## Table of Contents
- [[#What are DLL's?|What are DLL's?]]
- [[#Why do we use DLL's?|Why do we use DLL's?]]
- [[#How DLL's Work?|How DLL's Work?]]
- [[#File Contents|File Contents]]
- [[#File Structure|File Structure]]
- [[#How are they relevant in Cyber Security and Reversing?|How are they relevant in Cyber Security and Reversing?]]
- [[#How are they relevant in Cyber Security and Reversing?#DLL Attacks|DLL Attacks]]
---
## What are DLL's?
- DLL - Dynamic Link Library
- Type of file on Windows (`.dll`)
- Contains reusable code, functions and resources to be shared amongst programs
## Why do we use DLL's?
- Reduces program size, as multiple programs share the same DLLs
    - i.e. programs don't have to ship with this code or these functions.
- Saves memory as multiple programs can access the same DLL at the same time.
    - Once a DLL is loaded in memory, it can be accessed by multiple applications at once without being loaded again.
- Can extend program functionality by loading new DLLs at runtime to add new features
## How DLL's Work?
- When an executable (`.exe`) program runs, it loads the DLLs it requires either:
    - At start up (static linking)
    - While running (dynamic linking)
        - Using functions like `LoadLibrary()` or `GetProcAddress()`
## File Contents
- Functions | Windows API calls
- Classes | Methods
- Assets such as icons, images or UI elements
- Config data
- Drivers
- Cryptographic routines
- Network or file-handling logic
## File Structure
- Structured like other Windows PE (Portable Executable) files
- DOS Header & Stub
    - MZ header
    - Pointer to PE header
- PE Header (COFF Header)
    - COFF (Common Object File Format)
    - Small metadata block with information needed to load the PE
        - CPU arch
        - Number of sections
        - Build Timestamp
        - Characteristics
            - For DLLs, normally `IMAGE_FILE_DLL`
- Optional Header
    - Contains key info for loading and reversing
    - EntryPoint (`DllMain`)
        - Entry point function that receives events such as:
            - Process attach/detach
            - Thread attach/detach
    - Data directories and tables
        - Import Table
            - APIs the DLL CALLS from other modules
            - Contains:
                - DLL name (e.g., `kernel32.dll`)
                - Function name (e.g., `CreateFileW`)
        - Export Table
            - The functions that OTHER programs can call
        - Resource Table
        - Exception Table
        - Relocations
        - Debug data
- PE Sections
    - `.text`
        - Executable code (functions, logic, API calls).
        - Read-Execute perms
    - `.data`
        - Stores initialised global variables.
        - Read-Write perms
    - `.rdata`
        - Read-Only constants
        - Import/Export Tables
    - `.reloc`
        - Relocation table used if the DLL loads at a different base address.
    - `.rsrc`
        - Icons, images, manifests, version info
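
The header walk outlined above, as an added example (not part of the original notes): a minimal Python parser that follows the MZ header to the PE header, reads the COFF fields including the `IMAGE_FILE_DLL` flag, pulls the entry point from the optional header and lists each section with its permissions. The function names and the header-only sample image built by `build_sample_dll()` are constructed for illustration.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set for DLLs
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
SCN_PERMS = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))

def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF -> optional header -> sections."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # pointer to PE header
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)  # 20-byte COFF header
    opt_off = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)  # 0x10B PE32, 0x20B PE32+
    (entry_rva,) = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(nsect):  # 40-byte section headers follow the optional header
        off = opt_off + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva = struct.unpack_from("<II", data, off + 8)
        (flags,) = struct.unpack_from("<I", data, off + 36)
        perms = "".join(c if flags & bit else "-" for bit, c in SCN_PERMS)
        sections.append({"name": name, "rva": rva, "vsize": vsize, "perms": perms})
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "pe32_plus": magic == 0x20B,
            "timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}

def build_sample_dll() -> bytes:
    """Constructed, header-only x64 image (no code or data) for offline use."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x65000000, 0, 0, 240, 0x2022)
    opt = (struct.pack("<H", 0x20B) + b"\0" * 14
           + struct.pack("<I", 0x1000) + b"\0" * 220)
    def sect(name: bytes, rva: int, flags: int) -> bytes:
        return (name.ljust(8, b"\0") + struct.pack("<II", 0x200, rva)
                + b"\0" * 20 + struct.pack("<I", flags))
    return (dos + b"PE\0\0" + coff + opt
            + sect(b".text", 0x1000, 0x60000020)
            + sect(b".data", 0x2000, 0xC0000040))

if __name__ == "__main__":
    print(parse_pe_headers(build_sample_dll()))
```

To triage a real file, pass its bytes instead of the sample: `parse_pe_headers(open(path, "rb").read())`.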
## How are they relevant in Cyber Security and Reversing?
DLLs are commonly abused by threat actors using different DLL attack types.
### DLL Attacks
- DLL Sideloading [WIP]
- DLL Search Order Hijacking [WIP]
- Reflective DLL Injection [WIP]
- DLL Persistence