Dynamically Linked functions in Malware and what they do.

Dependency Walker is a small, free program that lists the DLLs an executable imports and the functions it uses from each one, which is a quick way to find out what a piece of malware can do before you run it.

Obfuscated malware often uses runtime linking: instead of importing its libraries when the program starts, it calls LoadLibrary and GetProcAddress to resolve functions only at the moment it needs them. Those functions never appear in the import table, so Dependency Walker cannot show them. What it does show is the load-time imports, and an import list that is almost empty apart from LoadLibrary and GetProcAddress is itself a strong hint that the real functionality is being resolved at runtime.


Kernel32.dll:- Core Windows functionality: memory management, file and process access, threads and synchronization. Nearly every program imports it.

Advapi32.dll:- Provides access to advanced core Windows components such as the Service Manager and the Registry.

User32.dll:- Contains the user-interface components (windows, buttons, menus, scroll bars) and the functions for handling window messages. Keyloggers commonly import SetWindowsHookEx from here to intercept keystrokes.

Gdi32.dll:- This DLL contains functions for displaying and manipulating graphics.

Ntdll.dll :- The interface to the Windows Native API. It is not meant for application programmers: kernel32.dll and the other documented DLLs call into it on your behalf, and it is also what runs early in boot before those higher-level libraries are available. Every Windows process has ntdll.dll loaded indirectly, so its mere presence in memory means nothing; what is suspicious is a program whose import table references ntdll.dll directly, which usually means it is trying to hide functionality or use undocumented behaviour, and is a strong indicator of malware.


WSock32.dll :- A networking (Winsock) DLL; ws2_32.dll is its newer counterpart. A program that imports either one can open network connections, so in malware this typically points to command-and-control traffic, a backdoor, or sending stolen data out.

Wininet.dll :- Higher-level networking: client implementations of FTP, HTTP and HTTPS. Malware that imports it usually talks to a web server, for example to fetch a second stage or to post stolen data.

These are the basic DLLs imported by most programs, and Dependency Walker will list them along with the individual functions each one imports.
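As an added example (not part of the original post, and not code from Dependency Walker), the Python script below reads the same import table that Dependency Walker displays and then applies the rules given above: it flags LoadLibrary/GetProcAddress as a sign of runtime linking, flags direct ntdll.dll imports, and notes the networking DLLs. Since a real malware sample cannot be shipped on a page, the script also constructs a minimal PE32 file in memory with a hypothetical import table; KERNEL32.dll!LoadLibraryA, GetProcAddress and ntdll.dll!NtQueryInformationProcess are constructed sample data, not the imports of any real program. It uses only the standard library.

```python
import struct

SECTION_RVA, SECTION_FILE_OFFSET = 0x1000, 0x200   # fixture layout: a single .idata section
# Imports that resolve further functions at run time; what they load never
# appears in the import table, so Dependency Walker cannot show it.
RUNTIME_LINKING = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "GetProcAddress"}
NETWORK_DLLS = {"wsock32.dll", "ws2_32.dll", "wininet.dll"}
# Constructed import table of a hypothetical dropper (sample data, not a real file).
SAMPLE_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress"],
                  "ntdll.dll": ["NtQueryInformationProcess"]}


def build_sample_pe(imports):
    """Build a minimal PE32 fixture whose only section is an import table (not runnable)."""
    n = len(imports)
    body = bytearray(20 * (n + 1))          # IMAGE_IMPORT_DESCRIPTORs + null terminator
    rva = lambda: SECTION_RVA + len(body)   # RVA of the next byte appended
    descs = []
    for dll, funcs in imports.items():
        name_rvas = []
        for func in funcs:                  # IMAGE_IMPORT_BY_NAME: u16 hint + name, word aligned
            name_rvas.append(rva())
            body += struct.pack("<H", 0) + func.encode() + b"\0"
            body += b"\0" * (len(body) % 2)
        dll_rva = rva()
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0" * 4
        int_rva, iat_rva = rva(), rva() + len(thunks)   # INT (OriginalFirstThunk), IAT (FirstThunk)
        body += thunks + thunks
        descs.append((int_rva, dll_rva, iat_rva))
    for i, (int_rva, dll_rva, iat_rva) in enumerate(descs):
        struct.pack_into("<IIIII", body, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    section_size = -(-len(body) // 0x200) * 0x200
    body += b"\0" * (section_size - len(body))
    dos = bytearray(64)
    dos[:2], dos[0x3C:0x40] = b"MZ", struct.pack("<I", 0x40)   # e_lfanew -> PE signature
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # section / file alignment
    struct.pack_into("<II", opt, 56, SECTION_RVA + section_size, SECTION_FILE_OFFSET)
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (n + 1))  # import data directory
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SECTION_RVA, section_size,
                       SECTION_FILE_OFFSET, 0, 0, 0, 0, 0xC0000040)
    headers = dos + coff + opt + sect
    return bytes(headers + b"\0" * (SECTION_FILE_OFFSET - len(headers)) + body)


def parse_imports(data):
    """Walk the import directory of a PE32 or PE32+ file into {dll: [function, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsections, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B            # 0x20B = PE32+, 0x10B = PE32
    import_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsections)]

    def rva_to_offset(rva):                  # map an in-memory address to a file offset via the sections
        for vsize, vaddr, rawsize, rawptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rawsize):
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    def cstring(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    desc = rva_to_offset(import_rva) if import_rva else None       # None: no import directory
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_offset(oft or ft)   # prefer the INT; fall back to an unbound IAT
        while (entry := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            if entry & ordinal_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                     # skip the 2-byte hint before the name
                funcs.append(cstring(rva_to_offset(entry & 0x7FFFFFFF) + 2))
            thunk += thunk_size
        imports[cstring(rva_to_offset(name_rva))] = funcs
        desc += 20
    return imports


def assess_imports(imports):
    """Draw the conclusions an analyst draws from a Dependency Walker listing."""
    by_dll = {dll.lower(): set(funcs) for dll, funcs in imports.items()}
    findings = []
    if not by_dll:
        findings.append("empty import table: packed, or everything is resolved at run time")
    hits = sorted(by_dll.get("kernel32.dll", set()) & RUNTIME_LINKING)
    if hits:
        findings.append("runtime linking via %s: the functions really used are hidden" % ", ".join(hits))
    if "ntdll.dll" in by_dll:
        findings.append("direct ntdll.dll imports (%s): normal programs go through kernel32.dll"
                        % ", ".join(sorted(by_dll["ntdll.dll"])))
    if net := sorted(NETWORK_DLLS & set(by_dll)):
        findings.append("network capability: " + ", ".join(net))
    return findings
```

To try it on a real sample, pass the file's bytes straight in: `assess_imports(parse_imports(open("sample.exe", "rb").read()))`. On the constructed fixture, `parse_imports(build_sample_pe(SAMPLE_IMPORTS))` returns the two DLLs with their functions, and `assess_imports` reports both the runtime-linking imports and the direct ntdll.dll import. A packed sample will typically come back with an almost empty table, which is exactly the point made above: the import list then tells you more by what is missing than by what is present.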
