This will be a short post on how to debug an exported DLL function in x64dbg and how to sync the addresses shown in the debugger with the ones shown in IDA Pro.
Unfortunately x64dbg is missing some features; one of them is the option to load a DLL and call one of its exported functions directly. I don't know why, but it looks like nobody wants to implement this feature (see here).
If you don't want to go back to OllyDbg and its "CallExport" feature, you can still use "rundll32.exe", which ships with Windows, as the host process inside x64dbg.
Get yourself a DLL with some exports of interest. The one I've got for this demo has the following export table (IDA Pro screenshot):
From the list of functions above, I'm interested in calling the one named "NG61WXCKCNI7UOARV13H6GIFD8BA". Let's fire up the debugger and get things done.
In the debugger, open rundll32 from "C:\Windows\SysWOW64\rundll32.exe" (on 64-bit Windows that is the 32-bit copy, so use it together with x32dbg for a 32-bit DLL; take the 64-bit copy from System32 and x64dbg if you want to run an x64 DLL; the bitness of rundll32, the debugger and the DLL must all match). After loading the PE, go to the "Debug" menu and choose "Change command line" as shown in the next image.
Since the name of the exported function is pretty ugly and I'm lazy, I'll use the ordinal value instead. Exported DLL functions are not required to have names, which is why ordinals exist, so the call can be made with "#4" (the ordinal associated with the "NG61WXCKCNI7UOARV13H6GIFD8BA" function). Note that the ordinal is the biased value shown in the export table (the export directory's Base plus the index into the address table), not a zero-based index.
Use the following syntax for the rundll32 command line (the path to rundll32.exe stays in front, and there must be no space on either side of the comma between the DLL path and the entry point):
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
For our case that means appending "<path to>\malicious.dll,#4" (or "<path to>\malicious.dll,NG61WXCKCNI7UOARV13H6GIFD8BA" if you prefer the name). One caveat: rundll32 resolves the entry point with GetProcAddress and always calls it with the prototype "void CALLBACK EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)". An export written with a different prototype receives garbage arguments and, for 32-bit stdcall code, may unbalance the stack when it returns. That is fine for breaking on the function's first instruction and stepping through it, but don't trust what happens after the function returns to rundll32.
Press OK and restart the debuggee (CTRL+F2) so the new command line takes effect. Then go to "Options"->"Preferences" and tick the "DLL Entry" option under the "Events" tab. This makes the debugger pause at the entry point (EP) of every loaded DLL.
Great, we're almost done. Hit Run (F9) repeatedly until we reach the EP of our DLL; the debugger will also stop at the entry point of every system DLL rundll32 loads along the way, and the title bar shows which module we are currently in.
To sync the addresses of the debugger with the ones from IDA, we have to get the address at which the DLL was loaded into memory. Right-click the current instruction and follow it into the "Memory Map" tab of the debugger.
Get the base address at which "malicious.dll" was loaded and use it to rebase the disassembly in IDA.
In IDA, go to "Edit"->"Segments"->"Rebase program" and enter that address there (my address is 0x01FD0000).
Wait a few moments and the addresses in IDA now match the ones in the debugger. Keep in mind that the actual base depends on ASLR (the DYNAMIC_BASE flag in the DLL's DllCharacteristics) and on whether the preferred base was already in use, so after a restart check the Memory Map again and rebase once more if the module moved. The last step is to go (CTRL+G) in the debugger to the EP address of the exported function as IDA now shows it, place a breakpoint there and run until the breakpoint is hit.
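As an added example that is not part of the original post, the script below does in code what the steps above do by hand: it parses a PE export directory to show where the "#4" ordinal comes from (Base plus index into the address table, with nameless exports listed too), and it performs the rebase arithmetic that maps an address IDA shows at the preferred image base to the address x64dbg shows at the base from the Memory Map. The DLL it parses is constructed in memory with a handful of exports; the export names, RVAs, the preferred base 0x10000000 and the load address 0x01FD0000 are assumptions chosen to mirror the post, not data from the author's sample.

```python
"""Added example (not the post's code): stdlib-only PE export-table parser showing
where rundll32's "#N" ordinal comes from and how rebasing between IDA and x64dbg
works. The DLL bytes are constructed in memory; names, RVAs and bases are assumptions."""
import struct

DEMO_IMAGE_BASE = 0x10000000   # preferred base, i.e. what IDA shows before rebasing
DEMO_NAME = b"malicious.dll"
DEMO_EXPORTS = [               # constructed: (biased ordinal, name or None, RVA)
    (1, b"DllRegisterServer", 0x1100),
    (2, None, 0x1180),         # nameless export: only reachable as "#2"
    (3, b"Start", 0x1200),
    (4, b"NG61WXCKCNI7UOARV13H6GIFD8BA", 0x1280),
]

def build_demo_dll():
    """Lay out DOS/PE headers, one .edata section and the three export tables."""
    sect_rva, raw_off, base, n = 0x1000, 0x200, DEMO_EXPORTS[0][0], len(DEMO_EXPORTS)
    # name table: (unbiased index, name), sorted since GetProcAddress binary-searches it
    named = sorted(((i, e[1]) for i, e in enumerate(DEMO_EXPORTS) if e[1]), key=lambda t: t[1])
    eat_rva = sect_rva + 40                  # IMAGE_EXPORT_DIRECTORY is 40 bytes
    names_rva = eat_rva + 4 * n
    ords_rva = names_rva + 4 * len(named)
    str_rva = ords_rva + 2 * len(named)
    strings, name_rvas = b"", []
    for _, nm in named:
        name_rvas.append(str_rva + len(strings))
        strings += nm + b"\0"
    dllname_rva = str_rva + len(strings)
    strings += DEMO_NAME + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, base, n,
                        len(named), eat_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", e[2]) for e in DEMO_EXPORTS)
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i, _ in named) + strings
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    opt = struct.pack("<HBB9I", 0x10B, 14, 0, 0, len(edata), 0, 0, sect_rva,
                      sect_rva, DEMO_IMAGE_BASE, 0x1000, 0x200)
    opt += struct.pack("<6HIIIIHH4III", 4, 0, 0, 0, 4, 0, 0, 0x2000, 0x200, 0,
                       2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += struct.pack("<II", sect_rva, len(edata)) + b"\0" * 15 * 8   # export dir
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), sect_rva,
                       raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (raw_off - len(hdr)) + edata + b"\0" * (raw_size - len(edata))

def parse_exports(data):
    """Return (image_base, {ordinal: (name or None, rva)}) for a PE32/PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: 4-byte ImageBase at +28
        image_base, ndirs_off, dir_off = struct.unpack_from("<I", data, opt + 28)[0], 92, 96
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase at +24
        image_base, ndirs_off, dir_off = struct.unpack_from("<Q", data, opt + 24)[0], 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + dir_off) if ndirs else (0, 0)
    if not exp_rva:
        return image_base, {}                # no export directory at all
    # per section: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sects = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def rva2off(rva):                        # RVA -> file offset via the section table
        for vsize, vaddr, rsize, raw in sects:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + (rva - vaddr)
        raise ValueError("RVA 0x%x maps to no section" % rva)
    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode()
    base, nfunc, nnames, eat, names, ords = struct.unpack_from("<6I", data, rva2off(exp_rva) + 16)
    exports = {}
    for i in range(nfunc):                   # ordinal = Base + index (biased, as IDA shows it)
        rva = struct.unpack_from("<I", data, rva2off(eat) + 4 * i)[0]
        if rva and not exp_rva <= rva < exp_rva + exp_size:   # skip empty slots and forwarders
            exports[base + i] = [None, rva]
    for j in range(nnames):                  # names attach through the ordinal table
        name_rva = struct.unpack_from("<I", data, rva2off(names) + 4 * j)[0]
        idx = struct.unpack_from("<H", data, rva2off(ords) + 2 * j)[0]
        if base + idx in exports:
            exports[base + idx][0] = cstr(name_rva)
    return image_base, {k: tuple(v) for k, v in exports.items()}

def ordinal_of(exports, name):
    """Biased ordinal to hand to rundll32 as '#N' for a named export."""
    return next(o for o, (nm, _) in exports.items() if nm == name)

def rebase(addr, old_base, new_base):
    """Move an address from one image base (IDA's) to another (x64dbg's Memory Map)."""
    return addr - old_base + new_base

if __name__ == "__main__":
    image_base, exports = parse_exports(build_demo_dll())
    o = ordinal_of(exports, "NG61WXCKCNI7UOARV13H6GIFD8BA")
    ida_ep = image_base + exports[o][1]      # address IDA shows for the export
    print("rundll32.exe malicious.dll,#%d" % o)
    print("IDA 0x%08x -> x64dbg 0x%08x" % (ida_ep, rebase(ida_ep, image_base, 0x01FD0000)))
```

Running it prints the rundll32 argument with the ordinal resolved from the name and the export's address both at the preferred base and at the assumed load address 0x01FD0000; the second value is what you type after CTRL+G in x64dbg if you skip the IDA rebase and do the arithmetic yourself. Pointing parse_exports at the bytes of a real DLL (open(path, "rb").read()) lists its ordinals the same way, including the nameless ones that only rundll32's "#N" form can reach.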
Eureka, we are now inside the exported function and can continue the analysis of our DLL inside x64dbg.