Export Table Walker

Visualizing the manual resolution of API addresses. Demonstrates how malware parses the Export Directory, walks the AddressOfNames, and retrieves function addresses without using GetProcAddress.

By 0xHabib, December 20, 2025
#malware-analysis
#pe-format
#api-hashing

To evade hooks on GetProcAddress, malware often manually parses the Export Directory of system DLLs (like kernel32.dll). This visualization shows the logical flow of this process.

The Algorithm

  1. Locate Export Directory: Found via the DataDirectory[0] in the Optional Header.
  2. Walk Names: Iterate through AddressOfNames to match the target function string.
  3. Get Ordinal: Use the index from the name match to read from AddressOfNameOrdinals.
  4. Get Address: Use the ordinal to index into AddressOfFunctions.

Manual Export Resolution

Visualizing how LdrLoadGetProcedureAddress finds a function address manually.

Step 1 of 5: Locate Export Directory

From Optional Header -> DataDirectory[0] -> IMAGE_EXPORT_DIRECTORY

ExportTable = (DWORD64)hModule + Optional->DataDirectory[0].VirtualAddress

[Diagram: IMAGE_EXPORT_DIRECTORY (AddressOfNames, AddressOfFunctions, AddressOfOrdinals) alongside the arrays Names[] (index i), Ordinals[] (index i) and Functions[] (index Ordinal).]
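
The four steps above as an offline parser an analyst can run against an image buffer. This is an added example, not code from the original post; resolve_export and build_sample are hypothetical names, the sample image is constructed, and the buffer is assumed to be laid out as mapped in memory (RVA equals offset). It goes one step beyond the list by flagging forwarded exports, where the "address" points back into the export data and is really a "DLL.Function" string.

```python
import struct

def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]

def cstr(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")

def resolve_export(img, name):
    """Resolve `name` in a mapped image (assumption: RVA == buffer offset)."""
    nt = u32(img, 0x3C)                                # e_lfanew
    if img[:2] != b"MZ" or img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = nt + 24                                      # skip signature + file header
    pe32_plus = struct.unpack_from("<H", img, opt)[0] == 0x20B
    # Step 1: DataDirectory[0] gives the export directory RVA and size
    exp, size = struct.unpack_from("<II", img, opt + (112 if pe32_plus else 96))
    if exp == 0:
        return None
    n_funcs, n_names, funcs, names, ords = struct.unpack_from("<5I", img, exp + 20)
    for i in range(n_names):                           # Step 2: walk AddressOfNames
        if cstr(img, u32(img, names + 4 * i)) != name:
            continue
        idx = struct.unpack_from("<H", img, ords + 2 * i)[0]   # Step 3
        if idx >= n_funcs:
            raise ValueError("ordinal index out of range")
        rva = u32(img, funcs + 4 * idx)                # Step 4
        if exp <= rva < exp + size:                    # points into export data
            return ("forwarder", cstr(img, rva))
        return ("rva", rva)
    return None

def build_sample():
    """Constructed PE32+ image; every offset and name here is made up."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x20B)
    struct.pack_into("<II", img, 0x98 + 112, 0x200, 0x100)
    struct.pack_into("<5I", img, 0x200 + 20, 2, 2, 0x228, 0x230, 0x238)
    struct.pack_into("<2I", img, 0x228, 0x260, 0x1000)   # Functions[]
    struct.pack_into("<2I", img, 0x230, 0x240, 0x250)    # Names[]
    struct.pack_into("<2H", img, 0x238, 1, 0)            # Ordinals[], not in name order
    for off, s in ((0x240, b"Alpha\0"), (0x250, b"Beta\0"),
                   (0x260, b"OTHERDLL.BetaImpl\0")):
        img[off:off + len(s)] = s
    return bytes(img)
```

For a DLL read straight from disk, each RVA must first be translated to a file offset through the section table before these reads are valid.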