From the base of NTDLL - the address that you printed - you are now at the base of the PE file. Use your knowledge of the PE file format to walk the structure and identify the number of exports. For this part, all we want to do is print that value. There are a variety of resources in the project folder. In addition, you can use PE parsing utilities such as PE Studio and the 010 Editor to help understand the data/file format itself.

I am lost with this C program... I need to do something in the bold below

int main(void){

DWORD numExports = 0; DWORD dwNtdllBase = 0;

_asm{ xor ebx, ebx ; //clear ebx mov ebx, fs:[ 0x30 ] ; //get a pointer to the PEB mov ebx, [ebx + 0x0C ] ; //get PEB->Ldr mov ebx, [ebx + 0x1C ] ; //get PEB->Ldr InitializationOrder mov ebx, [ebx + 0x08 ] ; //get entries base address //mov dwNtdllBase, ebx

// find exports via PE file //xor eax, ebx //xor eax, ebx //Start with image base mov eax, [ebx + 0x10 ] add ebx, edx mov numExports, esi }

printf("NTDLL number of exports: %d/n,. numExports);

}