ExpoMon

ExpoMon is an x64dbg plugin developed by milCERT.ch, the Swiss Military CERT. Its goal is to assist a reverse engineer during dynamic analysis of malicious binaries at the point where they resolve APIs, e.g. with functions such as GetProcAddress or LdrGetProcedureAddress, or with a custom implementation of those functions. In theory, the plugin monitors access to a module's IMAGE_EXPORT_DIRECTORY.AddressOfFunctions array, which is usually accessed when resolving an exported function's address via the Export Address Table (EAT). In practice, in favor of increased performance, the plugin monitors access to a clone of the memory page containing the module's EAT, with IMAGE_EXPORT_DIRECTORY.AddressOfFunctions hijacked to point to that clone.
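To make the monitored access concrete, the following added example (not ExpoMon's code) walks a PE export directory by name and reports which AddressOfFunctions slot is read, including the forwarded-export case. It assumes an image mapped so that RVA equals offset; `resolve_export`, `build_sample` and the sample image are constructed for illustration.

```python
import struct

def resolve_export(image: bytes, name: bytes):
    """Resolve `name` in a mapped PE image (RVA == offset) and report the EAT slot read."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                            # signature + IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)             # PE32+ vs PE32 DataDirectory
    exp, exp_size = struct.unpack_from("<II", image, dirs)   # DataDirectory[0] = exports
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    n_funcs, n_names, aof, aon, aono = struct.unpack_from("<5I", image, exp + 20)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, aon + 4 * i)[0]
        if image[name_rva:image.index(b"\0", name_rva)] != name:
            continue
        idx = struct.unpack_from("<H", image, aono + 2 * i)[0]
        if idx >= n_funcs:
            raise ValueError("ordinal index outside AddressOfFunctions")
        slot = aof + 4 * idx          # the AddressOfFunctions read that gets monitored
        rva = struct.unpack_from("<I", image, slot)[0]
        # An RVA inside the export directory is a forwarder string, not code.
        return {"slot_rva": slot, "func_rva": rva,
                "forwarded": exp <= rva < exp + exp_size}
    return None

def build_sample() -> bytes:
    """Constructed 64-bit image exporting 'Alpha' (code) and 'Beta' (forwarder)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)                 # optional header magic
    struct.pack_into("<II", img, 0x98 + 112, 0x200, 0x100)   # export directory RVA, size
    struct.pack_into("<5I", img, 0x200 + 20, 2, 2, 0x240, 0x250, 0x260)
    struct.pack_into("<II", img, 0x240, 0x1000, 0x2A0)       # AddressOfFunctions
    struct.pack_into("<II", img, 0x250, 0x280, 0x290)        # AddressOfNames
    struct.pack_into("<HH", img, 0x260, 0, 1)                # AddressOfNameOrdinals
    img[0x280:0x285] = b"Alpha"
    img[0x290:0x294] = b"Beta"
    img[0x2A0:0x2AB] = b"other.Gamma"
    return bytes(img)
```
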

Features

Known limitations (by design)

Install

Usage

Screenshots

Accessed Exports

Hijacked Exports

License

MIT License