exports

process::exports lists all the exported functions from the DLLs each running process is using. If a** **/pid is not specified, then exports for mimikatz.exe will be displayed. It has the following command line argument:

  • /pid: the process id

mimikatz # process::exports

mimikatz.exe
ntdll.dll
        00007FFED50A11A8 -> 1           00007FFED4FCF110
        00007FFED50A11AC -> 2   0       00007FFED4F90230        A_SHAFinal
        00007FFED50A11B0 -> 3   1       00007FFED4F91060        A_SHAInit
        00007FFED50A11B4 -> 4   2       00007FFED4F910A0        A_SHAUpdate
        00007FFED50A11B8 -> 5   3       00007FFED5030740        AlpcAdjustCompletionListConcurrencyCount
        00007FFED50A11BC -> 6   4       00007FFED4FC0620        AlpcFreeCompletionListMessage
        00007FFED50A11C0 -> 7   5       00007FFED5030770        AlpcGetCompletionListLastMessageInformation
        00007FFED50A11C4 -> 8   6       00007FFED5030790        AlpcGetCompletionListMessageAttributes
        00007FFED50A11C8 -> 9   7       00007FFED4FC0350        AlpcGetHeaderSize
        00007FFED50A11CC -> 10  8       00007FFED4FC0310        AlpcGetMessageAttribute
        00007FFED50A11D0 -> 11  9       00007FFED4F60A60        AlpcGetMessageFromCompletionList
        00007FFED50A11D4 -> 12  10      00007FFED4FD5CA0        AlpcGetOutstandingCompletionListMessageCount
        00007FFED50A11D8 -> 13  11      00007FFED4FC02B0        AlpcInitializeMessageAttribute
        00007FFED50A11DC -> 14  12      00007FFED4FD4900        AlpcMaxAllowedMessageLength
        00007FFED50A11E0 -> 15  13      00007FFED4FD5B20        AlpcRegisterCompletionList
        00007FFED50A11E4 -> 16  14      00007FFED4FC5130        AlpcRegisterCompletionListWorkerThread
        00007FFED50A11E8 -> 17  15      00007FFED4FD5C60        AlpcRundownCompletionList
        00007FFED50A11EC -> 18  16      00007FFED4FD5C80        AlpcUnregisterCompletionList
        00007FFED50A11F0 -> 19  17      00007FFED4FC50D0        AlpcUnregisterCompletionListWorkerThread
        00007FFED50A11F4 -> 20  18      00007FFED4FC6D90        ApiSetQueryApiSetPresence
        00007FFED50A11F8 -> 21  19      00007FFED4FB90A0        ApiSetQueryApiSetPresenceEx
        00007FFED50A11FC -> 22  20      00007FFED4F58D50        CsrAllocateCaptureBuffer
        00007FFED50A1200 -> 23  21      00007FFED4F58D00        CsrAllocateMessagePointer
        00007FFED50A1204 -> 24  22      00007FFED4F58850        CsrCaptureMessageBuffer
        00007FFED50A1208 -> 25  23      00007FFED4F58B40        CsrCaptureMessageMultiUnicodeStringsInPlace
        
...Ouput Omitted...

The following output demonstrates a part of the exported functions of the firefox.exe process with 3316 PID:

PreviousprocessNextimports

Last updated