Many people still do not know what a "DLL Trojan" actually is. What exactly is a "DLL"? How does a DLL Trojan differ from an ordinary Trojan? With these questions in mind, let's start this revealing journey together!
First, where the DLL comes from
To understand what a "DLL Trojan" is, you must first know what a "DLL" is. The story goes back to the DOS era. Writing programs under DOS was tedious, because every program's code had to be self-contained: even a common, everyday function had to be written again in each program. As programming technique matured, programmers began collecting frequently used code (that is, common code) into a separate file, and that file was called a library. When writing a program, you handed the library file to the compiler and linker and could use everything the library contained without writing it yourself; this technique is called static linking. Static linking let tired programmers breathe a sigh of relief, and for a while everything seemed fine. Its biggest drawback, however, is the waste of resources: the library code is copied into the final program, so a program that wants only one graphics routine from a library still carries that routine (and, depending on how the library is built, much of what sits beside it) inside its own executable. Ten programs that use the same library carry ten copies of the same code on disk and in memory. Static linking makes the final program large, because the linked library code travels with every program that uses it.
Technology keeps moving, and because static linking has unavoidable drawbacks, people looked for a better solution to duplicated code. With the arrival of Windows came a new technique, the dynamic link library, which also uses a library file: the DLL. Dynamic linking, like static linking, collects common code into separate files, but the DLL is itself a compiled program file, and Microsoft gave these files a defined interface for exchanging data with the programs that use them. When a program wants to use a function from a library file, the system loads (maps) the DLL into the calling program's address space, the program calls the function through that interface, and the function returns its result to the program. The DLL is not unloaded after each call: it stays mapped in the process until the program releases it or exits, and the same DLL can be mapped into many processes at once while sharing one copy of its code in physical memory, which is the "sharing" Microsoft was after. Whatever program you write, you only have to declare the relevant DLL calls in your code to use the DLL's full functionality, and the program you ship no longer carries a pile of code it does not need.
The birth of the DLL made writing programs a much simpler affair: Windows provides thousands of functional interfaces, enough to meet the needs of most programmers. The Windows system itself is built from thousands of DLL files that support one another and together make up the operating system. If Windows still used static linking, its size would be unthinkable.
Second, what is an API
What is the "interface" mentioned above? A DLL cannot be stuffed into a program the way a static library is, so there has to be a way for the program to find the code it wants inside the file. Microsoft defined a standard for DLLs: each DLL file clearly labels the functions it makes available (its exports, listed by name and by ordinal number), and a program only has to look up the name it needs according to that standard to call the function. This is the API (Application Programming Interface). Each DLL has its own interface, and together they minimize duplicated program code. In Windows, the three most basic DLL files are kernel32.dll, user32.dll and gdi32.dll; together they form the basic system framework.
Third, DLLs and Trojans
A DLL is compiled code, and it is not very different from an ordinary program, except that it cannot run on its own and must be loaded by a program. So what does a DLL have to do with a Trojan horse? If you learn to program and write a DLL yourself, you will find that the DLL's code is almost identical to that of any other program; only the interface and the way it starts differ. Change the code's entry point and the DLL becomes a stand-alone program.
Of course a DLL file is not program logic in the same sense; a DLL is not an EXE. A DLL can still be viewed as a program missing its main entry point, and the functions it contains can be regarded as the function modules of a program. Take the code that implements a Trojan's functionality, add some special code and build it as a DLL file, export some plausible-looking APIs, and to an outside observer it is just an ordinary DLL, yet it carries a complete Trojan. That is the idea of the DLL Trojan. Some may ask: if the same code can implement the Trojan's functions, why not build it as a program directly, why bother writing a DLL? The answer is concealment. At run time a DLL hangs directly inside the process of the program that loaded it and creates no process of its own, so compared with the traditional EXE Trojan it is much harder to spot in the process list. For the defender the consequence is that the process list alone is not enough: you have to look at which modules each process has loaded and where on disk they were loaded from (Process Explorer or `tasklist /m` will show this), because the malicious code lives inside a process that is itself legitimate.
Fourth, how a DLL runs
Although a DLL cannot run on its own, Windows still expects an entry point when it loads one, much like main in an EXE. By the authoring convention that entry point is the function DllMain: the loader finds it through the entry-point address recorded in the DLL's PE header and calls it when the DLL is loaded into a process (and again when it is unloaded, and as threads start and stop). DllMain is not exported as an API; it is an internal function of the DLL. It does not "keep the DLL in memory": the DLL stays mapped as long as the program that loaded it holds a reference to it, and if DllMain returns FALSE during process attach the load fails. Some DLLs appear to have no DllMain at all and still work. That is because when the source contains none, the runtime library supplies a default DllMain that does nothing, so the DLL loads normally; and a DLL whose header records no entry point at all is simply loaded without any entry function being called. None of this means a DLL Trojan needs DllMain for concealment in the other direction: whatever code DllMain contains runs the moment the DLL is loaded, before the host program has called a single exported function, which is exactly why a DLL Trojan does not need anyone to call its "interface" at all.
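The two mechanisms the article relies on, the export table that other programs see (the "API" of the second section) and the entry point the loader calls before any export is used (this section), are both plain fields in the PE file format, so they can be inspected without loading the DLL at all. The following Python is an added example and not code from the original article: it constructs a minimal PE32 DLL image in memory (constructed test data, with made-up export names `Plugin_Init` and `Plugin_Query` and the name `demo.dll`, no real DLL is involved) and then walks the headers the way the Windows loader does, reading the DLL flag, the entry-point RVA and the exported names. A second image is built with no entry point to show that the loader then simply has nothing to call. Field offsets and flag values (`IMAGE_FILE_DLL` = 0x2000, data directory 0 = export table) are from the PE specification; everything else is an assumption of this example.

```python
import struct

SEC_RVA, SEC_OFF = 0x1000, 0x200   # where the single section lives in memory and in the file


def build_dll_image(export_names, dll_name=b"demo.dll", with_entry=True):
    """Construct a minimal PE32 DLL image (constructed test data, not a real DLL):
    one section holding an export directory, the exported names, and `ret` stubs
    standing in for the exported functions and for DllMain."""
    n = len(export_names)
    funcs_rva = SEC_RVA + 40              # export directory is 40 bytes, then AddressOfFunctions
    names_rva = funcs_rva + 4 * n         # AddressOfNames
    ords_rva = names_rva + 4 * n          # AddressOfNameOrdinals
    strings_rva = ords_rva + 2 * n
    strings, name_rvas = bytearray(), []
    for s in [dll_name, *export_names]:
        name_rvas.append(strings_rva + len(strings))
        strings += s + b"\0"
    code_rva = strings_rva + len(strings)
    edir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, name_rvas[0], 1, n, n, funcs_rva, names_rva, ords_rva)
    funcs = b"".join(struct.pack("<I", code_rva + 16 * i) for i in range(n))
    names = b"".join(struct.pack("<I", r) for r in name_rvas[1:])
    ords = b"".join(struct.pack("<H", i) for i in range(n))
    export_data = edir + funcs + names + ords + bytes(strings)
    section = export_data + b"\xC3" * (16 * n + 16)     # 0xC3 = ret: one stub per export, one for DllMain
    entry_rva = code_rva + 16 * n if with_entry else 0  # AddressOfEntryPoint -> DllMain stub, or 0 = none
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # i386, 1 section, IMAGE_FILE_DLL set
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIIIHHIIIIII",
                      0x10B, 0, 0, len(section), len(section), 0, entry_rva, SEC_RVA, SEC_RVA,
                      0x10000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0,
                      0, SEC_RVA + 0x1000, SEC_OFF, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    datadirs = struct.pack("<II", SEC_RVA, len(export_data)) + bytes(15 * 8)  # directory 0 = export table
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), SEC_RVA, len(section), SEC_OFF,
                          0, 0, 0, 0, 0x60000060)
    headers = dos + b"PE\0\0" + file_hdr + opt + datadirs + sec_hdr
    return headers.ljust(SEC_OFF, b"\0") + section


def _read_cstr(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_pe(image):
    """Walk the headers the way the loader does: DOS header -> NT headers -> optional
    header -> section table -> export directory. Returns whether the file is a DLL,
    its entry-point (DllMain) RVA, and the exported names with ordinal and code RVA."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, size_opt, chars = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", image, opt)
    (entry,) = struct.unpack_from("<I", image, opt + 16)        # AddressOfEntryPoint
    dd_off = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ data directories
    exp_rva, _ = struct.unpack_from("<II", image, dd_off)

    sections = []
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", image, opt + size_opt + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))

    def off(rva):  # RVA -> file offset through the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA 0x%x lies outside every section" % rva)

    info = {"is_dll": bool(chars & 0x2000), "entry_point": entry, "dll_name": None, "exports": {}}
    if exp_rva == 0:          # no export table: nothing for a caller to look up by name
        return info
    name_rva, base, _, nnames, afuncs, anames, aords = struct.unpack_from("<IIIIIII", image, off(exp_rva) + 12)
    info["dll_name"] = _read_cstr(image, off(name_rva))
    for i in range(nnames):
        (nrva,) = struct.unpack_from("<I", image, off(anames) + 4 * i)
        (idx,) = struct.unpack_from("<H", image, off(aords) + 2 * i)
        (frva,) = struct.unpack_from("<I", image, off(afuncs) + 4 * idx)
        info["exports"][_read_cstr(image, off(nrva))] = (base + idx, frva)
    return info


def loader_calls_dllmain(info):
    """The loader calls an entry function only when AddressOfEntryPoint is non-zero."""
    return info["entry_point"] != 0


if __name__ == "__main__":
    info = parse_pe(build_dll_image([b"Plugin_Init", b"Plugin_Query"]))
    print(info["dll_name"], "is_dll=%s entry=0x%x" % (info["is_dll"], info["entry_point"]))
    for name, (ordinal, rva) in info["exports"].items():
        print("  %-13s ordinal %d  code at RVA 0x%x" % (name, ordinal, rva))
    silent = parse_pe(build_dll_image([b"Plugin_Init"], with_entry=False))
    print("image without entry point: DllMain called?", loader_calls_dllmain(silent))
```

The export list is the only thing a calling program (or a quick glance) sees, and it says nothing about what the entry point does; that asymmetry is the whole basis of the DLL Trojan described above. The same parser works unchanged on real files read from disk (the `magic` check already distinguishes 64-bit PE32+ headers), which is how a defender can inventory what a suspicious module exports and whether it has an entry point without ever loading it.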