Da Li’L World of DLL Exports and Entry Points, Part 3

August 21, 2013 in Batch Analysis, Malware Analysis

The third part of the series (Part 1, Part 2) is just a list of as many types of DLL described on MSDN as I could find by quickly googling around. I am pretty sure these are not all, but they cover at least the most common ones. If you see anything wrong, or missing, please let me know. Thx!

Component Object Model (COM) DLL

Provides COM functionality. The functions below are executed when you run “regsvr32.exe” and “regsvr32.exe /u”, and when programs communicate with / use the COM objects implemented in the DLL.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL/OCX/VBX
    • Exported functions:
      • DllGetClassObject – Retrieves the class object from a DLL object handler or object application.
      • DllRegisterServer – Instructs an in-process server to create its registry entries for all classes supported in this server module.
      • DllUnregisterServer – Instructs an in-process server to remove only those entries created through DllRegisterServer.
      • DllCanUnloadNow – Determines whether the DLL that implements this function is in use. If not, the caller can unload the DLL from memory.
      • DllInstall – Not required, but may be present.

Kernel Mode DLL

These are best described in a “classic” document entitled “DLLs in Kernel Mode” written by Tim Roberts.

  • How to recognize?
    • Subsystem: Native
    • Typical file extension: SYS/DLL
    • Exported functions:
      • DllInitialize – The system calls a kernel-mode DLL’s DllInitialize routine immediately after the DLL is loaded.
      • DllUnload – The system calls a kernel-mode DLL’s DllUnload routine before it unloads the DLL.

Service DLL

These are hosted by svchost. Another ‘classic’ on the subject is a document written by Geoff Chappell.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL
    • Exported functions:

Control Panel application DLL

Any time you open Control Panel and change the system settings you are running small applications called Control Panel Applets. They are implemented as DLLs. They can be launched either via Rundll32/Control_RunDLL or control.exe.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: CPL
    • Exported functions:
      • CPlApplet – Serves as the entry point for a Control Panel application.

Installable Drivers DLL

For example, Audio Compression Manager (ACM) drivers.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: ACM, AX, DRV, DLL
    • Exported functions:
      • DriverProc – Serves as the entry point for an installable driver; it processes the driver messages sent to the driver.
      • AboutDialogProc – Occasionally may be found in the installable drivers, but not required. Handles messages from ‘About’ window.
      • ConfigureDialogProc – Occasionally may be found in the installable drivers, but not required. Handles messages from ‘Configure’ window.
      • DriverDialogProc – Occasionally may be found in the installable drivers, but not required. Handles messages from ‘Configure’ window (alternative name).

Audio Device Messages for MIDI

These are the same as installable driver DLLs, but have extra functions exported to process the window messages (some of them seem to be legacy and no longer documented on MSDN).

  • How to recognize?
    • Typical file extension: DRV, DLL
    • Exported functions:
      • DriverProc – Processes driver messages for the installable driver (note: MSDN has at least two pages about DriverProc).
      • modMessage – An entry-point function for musical instrument digital interface (MIDI) output drivers and for internal synthesizer drivers
      • modmCallback – An internal callback function provided to midi API that doesn’t need to be exported, but can be sometimes found.
      • wodMessage – Entry-point function for waveform output drivers.
      • widMessage – Entry-point function for waveform input drivers.
      • midMessage – Entry-point function for MIDI input drivers.
      • mxdMessage – Entry-point function for mixer drivers.
      • auxMessage – Entry-point function for auxiliary audio drivers.

File Manager Extension

This is a very old type of DLL – an extension to a File Manager.

  • How to recognize?
    • Typical file extension: DLL
    • Exported functions:

NetShell helper DLL

These support the netsh.exe tool by providing ‘coverage’ for a specific piece of network functionality. See details here.

  • How to recognize?
    • Typical file extension: DLL
    • Exported functions:
      • InitHelperDll – Called by NetShell (netsh.exe) to perform an initial loading of a helper.

Credential Manager DLL

Called by the Multiple Provider Router (MPR) and supports Credential Manager (malware / hack tools can use it to sniff credentials). More details here.

  • How to recognize?

IIS Server Extension (ISAPI filter) DLL

I mentioned ISAPI filters in my older post.

  • How to recognize?

Web Filter DLL

Web filters detect and process HTTP request notifications. See MSDN for more details and information about what pairs of APIs listed below need to be exported.

  • How to recognize?
    • Typical file extension: DLL
    • Exported functions:
      • GetFilterVersion – Called to register for event notifications.
      • HttpFilterProc – Called whenever an event for which the filter has registered in the GetFilterVersion function occurs.
      • GetWPXFilterVersion – Called to register for the event notifications that were introduced in ISA Server 2004.
      • HttpWPXFilterProc – Called whenever an event for which the filter has registered in GetWPXFilterVersion occurs.
      • TerminateFilter – Called to notify the filter that it will be removed from memory.
      • ReloadWPXFilterConfiguration – Called to notify the filter that changes to the configuration of the ISA Server administration COM objects have been applied.

RAS Administration DLL

The RAS Administration DLL exports functions that the RAS server calls whenever a user tries to connect or disconnect. See more details here.

Winlogon GINA DLLs

An ‘old-school’ type (old, because no longer available on Windows Server 2008 and Windows Vista); it was a replacement for the default GINA DLL (another type of DLL that was often used to sniff passwords).

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL
    • Exported functions:
      • WlxActivateUserShell – Activates the user shell program.
      • WlxDisplayLockedNotice – Allows the GINA to display information about the lock, such as who locked the workstation and when it was locked.
      • WlxDisplaySASNotice – Called when no user is logged on.
      • WlxDisplayStatusMessage – Called when the GINA DLL should display a message.
      • WlxGetConsoleSwitchCredentials – Called to read the currently logged on user’s credentials to transparently transfer them to a target session.
      • WlxGetStatusMessage – Called to get the status message being displayed by the GINA DLL.
      • WlxInitialize – Called once for each window station present on the computer. Currently, the operating system supports one window station per workstation.
      • WlxIsLockOk – Called before attempting to lock the workstation.
      • WlxIsLogoffOk – Called when the user initiates a logoff operation.
      • WlxLoggedOnSAS – Called when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked.
      • WlxLoggedOutSAS – Called when it receives a secure attention sequence (SAS) event while no user is logged on.
      • WlxLogoff – Called to notify the GINA of a logoff operation on this workstation, allowing the GINA to perform any logoff operations that may be required.
      • WlxNegotiate – The WlxNegotiate function must be implemented by a replacement GINA DLL. This is the first call made by Winlogon to the GINA DLL. WlxNegotiate allows the GINA to verify that it supports the installed version of Winlogon.
      • WlxNetworkProviderLoad – Called to collect valid authentication and identification information.
      • WlxRemoveStatusMessage – Called to tell the GINA DLL to stop displaying the status message.
      • WlxScreenSaverNotify – Called immediately before a screen saver is activated, allowing the GINA to interact with the screen saver program.
      • WlxShutdown – Called just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader.
      • WlxStartApplication – Called when the system needs an application to be started in the context of the user.
      • WlxWkstaLockedSAS – Called when it receives a secure attention sequence (SAS) and the workstation is locked.

Resource DLL 

The Resource DLL functions allow the Cluster service to manage resources indirectly through a Resource Monitor and a resource DLL. See more on MSDN.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL
    • Exported functions:
      • Arbitrate – Allows a node to attempt to regain ownership of a quorum resource.
      • Close – Removes a resource instance from the cluster.
      • IsAlive – Determines if a resource is actually operational.
      • LooksAlive – Determines if a resource appears to be available for use.
      • Offline – Performs a graceful shutdown of the resource.
      • Online – Starts the resource and makes it available to the cluster.
      • Open – Creates a new resource instance.
      • Release – Releases a quorum resource from arbitration.
      • ResourceControl – Supports resource control codes.
      • ResourceTypeControl – Supports resource type control codes.
      • Startup – Receives the LogEvent and SetResourceStatus callbacks and returns a function table.
      • Terminate – Performs an immediate shutdown of the resource.

MAPI Service Provider DLL

These extend MAPI functionality. See more details here.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL
    • Exported functions:

WinRT Component DLLs

This is a relatively new type of DLL that is being used by Metro applications under Windows 8.

  • How to recognize?
    • Subsystem: Windows
    • Typical file extension: DLL
    • Exported functions:
      • DllGetActivationFactory – Retrieves the activation factory from a DLL that contains activatable Windows Runtime classes. A very enigmatic-sounding description; it means that the DLL implements widgets for Metro.
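Since the whole point of the list above is to recognise a DLL’s role from its export table during batch triage, here is an added example (my code, not something from the original post) that does exactly that: a minimal PE32/PE32+ export-directory parser plus a classifier driven by the export names listed in this post. The type labels, the split into “required” / “at least one of” / “optional” exports, and the build_test_image() helper (which fabricates a tiny, non-loadable PE so the parser can be exercised offline) are my own constructions, not anything from MSDN or the post.

```python
import struct
import sys

# Export-name signatures for the DLL types listed in the post (constructed table; the
# labels are mine). Tuple: (label, all-required exports, at-least-one-of exports,
# optional exports that are reported when present).
DLL_TYPES = [
    ("COM DLL", {"DllGetClassObject"}, set(),
     {"DllRegisterServer", "DllUnregisterServer", "DllCanUnloadNow", "DllInstall"}),
    ("Kernel-mode DLL", {"DllInitialize"}, set(), {"DllUnload"}),
    ("Control Panel applet", {"CPlApplet"}, set(), set()),
    ("Installable driver", {"DriverProc"}, set(),
     {"AboutDialogProc", "ConfigureDialogProc", "DriverDialogProc"}),
    ("Audio/MIDI driver", {"DriverProc"},
     {"modMessage", "wodMessage", "widMessage", "midMessage", "mxdMessage", "auxMessage"},
     {"modmCallback"}),
    ("NetShell helper", {"InitHelperDll"}, set(), set()),
    ("Web filter (ISAPI)", set(), {"GetFilterVersion", "GetWPXFilterVersion"},
     {"HttpFilterProc", "HttpWPXFilterProc", "TerminateFilter", "ReloadWPXFilterConfiguration"}),
    ("Winlogon GINA", {"WlxNegotiate", "WlxInitialize"}, set(),
     {"WlxLoggedOutSAS", "WlxLoggedOnSAS", "WlxWkstaLockedSAS", "WlxNetworkProviderLoad"}),
    ("Cluster resource DLL", {"Startup"}, set(),
     {"Open", "Close", "Online", "Offline", "IsAlive", "LooksAlive", "Terminate",
      "Arbitrate", "Release", "ResourceControl", "ResourceTypeControl"}),
    ("WinRT component", {"DllGetActivationFactory"}, set(), set()),
]

def classify(exports):
    """Return [(label, matched export names)] for every DLL type whose entry points are present."""
    names = set(exports)
    hits = []
    for label, required, any_of, optional in DLL_TYPES:
        if not required <= names or (any_of and not any_of & names):
            continue
        hits.append((label, sorted((required | any_of | optional) & names)))
    return hits

def parse_exports(data):
    """Return the names in the export directory of a PE32/PE32+ image (raw file bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                    # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (112 if magic == 0x20B else 96)       # data directories: PE32+ vs PE32 offset
    exp_rva = struct.unpack_from("<I", data, dd)[0]  # entry 0 is the export directory
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), raw))
    def rva2off(rva):  # RVA -> file offset via the section table
        for va, size, raw in sections:
            if va <= rva < va + size:
                return raw + (rva - va)
        raise ValueError("RVA 0x%x outside all sections" % rva)
    # IMAGE_EXPORT_DIRECTORY: +20 NumberOfFunctions, +24 NumberOfNames, +28/+32 tables
    _, nnames, _, names_rva = struct.unpack_from("<IIII", data, rva2off(exp_rva) + 20)
    names_off = rva2off(names_rva)
    out = []
    for i in range(nnames):
        s = rva2off(struct.unpack_from("<I", data, names_off + 4 * i)[0])
        out.append(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    return out

def build_test_image(names):
    """Build a minimal, non-loadable PE32+ file holding only an export directory for
    `names` (constructed test input, not a real DLL); just enough for parse_exports()."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(names)
    funcs, nms, ords = 40, 40 + 4 * n, 40 + 8 * n   # table offsets inside the section
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(sec_rva + ords + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n,
                       sec_rva + funcs, sec_rva + nms, sec_rva + ords)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", sec_rva, len(body)) + b"\0" * 120
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, len(body), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec_raw, b"\0") + body

if __name__ == "__main__":
    # Usage: python dll_type.py some.dll ; without an argument a constructed COM-style image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_image(
        ["DllCanUnloadNow", "DllGetClassObject", "DllRegisterServer", "DllUnregisterServer"])
    for label, matched in classify(parse_exports(data)):
        print("%-22s %s" % (label, ", ".join(matched)))
```

Two things worth noticing in the output: a DLL can legitimately match more than one row (anything exporting DriverProc is an installable driver, and it is also reported as an audio/MIDI driver once a wodMessage/modMessage-style entry point appears), and a single generic name such as Startup or WlxNegotiate on its own is weak evidence, which is why the GINA row insists on both WlxNegotiate and WlxInitialize. The parser deliberately reads only the name table; forwarded exports and ordinal-only exports are ignored, so treat an empty result as “no named exports”, not “not a DLL”.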
