In the Microsoft Windows ecosystem, DLLs (Dynamic Load Libraries) are PE files like regular programs. One of the main differences is that they export functions that can be called by programs that load them. By example, to call RegOpenKeyExA(), the program must first load the ADVAPI32.dll. A PE files has a lot of headers (metadata) that contain useful information used by the loader to prepare the execution in memory. One of them is the EntryPoint, it contains the (relative virtual) address where the program will start to execute.<\/p>\n
The second parmeter\u00a0indicates why the DLL entry-point function is being called:<\/p>\n Note that this function is optional but it is usually implemented to prepare the environment used by the DLL like loading resources, creating variables, etc… Microsoft recommends also to avoid performing sensitive actions at that location.<\/p>\n Many maware are deployed as DLLs because it’s more challenging to detect. The tool regsvr32.exe[2<\/a>] is a classic attack vector because it helps to register a DLL in the system (such DLL will implement a DllRegisterServer() function). Another tool is rundll32.exe[3<\/a>]\u00a0that allows to call a function provided by a DLL:<\/p>\n When a suspicious DLL is being investigated, the first reflex of many Reverse Engineers is\u00a0to\u00a0look at the exported function(s) but don’t pay attention to the entrypoint. They look at the export table:<\/p>\n This DllMain()\u00a0is a very nice place where threat actors could store malicious code that will probably\u00a0remains below the radar if you don\u2019t know that this EntryPoint exists. I wrote a proof-of-concept\u00a0DLL that executes some code once loaded (it will just pop up a calc.exe). Here is the simple code:<\/p>\n <\/p>\n And now, a simple program used to load my\u00a0DLL:<\/p>\n <\/p>\n Let’s compile the DLL, the loader and execute it:<\/p>\n When the DLL is loaded with LoadLibraryA(), the calc.exe process is spawned automatically, even if no DLL function is invoked!<\/p>\n Conclusion: Always have a quick look at the DLL entry point!<\/p>\n [1]\u00a0https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/dlls\/dllmain<\/a> Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251212-1.png?ssl=1\")
\nIn case of a DLL, there is also an entry point called logically the DLLEntryPoint.\u00a0The code located at this address will be executed when the library is (un)loaded. The function executed is called DllMain()[1<\/a>] and expects three parameters:<\/p>\n\nBOOL WINAPI DllMain(\n\u00a0 _In_ HINSTANCE hinstDLL, \n\u00a0 _In_ DWORD fdwReason, \n\u00a0 _In_ LPVOID lpvReserved\n);\n<\/pre>\n
\n
\nC:> rundll32.exe mydll.dll,myExportedFunction<\/pre>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251212-3.png?ssl=1\")
<\/p>\n\n\/\/ evildll.cpp\n#include <windows.h>\n#pragma comment(lib, \"user32.lib\")\n\nextern \"C\" __declspec(dllexport) void SafeFunction() {\n \/\/ Simple exported function\n MessageBoxA(NULL, \"SafeFunction() was called!\", \"evildll\", MB_OK | MB_ICONINFORMATION);\n}\n\nBOOL APIENTRY DllMain(HMODULE hModule,\n DWORD ul_reason_for_call,\n LPVOID lpReserved) {\n switch (ul_reason_for_call) {\n case DLL_PROCESS_ATTACH:\n {\n \/\/ Optional: disable thread notifications to reduce overhead\n DisableThreadLibraryCalls(hModule);\n\n STARTUPINFOA si{};\n PROCESS_INFORMATION pi{};\n si.cb = sizeof(si);\n char cmdLine[] = \"calc.exe\";\n\n BOOL ok = CreateProcessA(NULL, cmdLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);\n if (ok) {\n CloseHandle(pi.hThread);\n CloseHandle(pi.hProcess);\n } else {\n \/\/ optional: GetLastError() handling\/logging\n }\n break;\n }\n case DLL_THREAD_ATTACH:\n case DLL_THREAD_DETACH:\n case DLL_PROCESS_DETACH:\n break;\n }\n return TRUE;\n}<\/pre>\n\n\/\/ loader.cpp\n#include <windows.h>\n#include <stdio.h>\n\ntypedef void (*SAFEFUNC)();\n\nint main()\n{\n \/\/ Load the DLL\n HMODULE hDll = LoadLibraryA(\"evildll.dll\");\n if (!hDll)\n {\n printf(\"LoadLibrary failed (error %lu)n\", GetLastError());\n return 1;\n }\n printf(\"[+] DLL loaded successfullyn\");\n\n \/\/ Resolve the function\n SAFEFUNC SafeFunction = (SAFEFUNC)GetProcAddress(hDll, \"SafeFunction\");\n if (!SafeFunction)\n {\n printf(\"GetProcAddress failed (error %lu)n\", GetLastError());\n FreeLibrary(hDll);\n return 1;\n }\n printf(\"[+] SafeFunction() resolvedn\");\n\n \/\/ Call the function\n SafeFunction();\n\n \/\/ Unload DLL\n FreeLibrary(hDll);\n\n return 0;\n}<\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251212-2.png?ssl=1\")
<\/p>\n
\n[2]\u00a0https:\/\/attack.mitre.org\/techniques\/T1218\/010\/<\/a>
\n[3]\u00a0https:\/\/attack.mitre.org\/techniques\/T1218\/011\/<\/a><\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n