5 comments on “Hardcoded dll export address

  1. same to you. i usually use the python-idc to parse the api information which get from the ollydbg. for instance:

    00A05316 77D1869D USER32.ReleaseDC
    00A0531A 77D2F39A USER32.SendMessageA
    00A0531E 77D24795 USER32.SetForegroundWindow
    00A05322 77D29916 USER32.SwitchDesktop
    00A05326 77D18BF6 USER32.TranslateMessage
    00A0532A 77D1A8AD USER32.wsprintfA
    00A0532E 77D1A9B6 USER32.wsprintfW

  2. Nice method! And thanks for the tools, the generated lists will come in handy…

    In the past I started OllyDbg, loaded the appropriate DLL(s) and searched for the function addresses. It was OK, since I hadn’t much malware samples that made use of hardcoded function addresses, but your method is faster and less tedious. :)

    • Thx R136a1, I’m glad you like it :).
      Anyway, I was not totally correct in the post because Ollydbg is able to identify the external export address. Too bad it doesn’t show anything inside the disasm window, you have to click over an instruction and the resolved function appears inside the little window under the disasm, not fast and not handy indeed…

  3. Pingback: Hardcoded dll export address: Python approach | My infected computer

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s