Disassembly Dll - [verified]

__declspec(dllexport) int Add(int a, int b) { return a + b; }

Understanding these differences is critical because disassembly tools must parse the header differently.

3. Methodology for DLL Disassembly

3.1 Static Disassembly (Offline Analysis)
Static analysis examines the DLL file without executing it.

rundll32.exe target.dll, ExportedFunctionName

4.1 Position-Independent Code (PIC)
DLLs use relative addressing because their base address changes due to ASLR (Address Space Layout Randomization). Disassemblers must correctly interpret RIP-relative addressing (x64) or rely on relocation tables.

4.2 No Single Entry Point
Unlike an EXE, a DLL has many entry points (its exports). The analyst must manually determine which function is relevant, as DllMain often just returns TRUE.

4.3 Obfuscation & Packing
Malicious DLLs are often packed (e.g., with UPX, Themida). The disassembler sees only a tiny stub that unpacks the real DLL in memory. Solution: use an unpacker or dump the process memory after unpacking.

4.4 Import Address Table (IAT) Fixups
DLLs call functions from other DLLs (e.g., kernel32.dll). During disassembly, these calls appear as jumps through IAT slots that hold placeholder addresses until the loader fills them in. A good disassembler automatically resolves these via the IAT.

5. Practical Case Study: Disassembling a Simple DLL
Source (C):
__declspec(dllexport) int Add(int a, int b) { return a + b; }
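Because a DLL has no single entry point, the first step of static analysis is to walk the PE export table to find the functions worth disassembling (such as Add in the case study), and that walk must honour the PE32 vs. PE32+ header difference. The following is an added example, not code from the original page: a pure-Python export enumerator, plus a constructed minimal PE32+ fixture (the name sample.dll and the RVA 0x2010 are made up) so it runs without a real DLL.

```python
import struct

def _rva_to_off(sections, rva):
    """Translate an RVA to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")

def parse_exports(data):
    """Return {name: rva} for every named export of a PE DLL image (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    # PE32 (0x10B) and PE32+ (0x20B) put the data directories at different offsets
    dd = {0x10B: 96, 0x20B: 112}[magic]
    exp_rva, _ = struct.unpack_from("<II", data, opt + dd)  # directory 0 = exports
    sections = [struct.unpack_from("<III", data, opt + opt_size + i * 40 + 12)
                for i in range(nsect)]                     # (VA, SizeOfRawData, PointerToRawData)
    if exp_rva == 0:
        return {}                                          # nothing exported
    e = _rva_to_off(sections, exp_rva)
    _, nnames, afunc, anames, aords = struct.unpack_from("<IIIII", data, e + 20)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, _rva_to_off(sections, anames) + 4 * i)[0]
        off = _rva_to_off(sections, name_rva)
        name = data[off:data.index(b"\0", off)].decode()
        ordinal = struct.unpack_from("<H", data, _rva_to_off(sections, aords) + 2 * i)[0]
        exports[name] = struct.unpack_from("<I", data, _rva_to_off(sections, afunc) + 4 * ordinal)[0]
    return exports

def build_sample_dll():
    """Constructed minimal PE32+ image exporting 'Add' at RVA 0x2010 (fixture, not a real DLL)."""
    base = 0x1000                                          # RVA of the single .edata section
    exp_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, base + 50, 1, 1, 1,
                          base + 40, base + 44, base + 48)
    body = (exp_dir + struct.pack("<I", 0x2010) + struct.pack("<I", base + 61)
            + struct.pack("<H", 0) + b"sample.dll\0" + b"Add\0")
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # DOS header, e_lfanew = 0x40
           + b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
           + struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", base, len(body)) + b"\0" * 120
           + b".edata\0\0" + struct.pack("<IIII", len(body), base, 0x200, 0x200) + b"\0" * 16)
    return hdr.ljust(0x200, b"\0") + body.ljust(0x200, b"\0")
```

Run parse_exports on the bytes of a real DLL to get the list of exported names and their RVAs, which is exactly the list of candidate entry points to hand to the disassembler.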