search

Linked Libraries and Functions

hashtag
Imports

  • Functions used by a program that are stored in a different program, such as library

  • Connected to the main EXE by Linking

  • Can be linked three ways

    • Statically

    • At Runtime

    • Dynamically

hashtag
Unix and Linux: Turning C into Object Code

  • Code in files p1.c p2.c

  • Compile with command: gcc -O p1.c p2.c -o p

  • Use optimizations (-O)

  • Put resulting binary in file p

hashtag
Static Linking

  • Common in Unix and Linux

  • Rarely used for Windows executables

  • All code from the library is copied into the executable

  • Makes executable large in size

hashtag
Runtime Linking

  • Unpopular in friendly programs

  • Common in malware, especially packed or obfuscated malware

  • Connect to libraries only when needed, not when the program starts

  • Most commonly done with the LoadLibrary and GetProcAddress functions

hashtag
Dynamic Linking

  • Most common method

  • Host OS searches for necessary libraries when the program is loaded

hashtag
Clues in Libraries

  • The PE header lists every library and function that will be loaded

  • Their names can reveal what the program does

  • URLDownloadToFile indicates that the program downloads something

hashtag
Dependency Walker - Shows Dynamically Linked Functions

  • Normal programs have a lot of DLLs

  • Malware often has very few DLLs

hashtag
Exports

  • DLLs export functions

  • EXEs import functions

  • Both exports and imports are listed in the PE header

PreviousToolsNextPE File Headers and Sections

Last updated