{"id":2081,"date":"2013-08-11T12:45:27","date_gmt":"2013-08-11T12:45:27","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2081"},"modified":"2023-05-12T21:44:49","modified_gmt":"2023-05-12T21:44:49","slug":"da-lil-world-of-dll-exports-and-entry-points-part-2","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2013\/08\/11\/da-lil-world-of-dll-exports-and-entry-points-part-2\/","title":{"rendered":"Da Li&#8217;L World of DLL Exports and Entry Points, Part 2"},"content":{"rendered":"<p>The first part of the <a title=\"Da Li\u2019L World of DLL Exports and Entry Points, Part 1\" href=\"https:\/\/www.hexacorn.com\/blog\/2013\/08\/08\/da-lil-world-of-dll-exports-and-entry-points-part-1\/\">series<\/a> talked about the &#8216;main&#8217; entry points of the DLL. These are almost always there and it&#8217;s easy to understand their functionality and follow their code flow.<\/p>\n<p>BUT&#8230;<\/p>\n<p>If you do a lot of reversing, you surely know that analyzing files of this type is always a bit of a challenge, as it&#8217;s quite common for them to implement some functionality via many other exports, and often not all of them are very easy to understand or analyze (e.g. COM libraries and asynchronously called stuff); plus, on top of that, there are really a lot of different types of DLLs and DLL exports out there. This leads us to an obvious question:<\/p>\n<ul>\n<li>What DLL types and exports are actually out there?<\/li>\n<\/ul>\n<p>The easiest way to answer this question is to run a script that will extract this information from a collection of PE files, e.g. from your Windows directory. The script will simply parse each PE file, extract the information on what functions are exported by the &#8216;default&#8217; OS files and generate some stats. 
This is a good approach, but it doesn&#8217;t take into account many aspects of the &#8216;big picture of DLL programming&#8217;, which includes:<\/p>\n<ul>\n<li>DLLs implementing services that may not be used on your flavor of Windows \/ applications<\/li>\n<li>DLLs implementing services that are very specific, but rarely used<\/li>\n<li>Old, legacy types of DLLs<\/li>\n<li>Plugins<\/li>\n<li>Creativity of software developers \/ malware authors<\/li>\n<li>and possibly a few other things<\/li>\n<\/ul>\n<p>We obviously need a larger collection of samples.<\/p>\n<p>Running the script over a few million files, including both malware and clean files, I came up with a large list of possible exports, with the top entries being as follows:<\/p>\n<ul>\n<li>___CPPdebugHook<\/li>\n<li>__GetExceptDLLinfo<\/li>\n<li>_LOADLIBRARY_DUMMY<\/li>\n<li>CancelDll<\/li>\n<li>COMResModuleInstance<\/li>\n<li>DllCanUnloadNow<\/li>\n<li>DllGetClassObject<\/li>\n<li>DllMain<\/li>\n<li>DllRegisterServer<\/li>\n<li>DllUnregisterServer<\/li>\n<li>DriverProc<\/li>\n<li>JumpOff<\/li>\n<li>JumpOn<\/li>\n<li>KsCreateAllocator<\/li>\n<li>KsCreatePin<\/li>\n<li>KsCreateTopologyNode<\/li>\n<li>LoadDll<\/li>\n<li>modmCallback<\/li>\n<li>modMessage<\/li>\n<li>Outt<\/li>\n<li>ServerMain<\/li>\n<li>ServiceMain<\/li>\n<li>Sett<\/li>\n<li>ThreadPro<\/li>\n<li>&#8230; and lots more<\/li>\n<\/ul>\n<p>Many of these are easy to recognize and are very common; some are specific to certain families of malware and\/or legitimate software. Some of these will be covered in Part 3 of this series.<\/p>\n<p>And now, for the fun part.<\/p>\n<p><strong>NSFW Warning:<\/strong> What follows may not be Safe for work \ud83d\ude42 You have been warned \ud83d\ude42<\/p>\n<p>I mentioned the creativity of software developers \/ malware authors being an interesting aspect of research. 
