Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How does RunDll32 work?

Tags:

c

rundll32

How exactly does RunDll32 call a function, without knowing the number/types of arguments that the function can take?

Does it have a built-in compiler or something of the sort?

like image 813
Downvoter Avatar asked Nov 21 '11 05:11

Downvoter


People also ask

Is Rundll32 a Trojan?

RunDll32 is a part of Windows that is used for many things, so by itself it's not malicious.

Is Rundll32 an application?

The rundll32.exe application is a native Windows application used to launch the shared . dll files. The process itself is harmless and is a regular part of the Windows operating system.

What is Rundll32.exe malware?

Rundll32.exe is a program used to run program code in DLL files which is part of Windows components. There are viruses that uses this name also that's why it's commonly mistaken as a real virus. There are also times that the file gets replaced with a malware infected one.

Is it safe to disable Windows Host process Rundll32?

The official Windows Rundll32.exe is safe and cannot harm your computer; there is no need to remove it or stop the process from running. Rundll32.exe is a critical Windows process that launches other 32-bit DLLs that reside on your computer.


2 Answers

RunDll32 is pretty much a thin wrapper that calls LoadLibrary to load the given DLL, calls GetProcAddress to get the function address of the desired function, and then calls the function.

It can't call just any exported function in the DLL, though—it assumes that the function has a very specific function signature of the following:

  void CALLBACK
  EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

where CALLBACK is a macro that expands to the __stdcall calling convention. See this knowledge base article for a more detailed description.

If your DLL's function does not have the correct signature or calling convention, lots of badness will ensue. See What can go wrong when you mismatch the calling convention? for lots of gory details. Fortunately (or perhaps unfortunately), RunDll32 is written in such a way to ameliorate those types of errors, but that still doesn't mean it's a good idea. Do not use RunDll32 to call functions that do not have the correct signature. It's just a ticking time bomb waiting to go off in the next version of Windows.

like image 170
Adam Rosenfield Avatar answered Sep 21 '22 13:09

Adam Rosenfield


It can't call just any function, it can only call function specifically written to be called. Hence, there is no magic.

like image 30
Petr Abdulin Avatar answered Sep 21 '22 13:09

Petr Abdulin