This is a quickie.
Using rundll32 to run stuff is well-known. You can load DLLs, and call APIs.
Sometimes, though, we may get confused about the data format we need to provide to APIs. Depending on whether your API accepts an ANSI or a Unicode string, different rules apply.
The best way to test _any_ API executed via rundll32.exe is to call it by a ‘native’ name w/o a suffix (A or W). This way, it will go through a sequence of:
- Loading our DLL
- Retrieving an address of the API with a ‘W’ suffix (Wide/Unicode)
- Retrieving an address of the API with an ‘A’ suffix (ANSI)
- Retrieving an address of the API with no suffix at all (ANSI, assumed)
What it means (practically) is that if you supply an API name with an ‘A’ or ‘W’ suffix, the sequence of API name resolution is going to look like this:
- FunctionNameAW
- FunctionNameAA
- FunctionNameA
or
- FunctionNameWW
- FunctionNameWA
- FunctionNameW
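Knowing the way rundll32.exe accepts and processes the API function names is actually very helpful – especially when you are calling functions that require Unicode strings as an argument… An explicitly suffixed name such as FunctionNameW is only matched at the last, no-suffix step of the sequence, where the argument is assumed to be ANSI.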
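The lookup order above, modelled in Python as an added example (not code from the original post). The export names `PrintHelloA`, `PrintHelloW` and `Run` are constructed for illustration, and the helper names are hypothetical.

```python
"""Model of the export-name lookup order described above for rundll32.exe."""

def candidates(entry):
    """Names tried for a requested entry point, in order, with the string
    format assumed for the argument at each step."""
    return [
        (entry + "W", "unicode"),  # step 1: 'W' suffix appended (Wide/Unicode)
        (entry + "A", "ansi"),     # step 2: 'A' suffix appended (ANSI)
        (entry, "ansi"),           # step 3: name as typed (ANSI, assumed)
    ]

def resolve(entry, exports):
    """Return (export_name, assumed_format) for the first candidate that the
    DLL exports, or None when no candidate matches."""
    for name, fmt in candidates(entry):
        if name in exports:
            return name, fmt
    return None

def trace(entry, exports):
    """Return the lookup attempts as (name, found) pairs, stopping at the hit."""
    steps = []
    for name, _ in candidates(entry):
        found = name in exports
        steps.append((name, found))
        if found:
            break
    return steps

def wide_export_gets_ansi(entry, exports):
    """True when the resolved export is a 'W' function but it was matched at
    the no-suffix step, so its argument is treated as ANSI."""
    hit = resolve(entry, exports)
    return hit is not None and hit[0].endswith("W") and hit[1] == "ansi"

# Constructed export table of a hypothetical DLL.
SAMPLE_EXPORTS = {"PrintHelloA", "PrintHelloW", "Run"}

if __name__ == "__main__":
    for requested in ("PrintHello", "PrintHelloW", "PrintHelloA", "Run"):
        print(requested, "->", resolve(requested, SAMPLE_EXPORTS),
              "mismatch" if wide_export_gets_ansi(requested, SAMPLE_EXPORTS) else "")
```

Run over process-creation logs, the same check flags rundll32 invocations that name a ‘W’ export explicitly, which is where garbled string arguments come from.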