Hi, if you know what DLLs are or you just want to see how to make them and use them you can skip to (coming soon).
For everyone else: DLL files, or Dynamic Link Libraries, contain resources an application needs in order to run. Many programs on Windows rely on these libraries to work as expected, so we can see a DLL as a resource that many programs share.
I think of DLLs as airport screens and people as programs. In this context, when a person (the program) needs to know which gate to go to, they look at the screen (the DLL). This allows many people to use the screen, just as many programs use a DLL at the same time.
Some of the advantages of this are:
- We can reuse code from different DLLs without needing to add those libraries to our file (less disk usage)
- Modular programs: we can create specialized DLLs (graphics, math, network) and use them in an application
DLLs also have some disadvantages. The environment for all DLLs is the same, so no policy can be applied in a granular way. Problems also arise if we program DLLs incorrectly, for example by not following the convention for functions meant to be called through rundll32. Another disadvantage is that you cannot see which DLL was used in Task Manager. It will appear as rundll32.exe, so it's difficult to find the exact DLL that was used.
Also, an interesting detail: rundll32.exe is named that way because in Windows 95 rundll.exe was the 16-bit version.
So with that we can see that rundll32 is important for programs; many of us may have gotten errors because of a missing DLL, which shows that DLLs are being used constantly. But should we use them? The answer will vary: if you are a programmer, try to avoid this if possible; if you are a pentester, you must know how to use DLLs and rundll32; and if you are a defender, knowing how they work will give you a better chance to detect abnormal behavior. In the next post we will dive into rundll32, how it is used normally, and some ways to use it as a pentester. We will see how DLLs and rundll are our friends.
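The command line of the rundll32.exe process does name the DLL and the exported function, so process-creation logs can answer what the process name alone cannot. The following is an added example, not part of the original post: a Python parser for the documented `rundll32.exe <dll>,<entry point> [arguments]` form, run over constructed command lines. The function names, sample paths and the `C:\Windows` grouping are assumptions made for illustration.

```python
import re

# Documented form: rundll32.exe <dll>,<entry point> [arguments]
RUNDLL32 = re.compile(
    r'''^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+        # host binary, optionally quoted
        (?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+))    # DLL path, quoted or bare
        \s*,\s*(?P<entry>[^\s,]+)                  # exported name or #ordinal
        (?:\s+(?P<args>.*))?$                      # whatever is passed to the function
    ''',
    re.IGNORECASE | re.VERBOSE,
)

def parse_rundll32(cmdline):
    """Return the DLL, entry point and arguments of a rundll32 command line, or None."""
    m = RUNDLL32.match(cmdline)
    if m is None:
        return None
    return {"dll": m.group("qdll") or m.group("dll"),
            "entry": m.group("entry"),
            "args": m.group("args") or ""}

def dll_location(dll):
    """Coarse grouping for triage; C:\\Windows as the system directory is an assumption."""
    p = dll.lower()
    if "\\" not in p and "/" not in p:
        return "bare-name"      # no path given: the loader's search order decides
    if p.startswith("c:\\windows\\"):
        return "windows-dir"
    return "other-path"

# Constructed sample command lines, as a process-creation log would record them.
SAMPLES = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Example App\helper.dll",OpenSettings /tab 2',
    r'rundll32.exe C:\Users\alice\AppData\Local\Temp\example.dll,#1',
    r'notepad.exe C:\notes.txt',
]

def triage(cmdlines):
    """Map each rundll32 invocation to (dll, entry, location); skip other processes."""
    rows = []
    for line in cmdlines:
        parsed = parse_rundll32(line)
        if parsed:
            rows.append((parsed["dll"], parsed["entry"], dll_location(parsed["dll"])))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```
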
More information:
- Rundll32 and not Rundll: https://devblogs.microsoft.com/oldnewthing/20140408-00/?p=1303
- Use rundll: don't use it: https://devblogs.microsoft.com/oldnewthing/20130104-00/?p=5643
- Calling convention gore: https://devblogs.microsoft.com/oldnewthing/20040115-00/?p=41043
- Don't use rundll32: https://devblogs.microsoft.com/oldnewthing/20110909-00/?p=9683
- DLL data: https://stackoverflow.com/questions/2959998/can-the-same-dll-data-be-shared-by-2-different-processes
- DLL documentation (Microsoft): https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library