What is DLL? It's more than a new and improved .EXE file

Can you explain what dynamic-link libraries are and what effect they have on application security? Are malicious DLLs still a common attack vector?

Requires Free Membership to View

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

What is DLL? A dynamic-link library or DLL is Microsoft's implementation of the concept of shared libraries -- a common application development paradigm for sharing resources among applications -- and is usually a file type of DLL, OCX (for libraries containing ActiveX controls) or DRV (for system drivers). Just like an executable .EXE file, these files can contain code, data and resources such as images, but what differentiates the two is that a DLL can be used by more than one program at the same time.

There are many benefits to using shared libraries, including modularity, code reuse, reduced disk space, efficient memory usage and faster load time. A module is only loaded when its functionality or resources are requested. Importantly, modularity allows changes to be made to a DLL shared by several applications without having to make changes to each application individually. For example, the comdlg32 DLL handles opening a dialog box in Windows. Any application running on Windows can tap into that DLL to use that functionality, enabling Microsoft to ensure a consistent user interface with any changes it makes to comdlg32.dll by cascading through to every other application without forcing rebuilds or reinstallations of third-party programs.

When Microsoft first introduced DLLs, it led to problems of compatibility and dependency, which came to be known as "DLL hell." This situation was dramatically improved in Windows 95, in which every process runs in its own address space and Windows 2000, which introduced Windows File Protection to prevent applications from overwriting system DLLs. However, like any file containing executable code, hackers can manipulate DLLs to run malicious code.

In fact, the way DLLs are loaded has created a particular attack vector called "DLL preloading attacks," which hit the news this past summer. If an application dynamically loads a DLL without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories. If an attacker can copy a malicious version of the DLL into one of these directories, the application will load and execute the malicious DLL. This illustrates how hackers will look to abuse any aspect of a system's design to create a new attack vector.

Note: Microsoft has published an update about this vulnerability on its Microsoft Security Response Center website and you can download a tool that modifies the DLL search sequence.

Latest Headlines

Featured

E-Books

E-Zines

E-Handbooks

Topics

Hot Topics

Advice & Tutorials

Technology Dictionary

Tips

Answers

Ask a Question

Research Library

Product Demos

Resource Centers

Blogs

What is DLL? It's more than a new and improved .EXE file

Requires Free Membership to View

More News and Tutorials

Articles

Related glossary terms

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

More from Related TechTarget Sites