A dynamic-link library (DLL) is a shared library in the Microsoft Windows operating system. DLLs are similar to shared object (.so) files on *nix systems. DLL files enable the modularization of code.
These typically have the file extension of .dll and are PE files.
Some DLLs are automatically loaded into every process because they export functions necessary for the process to execute (ntdll.dll, kernel32.dll, kernelbase.dll).
Windows uses a system-wide DLL base address to load some DLLs in order to optimize memory usage and system performance.
DLLs may be loaded by an application in a variety of ways. As such, a DLL can specify an entry point, `DllMain`, whose code executes depending on the reason it was called:
- DLL_PROCESS_ATTACH
- DLL_THREAD_ATTACH
- DLL_THREAD_DETACH
- DLL_PROCESS_DETACH
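```c
#include <windows.h>

// Entry point: the loader calls DllMain with the reason for the call.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:  // the DLL is being loaded into a process
    case DLL_THREAD_ATTACH:   // a new thread is starting in the process
    case DLL_THREAD_DETACH:   // a thread is exiting
    case DLL_PROCESS_DETACH:  // the DLL is being unloaded from the process
        break;
    }
    return TRUE;
}
```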
DLLs can export functions that can be used by a calling application. To export a function, define it using `extern` and `__declspec(dllexport)`:
```c
extern __declspec(dllexport) void exported_function() { /* ...code... */ }
```
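Because a DLL is a PE file, its headers record whether it is a DLL and whether it exports anything, independent of the file extension. The following is an added example, not code from the original page: it reads the COFF `IMAGE_FILE_DLL` flag, the entry-point RVA and the export directory entry from a PE header. The function names `inspect_pe` and `build_sample` are hypothetical, and the sample bytes are constructed for the demonstration.

```python
import struct

IMAGE_FILE_DLL = 0x2000         # COFF Characteristics bit that marks a DLL image
PE32, PE32_PLUS = 0x10B, 0x20B  # optional-header magic: 32-bit / 64-bit image

def inspect_pe(data: bytes) -> dict:
    """Read the PE headers of `data`; raise ValueError if it is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    opt_size, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    if opt_size < 2 or len(data) < opt + opt_size:
        raise ValueError("truncated optional header")
    (magic,) = struct.unpack_from("<H", data, opt)
    dirs = {PE32: 96, PE32_PLUS: 112}.get(magic)   # offset of the data directories
    if dirs is None or opt_size < dirs:
        raise ValueError("unsupported or truncated optional header")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (n_dirs,) = struct.unpack_from("<I", data, opt + dirs - 4)
    export_rva = export_size = 0
    if n_dirs >= 1 and opt_size >= dirs + 8:       # directory 0 is the export table
        export_rva, export_size = struct.unpack_from("<II", data, opt + dirs)
    return {
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "is_64bit": magic == PE32_PLUS,
        "entry_point_rva": entry_rva,
        "has_exports": export_rva != 0 and export_size != 0,
    }

def build_sample(characteristics: int, export_rva: int, export_size: int) -> bytes:
    """Constructed header-only PE32+ bytes for the demo (not a loadable image)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, characteristics)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32_PLUS)
    struct.pack_into("<I", opt, 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, export_rva, export_size)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(inspect_pe(build_sample(0x2022, 0x2000, 0x80)))  # constructed DLL header
```

To inspect a file on disk, pass its bytes to `inspect_pe`; the result does not depend on the file's name or extension.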
The WinAPI functions LoadLibrary, GetModuleHandle, and GetProcAddress can be used to import functions from a DLL. This is known as “Dynamic Linking”.
rundll32.exe can be used to run exported functions of a DLL from the command line:
```
rundll32.exe user32.dll,LockWorkStation
```
More information about DLLs can be found here: https://en.wikipedia.org/wiki/Dynamic-link_library