Home
General
- Interesting Links
  - Curriculum
- Pentest Labs, Wargames Sites
  - How To Vulnhub with VirtualBox
Network Pentest
Web App Pentest
CTF
Network Security
Digital Forensics
- Autopsy - open-source digital forensics platform
Exploit Dev/Analysis
Shell
Hardware
- NAND2Tetris
Other
- K8s

Powered by GitBook

On this page

Imports
Unix and Linux: Turning C into Object Code
Static Linking
Runtime Linking
Dynamic Linking
Clues in Libraries
Dependency Walker - Shows Dynamically Linked Functions
Exports

Was this helpful?

Exploit Dev/Analysis

Static Analysis

Portable Executable File Format (PE)

Linked Libraries and Functions

PreviousTools NextPE File Headers and Sections

Last updated 4 years ago

Imports

Functions used by a program that are stored in a different program, such as library
Connected to the main EXE by Linking
Can be linked three ways
- Statically
- At Runtime
- Dynamically

Unix and Linux: Turning C into Object Code

Code in files p1.c p2.c
Compile with command: gcc -O p1.c p2.c -o p
Use optimizations (-O)
Put resulting binary in file p

Static Linking

Common in Unix and Linux
Rarely used for Windows executables
All code from the library is copied into the executable
Makes executable large in size

Runtime Linking

Unpopular in friendly programs
Common in malware, especially packed or obfuscated malware
Connect to libraries only when needed, not when the program starts
Most commonly done with the LoadLibrary and GetProcAddress functions

Dynamic Linking

Most common method
Host OS searches for necessary libraries when the program is loaded

Clues in Libraries

The PE header lists every library and function that will be loaded
Their names can reveal what the program does
URLDownloadToFile indicates that the program downloads something

Dependency Walker - Shows Dynamically Linked Functions

Normal programs have a lot of DLLs
Malware often has very few DLLs

Exports

DLLs export functions
EXEs import functions
Both exports and imports are listed in the PE header