This document discusses static and dynamic linking of libraries in Windows. It explains how dynamic linking loads libraries into memory alongside applications rather than copying code into each executable. It then covers dynamic link libraries (DLLs) and how their exported functions can be accessed via name or index number. The document focuses on DLL injection techniques used by malware to manipulate process execution, including loading a malicious DLL via the LoadLibrary and GetProcAddress APIs or modifying registry entries.

1. DLLInjection

2. Static Linking
• Code libraries (.lib) include lots of functions to be copied to
your program when required.
• So, there is no need to reinvent the wheel and rewrite these
functions again.
• This is done by a program called a linker, which basically
copies the needed functions into a program and generates
the executable file with all the needed functions inside.
• This process is called the static linking.

3. Dynamic Linking
• Statically linked libraries lead to having the same code
copied repeatedly inside each program.
• That might lead to the loss of hard disk space and
increases the size of the executable files.
• Dynamic linking allows programs to expand more and
become more functionality-rich.
• Instead of storing the code inside each executable, any
needed library is loaded beside each application in the
same virtual memory.
• These libraries are named Dynamic Link Libraries (DLLs).

4. Dynamic link libraries
• Not all library functions are exported as some of them are for internal use.
• But the functions that are exported can be accessed through its name or its ordinal
number (index number).
• They are called Application Programming Interfaces (APIs).
• APIs are those exported functions in any library that any application can call or
interact with
• Some of known Windows DLLs:
• kernel32.dll
• ntdll.dll
• user32.dll
• advapi32.dll

5. Dynamic API Loading
• It's very common in malware code to obscure the name of the libraries
and the APIs that they are using to hide their functionality from static
analysis using what's called dynamic API loading.
• Dynamic API loading is supported by Windows using two very well-known
APIs :
• LoadLibraryA: This API loads a dynamic link library into the virtual
memory of the calling program and returns its address (variations
include LoadLibraryW, LoadLibraryExA, and LoadLibraryExW).
• GetProcAddress: This API gets the address of an API given its name
and the address of the library that contains this API.
• By calling these two APIs, the malware is able to access APIs that are not
written in the import table and are totally hidden from the eyes of the
reverse engineer.

6. DLL Injection
• The Windows operating system allows processes to load dynamic link libraries
into other processes for security reasons, sandboxing, or even graphics.
• DLL injection is used to manipulate the execution of a running process.
• DLL injection primarily tricks an application to call a malicious DLL file which
then gets executed as part of the target process.
• DLL injection can be divided into 4 steps:
• 1. Attach to the process
• 2. Allocate Memory within the process
• 3. Copy the DLL or the DLL Path into the processes memory and determine
appropriate memory addresses
• 4. Instruct the process to Execute your DLL

7. Windows Supported DLL Injection
• Windows has created registry entries for DLLs so that they can be loaded in every process that meets
certain criteria.
• Many of them allow the malware DLL to be injected into multiple processes, including browsers and
other legitimate processes.
• Most common ones:
HKEY_LOCAL_MACHINESOFTWARE
MicrosoftWindowsNTCurrentVers
ionWindowsAppInit_DLLs
• The libraries included in
this path are loaded
together with every
process that loads
user32.dll.

8. Windows Supported DLL Injection (Cont.)
• Other commonly misused registry key:
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSessionManagerAppCertDlls
• The libraries in this registry entry are loaded in each process that calls at least one of the following
Win32 API functions:
• CreateProcess
• CreateProcessAsUser
• CreateProcessWithLogonW
• CreateProcessWithTokenW
• WinExec
• This allows the malware to be injected into most browsers as many of them create child processes to
manage different tabs and other applications as well.

9. Windows Supported DLL Injection (Cont.)
Autoruns from Sysinternals, allows you to see whether any of these registry entries have
been exploited for malicious use on the current system.
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

10. Another DLL Injection Technique
• This technique uses the LoadLibrary API to load a
malicious library using Windows PE loader and execute its
EntryPoint.
• The main goal is to inject the path of the malicious DLL
into the process using the VirtualAllocEx API and
WriteProcessMemory.
• Then, it creates a thread into that process using
CreateRemoteThread, with the address of the LoadLibrary
API as the thread start address.
• When passing the DLL path as an argument to that thread
(which is passed to the LoadLibrary API), the Windows PE
loader will load that DLL into the process and execute its
code flawlessly.

11. Another DLL Injection Technique (Cont.)
• The exact steps the malware generally follows are like so:
1. Get the targeted process handle via its PID using the OpenProcess API. This
handle will be used to access, read, and write to this process.
2. Allocate a space in that process virtual memory using the VirtualAllocEx API.
This space will be used to write the full path of the malicious DLL file.
3. Write to the process using the WriteProcessMemory API. Write the path of
the malware DLL.
4. Load and execute this DLL using CreateRemoteThread and give
the LoadLibraryA address as the start address and the address of the DLL path
as an argument.

12. References
• http://blog.opensecurityresearch.com/2013/01/windows-dllinjection-basics.html
• https://www.packtpub.com/product/mastering-malware-analysis/9781789610789