtr (the calling code creates it with "New cFucPtr").
'' It serves as a forwarding object: the calling code overwrites the vtable slot
'' of DllGetClassObject with the address of a small machine-code thunk, and the
'' thunk jumps to the address held in m_NewFucPtr.

'' Holds the function address obtained after the DLL has been loaded.
'' NOTE(review): the thunk jumps through [this + 52]; presumably this field must
'' remain the first member variable of the class so that it sits at that
'' offset - confirm before adding or reordering fields.
Private m_NewFucPtr As Long

'' Placeholder whose only purpose is to give the call site the right signature.
'' The body is intentionally empty: once the vtable slot has been replaced, a
'' call to this method is redirected and this body is not expected to run.
'' NOTE(review): the slot index used by the caller presumably depends on this
'' being the first Public member of the class - confirm before reordering.
''   rclsid - class id of the object whose class factory is requested
''   riid   - interface id requested on the factory
''   ppv    - receives the class factory
'' Returns a Long (the caller shown on this page ignores it).
Public Function DllGetClassObject( _
    ByRef rclsid As UUID, ByRef riid As UUID, ByRef ppv As IClassFactory) As Long

End Function

'' Stores the raw address that the thunk will jump to.
'' No validation is done here; the caller must pass a non-zero address returned
'' by GetProcAddress for a function with the DllGetClassObject signature.
Public Sub SetFunctionPtr(newptr&)
m_NewFucPtr = newptr
End Sub


'' Next, create a standard module (.bas) with the following declarations.

Option Explicit

'' Win32 imports used to load the DLL manually and to read/write raw memory.
'' LoadLibrary is bound to the ANSI entry point (LoadLibraryA) and returns 0 on failure.
Public Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
'' Releases a module handle obtained from LoadLibrary.
Public Declare Function FreeLibrary Lib "kernel32.dll" (ByVal hLibModule As Long) As Long
'' Resolves an exported function by name; returns 0 when the export is missing.
Public Declare Function GetProcAddress Lib "kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long
'' Raw memory copy (RtlMoveMemory). Both pointers are declared "As Any", so the
'' compiler performs no type or bounds checking: a wrong address or length
'' corrupts memory or crashes the process.
Public Declare Sub CopyMemory Lib "kernel32.dll" Alias "RtlMoveMemory" (ByRef Destination As Any, ByRef Source As Any, ByVal Length As Long)

'' Eight bytes of storage (two Longs, indices 0 and 1) that hold the
'' machine-code thunk filled in during initialization.
Public Type typAsm
    code(1) As Long
End Type
'' Module-level instance; its address (VarPtr(asm)) is what gets written into
'' the vtable, so it must stay alive for as long as the patched method can be called.
Public asm As typAsm


'' Then, during initialization, set asm to the following values.
'' (These two assignments must be placed inside an initialization procedure.)
'' Stored little-endian, the two Longs give the byte stream
''   59 58 51 FF 60 34 00 90
'' The last two bytes (00 90) only pad the 8-byte variable; they follow the
'' jmp and are never executed.
asm.code(0) = &HFF515859
asm.code(1) = &H90003460
'' This is machine code; in assembly it is:
''pop ecx
''pop eax
''push ecx
''jmp DWORD PTR [eax + 52]
'' This was copied from elsewhere and I do not fully understand how it works;
'' the original comment follows.
'' NOTE(review): the quoted comment describes a variant that jumps through
'' [this + 4] (bytes 59 58 51 FF 60 04, padded with CC CC). The values assigned
'' above encode [eax + 52] (&H34) instead, i.e. the target address is read from
'' offset 52 of the cFucPtr instance - presumably where m_NewFucPtr is stored;
'' confirm before reusing.
''Here's the magic asm for doing the function pointer call.
''The stack comes in with the following:
''esp: return address
''esp + 4: this pointer for FunctionDelegator
''All that we need to do is remove the this pointer from the
''stack, replace it with the return address, then jmp to the
''correct function.  In other words, we're just squeezing the
''this pointer completely out of the picture.
''The code is:
''pop ecx (stores return address)
''pop eax (gets the this pointer)
''push ecx (restores the return address)
''jmp DWORD PTR [eax + 4] (jump to address at this + 4, 3 byte instruction)
''The corresponding byte stream for this is: 59 58 51 FF 60 04
''We pad these six bytes with two int 3 commands (CC CC) to get eight
''bytes, which can be stored in a Currency constant.
''Note that the memory location of this constant is not executable, so
''it must be copied into a currency variable.  The address of the variable
''is then used as the forwarding function.


'' The calling code follows.
'' tadd - address of the DLL's exported DllGetClassObject
'' vTab - address of the cFucPtr vtable
Dim tadd As Long, vTab&
Dim tobj As cFucPtr

'' Module handle returned by LoadLibrary.
Dim tLib&

'' tUn and tDem are declared but not used in the part of the listing shown here.
Dim tUn As olelib.IUnknown
Dim tDem As dllDemo.IDemo
Dim tFac As olelib.IClassFactory

Set tobj = New cFucPtr

'' Load the DLL.
'' A full path is passed, so the loader does not search other directories for
'' the file. COM registration is bypassed, however, and whatever file sits at
'' this path runs in-process with the application's privileges: anyone able
'' to write to the application directory controls the loaded code. Keep that
'' directory writable by administrators only; verifying the file (signature or
'' a known hash) before loading is a reasonable extra check.
tLib = LoadLibrary(App.Path & "\dllDemo.dll")
If tLib <> 0 Then
    tadd = GetProcAddress(tLib, "DllGetClassObject")
End If

Dim asmadd&
If tadd <> 0 Then
    '' Read the vtable address (the first 4 bytes of the object).
    CopyMemory vTab, ByVal ObjPtr(tobj), 4
    '' The thunk bytes live in an ordinary module-level variable.
    '' NOTE(review): the call below only works while that memory is executable;
    '' with DEP enforced for the process it presumably faults with an access
    '' violation - confirm on the target systems.
    asmadd = VarPtr(asm)
    '' Overwrite the vtable slot of cFucPtr.DllGetClassObject with the thunk
    '' address: (8 - 1) * 4 is byte offset 28, i.e. slot index 7.
    '' NOTE(review): presumably slots 0-6 are the IUnknown/IDispatch methods and
    '' slot 7 is the first Public member; this write patches the class vtable
    '' itself, so it likely affects every cFucPtr instance - confirm.
    CopyMemory ByVal (vTab + (8 - 1) * 4), asmadd, 4
   
    '' Store the target function address in the object.
    tobj.SetFunctionPtr tadd

    '' Through the patched slot this call is forwarded to the DLL's
    '' DllGetClassObject. ClsId_Obj and iid_iclassfactory are defined outside
    '' this listing. The returned value is discarded here; check it before
    '' using tFac.
    '' The listing ends at this point on the page: the closing End If, the use
    '' of tFac and the matching FreeLibrary call are not shown.
    tobj.DllGetClassObject ClsId_Obj, iid_iclassfactory, tFac
   
   
  
