Portable Executable Exports
Portable Executable (PE) is the official name of the executable file format used in Windows. In user mode we deal mostly with EXEs and DLLs; both share the same format but differ in some important ways. I will not cover all the differences here, but in general a DLL must be loaded by a process (which uses an EXE as its image) and then the DLL's methods are called.
To make this possible, most of the methods are “exported” from the DLL and their names are listed in the export table. At the lowest level, calls are always about addresses, not names, which is not very convenient for developers. A process using a DLL instead calls a method by its name and Windows does the rest of the magic: locating the appropriate address in memory, making the actual call, and so on.
And what if an EXE file exports a method as well? The PE format allows it, and from the code perspective it is easy, but will it work? Surprisingly, the answer is “yes”. Code can call methods exported from EXEs too, and in some cases (such as netsh.exe extensions) it is the intended way of communicating between modules.
Using an EXE instead of a DLL may be tempting from an attacker's perspective. When run in the regular way the EXE looks totally innocent, but it also exports a malicious method. This does not fool every possible detection rule, but it raises the bar for detection engines, which is always beneficial for the attacker.
Calling methods from an EXE is not easy, as (according to @sixtyvividtails on X/Twitter) “absence of IMAGE_FILE_DLL flag (EXE/DLL distinction) in the imported module makes LDR skip these steps for it:
1. gscookie init
2. entry point & tls callbacks invocation (ever)
3. imports resolution (deps not loaded either)”
Writing working code looks like a small challenge; feel free to try it, and in the meantime you can focus on finding EXEs with exports in your System32 folder.
You can use the following techniques to analyze your PE files:
1. “Dumpbin /exports” - part of the SDK, the official way Microsoft recommends,
2. Dependency Walker - old but good (and free) tool for analyzing imports and exports in PE files,
3. Other PE file analyzers, pick your favorite if you have one,
4. My simple PowerShell script that digs through the structures of a PE file and extracts exported function names: https://github.com/gtworek/PSBits/blob/master/Misc2/Get-Exports.ps1 It’s not perfect, but it works well, and c’mon, it’s PowerShell!
Try it on your own; netsh.exe or bcdedit.exe seem to be good candidates. And when you get weird-looking results (e.g. for vds.exe), you should wait for the newsletter focused on function name decoration. I will write it sooner or later.
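As an added example (not the Get-Exports.ps1 script linked above, and in Python rather than PowerShell), the following walks the same PE structures the script digs through: DOS header, NT headers, the export entry of the data directory, the section table, and IMAGE_EXPORT_DIRECTORY, and lists each export's ordinal, name and forwarder string. So that it runs offline, it builds a constructed, parser-only PE32 image in memory; the module name `sample.exe` and the export names are made up, and the image is not loadable. Given a directory on the command line it instead scans real files and reports images without the IMAGE_FILE_DLL flag that still export something, which is the hunting heuristic suggested above.

```python
"""Walk a PE file's export table: DOS header -> NT headers -> export data
directory -> section table -> IMAGE_EXPORT_DIRECTORY -> names and ordinals.
Added example; not the Get-Exports.ps1 script from the post."""
import struct
import sys
from pathlib import Path
from typing import Dict, List, NamedTuple, Optional, Tuple

IMAGE_FILE_DLL = 0x2000          # FileHeader.Characteristics bit; absent on EXEs


class Export(NamedTuple):
    ordinal: int
    name: Optional[str]          # None for ordinal-only exports
    rva: int
    forwarder: Optional[str]     # "OTHER.Func" when the RVA points back into the export directory


class PEInfo(NamedTuple):
    is_dll: bool
    module_name: Optional[str]
    exports: List[Export]


def _u16(d: bytes, off: int) -> int:
    return struct.unpack_from("<H", d, off)[0]


def _u32(d: bytes, off: int) -> int:
    return struct.unpack_from("<I", d, off)[0]


def _cstr(d: bytes, off: int) -> str:
    return d[off:d.index(b"\0", off)].decode("ascii", "replace")


def rva_to_offset(sections: List[Tuple[int, int, int, int]], rva: int) -> int:
    """Map an RVA to a file offset via the section table entries (vaddr, vsize, raw_ptr, raw_size)."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_exports(data: bytes) -> PEInfo:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = _u32(data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _machine, nsec, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                  # optional header follows the 20-byte file header
    dd_off = opt + (96 if _u16(data, opt) == 0x10B else 112)   # data directories: PE32 vs PE32+
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    if _u32(data, dd_off - 4) < 1:                       # NumberOfRvaAndSizes: no export slot at all
        return PEInfo(is_dll, None, [])
    export_rva, export_size = struct.unpack_from("<II", data, dd_off)   # DataDirectory[0] is the export table
    sections = []
    for i in range(nsec):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if export_rva == 0:
        return PEInfo(is_dll, None, [])
    (_, _, _, _, name_rva, base, nfunc, nnames, addr_funcs, addr_names,
     addr_ords) = struct.unpack_from("<IIHHIIIIIII", data, rva_to_offset(sections, export_rva))
    names_off, ords_off = rva_to_offset(sections, addr_names), rva_to_offset(sections, addr_ords)
    names_by_index: Dict[int, str] = {}
    for i in range(nnames):
        idx = _u16(data, ords_off + 2 * i)               # AddressOfNameOrdinals holds table indices, not ordinals
        names_by_index[idx] = _cstr(data, rva_to_offset(sections, _u32(data, names_off + 4 * i)))
    funcs_off = rva_to_offset(sections, addr_funcs)
    exports = []
    for idx in range(nfunc):
        rva = _u32(data, funcs_off + 4 * idx)
        if rva == 0:
            continue                                     # gap in the ordinal range
        fwd = _cstr(data, rva_to_offset(sections, rva)) if export_rva <= rva < export_rva + export_size else None
        exports.append(Export(base + idx, names_by_index.get(idx), rva, fwd))
    return PEInfo(is_dll, _cstr(data, rva_to_offset(sections, name_rva)), exports)


def exe_with_exports(data: bytes) -> bool:
    """Hunting heuristic from the post: an image without IMAGE_FILE_DLL that still exports something."""
    info = parse_exports(data)
    return not info.is_dll and bool(info.exports)


def build_sample_pe() -> bytes:
    """Constructed, parser-only PE32 image (not loadable): one .edata section, three exports."""
    EXPORT_RVA, RAW_PTR = 0x1000, 0x200
    strings = bytearray()

    def add(s: str) -> int:
        off = len(strings)
        strings.extend(s.encode() + b"\0")
        return off
    mod, hello, target, fwd = add("sample.exe"), add("HelloExport"), add("OTHER.Target"), add("Forwarded")
    nfunc, nnames = 3, 2
    str_base = EXPORT_RVA + 40 + 4 * nfunc + 4 * nnames + 2 * nnames   # strings follow the three tables
    funcs = [0x2000, str_base + target, 0x2010]          # index 1 forwards, index 2 is ordinal-only
    names = [(str_base + fwd, 1), (str_base + hello, 0)] # name table is sorted: "Forwarded" < "HelloExport"
    export = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_base + mod, 1, nfunc, nnames, EXPORT_RVA + 40,
                         EXPORT_RVA + 40 + 4 * nfunc, EXPORT_RVA + 40 + 4 * nfunc + 4 * nnames)
    export += struct.pack("<3I", *funcs) + struct.pack("<2I", *(n for n, _ in names))
    export += struct.pack("<2H", *(o for _, o in names)) + bytes(strings)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)   # EXECUTABLE_IMAGE|32BIT, no DLL bit
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # PE32 magic ... NumberOfRvaAndSizes
    dirs = struct.pack("<II", EXPORT_RVA, len(export)) + b"\0" * (8 * 15)
    sec = b".edata\0\0" + struct.pack("<IIII", len(export), EXPORT_RVA, 0x200, RAW_PTR) + b"\0" * 16
    return (dos + b"PE\0\0" + file_hdr + opt + dirs + sec).ljust(RAW_PTR, b"\0") + export.ljust(0x200, b"\0")


if __name__ == "__main__":
    if len(sys.argv) < 2:                      # no path given: demonstrate on the constructed sample
        for e in parse_exports(build_sample_pe()).exports:
            print(f"#{e.ordinal} {e.name or '<ordinal only>'} rva={e.rva:#x} forwarder={e.forwarder}")
    else:                                      # e.g. C:\Windows\System32: list EXEs that carry exports
        for path in Path(sys.argv[1]).glob("*.exe"):
            try:
                info = parse_exports(path.read_bytes())
            except (ValueError, IndexError, struct.error):
                continue
            if not info.is_dll and info.exports:
                print(path.name, ", ".join(e.name or f"#{e.ordinal}" for e in info.exports))
```

Two details worth noticing when comparing against dumpbin output: AddressOfNameOrdinals stores zero-based indices into AddressOfFunctions (the real ordinal is that index plus Base), and a function RVA that lands inside the export directory itself is not code but a forwarder string naming another module's export, which is why the parser checks the RVA against the directory's range before treating it as an address.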