A dynamic-link library (DLL) is a binary executable in the same PE format as an EXE, so it can carry spyware code just as an EXE can. At boot time, and whenever a process starts, Windows loads DLLs according to entries in the registry and in the autostart locations, much as it runs EXE files from them. For example, the following sub-keys are commonly used to load DLLs.
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs: According to Microsoft's documentation, this sub-key defines the set of DLLs that are searched during system startup. In general these are system DLLs that are loaded from disk into a section of memory and then checked for integrity; they consume some resources even if no application loads them. The file names listed here are resolved from the directory named in the key's DllDirectory value (by default %SystemRoot%\system32), and the loader consults this list before its normal search order, so a change to the list changes which copy of a DLL every process receives.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs: Whenever a process maps User32.dll into memory, User32.dll receives DLL_PROCESS_ATTACH, reads the value of this entry and calls LoadLibrary on every DLL listed in it. The DLLs are therefore loaded not once at boot but into every process that uses User32.dll, which is nearly every process with a window. Since Windows 7 the value is honoured only when LoadAppInit_DLLs in the same key is set to 1, RequireSignedAppInit_DLLs can restrict it to code-signed DLLs, and on Windows 8 and later the mechanism is disabled entirely when Secure Boot is enabled.
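The following audit script is an added example and is not code from the original text; the function names are mine. It reads both sub-keys described above and reports entries whose file is missing, is not validly signed, is signed by someone other than Microsoft, or lives outside the system directory, which is the check an administrator would want before trusting the lists. It assumes that KnownDLLs values are bare file names resolved against the key's DllDirectory value (default %SystemRoot%\system32), and that an AppInit_DLLs entry written without a directory resolves to system32 (the real loader uses its standard search order for such names). Run it from an elevated PowerShell prompt on the machine being examined.

```powershell
# Added audit example (not from the original text); function names are my own.
# Run from an elevated PowerShell prompt on the machine under examination.

function Get-DllAutoloadEntries {
    $entries = New-Object System.Collections.Generic.List[object]
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider noise

    # KnownDLLs: every value is "name" = "file.dll"; DllDirectory names the folder
    # (assumption: default %SystemRoot%\system32 when the value is absent).
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = Get-ItemProperty -Path $knownKey
    $dllDir = if ($known.DllDirectory) { [Environment]::ExpandEnvironmentVariables($known.DllDirectory) } else { Join-Path $env:SystemRoot 'system32' }
    foreach ($v in $known.PSObject.Properties) {
        if (($v.Name -in $meta) -or ($v.Name -in 'DllDirectory', 'DllDirectory32')) { continue }
        $entries.Add([pscustomobject]@{ Source = 'KnownDLLs'; Entry = $v.Value; Path = (Join-Path $dllDir $v.Value) })
    }

    # AppInit_DLLs: space- or comma-separated list. Since Windows 7 it is only honoured
    # when LoadAppInit_DLLs is 1; RequireSignedAppInit_DLLs enforces code signing.
    $appInitKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit view on x64
    )
    foreach ($k in $appInitKeys) {
        if (-not (Test-Path $k)) { continue }
        $w = Get-ItemProperty -Path $k
        $state = 'LoadAppInit_DLLs={0}; RequireSigned={1}' -f [int]$w.LoadAppInit_DLLs, [int]$w.RequireSignedAppInit_DLLs
        foreach ($raw in ($w.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
            $p = [Environment]::ExpandEnvironmentVariables($raw)
            # Assumption: a bare name is taken to mean system32 (the loader uses its normal search order).
            if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "system32\$p" }
            $entries.Add([pscustomobject]@{ Source = "AppInit_DLLs ($state)"; Entry = $raw; Path = $p })
        }
    }
    return $entries
}

function Test-DllAutoloadEntry {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $findings = @()
        $trustedDirs = @((Join-Path $env:SystemRoot 'system32'), (Join-Path $env:SystemRoot 'SysWOW64'))
        if (-not (Test-Path -LiteralPath $Entry.Path)) {
            # A dangling entry is itself a risk: dropping a file with that name gets it loaded.
            $findings += 'file missing'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $Entry.Path
            if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
            elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { $findings += "signer: $($sig.SignerCertificate.Subject)" }
            if ((Split-Path -Parent $Entry.Path) -notin $trustedDirs) { $findings += 'outside the system directory' }
        }
        [pscustomobject]@{ Source = $Entry.Source; Entry = $Entry.Entry; Path = $Entry.Path; Findings = ($findings -join '; ') }
    }
}

Get-DllAutoloadEntries | Test-DllAutoloadEntry | Format-Table -AutoSize -Wrap
```

Rows with an empty Findings column are the expected, Microsoft-signed system DLLs. If many system DLLs report NotSigned rather than Valid, the files are catalog-signed and the cmdlet on that Windows version is not consulting the catalog; check them with a catalog-aware tool such as Sysinternals sigcheck before drawing conclusions. An AppInit_DLLs row whose state shows LoadAppInit_DLLs=0 is currently inert, but an entry that was never put there by an administrator still deserves an explanation.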
Loading DLLs at start-up is thus a legitimate operating-system feature. Spyware exploits it for the following reasons.
First, the mechanism normally loads system DLLs; ordinary user programs and applications are rarely loaded this way, so common users, and even some administrators, are unfamiliar with it. If a developer changes these settings, the modification is hard for them to spot quickly.
Second, writing a DLL requires more knowledge and stronger software skills than writing a plain EXE, so fewer people have experience either writing or analysing DLLs. Common users tend to assume that every DLL belongs to the operating system, since most DLLs do, and so they hesitate before deleting one they suspect of being an intruder.
Third, a DLL does not run as a process of its own; it is loaded into, and called by, an existing process. As mentioned earlier, one of the most powerful methods of uncovering spyware is to watch the activity of processes. Loading a DLL adds no new process to the process list, and the DLL's code lives inside whatever host process loaded it (a boot-time loader that exits as soon as the load is done, or a long-running process that mapped User32.dll), so a detector that only watches processes being created and exiting sees nothing. To find the DLL it has to enumerate the modules loaded inside each process.
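As an added example of the point just made (not code from the original text; the function name is mine), the following script looks for a named DLL inside the module lists of all running processes, and then cross-checks every AppInit_DLLs entry against the live process list. This is the view a process-list monitor lacks. It assumes the script is run elevated so that other users' processes can be inspected.

```powershell
# Added example (not from the original text): which processes currently have a given
# DLL loaded. The function name is my own; run elevated to see other users' processes.

function Find-ProcessesWithModule {
    param([Parameter(Mandatory)][string]$ModuleName)   # bare name ('evil.dll') or full path
    foreach ($proc in Get-Process) {
        # Reading Modules throws for protected processes, for processes of the other
        # bitness (32-bit PowerShell vs 64-bit target) and on access denied; skip those.
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            if ($m.ModuleName -eq $ModuleName -or $m.FileName -eq $ModuleName) {
                [pscustomobject]@{ PID = $proc.Id; Process = $proc.ProcessName; Module = $m.FileName }
            }
        }
    }
}

# Cross-check every AppInit_DLLs entry against the live process list
$appInit = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows').AppInit_DLLs
foreach ($name in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
    Find-ProcessesWithModule -ModuleName (Split-Path -Leaf $name) | Format-Table -AutoSize
}
```

Sysinternals Process Explorer and listdlls give the same per-process module view interactively. Processes that could not be inspected are silently skipped, so an empty result does not prove the DLL is absent; repeat the check from a PowerShell host of the other bitness to cover 32-bit and 64-bit processes alike.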
Since the registry settings above let DLLs be loaded automatically at boot, spyware can be launched through them if a DLL is able to run code at the moment it is loaded. It is: a DLL may define a single entry-point function, conventionally named DllMain, which is called by the operating system's loader rather than by the application that uses the DLL. Because this entry point is not exported and cannot be called by name, DLL authors rarely use it to provide functionality; many DLLs have no entry point at all, and where a development environment generates one, its body is usually empty.
For spyware the situation is different. When a developer uses a DLL to implement automatic starting, the code must run when the operating system loads the DLL, not when an application calls one of its exports, and DllMain is exactly that function. Windows calls DllMain on several events (process attach and detach, thread attach and detach), but spyware authors need only one: the moment the DLL is first mapped into a process. The loader then calls DllMain with its second parameter, fdwReason, set to DLL_PROCESS_ATTACH, and a switch on that parameter selects the code that starts the real payload. Two constraints shape how that code is written: DllMain runs while the loader lock is held, so it cannot safely call LoadLibrary, wait on other threads or do lengthy work, which is why the DLL_PROCESS_ATTACH branch typically just creates a thread (or installs a hook) and returns; and the DLL stays loaded only if DllMain returns TRUE, since a FALSE return makes the loader unload it immediately.