Indeed, there are a lot of exports that are named in a strange way, and some of them are actually quite amusing.<\/p>\n<p>For instance, some exported functions are (I removed name decoration from some of the functions for readability):<\/p>\n<ul>\n<li>Smileys\n<ul>\n<li>(=_______=)<\/li>\n<\/ul>\n<\/li>\n<li>&#8220;Funny&#8221; or intriguing names\n<ul>\n<li>CauseOfDeath_enum<\/li>\n<li>CBloodSucking_DLLClass<\/li>\n<li>CreateBloodSucking<\/li>\n<li>DeathSequence<\/li>\n<li>haha<\/li>\n<li>HaHaInstall<\/li>\n<li>HaHaUninstall<\/li>\n<li>Particles_Ghostbuster<\/li>\n<li>SillyMe<\/li>\n<li>youaredog<\/li>\n<li>your system is mine<\/li>\n<li>Zombie_QueryInterface<\/li>\n<li>Zoo<\/li>\n<\/ul>\n<\/li>\n<li>Obscenities, sex-related\n<ul>\n<li>_IFeelLikeAShit<\/li>\n<li>asOsaretopExeshit<\/li>\n<li>_fuck<\/li>\n<li>_fuckAllProcesses<\/li>\n<li>_BangBangBang<\/li>\n<li>bitchcn<\/li>\n<li>FUCK<\/li>\n<li>FUCKYOU<\/li>\n<li>Fuck<\/li>\n<li>Fuck3<\/li>\n<li>FuckAlls<\/li>\n<li>FuckGIRLS<\/li>\n<li>FuckJM<\/li>\n<li>FuckJS<\/li>\n<li>FuckKb<\/li>\n<li>FuckKillVirus<\/li>\n<li>FuckMain<\/li>\n<li>FuckPLMM<\/li>\n<li>FuckTray<\/li>\n<li>FuckWorld<\/li>\n<li>StartFuck<\/li>\n<li>StopFuck<\/li>\n<li>Wh4tsTh3Fuck<\/li>\n<li>fuck<\/li>\n<li>fuck007<\/li>\n<li>fuckOff<\/li>\n<li>fuckabc<\/li>\n<li>fuckyou<\/li>\n<li>mazafaka<\/li>\n<\/ul>\n<\/li>\n<li>Obscenities or love towards AV companies and other companies, and other anti-AV or anti-specific-company sentiment (sometimes with 
typos)\n<ul>\n<li>FUCK360<\/li>\n<li>Fuck360<\/li>\n<li>FuckESETNOD32<\/li>\n<li>FuckKV360<\/li>\n<li>fuckingnod<\/li>\n<li>FuckKaspersky<\/li>\n<li>FuckRiSing<\/li>\n<li>FuckRising<\/li>\n<li>Fuck_Drweb<\/li>\n<li>Fuckkav<\/li>\n<li>Kill360Box<\/li>\n<li>KIIsSes__McafEe<\/li>\n<li>Kisses_Mcafee<\/li>\n<li>Kisses_To_Mcafee<\/li>\n<li>Kisses_To_Trojanhunter<\/li>\n<li>Kisses_To_Tsojanhunter<\/li>\n<li>Kisses_You_Mcafee<\/li>\n<li>Kisses_hunter<\/li>\n<li>SoftnyxCanSuckMyDick<\/li>\n<li>DestoryAntiVirus<\/li>\n<\/ul>\n<\/li>\n<li>Non-English names (and sometimes also obscenities)\n<ul>\n<li>Russian\n<ul>\n<li>_Zdes_Tebe_Ne_Hollywood_Ruki_Nogi_Otorvut (from Russian &#8216;\u0417\u0434\u0435\u0441\u044c \u0442\u0435\u0431\u0435 \u043d\u0435 \u0413\u043e\u043b\u043b\u0438\u0432\u0443\u0434 &#8211; \u0440\u0443\u043a\u0438-\u043d\u043e\u0433\u0438 \u043e\u0442\u043e\u0440\u0432\u0443\u0442&#8217; &#8211; This is not Hollywood here, they will tear your arms and legs off)<\/li>\n<\/ul>\n<\/li>\n<li>Japanese\n<ul>\n<li>\u3042\u306a\u305f\u3092\u611b\u3057- &#8211; I love you<\/li>\n<\/ul>\n<\/li>\n<li>Chinese\n<ul>\n<li>\u64cd\u4f60\u5168\u5bb6TX___\u75de\u5b50\u4e13\u7528\u9119\u89c6TX &#8211; Literally: &#8220;fuck your whole family&#8221;<\/li>\n<li>\u64cd\u6b7b\u4f60 &#8211; Fuck you to death.<\/li>\n<li>\u602a\u7269\u6280\u80fd &#8211; Monster skills.<\/li>\n<li>\u602a\u7269\u6570\u91cf &#8211; The number of monsters.<\/li>\n<li>\u79d2\u6740\u961f\u53cb &#8211; Kill your team member in a second.<\/li>\n<li>\u6a21\u4eff\u4f1a\u5458 &#8211; Member impostor.<\/li>\n<li>\u4eba\u7269\u81ea\u6740 &#8211; Character suicide.<\/li>\n<li>\u641c\u7d22_\u602a\u7269\u6570\u91cf &#8211; Find number of monsters.<\/li>\n<li>\u65e0\u654c &#8211; Invincible.<\/li>\n<li>\u718a\u732b &#8211; Panda.<\/li>\n<li>\u4e2d\u56fd\u4e07\u5c81 &#8211; Long live China.<\/li>\n<li>\u81ea\u6740 &#8211; Suicide.<\/li>\n<li>\u81ea\u6170 &#8211; Masturbation.<\/li>\n<li>\u5feb\u4e50\u7ebf\u7a0b &#8211; Happy thread.<\/li>\n<li>\u72d9\u51fb\u8fde\u53d1 &#8211; 
Continuous&nbsp; sniper firing.<\/li>\n<li>\u81ea\u52a8\u5f00\u67aa &#8211; Automatic fire.<\/li>\n<li>\u81ea\u52a8\u653b\u51fb &#8211; Auto-attack<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p style=\"padding-left: 90px;\">Example of a DLL with Chinese exports (including some of these listed above) is shown below:<\/p>\n<p style=\"padding-left: 90px;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/08\/chinese_exports.png\"><img decoding=\"async\" loading=\"lazy\" class=\"size-full wp-image-2096 alignleft\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/08\/chinese_exports.png\" alt=\"chinese_exports\" width=\"413\" height=\"435\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/08\/chinese_exports.png 413w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2013\/08\/chinese_exports-284x300.png 284w\" sizes=\"(max-width: 413px) 100vw, 413px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The first part of the series talked about the &#8216;main&#8217; entry points of the DLL. 
These are almost always there and it&#8217;s easy to understand their functionality and follow their code flow BUT&#8230; If you do reversing a lot you &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2013\/08\/11\/da-lil-world-of-dll-exports-and-entry-points-part-2\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[28,109,9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2081"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=2081"}],"version-history":[{"count":21,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2081\/revisions"}],"predecessor-version":[{"id":8509,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/2081\/revisions\/8509"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=2081"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=2081"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=2081"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}