NoVirusThanks PE Export Viewer is a lightweight tool used to inspect the Export Address Table (EAT) of Portable Executable (PE) files, primarily Dynamic Link Libraries (DLLs). It helps malware analysts and developers see what functions a DLL makes available to other programs.

⚙️ Step-by-Step Analysis Process
Load the File: Open the tool and drag your target DLL into the interface, or use the file browser to select it.
Scan the Exports: The tool automatically parses the PE header and populates the main window with the exported functions.
Analyze the Export Table: Review the populated columns for critical function metadata:
  Function Name: The actual text name of the exported function.
  Ordinal: The numerical identifier used to call the function without a name.
  Entry Point (RVA): The Relative Virtual Address where the function code begins inside the module.
Filter and Search: Use the built-in search bar to filter for suspicious keywords (e.g., “VirtualAlloc”, “WriteProcessMemory”, “Hook”).
Export the Report: Save the list of functions as a text or HTML file for documentation or further script automation.

🔍 Security Analysis Use Cases
Spotting DLL Hijacking: Identify whether a file using a legitimate DLL name has been weaponized, as indicated by unusual or missing exported functions.
Detecting Malicious Capability: Look for low-level API functions related to process injection, keylogging, or network communication.
Finding Unnamed Functions: Uncover hidden functionality exported strictly by Ordinal numbers rather than names.
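To show where the Function Name, Ordinal and Entry Point (RVA) columns come from, and why some exports have no name, here is an added example (not code from NoVirusThanks or the tool itself) that reads the export directory with Python's standard library only. The names parse_exports and build_sample are hypothetical, and the tiny PE32 image is constructed for the demonstration.

```python
import struct

def parse_exports(data):
    """Return [(ordinal, name or None, rva)] from a PE image's export directory."""
    u16 = lambda o: struct.unpack_from("<H", data, o)[0]
    u32 = lambda o: struct.unpack_from("<I", data, o)[0]
    pe = u32(0x3C)  # e_lfanew: file offset of the "PE\0\0" signature
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24  # optional header follows the 20-byte COFF header
    exp_rva = u32(opt + (112 if u16(opt) == 0x20B else 96))  # data directory 0
    secs = [struct.unpack_from("<8x4I", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def off(rva):  # RVA -> file offset via the section table
        for _, va, rsize, raw in secs:
            if va <= rva < va + rsize:
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is outside every section's raw data")
    if exp_rva == 0:
        return []  # the image has no export directory
    base, nfunc, nname, a_func, a_name, a_ord = struct.unpack_from("<16x6I", data, off(exp_rva))
    if max(nfunc, nname) > 0x10000:  # ordinals are 16-bit, larger counts are malformed
        raise ValueError("implausible export counts")
    names = {}
    for i in range(nname):  # each name maps to a function-table index, not an ordinal
        s = off(u32(off(a_name) + 4 * i))
        names[u16(off(a_ord) + 2 * i)] = data[s:data.index(b"\0", s)].decode("ascii", "replace")
    rows = []
    for i in range(nfunc):
        rva = u32(off(a_func) + 4 * i)
        if rva:  # a zero RVA marks an unused ordinal slot
            rows.append((base + i, names.get(i), rva))
    return rows

def build_sample():
    """Constructed minimal PE32 image: exports Run (#1), an unnamed #2 and Init (#3)."""
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x1040, 1, 3, 2, 0x1028, 0x1034, 0x103C)
    edata += struct.pack("<3I2I2H", 0x2000, 0x2010, 0x2020, 0x1049, 0x104E, 2, 0)
    edata += b"demo.dll\0Init\0Run\0"  # DLL name, then export names in sorted order
    opt = struct.pack("<H90xI2I120x", 0x10B, 16, 0x1000, len(edata))
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HH12xHH", 0x14C, 1, len(opt), 0x2102) + opt
    hdr += struct.pack("<8s4I16x", b".edata", len(edata), 0x1000, 0x200, 0x200)
    return hdr.ljust(0x200, b"\0") + edata.ljust(0x200, b"\0")

if __name__ == "__main__":
    for ordinal, name, rva in parse_exports(build_sample()):
        print(f"{ordinal:>5}  {name or '<ordinal only>':<16} {rva:#010x}")
```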