When tackling malware analysis, especially static analysis, you will have come across the term 'DLL' a number of times; it appears in my previous articles as well. Many of us do not fully understand what a DLL is. So, in this article, I will help you understand the term DLL, how link libraries came about, and what a DLL tells us during malware analysis. Before we dive into DLLs themselves, I will briefly explain how link libraries came to be.
Code libraries were introduced early on to speed up software development and to make it easier for teams to cooperate while building a program. As the number of applications written for different operating systems grew, developers realised that the same code was being rewritten over and over to provide identical functionality in different programs, and code libraries were the answer. These libraries have also long been a target for malware: a malicious library can be injected into the memory of another process, or a legitimate library can be impersonated so that malicious code runs under a trusted application's name.
With a code library, a function that a program needs is copied from the library into the program rather than written again. The copying is done by a program called a linker, which pulls the required functions out of the library and produces an executable file that contains everything it needs. This process is called static linking.
Static linking has its disadvantages: the same code is copied into every program that needs it, which wastes disk space, bloats the executable files, and means that a fix to a library function only reaches a program after that program has been relinked.
To overcome these limitations, dynamic linking was introduced. It allowed programs to grow richer in functionality without carrying a copy of every library inside the executable.
The difference between static and dynamic linking is that with dynamic linking the library code is not stored inside each executable. Instead, the needed library is mapped into the application's virtual address space when the application is loaded (or later, on demand), so that the application can call the library's functions directly. On Windows these libraries are what we call Dynamic Link Libraries (DLLs), and a single copy of a DLL can be shared by every process that uses it.
Dynamic Link Libraries
A DLL is a complete Portable Executable (PE) file: it has the same DOS and PE headers, sections, import table and export table as an .exe. What marks it as a DLL is the IMAGE_FILE_DLL flag in the Characteristics field of the file header, and instead of a normal program entry point it usually has a DllMain function that the loader calls when the DLL is attached to or detached from a process.
The export table (the .edata data, often merged into the .rdata section) lists the names, ordinals and addresses (as RVAs) of the functions the DLL exposes to other modules. The import table (the .idata data) lists the DLLs this module depends on and, for each one, the names or ordinals of the functions it uses; the loader resolves these to real addresses in the Import Address Table when the module is loaded. For an analyst the import table is usually the more revealing of the two, because it shows which Windows APIs the sample intends to call.
The Windows operating system ships many libraries, and malware authors rely on them just as legitimate developers do. Some of the libraries you will see most often are:
kernel32.dll: the core functionality every program needs, such as file reading and writing, memory management, and process and thread creation.
ntdll.dll: exports the Windows native API. kernel32.dll calls into this library to do its own work. Malware writers also use it directly to reach undocumented functions such as LdrLoadDll, which makes the malware's real functionality harder for reverse engineers to follow.
user32.dll: used mainly for the Windows graphical user interface (GUI), such as windows, messages and keyboard input.
advapi32.dll: used mainly for working with the registry, Windows services and the Windows cryptography API.
shell32.dll: responsible for shell operations such as launching programs and opening files (for example ShellExecute).
gdi32.dll: used for simple graphics functionality.
wininet.dll: used for high-level HTTP and FTP functions.
ws2_32.dll: the Winsock library, responsible for low-level sockets and network communication.
Therefore, when you see a file of type DLL, you know that the file targets Windows. As an example, I have used the sample below to show the role Dynamic Link Libraries play in malware analysis. I used pestudio as my tool for this example.
From the screenshot above, we can see that the file type of this sample is a Dynamic Link Library, so we can conclude that its target operating system is Windows. We can also see that the target architecture is 32-bit (x86).
Depending on its main functionality, a piece of malware will use different libraries. Earlier in this article I took you through the common libraries of a Windows operating system and their purpose.
In the image below, we can see the libraries this sample imports in order to perform its functions. Just from this list we can form a hypothesis about what the malware will try to do once it is installed or executed on your machine.
I went a step further and looked at the imports and exports sections. I realised that this sample has no exports, meaning it exposes no functions of its own to other modules, but it imports a good number of functions. The image below is a glimpse of its import section.
We can see that the malware will try to load the user's profile, modify the registry, duplicate socket handles into a target process, and close sockets, among other things.
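To make the import and export tables concrete, here is an added example written for this article; it is not pestudio's code and it does not use the sample shown in the screenshots. Because that sample is not reproduced here, build_sample_dll constructs a minimal 32-bit DLL image in memory (the DLL name, exported function names, imported function names and code RVAs in it are made up), and parse_pe then reads it the way a triage tool does: it checks the IMAGE_FILE_DLL flag to tell a DLL from an .exe, reads the machine type for the architecture, maps RVAs to file offsets through the section table, and walks the export directory and the import descriptors. It goes a little beyond the article by also handling PE32+ (64-bit) thunks and imports by ordinal, which appear as "#n". The DLL_HINTS table reproduces the article's list of common libraries so the imports can be turned into the same quick summary of capabilities.

```python
import struct

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Capability hints for the common system DLLs listed in the article.
DLL_HINTS = {"kernel32.dll": "core file/process/memory APIs", "ntdll.dll": "native API",
             "advapi32.dll": "registry, services, crypto", "user32.dll": "GUI",
             "shell32.dll": "shell (launching files)", "wininet.dll": "HTTP/FTP",
             "ws2_32.dll": "raw sockets (Winsock)", "gdi32.dll": "graphics"}


def parse_pe(data):
    """Return file type, architecture, exports and imports of a PE image (EXE or DLL)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header: not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                  # optional header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dd = opt + (112 if pe32plus else 96)                           # DataDirectory[16]
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva2off(rva):                                              # RVA -> file offset
        for _, vsize, va, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    def cstr(rva):
        off = rva2off(rva)
        return data[off:data.index(b"\0", off)].decode()

    exports = []
    exp_rva, _ = struct.unpack_from("<II", data, dd)               # DataDirectory[0] = export
    if exp_rva:
        (_, _, _, _, _, base, _, nnames, fn_tbl, name_tbl,
         ord_tbl) = struct.unpack_from("<IIHHIIIIIII", data, rva2off(exp_rva))
        for i in range(nnames):
            name_rva = struct.unpack_from("<I", data, rva2off(name_tbl) + 4 * i)[0]
            ordn = struct.unpack_from("<H", data, rva2off(ord_tbl) + 2 * i)[0]
            fn_rva = struct.unpack_from("<I", data, rva2off(fn_tbl) + 4 * ordn)[0]
            exports.append((cstr(name_rva), base + ordn, fn_rva))

    imports = {}
    imp_rva, _ = struct.unpack_from("<II", data, dd + 8)           # DataDirectory[1] = import
    width, fmt, by_ordinal = (8, "<Q", 1 << 63) if pe32plus else (4, "<I", 1 << 31)
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                          # null descriptor ends the list
            break
        funcs, thunk = [], rva2off(oft or ft)                      # prefer the unbound thunks
        while (t := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            # Ordinal imports set the top bit; name imports point at a 2-byte hint + name.
            funcs.append(f"#{t & 0xFFFF}" if t & by_ordinal else cstr((t & 0x7FFFFFFF) + 2))
            thunk += width
        imports[cstr(name_rva).lower()] = funcs
        off += 20
    return {"is_dll": bool(chars & IMAGE_FILE_DLL), "machine": MACHINES.get(machine, hex(machine)),
            "exports": exports, "imports": imports}


def capability_hints(info):
    """Map each imported DLL to the capability category the article associates with it."""
    return {dll: DLL_HINTS.get(dll, "unknown") for dll in info["imports"]}


def build_sample_dll():
    """Construct a minimal 32-bit DLL image in memory (made up here; not a real sample)."""
    SEC_RVA, SEC_RAW = 0x1000, 0x200
    sec = bytearray()

    def put(blob):                                                 # append to the section, return its RVA
        rva = SEC_RVA + len(sec)
        sec.extend(blob)
        return rva

    # Export directory: two functions exported by name, pointing at fake code RVAs.
    dll_name = put(b"sample.dll\0")
    names = [put(b"DllRegisterServer\0"), put(b"Start\0")]
    fn_tbl, name_tbl, ord_tbl = put(struct.pack("<II", 0x1100, 0x1140)), put(struct.pack("<II", *names)), put(struct.pack("<HH", 0, 1))
    exp_dir = put(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name, 1, 2, 2, fn_tbl, name_tbl, ord_tbl))

    # Import descriptors: names, plus one import by ordinal (#23) to exercise that path.
    wanted = [(b"KERNEL32.dll", [b"CreateFileA", b"WriteFile"]),
              (b"ADVAPI32.dll", [b"RegSetValueExA"]),
              (b"WS2_32.dll", [b"connect", 23])]
    descs = b""
    for dll, entries in wanted:
        name_rva = put(dll + b"\0")
        thunks = [0x80000000 | e if isinstance(e, int) else put(b"\0\0" + e + b"\0") for e in entries]
        blob = struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)
        descs += struct.pack("<IIIII", put(blob), 0, 0, name_rva, put(blob))   # OFT, ..., Name, FT
    imp_dir = put(descs + bytes(20))

    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # x86, EXECUTABLE|32BIT|DLL
    opt_hdr = struct.pack("<H", 0x10B) + bytes(94)                 # PE32 magic; other fields zeroed
    dirs = struct.pack("<IIII", exp_dir, 40, imp_dir, len(descs) + 20) + bytes(8 * 14)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(sec), SEC_RVA, len(sec), SEC_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + file_hdr + opt_hdr + dirs + sec_hdr
    return hdr + bytes(SEC_RAW - len(hdr)) + bytes(sec)


if __name__ == "__main__":
    info = parse_pe(build_sample_dll())
    print("DLL:", info["is_dll"], "| machine:", info["machine"], "| exports:", info["exports"])
    for dll, funcs in info["imports"].items():
        print(f"{dll:<14} {DLL_HINTS.get(dll, '?'):<30} {', '.join(funcs)}")
```

To run it against a real file, replace build_sample_dll() with open(path, "rb").read(). A sparse or empty import table is itself a finding: a sample that resolves its APIs at runtime through LoadLibrary and GetProcAddress (or LdrLoadDll) will show little here, which is exactly why the strings and dynamic analysis that follow are needed.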
With the information collected so far we already have a glimpse of the malware's functionality, so we can move on to the strings and use them to confirm it. Dynamic analysis will then give us a clear view by letting us monitor the malware's behaviour as it runs. Keep in mind that the import table only shows the APIs the sample links to statically; a sample that resolves its APIs at runtime with LoadLibrary and GetProcAddress (or LdrLoadDll) will show a sparse import table, and that in itself is a useful hint.
Article by Christine Wambiru. Wambiru is a final-year student in the Bachelor of Science (Mathematics and Computer Science) programme at Machakos University. She is passionate about tech, especially cybersecurity. She is a vibrant member of SheHacks KE and a trainer; she has trained on information gathering and social engineering. Engage with her on her socials: LinkedIn: Christine Wambiru, Twitter: @cwambiru