Modules
Search for functions by disassembling executable regions and finding
call instructions.
Parse the PE Control Flow Guard function table.
This table contains an entry for each function that may be invoked
dynamically. When present, it tends to cover a large percentage of the
functions in a module.
Parse the PE header for the entry point (if present).
Parse the PE export table (if present) to find exports in
executable sections.
Scan the file looking for pointer-sized values that fall within an
executable section. Then, step backwards and ensure that the target
looks like either:
Parse the PE SafeSEH table for references to valid exception handler
functions.