Da Li’L World of DLL Exports and Entry Points, Part 2

August 11, 2013 in Batch Analysis, Malware Analysis

The first part of the series talked about the ‘main’ entry points of a DLL. These are almost always there, and it’s easy to understand their functionality and follow their code flow.

BUT…

If you do a lot of reversing you surely know that looking at files of this type (i.e. reversing them) is always a bit of a challenge: it’s quite common for them to implement some of their functionality via many other exports, and often not all of these are easy to understand or analyze (e.g. COM libraries and asynchronously called code); on top of that, there are really a lot of different types of DLLs and DLL exports out there. This leads us to an obvious question:

  • What DLL types and exports are actually out there?

The easiest way to answer this question is to run a script that extracts this information from a collection of PE files, e.g. from your Windows directory. The script simply parses each PE file, extracts the names of the functions exported by the ‘default’ OS files, and generates some stats. This is a good approach, but it doesn’t take into account many aspects of the ‘big picture of DLL programming’, which includes:

  • DLLs implementing services that may not be used on your flavor of Windows / applications
  • DLLs implementing services that are very specific, but rarely used
  • Old, legacy types of DLL
  • Plugins
  • Creativity of software developers / malware authors
  • and possibly a few other things

We obviously need a larger collection of samples.
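The export-harvesting script the post describes, written out as an added example (it is not the author’s script): a pure-Python PE export table parser, a counter that aggregates export names across many files, and a directory walker that feeds it. Everything here is an assumption of this example: the function names (`parse_exports`, `export_stats`, `scan_directory`), the choice of file extensions, and `build_sample_dll`, which constructs a minimal PE32 image with nothing but an export table so the demo can run offline without a real Windows directory. Malformed files are counted rather than allowed to abort a multi-million-file run.

```python
import collections
import os
import struct
import sys


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table; raise if no section backs it."""
    for virt_addr, raw_size, raw_ptr in sections:
        if virt_addr <= rva < virt_addr + raw_size:
            return rva - virt_addr + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def parse_exports(data):
    """Return the exported names of a PE image held in memory (struct-only, no pefile)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    # Data directory 0 is the export table: it starts at +96 in PE32 and +112 in PE32+.
    export_rva, export_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if export_rva == 0 or export_size == 0:
        return []
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_opt + 40 * i
        # VirtualAddress, SizeOfRawData, PointerToRawData live at +12, +16, +20 of a section header.
        sections.append(struct.unpack_from("<III", data, hdr + 12))
    exp_dir = _rva_to_offset(export_rva, sections)
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames at +0x18, AddressOfFunctions at +0x1C, AddressOfNames at +0x20.
    num_names, _, names_rva = struct.unpack_from("<III", data, exp_dir + 0x18)
    if num_names == 0:
        return []
    if num_names > 65536:
        raise ValueError("implausible NumberOfNames %d" % num_names)  # sanity cap for corrupt files
    names_table = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_table + 4 * i)[0]
        start = _rva_to_offset(name_rva, sections)
        end = data.index(b"\0", start)
        # Names are NUL-terminated byte strings; decode leniently since not all are ASCII.
        names.append(data[start:end].decode("utf-8", "replace"))
    return names


def build_sample_dll(names):
    """Constructed test fixture: a minimal PE32 image whose single section holds only an export table."""
    sec_rva, sec_off = 0x1000, 0x200
    blob = bytearray(40)                          # IMAGE_EXPORT_DIRECTORY, filled in below
    name_ptrs_rva = sec_rva + 40
    func_rva = name_ptrs_rva + 4 * len(names)
    ord_rva = func_rva + 4 * len(names)
    str_rva = ord_rva + 2 * len(names)
    strings, ptrs = bytearray(), []
    for n in names:
        ptrs.append(str_rva + len(strings))
        strings += n.encode("utf-8") + b"\0"
    # Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, then AddressOfNames, AddressOfNameOrdinals.
    struct.pack_into("<IIII", blob, 16, 1, len(names), len(names), func_rva)
    struct.pack_into("<II", blob, 32, name_ptrs_rva, ord_rva)
    blob += struct.pack("<%dI" % len(names), *ptrs)
    blob += struct.pack("<%dI" % len(names), *([0x2000] * len(names)))  # dummy function RVAs
    blob += struct.pack("<%dH" % len(names), *range(len(names)))
    blob += strings
    hdr = bytearray(sec_off)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew
    pe = 0x40
    hdr[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, pe + 4, 0x14C, 1)  # Machine = i386, NumberOfSections = 1
    struct.pack_into("<H", hdr, pe + 20, 224)     # SizeOfOptionalHeader for PE32
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)       # PE32 magic
    struct.pack_into("<II", hdr, opt + 96, sec_rva, len(blob))  # export data directory
    sec = opt + 224
    hdr[sec:sec + 8] = b".edata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, len(blob), sec_rva, len(blob), sec_off)
    return bytes(hdr) + bytes(blob)


def export_stats(images):
    """Count export names over many PE images (once per file); unparsable inputs are tallied, not fatal."""
    counter, unparsable = collections.Counter(), 0
    for data in images:
        try:
            counter.update(set(parse_exports(data)))
        except (ValueError, struct.error, IndexError):
            unparsable += 1
    return counter, unparsable


def scan_directory(path, extensions=(".dll", ".ocx", ".sys", ".exe")):
    """Walk a tree such as C:\\Windows\\System32 and feed every PE-looking file to export_stats."""
    def images():
        for root, _, files in os.walk(path):
            for name in files:
                if name.lower().endswith(extensions):
                    with open(os.path.join(root, name), "rb") as fh:
                        yield fh.read()
    return export_stats(images())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        counter, bad = scan_directory(sys.argv[1])
    else:  # constructed fixtures: two tiny DLL images plus one junk file
        counter, bad = export_stats([
            build_sample_dll(["DllMain", "DllRegisterServer", "DllUnregisterServer"]),
            build_sample_dll(["DllMain", "DllGetClassObject", "DllCanUnloadNow"]),
            b"not a PE file"])
    for name, count in counter.most_common(25):
        print("%6d  %s" % (count, name))
    print("unparsable files:", bad)
```

Run it with a directory argument to produce the frequency table on real files; with no argument it runs against the constructed fixtures. Only the name table is read here; a fuller version would also walk AddressOfFunctions to spot forwarders and ordinal-only exports, which a string dump alone never shows.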

Running the script over a few million files, including both malware and clean files, I came up with a large list of possible exports, with the top entries being as follows:

  • ___CPPdebugHook
  • __GetExceptDLLinfo
  • _LOADLIBRARY_DUMMY
  • CancelDll
  • COMResModuleInstance
  • DllCanUnloadNow
  • DllGetClassObject
  • DllMain
  • DllRegisterServer
  • DllUnregisterServer
  • DriverProc
  • JumpOff
  • JumpOn
  • KsCreateAllocator
  • KsCreatePin
  • KsCreateTopologyNode
  • LoadDll
  • modmCallback
  • modMessage
  • Outt
  • ServerMain
  • ServiceMain
  • Sett
  • ThreadPro
  • … and lots more

Many of these are easy to recognize and are very common; some are specific to certain families of malware and/or legitimate software. Some of these will be covered in Part 3 of this series.

And now, for the fun part.

NSFW Warning: What follows may not be Safe for work :) You have been warned :)

I mentioned the creativity of software developers / malware authors as being an interesting aspect of this research. Indeed, there are a lot of exports that are named in a strange way, and some of them are actually quite amusing.

For instance, some exported functions are (I removed name decoration from some of the functions for readability):

  • Smileys
    • (=_______=)
  • “Funny” or intriguing names
    • CauseOfDeath_enum
    • CBloodSucking_DLLClass
    • CreateBloodSucking
    • DeathSequence
    • haha
    • HaHaInstall
    • HaHaUninstall
    • Particles_Ghostbuster
    • SillyMe
    • youaredog
    • your system is mine
    • Zombie_QueryInterface
    • Zoo
  • Obscenities, sex-related
    • _IFeelLikeAShit
    • asOsaretopExeshit
    • _fuck
    • _fuckAllProcesses
    • _BangBangBang
    • bitchcn
    • FUCK
    • FUCKYOU
    • Fuck
    • Fuck3
    • FuckAlls
    • FuckGIRLS
    • FuckJM
    • FuckJS
    • FuckKb
    • FuckKillVirus
    • FuckMain
    • FuckPLMM
    • FuckTray
    • FuckWorld
    • StartFuck
    • StopFuck
    • Wh4tsTh3Fuck
    • fuck
    • fuck007
    • fuckOff
    • fuckabc
    • fuckyou
    • mazafaka
  • Obscenities or ‘love’ directed at AV companies and other companies, and other anti-AV or anti-specific-company sentiment (sometimes with typos)
    • FUCK360
    • Fuck360
    • FuckESETNOD32
    • FuckKV360
    • fuckingnod
    • FuckKaspersky
    • FuckRiSing
    • FuckRising
    • Fuck_Drweb
    • Fuckkav
    • Kill360Box
    • KIIsSes__McafEe
    • Kisses_Mcafee
    • Kisses_To_Mcafee
    • Kisses_To_Trojanhunter
    • Kisses_To_Tsojanhunter
    • Kisses_You_Mcafee
    • Kisses_hunter
    • SoftnyxCanSuckMyDick
    • DestoryAntiVirus
  • Non-English names (and sometimes also obscenities)
    • Russian
      • _Zdes_Tebe_Ne_Hollywood_Ruki_Nogi_Otorvut (from Russian ‘Здесь тебе не Голливуд – руки-ноги оторвут’, ‘This isn’t Hollywood, they’ll tear your arms and legs off’)
    • Japanese
      • あなたを愛し – I love you
    • Chinese
      • 操你全家TX___痞子专用鄙视TX – Literally: “fuck your whole family”, and after the underscores: “vulgar language specifically used by scumbags”
      • 操死你 – Fuck you to death.
      • 怪物技能 – Monster skills.
      • 怪物数量 – The number of monsters.
      • 秒杀队友 – Kill your team member in a second.
      • 模仿会员 – Member impostor.
      • 人物自杀 – Character suicide.
      • 搜索_怪物数量 – Find number of monsters.
      • 无敌 – Invincible.
      • 熊猫 – Panda.
      • 中国万岁 – Long live China.
      • 自杀 – Suicide.
      • 自慰 – Masturbation.
      • 快乐线程 – Happy thread.
      • 狙击连发 – Continuous sniper firing.
      • 自动开枪 – Automatic fire.
      • 自动攻击 – Auto-attack.

An example of a DLL with Chinese exports (including some of those listed above) is shown below:

[Image: chinese_exports, a screenshot of a DLL’s export table showing Chinese-named exports]
