Da Li’L World of DLL Exports and Entry Points, Part 2

The first part of the series covered the ‘main’ entry points of a DLL. These are almost always present, their purpose is easy to understand and their code flow is easy to follow.

BUT…

If you reverse a lot of DLLs you know that analyzing them is always a bit of a challenge: it is common for a DLL to implement its real functionality through many other exports, and not all of them are easy to understand or analyze (e.g. COM libraries, or callbacks that are invoked asynchronously). On top of that, there are really a lot of different types of DLLs and DLL exports out there. This leads to an obvious question:

  • What DLL types and exports are actually out there?

The easiest way to answer it is to run a script over a collection of PE files, e.g. the contents of your Windows directory. The script simply parses each PE file, extracts the names of the functions it exports and produces some statistics. This is a good start, but the ‘default’ OS files alone do not reflect the bigger picture of DLL programming, which includes:

  • DLLs implementing services that may not be used on your flavor of Windows / by your applications
  • DLLs implementing very specific, rarely used services
  • Old, legacy types of DLLs
  • Plugins
  • Creativity of software developers / malware authors
  • and possibly a few other things

We obviously need a larger collection of samples.

Running the script over a few million files, including both malware and clean files, I came up with a large list of possible exports; the top entries are as follows:

  • ___CPPdebugHook
  • __GetExceptDLLinfo
  • _LOADLIBRARY_DUMMY
  • CancelDll
  • COMResModuleInstance
  • DllCanUnloadNow
  • DllGetClassObject
  • DllMain
  • DllRegisterServer
  • DllUnregisterServer
  • DriverProc
  • JumpOff
  • JumpOn
  • KsCreateAllocator
  • KsCreatePin
  • KsCreateTopologyNode
  • LoadDll
  • modmCallback
  • modMessage
  • Outt
  • ServerMain
  • ServiceMain
  • Sett
  • ThreadPro
  • … and lots more

Many of these are easy to recognize and very common; some are specific to certain families of malware and/or legitimate software. Some of them will be covered in Part 3 of this series.

And now, for the fun part.

NSFW Warning: What follows may not be Safe for work 🙂 You have been warned 🙂

I mentioned the creativity of software developers / malware authors as an interesting aspect of this research. Indeed, there are a lot of strangely named exports out there, and some of them are quite amusing.

For instance, some exported functions are (I removed name decoration from some of them for readability):

  • Smileys
    • (=_______=)
  • “Funny” or intriguing names
    • CauseOfDeath_enum
    • CBloodSucking_DLLClass
    • CreateBloodSucking
    • DeathSequence
    • haha
    • HaHaInstall
    • HaHaUninstall
    • Particles_Ghostbuster
    • SillyMe
    • youaredog
    • your system is mine
    • Zombie_QueryInterface
    • Zoo
  • Obscenities, sex-related
    • _IFeelLikeAShit
    • asOsaretopExeshit
    • _fuck
    • _fuckAllProcesses
    • _BangBangBang
    • bitchcn
    • FUCK
    • FUCKYOU
    • Fuck
    • Fuck3
    • FuckAlls
    • FuckGIRLS
    • FuckJM
    • FuckJS
    • FuckKb
    • FuckKillVirus
    • FuckMain
    • FuckPLMM
    • FuckTray
    • FuckWorld
    • StartFuck
    • StopFuck
    • Wh4tsTh3Fuck
    • fuck
    • fuck007
    • fuckOff
    • fuckabc
    • fuckyou
    • mazafaka
  • Obscenities or ‘love’ directed at AV companies and other companies, and other anti-AV or anti-specific-company sentiment (sometimes with typos)
    • FUCK360
    • Fuck360
    • FuckESETNOD32
    • FuckKV360
    • fuckingnod
    • FuckKaspersky
    • FuckRiSing
    • FuckRising
    • Fuck_Drweb
    • Fuckkav
    • Kill360Box
    • KIIsSes__McafEe
    • Kisses_Mcafee
    • Kisses_To_Mcafee
    • Kisses_To_Trojanhunter
    • Kisses_To_Tsojanhunter
    • Kisses_You_Mcafee
    • Kisses_hunter
    • SoftnyxCanSuckMyDick
    • DestoryAntiVirus
  • Non-English names (and sometimes also obscenities)
    • Russian
      • _Zdes_Tebe_Ne_Hollywood_Ruki_Nogi_Otorvut (transliterated from Russian ‘Здесь тебе не Голливуд – руки-ноги оторвут’: ‘This isn’t Hollywood, they’ll tear your arms and legs off’)
    • Japanese
      • あなたを愛し – I love you
    • Chinese
      • 操你全家TX___痞子专用鄙视TX – Literally: “fuck your whole family, TX; for hooligans only; despise TX”
      • 操死你  – Fuck you to death.
      • 怪物技能 – Monster skills.
      • 怪物数量 – The number of monsters.
      • 秒杀队友 – Kill your team member in a second.
      • 模仿会员 – Member impostor.
      • 人物自杀 – Character suicide.
      • 搜索_怪物数量 – Find number of monsters.
      • 无敌 – Invincible.
      • 熊猫 – Panda.
      • 中国万岁 – Long live China.
      • 自杀 – Suicide.
      • 自慰 – Masturbation.
      • 快乐线程 – Happy thread.
      • 狙击连发 – Continuous sniper fire.
      • 自动开枪 – Automatic fire.
      • 自动攻击 – Auto-attack

An example of a DLL with Chinese exports (including some of those listed above) is shown below:

[image: chinese_exports]

Da Li’L World of DLL Exports and Entry Points, Part 1

This series is an attempt to bring together in one place various bits of information, scattered all over the place, about the numerous types of DLL entry points and DLL exports. Knowing what functions a specific type of DLL exports helps both in identifying a file and in reverse engineering it. Everything below is written from a reverse engineer’s perspective, i.e. what you see when you open a DLL in an RCE tool such as IDA Pro. The information is based on many sources and is quite condensed; if you want a gentle introduction to DLLs instead, please read the Microsoft support article What is a DLL? first.

This is by no means an exhaustive list; the more I researched, the more I kept finding, and trying to make it all correct and nicely hyperlinked drove me a bit insane, so please consider this to be draft quality, a.k.a. a WORK IN PROGRESS. If you spot any mistake please let me know. Thanks, and see you in Part 2 soon!

Generic Exports

  • .tls
    • Not an exported function per se, but mentioned for completeness because it may be present inside a PE file. TLS callbacks (an array of function pointers referenced from the TLS data directory, which is usually backed by a .tls section) are executed by the loader before the entry point is reached, and again on thread creation and exit, so a DLL can run code before DllEntryPoint ever executes. Do read Ange’s article to understand its quirks; it’s seriously @#$%^.
  • DllEntryPoint
    • A pseudo-export (unless it really is exported, which I have actually seen) so you will see it mainly inside analysis tools such as IDA Pro. It is the actual entry point of the Portable Executable (AddressOfEntryPoint in the optional header). Note that at the source-code level, in high-level languages or RAD tools, it is a placeholder that the programmer can customize, so it can contain some ‘funny’ stuff. This is where you start the analysis, unless an RCE tool finds DllMain for you (beware that DllMain can be empty while the DLL executes code via a modified DllEntryPoint, via .tls callbacks, or, obviously, via the other exports expected for its DLL type).
  • DllMain
    • The main function of a non-.NET user-mode DLL (32- and 64-bit); it does NOT need to be exported, but sometimes is. It is called from DllEntryPoint, usually via the C run-time start-up code. If the DLL is written in assembly language it often has the same address as DllEntryPoint.
  • _CorDllMain
    • The .NET entry point (in mscoree.dll); it initializes the Common Language Runtime (CLR) and starts the .NET DLL. The native entry point of a managed DLL is a small stub that jumps to it, which is how it gets called on OSs whose loader does not handle managed images itself. Sometimes exports named like this are fake.
  • LibMain / LibEntry
    • DLL initialization entry point (16-bit). Newer DLLs use DllMain.
  • DllInstall
    • Quite common; handles installation and setup for a DLL. For regsvr32.exe to call it, the command line argument “/i” must be used; note that unless “/n” is also given, regsvr32 calls DllRegisterServer (or DllUnregisterServer with “/u”) as well. As per Microsoft:

To use DllInstall with regsvr32, add a “/i” flag followed by a colon (:) and a string. The string will be passed to DllInstall as the pszCmdLine parameter. If you omit the colon and string, pszCmdLine will be set to NULL.

  • ___DllMainCRTStartup (DLLMainCRTStartup)
    • C run-time library start-up code generated by the compiler; it initializes the CRT and then calls DllMain internally, so in most compiled DLLs this is what DllEntryPoint points to.
  • WEP (_WEP)
    • Exported by old (16-bit) DLLs and called before the DLL is removed from memory (WEP = Windows Exit Procedure).
  • LangDataCall
    • An export that can be found inside NLS*.dll on Windows 7; the function is called internally by NaturalLanguage6.dll.
  • ___CPPdebugHook
    • A debug export often found in projects built with Borland C++ Builder (BCB) / Delphi. It provides a way for a program to communicate with the Borland debugger (note: it’s not a function but a variable; the debugger finds it and writes “2” to it, changing the internal state of the RTL component, which then notifies the debugger about events via the RaiseException API with a magic value).
  • __GetExceptDLLinfo
    • Another Borland-specific export used by the debugger. This one is actually a function, called whenever the DLL is attached or a new thread is created.

If this is a lot and it’s confusing, think of it this way:

  • DllEntryPoint is like Start
  • DllMain is like WinMain

for .exe files. The code execution flow of a DLL is as follows:

If kernel mode DLL:

  • DllInitialize
  • then the DLL does its work asynchronously
  • then DllUnload when the DLL is unloaded

If user mode DLL, .NET:

  • _CorDllMain (if run on an OS supporting .NET)

If user mode and either not a .NET DLL, or a .NET DLL used on an OS not supporting .NET:

  • .tls callbacks (if any)
  • then DllEntryPoint
  • then _CorDllMain (if .NET)

[image: CorDllMain]

  • then ___DllMainCRTStartup (if it exists)

[image: ___DllMainCRTStartup]

  • then either DllEntryPoint or ___DllMainCRTStartup calls DllMain
  • and asynchronously:
    • specifically named exports for specific protocols – see the list below for examples
    • .tls callbacks depending on circumstances (loading/unloading, creating/exiting threads)
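The export survey script described in Part 2 (parse PE files, pull out the export names, produce statistics) and the ‘what runs before DllMain’ flow above can both be illustrated with one small stand-alone parser. What follows is an added example written for this page, not the author’s script: it uses only the Python standard library, reads the export directory (including forwarded exports, whose ‘address’ is a ‘DLL.Function’ string inside the directory rather than code), the TLS callback array and AddressOfEntryPoint, and reports which of the entry-point-like exports from the list above a DLL carries. Since no real DLL can ship with the text, `build_sample_dll()` constructs a minimal 32-bit DLL image in memory; its name, exports, RVAs, TLS callbacks and the forwarder target are invented for the demonstration. Pass real file paths on the command line to run it on an actual collection.

```python
import struct
import sys
from collections import Counter

# Exports from the survey above that act as, or sit right next to, a DLL's entry points.
ENTRY_LIKE = {"DllMain", "DllEntryPoint", "DllInstall", "DllRegisterServer", "DllUnregisterServer",
              "DllGetClassObject", "DllCanUnloadNow", "ServiceMain", "_CorDllMain",
              "___CPPdebugHook", "__GetExceptDLLinfo"}
EXPORT_DIR, TLS_DIR = 0, 9   # IMAGE_DIRECTORY_ENTRY_EXPORT, IMAGE_DIRECTORY_ENTRY_TLS

def parse_pe(data):
    """Headers only: entry point RVA, image base, PE32 vs PE32+, data directories, section table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1   # e_lfanew
    if pe < 0 or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, size_opt = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                  # IMAGE_OPTIONAL_HEADER
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B         # PE32+ magic
    entry = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint, i.e. DllEntryPoint
    base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    nd = opt + (108 if plus else 92)                               # NumberOfRvaAndSizes, then the directories
    dirs = [struct.unpack_from("<II", data, nd + 4 + 8 * i) for i in range(struct.unpack_from("<I", data, nd)[0])]
    secs = [struct.unpack_from("<8sIIII", data, opt + size_opt + 40 * i) for i in range(nsec)]
    return {"entry": entry, "base": base, "plus": plus, "dirs": dirs, "secs": secs}

def rva_to_off(pe, rva):
    """RVA -> file offset via the section table (RVAs inside the headers map 1:1)."""
    for _name, vsize, va, rawsize, rawptr in pe["secs"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    return rva

def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")

def exports(data, pe):
    """[(name, ordinal, rva, forwarder)]; a forwarded export's RVA points at a 'DLL.Function' string, not code."""
    exp_rva, exp_size = pe["dirs"][EXPORT_DIR] if len(pe["dirs"]) > EXPORT_DIR else (0, 0)
    if not exp_rva:
        return []
    (_chr, _time, _maj, _min, _name, base, nfunc, nnames, a_funcs, a_names,
     a_ords) = struct.unpack_from("<IIHHIIIIIII", data, rva_to_off(pe, exp_rva))
    funcs = struct.unpack_from("<%dI" % nfunc, data, rva_to_off(pe, a_funcs))
    names = struct.unpack_from("<%dI" % nnames, data, rva_to_off(pe, a_names))
    ords = struct.unpack_from("<%dH" % nnames, data, rva_to_off(pe, a_ords))
    return [(cstring(data, rva_to_off(pe, n)), base + i, funcs[i],
             cstring(data, rva_to_off(pe, funcs[i])) if exp_rva <= funcs[i] < exp_rva + exp_size else None)
            for n, i in zip(names, ords)]

def tls_callbacks(data, pe):
    """RVAs of the TLS callbacks, which the loader runs before the entry point and on every thread
    attach/detach. AddressOfCallBacks and the array it points to hold VAs (image base included)."""
    tls_rva = pe["dirs"][TLS_DIR][0] if len(pe["dirs"]) > TLS_DIR else 0
    fmt, size = ("<Q", 8) if pe["plus"] else ("<I", 4)
    cb_va = struct.unpack_from(fmt, data, rva_to_off(pe, tls_rva) + 3 * size)[0] if tls_rva else 0
    out, off = [], rva_to_off(pe, cb_va - pe["base"]) if cb_va else 0
    while cb_va and struct.unpack_from(fmt, data, off)[0]:
        out.append(struct.unpack_from(fmt, data, off)[0] - pe["base"])
        off += size
    return out

def triage(data):
    pe = parse_pe(data)
    exps = exports(data, pe)
    return {"entry_point": pe["entry"], "tls_callbacks": tls_callbacks(data, pe), "exports": exps,
            "entry_like": sorted(n for n, _, _, _ in exps if n in ENTRY_LIKE),
            "dllmain_is_entry": any(n == "DllMain" and r == pe["entry"] for n, _, r, _ in exps)}

def export_stats(blobs):
    """The Part 2 survey: count export names across a collection, skipping unparsable files."""
    counts = Counter()
    for blob in blobs:
        try:
            counts.update(n for n, _, _, _ in exports(blob, parse_pe(blob)))
        except (ValueError, IndexError, struct.error):
            pass
    return counts

def build_sample_dll():
    """Constructed 32-bit DLL image (invented, not compiler output): one .rdata section at RVA 0x1000 /
    file offset 0x200 holding an export directory and a TLS directory that lists two callbacks."""
    base, sec = 0x10000000, bytearray(0x200)
    def put(off, b): sec[off:off + len(b)] = b
    put(0x000, struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x1048, 1, 3, 3, 0x1028, 0x1034, 0x1040))
    put(0x028, struct.pack("<IIIIIIHHH", 0x1100, 0x1400, 0x1070, 0x1054, 0x105C, 0x1084, 0, 1, 2))  # funcs, names, ordinals
    put(0x048, b"sample.dll\0"); put(0x054, b"DllMain\0"); put(0x05C, b"DllRegisterServer\0")
    put(0x070, b"NTDLL.RtlGetVersion\0"); put(0x084, b"GetVersionFwd\0")   # third export forwards to ntdll
    put(0x094, struct.pack("<IIIIII", base + 0x10C0, base + 0x10C4, base + 0x10C8, base + 0x10AC, 0, 0))  # TLS dir
    put(0x0AC, struct.pack("<III", base + 0x1200, base + 0x1300, 0))   # callback VAs, NULL-terminated
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)       # i386, 1 section, DLL image
    # PE32 magic, entry point, ImageBase, Section/FileAlignment, SizeOfImage/Headers, 16 directories
    opt = bytearray(struct.pack("<H14xI8xIII16xII28xI", 0x10B, 0x1100, base, 0x1000, 0x200, 0x2000, 0x200, 16) + bytes(128))
    struct.pack_into("<II", opt, 96 + 8 * EXPORT_DIR, 0x1000, 0x94); struct.pack_into("<II", opt, 96 + 8 * TLS_DIR, 0x1094, 24)
    sh = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + fh + bytes(opt) + sh).ljust(0x200, b"\0") + bytes(sec)

if __name__ == "__main__":   # pass DLL paths as arguments, or run against the constructed sample
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_sample_dll()]
    print(*(triage(b) for b in blobs), export_stats(blobs).most_common(5), sep="\n")
```

On the constructed sample the report shows DllMain sitting exactly at AddressOfEntryPoint (the assembly-language case mentioned above), two TLS callbacks that execute before that entry point, and a forwarded export that a disassembler cannot show as code. In day-to-day work you would let pefile do the header parsing; the point of spelling it out is that the TLS callbacks live in their own data directory and will never show up in DllMain’s call graph, so a triage script that only lists exports misses code that runs first.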