Linked Libraries and Functions

Imports

  • Functions used by a program that are stored in a different program, such as a library

  • Connected to the main EXE by Linking

  • Can be linked three ways

    • Statically

    • At Runtime

    • Dynamically

Unix and Linux: Turning C into Object Code

  • Code in files p1.c p2.c

  • Compile with command: gcc -O p1.c p2.c -o p

  • Use optimizations (-O)

  • Put resulting binary in file p

Static Linking

  • Common in Unix and Linux

  • Rarely used for Windows executables

  • All code from the library is copied into the executable

  • Makes executable large in size

Runtime Linking

  • Unpopular in friendly programs

  • Common in malware, especially packed or obfuscated malware

  • Connect to libraries only when needed, not when the program starts

  • Most commonly done with the LoadLibrary and GetProcAddress functions
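An added example (not code from the slides) showing what runtime linking looks like from the program's side. On Windows, ctypes performs exactly the two steps the slide names: loading a library (LoadLibrary) and looking a function up by name (GetProcAddress); on Linux and macOS the same calls map to dlopen and dlsym. The function resolved here, strlen, never appears in the import table of the running program; only its name does, as a plain string, which is the clue a static analyst still gets. The choice of `msvcrt` on Windows and of the already-loaded process image elsewhere is an assumption of this example.

```python
"""Runtime linking with ctypes (an added example; not code from the slides).

Windows malware resolves an API with LoadLibrary and then GetProcAddress, so
the name never appears in the PE import table.  ctypes performs the same two
steps: loading a library (LoadLibrary on Windows, dlopen elsewhere) and looking
a symbol up by name (GetProcAddress / dlsym).  Here strlen is resolved that way.
"""
import ctypes
import sys


def default_c_runtime():
    """Library that holds strlen without naming a file path: msvcrt on Windows,
    the already-loaded process image (CDLL(None) == dlopen(NULL)) elsewhere.
    Both choices are assumptions of this example."""
    return "msvcrt" if sys.platform == "win32" else None


def resolve_at_runtime(library, symbol):
    """Return a callable for `symbol`, looked up now rather than when the
    program was loaded; raises AttributeError if the library lacks that export."""
    loader = ctypes.WinDLL if sys.platform == "win32" else ctypes.CDLL
    handle = loader(library)            # LoadLibrary / dlopen
    return getattr(handle, symbol)      # GetProcAddress / dlsym


def is_exported(library, symbol):
    """True if the library exports `symbol`; a failed lookup is the same
    signal a NULL return from GetProcAddress gives a native program."""
    try:
        resolve_at_runtime(library, symbol)
        return True
    except AttributeError:
        return False


def string_length_via_runtime_link(data: bytes) -> int:
    """strlen obtained by name at call time; a static import scan of this
    program shows no strlen import, only the string "strlen" in the source."""
    fn = resolve_at_runtime(default_c_runtime(), "strlen")
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_size_t
    return fn(data)


if __name__ == "__main__":
    print(string_length_via_runtime_link(b"hello"))               # 5
    print(is_exported(default_c_runtime(), "no_such_export_xyz"))  # False
```

For the analyst the takeaway is the mirror image: a sample whose import table holds little more than LoadLibrary and GetProcAddress is resolving the rest of its API this way, and the strings output (or a debugger breakpoint on GetProcAddress) is where the real function names turn up.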

Dynamic Linking

  • Most common method

  • Host OS searches for necessary libraries when the program is loaded

Clues in Libraries

  • The PE header lists every library and function that will be loaded

  • Their names can reveal what the program does

  • URLDownloadToFile indicates that the program downloads something

Dependency Walker - Shows Dynamically Linked Functions

  • Normal programs have a lot of DLLs

  • Malware often has very few DLLs

Exports

  • DLLs export functions

  • EXEs import functions

  • Both exports and imports are listed in the PE header
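An added example (not code from the slides or from Dependency Walker) that reads the import list straight out of the PE header, covering the "Clues in Libraries", "Dependency Walker" and "Exports" bullets above: data directory entry 1 of the optional header points at the array of IMAGE_IMPORT_DESCRIPTORs, one per DLL, each naming the DLL and a thunk array of IMAGE_IMPORT_BY_NAME pointers (the export table a DLL publishes is entry 0 of the same directory and is not parsed here). Because no real executable ships with the page, `build_sample_pe()` fabricates a minimal PE32 in memory; its DLL and function names, the `.idata` layout (RVA 0x1000, file offset 0x200) and the `CLUES` table are all constructed for the example, with the function names taken from the slides.

```python
"""Walk a PE import table (an added example; not code from the slides).
build_sample_pe() fabricates a tiny PE32 in memory (constructed names, not a
real file) so parse_imports() can run offline."""
import struct

SAMPLE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"],
                  "urlmon.dll": ["URLDownloadToFileA"]}      # constructed
CLUES = {"URLDownloadToFile": "downloads something",        # names the slides call out
         "LoadLibrary": "runtime linking; more imports resolved later",
         "GetProcAddress": "runtime linking; more imports resolved later"}


def build_sample_pe(imports=SAMPLE_IMPORTS):
    """Minimal PE32: DOS stub, PE headers, one .idata section at RVA 0x1000 / file offset 0x200."""
    base_rva, sec = 0x1000, bytearray()

    def put(blob):                      # append to the section, return the RVA it landed at
        rva = base_rva + len(sec)
        sec.extend(blob)
        return rva

    n_desc = len(imports) + 1           # +1 for the all-zero terminating descriptor
    put(bytes(20 * n_desc))             # descriptor array comes first; filled in below
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = put(dll.encode() + b"\0")
        by_name = [put(struct.pack("<H", 0) + f.encode() + b"\0") for f in funcs]  # hint + name
        thunks = b"".join(struct.pack("<I", r) for r in by_name) + bytes(4)
        oft, ft = put(thunks), put(thunks)   # Import Name Table, then the IAT the loader patches
        struct.pack_into("<IIIII", sec, 20 * i, oft, 0, 0, name_rva, ft)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew -> "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, base_rva, 20 * n_desc)  # data directory[1] = imports
    raw_size = (len(sec) + 0x1FF) & ~0x1FF
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), base_rva,
                       raw_size, 0x200, 0, 0, 0, 0, 0xC0000040)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return head + bytes(0x200 - len(head)) + bytes(sec) + bytes(raw_size - len(sec))


def parse_imports(data):
    """Return {dll: [function, ...]} from a PE32 or PE32+ image's import directory."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    thunk_fmt, ordinal_bit = ("<I", 1 << 31) if is_pe32 else ("<Q", 1 << 63)
    dir_off = opt + (96 if is_pe32 else 112)                     # start of the data directory
    import_rva = struct.unpack_from("<I", data, dir_off + 8)[0]  # entry 1 = import table
    if import_rva == 0:
        return {}                       # nothing imported: fully static, or stripped by a packer
    sections = []
    for i in range(n_sections):
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def to_offset(rva):                 # RVA -> file offset via the section table
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} maps to no section (corrupt or packed header)")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result, desc = {}, to_offset(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                       # all-zero descriptor ends the array
        funcs, thunk = [], to_offset(oft or ft)   # name table if present, else the IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append(f"#{entry & 0xFFFF}" if entry & ordinal_bit       # import by ordinal
                         else cstring(to_offset(entry) + 2))                 # skip the 2-byte hint
            thunk += struct.calcsize(thunk_fmt)
        result[cstring(to_offset(name_rva))] = funcs
        desc += 20
    return result


def clues(imports):
    """(dll, function, what it suggests) for each import matching a name from the slides."""
    return [(dll, fn, hint) for dll, fns in imports.items() for fn in fns
            for prefix, hint in CLUES.items() if fn.startswith(prefix)]
```

`parse_imports(build_sample_pe())` returns the two DLLs with their three functions, and `clues()` on that result flags all three: URLDownloadToFileA as a download indicator and the LoadLibrary/GetProcAddress pair as the sign of runtime linking described earlier. The length of the returned dict is the "how many DLLs" count the Dependency Walker slide refers to; a real PE is read the same way by passing `open(path, "rb").read()` instead of the constructed image, and a header that has been mangled by a packer shows up as the RVA-mapping error rather than a silent wrong answer.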
