Comprehensive analysis of RUNDLL32.EXE file

We have used the computer system for so long, but we rarely pay attention to what its system files do. The system files are also diverse. The functions of different types of files are different. Today, this tutorial focuses on RUNDLL32. .EXE.

As the name implies, "execute the 32-bit DLL file”. Its role is to execute the internal functions in the DLL file, so in the process, there will only be Rundll32.exe, there will be no DLL backdoor process, so that the process is hidden. If you see multiple Rundll32.exes in the system, don't panic, this proves how many DLL files are started with Rundll32.exe. Of course, what these DLL files are executed by Rundll32.exe, we can all find them from the place where the system is automatically loaded.

Now, let me introduce the Rundll32.exe file, which has already been said. The function is to call the dynamic link library in the command line. There is also a Rundll.exe file in the system, which means "execute the 16-bit DLL file", so pay attention here.

Let's take a look at the function prototype used by Rundll32.exe: Void CALLBACK FunctionName ( HWND hwnd, HINSTANCE hinst, LPTSTR lpCmdLine, Int nCmdShow );

The usage of the command line is: Rundll32.exe DLLname, Functionname [Arguments] DLLname is the name of the DLL file to be executed; Functionname is the specific export function of the DLL file to be executed before;

[Arguments] is the specific parameter of the export function. Slightly talk about the role of Rundll32.exe (I am a rookie) Common Windows9x friends must be familiar with the two files Rundll32.exe and Rundll.exe, but because the functions of these two programs were originally limited to internal use within Microsoft So friends who really know how to use them will not have much. So good, if you still don't know, then let me tell you. First of all, please do a small experiment (please save the results of the program you are executing, otherwise...):

Click “Start-Program-Ms-Dos Method” to enter the Dos window Then type rundll32.exe user.exe, restartwindows, and press Enter. You will see that the machine has been restarted! How is it interesting? Of course, Rundll is more than just restarting you. Machine.

In fact, Rundll, as the name suggests, execute Dll, its function is to call Windows dynamic link library in the command line mode, the difference between Rundll32.exe and Rundll.exe is that the former is calling 32-bit. The link library, which is used for the 16-bit link library, their command format is: RUNDLL.EXE,,

There are three points to note here:

1.Dll file The name cannot contain spaces. For example, the file is located in the c:ProgramFiles directory. You should change this path to c:Progra~1;

2. The comma between the Dll file name and the Dll entry point must not be less. Otherwise The program will go wrong and will not give any information!

3. This is the most important point: Rundll can not be used to call Dll with return value parameters, such as GetUserName(), GetTextFace() in Win32API, etc. . In Visual Basic, an instruction shell for executing an external program is provided, in the format: Shell “command column> If you can use the Shell command with Rundll32.exe, it will make your VB program difficult or impossible to achieve by other methods. The effect: still take the restart as an example, the traditional method requires you to create a module in the VB project, then write the declaration of WinAPI, and finally can call in the program. And now only one sentence: Shell “rundll32.exe user.exe, restartwindows” is done! Is it more convenient? In fact, Rundll32.exe has a unique advantage in calling various Windows control panels and system options.

Below, I will list the instructions on Rundll that I collected on the Internet as follows (useful, can save you a lot of time calling Windows API!!), for everyone to quote in programming:

Command line: rundll32.exe shell32.dll, Control_RunDLL Function: Display Control Panel

Command line: rundll32.exe shell32.dll, Control_RunDLL access.cpl,,1 Function: Display “ Control Panel - Auxiliary Options - Keyboard > Options Window

Command Line: rundll32.exe shell32.dll, Control_RunDLL access.cpl,, 2 Function: Display "Control Panel - Accessory - Sounds" option window

Command line: rundll32.exe shell32.dll, Control_RunDLL access.cpl,, 3 Function: Display & ldquo; Control Panel - Accessibility - Display & rdquo; Options Window

Command Line: rundll32. Exe shell32.dll, Control_RunDLL access.cpl,, 4 Function: Display "Control Panel - Auxiliary Options - Mouse" option window

Command line: rundll32.exe shell32.dll, Control_RunDLL access.cpl, , 5 functions: display “ control Board - Accessibility - traditional & rdquo; option window

command column: rundll32.exe shell32.dll, Control_RunDLL sysdm.cpl @ 1 Function: Execute & ldquo; Control Panel - Add new hardware & rdquo; wizard.

Command line: rundll32.exe shell32.dll, SHHelpShortcuts_RunDLL AddPrinter Function: Execute “Control Panel - Add New Printer & Wizard;

Command line: rundll32.exe shell32.dll, Control_RunDLL appwiz.cpl,,1 Function: Display “Control Panel - Add/Remove Programs - Install/Uninstall & Panels.

Command line: rundll32.exe shell32.dll, Control_RunDLL appwiz.cpl,, 2 Function: Display “Control Panel - Add/Remove Programs - Install Windows”

Command line: rundll32.exe shell32.dll, Control_RunDLL appwiz.cpl,, 3 Function: Display “Control Panel - Add/Remove Programs - Startup Disk & rdquo; panel. Command line: rundll32.exe syncui.dll, Briefcase_Create Function: Create a new “My Briefcase on the desktop”.