Analyze DLL Export with PE Bear

Hi Fellows,

It has been quite some time since the last update on the blog, especially on topics related to reverse engineering. In this session, I would like to share the basics of analyzing DLL exports with PE Bear.

You can find some details about PE Bear on this page: https://hshrzd.wordpress.com/pe-bear/. PE Bear aims to deliver a fast and flexible “first view” tool for malware analysts, stable and capable of handling malformed PE files.

The DLL export directory in a PE file is structured as below:

typedef struct _IMAGE_EXPORT_DIRECTORY {
	DWORD	Characteristics;
	DWORD	TimeDateStamp;
	WORD	MajorVersion;
	WORD	MinorVersion;
	DWORD	Name;
	DWORD	Base;
	DWORD	NumberOfFunctions;
	DWORD	NumberOfNames;
	DWORD	AddressOfFunctions;
	DWORD	AddressOfNames;
	DWORD	AddressOfNameOrdinals;
} IMAGE_EXPORT_DIRECTORY,*PIMAGE_EXPORT_DIRECTORY;

From the data structure above, every DWORD occupies 4 bytes and every WORD occupies 2 bytes. These sizes become very important later, when we read the data from the raw binary.

Let's open a sample DLL with PE Bear. In this session, I use user32.dll. We can see from the image below that the export address RVA = A1D50, or BaseAddress + RVA = 1800A1D50. The base address value can be found under Optional Hdr -> Image Base.

Below is the view in IDA at 1800A1D50. IDA automatically adds comments that follow the EXPORT DIRECTORY structure, as shown below.

Export Directory Tab

In the image above we can see that PE Bear successfully parsed the PE header. In the Export Directory tab, we can also see that PE Bear has filled in the values of the export directory structure. The binary data was parsed as in the image below. The red boxes are based on the size of each field in the EXPORT_DIRECTORY structure. Don't forget to read the bytes in reverse order, because the values are stored little-endian.

We need to pay attention to the last 3 fields of the export directory: AddressOfFunctions, AddressOfNames and AddressOfNameOrdinals. Each of these 3 fields is a pointer to an array. AddressOfNames points to the array of addresses of the names of all functions exported from the DLL. We can jump to RVA=A3074. The value stored at that RVA is 0A4829.

The image above shows IDA and PE Bear side by side: IDA is on the left and PE Bear is on the right. We can see that 0A4829 is the first address in the array of exported names, and it points to the name of the ActivateKeyboardLayout function. If we look at that memory address (0A4829) using PE Bear, we can see the array of function names below.

You can follow the same steps to get the function address and ordinal value. The function names in the array are separated by a “.” or “\0”.
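The same walk can be done in code. The following is an added example, not part of the original post and not PE Bear's own code: it unpacks the 40-byte export directory with the field sizes described above and follows the three arrays to pair each name with its ordinal and function RVA. It assumes a buffer in which RVA equals offset (as in a mapped image), and the sample image, its names and its addresses are constructed for illustration.

```python
import struct

# DWORD = 4 bytes ("I"), WORD = 2 bytes ("H"), "<" = little-endian: 40 bytes total.
EXPORT_DIR = struct.Struct("<IIHHIIIIIII")
FIELDS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
          "Name", "Base", "NumberOfFunctions", "NumberOfNames",
          "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")


def cstring(image, rva):
    """Read the NUL-terminated ASCII string that starts at rva."""
    return image[rva:image.index(b"\0", rva)].decode("ascii")


def parse_exports(image, dir_rva):
    """Return (directory fields, [(name, ordinal, function RVA), ...])."""
    d = dict(zip(FIELDS, EXPORT_DIR.unpack_from(image, dir_rva)))
    exports = []
    for i in range(d["NumberOfNames"]):
        # The i-th name and the i-th name ordinal belong together.
        (name_rva,) = struct.unpack_from("<I", image, d["AddressOfNames"] + 4 * i)
        (index,) = struct.unpack_from("<H", image, d["AddressOfNameOrdinals"] + 2 * i)
        if index >= d["NumberOfFunctions"]:  # malformed file: index past the table
            raise ValueError(f"name #{i}: function index {index} out of range")
        (func_rva,) = struct.unpack_from("<I", image, d["AddressOfFunctions"] + 4 * index)
        exports.append((cstring(image, name_rva), d["Base"] + index, func_rva))
    return d, exports


def build_sample():
    """Constructed 256-byte image (not a real DLL); RVA == buffer offset here."""
    image = bytearray(0x100)
    EXPORT_DIR.pack_into(image, 0x10, 0, 0, 0, 0, 0x70, 1, 3, 2, 0x40, 0x50, 0x60)
    struct.pack_into("<3I", image, 0x40, 0x1000, 0x2000, 0x3000)  # AddressOfFunctions
    struct.pack_into("<2I", image, 0x50, 0x80, 0x8A)              # AddressOfNames
    struct.pack_into("<2H", image, 0x60, 2, 0)                    # AddressOfNameOrdinals
    image[0x70:0x7B] = b"sample.dll\0"
    image[0x80:0x93] = b"AlphaFunc\0BetaFunc\0"
    return image


if __name__ == "__main__":
    directory, exports = parse_exports(build_sample(), 0x10)
    print(cstring(build_sample(), directory["Name"]), directory)
    for name, ordinal, rva in exports:
        print(f"{ordinal:4d}  {rva:08X}  {name}")
```

When reading a DLL straight from disk instead of a mapped image, each RVA first has to be translated to a file offset through the section table before these reads.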
