ExpoMon is a plugin developed by milCERT.ch, the Swiss Military CERT, for x64dbg with the goal to assist a reverse engineer during dynamic analysis of malicious binaries when they resolve APIs, e.g. with functions such as GetProcAddress, LdrGetProcedureAddress, etc. or a custom implementation of those functions. In theory, the plugin monitors access to a module's IMAGE_EXPORT_DIRECTORY.AddressOfFunctions array, which is usually accessed when resolving an exported function's address via the Export Address Table (EAT); in practice, in favor of increased performance, the plugin monitors access to a cloned page of the memory page containing the module's EAT with IMAGE_EXPORT_DIRECTORY.AddressOfFunctions hijacked to point to it.
- Logs context information on access to the address containing the RVA of an exported function
- Hijacks the accessed exported functions (RVA hijack)
- Cannot handle cases where pattern scanning is used to find the functions
- Cannot handle cases where hardcoded relative offsets are used to find the functions
- Cannot handle direct syscalls
- Download or compile the plugin
- Compiled with
- Visual Studio 2013 with Qt Visual Studio Tools version 2.3.2
- Qt 5.6.3 (x64/x86 msvc2013)
- Qt Creator 4.3.1
- Compiled with
- Copy the plugin to the
pluginsdirectoryrelease\x64\plugins\ExpoMon.dp64release\x32\plugins\ExpoMon.dp32
- Set or add
MembpAlt=1to the[Engine]section inx64dbg.ini- This configures memory breakpoints to use
PAGE_NOACCESSinstead ofPAGE_GUARD
- This configures memory breakpoints to use
-
If it is not visiable in the tabs
Plugins > ExpoMon > Show
-
To enable the exports monitoring:
Monitor Exports- This will monitor the access to the exports of all the currently loaded modules
- In the
Settingstab it is possible to configure to only monitor specific modules
- In the
- Modules that are loaded at a later stage are also automatically monitored (
CB_LOADDL 6C90 L/LOAD_DLL_DEBUG_EVENT)
- This will monitor the access to the exports of all the currently loaded modules
-
To temporarily disable any monitoring:
Disable Monitoring- Internally executes the
DisableMemoryBreakpointcommand on every monitored memory page
- Internally executes the
-
To completely remove and disable the monitoring:
Reset- This may potentially lead to a crash / unhandled exceptions, due to the fact that there may still be pointers in use to the monitored pages, which will be freed, causing invalid memory access
-
In the
Settingstab it is possible to configure the conditions for breaking and hijacking- The conditions use the internal scripting engine (https://help.x64dbg.com/en/latest/introduction/index.html)
- Module and function names can be separated by a
,and;or a newline- The check performs an needle/substring search so that adding file extensions is not required
MIT License