# Linked Libraries and Functions

### Imports

* Functions used by a program that are stored in a different program, such as a library
* Connected to the main EXE by **Linking**
* Can be linked three ways
  * **Statically**
  * At **Runtime**
  * **Dynamically**

### Unix and Linux: Turning C into Object Code

* Code in files `p1.c` and `p2.c`
* Compile with command: `gcc -O p1.c p2.c -o p`
* Use optimizations (`-O`)
* Put resulting binary in file `p`

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF7ycU3cObu0jPquLCd%2F-MF7yiqs082OpaeNTHpB%2F1.png?alt=media\&token=5c7da6b5-5b33-495a-ad45-5b3bd05a915d)

### Static Linking

* Common in Unix and Linux
* Rarely used for Windows executables
* All code from the library is copied into the executable
* Makes executable large in size

### Runtime Linking

* Unpopular in friendly (non-malicious) programs
* Common in malware, especially packed or obfuscated malware
* Connects to libraries only when needed, not when the program starts
* Most commonly done with the `LoadLibrary` and `GetProcAddress` functions

### Dynamic Linking

* Most common method
* Host OS searches for necessary libraries when the program is loaded

### Clues in Libraries

* The PE header lists every dynamically linked library and function that will be loaded
* Their names can reveal what the program does
* **URLDownloadToFile** indicates that the program downloads something
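
The following is an added example, not code from the original page: a Python parser that walks the PE import directory and returns each DLL with the functions imported from it. `build_sample` and `SAMPLE` are hypothetical helpers that construct a minimal PE32 file in memory so the parser can run offline; the imported names in the sample are chosen to match the APIs named on this page.

```python
import struct

def parse_imports(pe):
    """Return {dll: [function, ...]} read from a PE32/PE32+ import directory."""
    nt, = struct.unpack_from("<I", pe, 0x3C)                 # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                            # optional header start
    plus = struct.unpack_from("<H", pe, opt)[0] == 0x20B     # PE32+ magic
    imp_rva, = struct.unpack_from("<I", pe, opt + (112 if plus else 96) + 8)
    sects = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsect)]
    def off(rva):                                            # RVA -> file offset
        for vsize, va, rsize, raw in sects:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is outside every section")
    def cstr(rva):                                           # NUL-terminated ASCII name
        start = off(rva)
        return pe[start:pe.index(b"\0", start)].decode("ascii")
    width, fmt, by_ordinal = (8, "<Q", 1 << 63) if plus else (4, "<I", 1 << 31)
    imports = {}
    for d in range(off(imp_rva), len(pe) - 19, 20) if imp_rva else ():
        oft, _, _, name, ft = struct.unpack_from("<5I", pe, d)
        if not (oft or name or ft):                          # zero descriptor ends table
            break
        funcs, t = imports.setdefault(cstr(name).lower(), []), off(oft or ft)
        while (thunk := struct.unpack_from(fmt, pe, t)[0]):
            funcs.append(f"ordinal#{thunk & 0xFFFF}" if thunk & by_ordinal else cstr(thunk + 2))
            t += width
    return imports

def build_sample(imports, va=0x1000, raw=0x200):
    """Constructed input: minimal PE32 whose single section holds the import data."""
    body = bytearray(20 * (len(imports) + 1))                # descriptors + terminator
    for i, (dll, funcs) in enumerate(imports.items()):
        rvas = []
        for s in (dll, *funcs):                              # 2 hint bytes, then name
            rvas.append(va + len(body))
            body += b"\0\0" + s.encode() + b"\0"
        thunks = va + len(body)
        body += struct.pack(f"<{len(funcs) + 1}I", *rvas[1:], 0)
        struct.pack_into("<5I", body, 20 * i, thunks, 0, 0, rvas[0] + 2, thunks)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I4sHH12xHH", 0x40, b"PE\0\0", 0x14C, 1, 224, 0x102)
    hdr += struct.pack("<H102xII", 0x10B, va, 20 * (len(imports) + 1)).ljust(224, b"\0")
    hdr += struct.pack("<8sIIII16x", b".idata", len(body), va, len(body), raw)
    return hdr.ljust(raw, b"\0") + bytes(body)

SAMPLE = build_sample({"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"], "urlmon.dll": ["URLDownloadToFileA"]})
```

Functions resolved at runtime through `LoadLibrary` and `GetProcAddress` never appear in this table, so a short import list dominated by those two names is itself a clue that the real imports are hidden.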

### Dependency Walker - Shows Dynamically Linked Functions

* Normal programs have a lot of DLLs
* Malware often has very few DLLs

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF7ycU3cObu0jPquLCd%2F-MF7zYwj22tra5dGpkDH%2F2.png?alt=media\&token=de4fd571-e21f-488c-bd39-0231cb1aab73)

![](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MF7ycU3cObu0jPquLCd%2F-MF7zbP2HQzbGGTQrUGW%2F3.png?alt=media\&token=37d483d4-95f6-4b30-9106-a3d42f81b2a0)

### Exports

* DLLs **export** functions
* EXEs **import** functions
* Both exports and imports are listed in the PE header
