  • chroniccommand
    Posts: 1,389
    [Paper: DLLs]
    [Author: Chroniccommand]
    [E-Mail: chroniccommand@gmail.com]
    [iExploit]

    [Introduction]
    Well, I'm back (I guess). I've been away for quite some time and I haven't really been in the security game lately, but I've decided to write a brief paper to get me started. This article is simply about DLLs in Windows. I'll start by explaining the basics of DLLs, how they work, etc. I'll get into DLL hijacking and injecting near the end and provide some links to learn more about them.
    ------------------------------------------------

    [DLLs]
    The first thing you're going to need to know for DLL injecting/hijacking is what a DLL is. DLL stands for Dynamic Link Library. Basically, a DLL is a shared library using the Portable Executable (PE) file format. A DLL works sort of like an EXE, but cannot be executed if it is not linked to an executable program. The advantage to this is that DLLs won't take up RAM while the program is running. Once the program needs something that is in the DLL, it runs it. If the code isn't needed, it isn't used. If the DLL needs to be updated at all, it will not need to be re-linked to the executable that uses it. Additionally, a DLL will run within the same space as the linked executable with similar permissions (unless otherwise granted).
    DLLs are loaded either at load time or at run time. During load time the program will call the DLL using a header file and a lib file. DLLs are generally created in C++ nowadays, but can be created in a number of other programming languages.
    If you look in a folder for some programs, you should notice some DLLs within the same folder.
    Example:
    http://desmond.imageshack.us/Himg138/scaled.php?server=138&filename=dll1.png&res=medium
    The image is from a program known as Dolphin(Gamecube/Nintendo Wii emulator).
    Those DLLs will be called at run or load time by Dolphin to perform different tasks.

    A program called Resource Hacker can actually analyze DLLs and EXEs for you and display some information about them. As an example I chose explorer.exe (Windows Explorer), located in
    C:\Windows\

    Explorer has many things you can view in Resource Hacker, such as bitmaps for icons that are used:
    http://img14.imageshack.us/img14/333/dll2.png
    That is obviously the Start icon, which can also be changed and customized to your liking with Resource Hacker.
    Another example, the executable information viewed within Resource Hacker:
    http://img14.imageshack.us/img14/7509/dll3.png
    -----------------------------------------------------

    [DLL hijacking]
    DLL hijacking is something I won't go into in depth, and I will leave you some good links to read up on it. But basically, DLL hijacking is the act of replacing an original DLL with a malicious DLL in the same working directory. When the linked executable runs the DLL, it will run the attacker's malicious code. When this exploit was discovered, tons of zero-days were unearthed in many major programs, including Adobe Reader and iTunes.
    Links to read up on DLL hijacking:
    Metasploit: Exploiting DLL hijacking flaws
    Exploiting dll hijack in real world
    DLL hijacking vulnerabilities
    ----------------------------------------------------
    [DLL Injection]
    DLL injecting is the process of injecting malicious code into a program by inserting your own DLL. Sound familiar? Yeah, it's somewhat like buffer overflows, where you rewrite EIP to jump to code you would like to execute, but that's for a different paper. DLL injecting can be done in a variety of different ways. In a tutorial written by Robert Kuster, Robert lists 3 different techniques:
    1. Windows Hooks
    2. The CreateRemoteThread & LoadLibrary Technique
    3. The CreateRemoteThread & WriteProcessMemory Technique
    In this same tutorial, Robert creates a demo program which can gain hidden password text from a program and display it in plain text. It's most definitely worth a read for those interested, and is a great tutorial.

    Three Ways to Inject Your Code into Another Process
    DLL Injection and function interception tutorial
    -----------------EOF-----------------
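The hijacking section above talks about "the same working directory", but what actually decides which copy of a DLL wins is the loader's search order, and the KnownDLLs list short-circuits it for core system DLLs. The script below is an added example (not code from the paper or from any of the linked articles) that models that order over a constructed directory layout: the Dolphin install path, the System32 contents, the imports list and the writable directories are all assumptions made up for the demo, and the KnownDLLs set is an abridged stand-in for the registry list. It reports where each import would resolve from and which imports an attacker could preempt by planting a same-named file in a directory that is searched earlier, including the "phantom DLL" case where the import is not installed anywhere.

```python
"""Model of the Windows DLL search order: where each import of an executable
is resolved from, and which imports could be preempted by planting a
same-named DLL in a directory the loader searches earlier."""
import ntpath
import os
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Abridged, constructed subset of the KnownDLLs registry list
# (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs).
# Names on that list are mapped from System32 and never searched for on disk.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "gdi32.dll", "advapi32.dll", "ole32.dll", "shell32.dll"}

FileCheck = Callable[[str], bool]


def search_order(app_dir: str, system32: str, windows_dir: str, cwd: str,
                 path_dirs: Iterable[str], safe_mode: bool = True) -> List[str]:
    """Directories in the order LoadLibrary tries them for a bare DLL name.
    With SafeDllSearchMode on (the default) the current working directory
    comes after the Windows directories; with it off it comes right after
    the application directory."""
    system16 = ntpath.join(windows_dir, "System")  # 16-bit system directory
    if safe_mode:
        return [app_dir, system32, system16, windows_dir, cwd, *path_dirs]
    return [app_dir, cwd, system32, system16, windows_dir, *path_dirs]


def resolve_dll(name: str, dirs: List[str],
                exists: FileCheck = os.path.isfile) -> Optional[Tuple[int, str]]:
    """(index into dirs, full path) of the copy the loader would take, or
    None when no directory in the order holds it (a 'phantom' DLL).
    KnownDLLs are handled in hijack_candidates, not here."""
    for i, d in enumerate(dirs):
        candidate = ntpath.join(d, name)
        if exists(candidate):
            return i, candidate
    return None


def hijack_candidates(imports: Iterable[str], dirs: List[str],
                      writable: Set[str],
                      exists: FileCheck = os.path.isfile) -> Dict[str, str]:
    """Map each preemptable import to the path an attacker would plant it
    at: the first attacker-writable directory searched before the one the
    DLL really lives in (any directory at all for a phantom DLL)."""
    found: Dict[str, str] = {}
    for name in imports:
        if name.lower() in KNOWN_DLLS:
            continue  # loader takes these from the KnownDLLs section, not disk
        hit = resolve_dll(name, dirs, exists)
        searched_first = dirs[:hit[0]] if hit else dirs
        for d in searched_first:
            if d in writable:
                found[name] = ntpath.join(d, name)
                break
    return found


# Constructed demo layout (nothing is read from disk): a Dolphin install
# that ships SDL.dll itself, imports three DLLs it expects from System32,
# and one optional DLL that is not installed anywhere.
DEMO_APP = r"C:\Program Files\Dolphin"
DEMO_SYS32 = r"C:\Windows\System32"
DEMO_WIN = r"C:\Windows"
DEMO_CWD = r"C:\Users\alice\Downloads"
DEMO_PATH = [r"C:\Tools"]
DEMO_IMPORTS = ["kernel32.dll", "SDL.dll", "version.dll", "dwmapi.dll", "wintab32.dll"]
DEMO_FS = {ntpath.join(DEMO_APP, "SDL.dll")} | {
    ntpath.join(DEMO_SYS32, n) for n in ("kernel32.dll", "version.dll", "dwmapi.dll")}
demo_exists: FileCheck = DEMO_FS.__contains__


if __name__ == "__main__":
    order = search_order(DEMO_APP, DEMO_SYS32, DEMO_WIN, DEMO_CWD, DEMO_PATH)
    for dll in DEMO_IMPORTS:
        print(f"{dll:14} -> {resolve_dll(dll, order, demo_exists)}")
    print("writable CWD, safe mode:    ",
          hijack_candidates(DEMO_IMPORTS, order, {DEMO_CWD}, demo_exists))
    print("writable app dir:           ",
          hijack_candidates(DEMO_IMPORTS, order, {DEMO_APP}, demo_exists))
    unsafe = search_order(DEMO_APP, DEMO_SYS32, DEMO_WIN, DEMO_CWD, DEMO_PATH, safe_mode=False)
    print("writable CWD, safe mode off:",
          hijack_candidates(DEMO_IMPORTS, unsafe, {DEMO_CWD}, demo_exists))
```

To run it against a real box, build the order from the real directories and drop the `exists` argument so `os.path.isfile` is used. The three demo runs show the point that matters in practice: with SafeDllSearchMode on, a writable working directory only gets you the DLL that is missing everywhere (`wintab32.dll`), a user-writable application directory gets you every non-KnownDLL import that lives in System32, and turning SafeDllSearchMode off puts the working directory ahead of System32 again.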
  • Praxis
    Posts: 20
    Thanks for this paper, you've actually got me pretty interested now :D One question (and excuse me if it's a stupid one), but how easy are the malicious DLL files to detect on a victim's system? Will an AV notice that something funky is going on at all?
  • chroniccommand
    Posts: 1,389
    Praxis said:
    "Thanks for this paper, you've actually got me pretty interested now :D One question (and excuse me if it's a stupid one), but how easy are the malicious DLL files to detect on a victim's system? Will an AV notice that something funky is going on at all?"
    Depends on what it is. I believe most AVs will detect malicious DLLs especially for bigger programs, but of course there are ways to get around that.
  • Xin
    Posts: 3,251
    Chronic, you're back! Good guide btw
    Xin
  • undead
    Posts: 822
    It's nice to see you're back chronic, nice paper!