How exactly does RunDll32 call a function, without knowing the number/types of arguments that the function can take?
Does it have a built-in compiler or something of the sort?
RunDll32 is a part of Windows that is used for many things, so by itself it's not malicious.
The rundll32.exe application is a native Windows application used to launch the shared . dll files. The process itself is harmless and is a regular part of the Windows operating system.
Rundll32.exe is a program used to run program code in DLL files which is part of Windows components. There are viruses that uses this name also that's why it's commonly mistaken as a real virus. There are also times that the file gets replaced with a malware infected one.
The official Windows Rundll32.exe is safe and cannot harm your computer; there is no need to remove it or stop the process from running. Rundll32.exe is a critical Windows process that launches other 32-bit DLLs that reside on your computer.
RunDll32 is pretty much a thin wrapper that calls LoadLibrary
to load the given DLL, calls GetProcAddress
to get the function address of the desired function, and then calls the function.
It can't call just any exported function in the DLL, though—it assumes that the function has a very specific function signature of the following:
void CALLBACK
EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
where CALLBACK
is a macro that expands to the __stdcall
calling convention. See this knowledge base article for a more detailed description.
If your DLL's function does not have the correct signature or calling convention, lots of badness will ensue. See What can go wrong when you mismatch the calling convention? for lots of gory details. Fortunately (or perhaps unfortunately), RunDll32 is written in such a way to ameliorate those types of errors, but that still doesn't mean it's a good idea. Do not use RunDll32 to call functions that do not have the correct signature. It's just a ticking time bomb waiting to go off in the next version of Windows.
It can't call just any function, it can only call function specifically written to be called. Hence, there is no magic.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With