The first part of the series talked about the ‘main’ entry points of a DLL. These are almost always there, and it’s easy to understand their functionality and follow their code flow.

BUT…

If you do a lot of reversing, you know for sure that looking at files of this type (i.e. reversing them) is always a bit of a challenge: it’s quite common for them to implement some of their functionality via many other exports, and not all of these are easy to understand or analyze (e.g. COM libraries and asynchronously called stuff); on top of that, there are really a lot of different types of DLLs and DLL exports out there. This leads us to an obvious question:

What DLL types and exports are actually out there?

The easiest way to answer this question is to run a script that extracts this information from a collection of PE files, e.g. from your Windows directory. The script simply parses each PE file, extracts the list of functions exported by the ‘default’ OS files and generates some stats. This is a good approach, but it doesn’t take into account many aspects of the ‘big picture of DLL programming’, which includes:

DLLs implementing services that may not be used by your flavor of Windows / applications

DLLs implementing services that are very specific, but rarely used

Old, legacy types of DLLs

Plugins

Creativity of software developers / malware authors

and possibly a few other things

We obviously need a larger collection of samples.
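As an added illustration of the approach described above (this is not the author’s script), here is a small export-name tally written from scratch in Python: it walks the PE headers and section table itself rather than relying on a library, and the `build_test_dll` helper constructs a synthetic PE32 DLL so that everything runs offline. The export names used as input are constructed sample data, and the tally skips files that are not PE or are truncated.

```python
import struct
from collections import Counter

def _u(fmt, b, o): return struct.unpack_from(fmt, b, o)[0]

def exported_names(data):
    """Names in the export name table of a PE image given as bytes (ordinal-only exports carry no name)."""
    if data[:2] != b"MZ": raise ValueError("not an MZ file")
    pe = _u("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("bad PE signature")
    nsec, opt = _u("<H", data, pe + 6), pe + 24
    dd = opt + (96 if _u("<H", data, opt) == 0x10B else 112)  # DataDirectory[0] = exports; PE32 vs PE32+
    exp_rva = _u("<I", data, dd)
    if exp_rva == 0: return []                                 # no export table at all
    sh = opt + _u("<H", data, pe + 20)                         # section table follows the optional header
    secs = [struct.unpack_from("<IIII", data, sh + 40*i + 8) for i in range(nsec)]  # vsize, va, rsize, raw
    def off(rva):                                              # RVA -> file offset via the section table
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize): return rva - va + raw
        raise ValueError("RVA %#x outside all sections" % rva)
    d = off(exp_rva)
    n_names, names = _u("<I", data, d + 24), off(_u("<I", data, d + 32))
    out = []
    for i in range(n_names):
        p = off(_u("<I", data, names + 4*i))
        out.append(data[p:data.index(b"\0", p)].decode("latin-1"))  # 1:1 bytes; CJK names need their code page
    return out

def export_stats(images):
    """Tally export names across a collection of PE images; non-PE or truncated files are skipped."""
    tally = Counter()
    for img in images:
        try: tally.update(exported_names(img))
        except (ValueError, struct.error, IndexError): pass
    return tally

def build_test_dll(names, rva=0x1000, raw=0x200):
    """Constructed sample: a minimal PE32 DLL whose single section holds an export table for `names`."""
    n = len(names)
    funcs, ptrs, ords, strs = rva + 40, rva + 40 + 4*n, rva + 40 + 8*n, rva + 40 + 10*n
    str_rvas = [strs + sum(len(s) + 1 for s in names[:i]) for i in range(n)]
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs, ptrs, ords)  # IMAGE_EXPORT_DIRECTORY
    body += struct.pack("<%dI" % n, *range(0x2000, 0x2000 + 16*n, 16))             # fake code RVAs
    body += struct.pack("<%dI%dH" % (n, n), *str_rvas, *range(n)) + b"".join(s.encode() + b"\0" for s in names)
    hdr = bytearray(raw)
    struct.pack_into("<2s58xI", hdr, 0, b"MZ", 0x40)                                       # MZ + e_lfanew
    struct.pack_into("<4sHHIIIHH", hdr, 0x40, b"PE\0\0", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    struct.pack_into("<H94xII", hdr, 0x58, 0x10B, rva, len(body))                         # PE32 magic + export dir
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".edata", len(body), rva, len(body), raw)
    return bytes(hdr) + body
```

To run it over a real collection, feed `export_stats` the file contents read from disk and look at `most_common()`; the RVA-to-offset step is what makes it work on DLLs whose export data does not sit at the start of a section.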

Running the script over a few million files, including both malware and clean files, I came up with a large list of possible exports, with the top entries being as follows:

___CPPdebugHook

__GetExceptDLLinfo

_LOADLIBRARY_DUMMY

CancelDll

COMResModuleInstance

DllCanUnloadNow

DllGetClassObject

DllMain

DllRegisterServer

DllUnregisterServer

DriverProc

JumpOff

JumpOn

KsCreateAllocator

KsCreatePin

KsCreateTopologyNode

LoadDll

modmCallback

modMessage

Outt

ServerMain

ServiceMain

Sett

ThreadPro

… and lots more

Many of these are easy to recognize and are very common; some are specific to certain families of malware and/or legitimate software. Some of these will be covered in Part 3 of this series.

And now, for the fun part.

NSFW Warning: What follows may not be Safe for work 🙂 You have been warned 🙂

I mentioned the creativity of software developers / malware authors being an interesting aspect of this research. Indeed, there are a lot of exports with strange names, and some of them are actually quite amusing.

For instance, some of the exported functions are (I removed name decoration from some of the functions for readability):

Smileys (=_______=)

“Funny” or intriguing names: CauseOfDeath_enum, CBloodSucking_DLLClass, CreateBloodSucking, DeathSequence, haha, HaHaInstall, HaHaUninstall, Particles_Ghostbuster, SillyMe, youaredog, your system is mine, Zombie_QueryInterface, Zoo

Obscenities, sex-related: _IFeelLikeAShit, asOsaretopExeshit, _fuck, _fuckAllProcesses, _BangBangBang, bitchcn, FUCK, FUCKYOU, Fuck, Fuck3, FuckAlls, FuckGIRLS, FuckJM, FuckJS, FuckKb, FuckKillVirus, FuckMain, FuckPLMM, FuckTray, FuckWorld, StartFuck, StopFuck, Wh4tsTh3Fuck, fuck, fuck007, fuckOff, fuckabc, fuckyou, mazafaka

Obscenities or ‘love’ directed at AV companies and other companies, and other anti-AV or anti-specific-company sentiment (sometimes with typos): FUCK360, Fuck360, FuckESETNOD32, FuckKV360, fuckingnod, FuckKaspersky, FuckRiSing, FuckRising, Fuck_Drweb, Fuckkav, Kill360Box, KIIsSes__McafEe, Kisses_Mcafee, Kisses_To_Mcafee, Kisses_To_Trojanhunter, Kisses_To_Tsojanhunter, Kisses_You_Mcafee, Kisses_hunter, SoftnyxCanSuckMyDick, DestoryAntiVirus

Non-English names (and sometimes also obscenities):

Russian: _Zdes_Tebe_Ne_Hollywood_Ruki_Nogi_Otorvut (from Russian ‘Здесь тебе не Голливуд – руки-ноги оторвут’)

Japanese: あなたを愛し- – I love you

Chinese:

操你全家TX___痞子专用鄙视TX – literally: “fuck your whole family”

操死你 – Fuck you to death

怪物技能 – Monster skills

怪物数量 – The number of monsters

秒杀队友 – Kill your team member in a second

模仿会员 – Member impostor

人物自杀 – Character suicide

搜索_怪物数量 – Find number of monsters

无敌 – Invincible

熊猫 – Panda

中国万岁 – Long live China

自杀 – Suicide

自慰 – Masturbation

快乐线程 – Happy thread

狙击连发 – Continuous sniper firing

自动开枪 – Automatic fire

自动攻击 – Auto-attack

An example of a DLL with Chinese exports (including some of those listed above) is shown below: