RunDll32 — API calling

September 28, 2019 in Uncategorized

This is a quickie.

Using rundll32 to run stuff is well-known. You can load DLLs, and call APIs.

Sometimes tho, we may get confused about the data format we need to provide to APIs. Different rules apply depending on whether your API accepts an ANSI or a Unicode string.

The best way to test _any_ API executed via rundll32.exe is to call it by a ‘native’ name w/o a suffix (A or W). This way, it will go through a sequence of:

  • Loading our DLL
  • Retrieving an address of the API with a ‘W’ suffix (Wide/Unicode)
  • Retrieving an address of the API with an ‘A’ suffix (ANSI)
  • Retrieving an address of the API with no suffix at all (ANSI, assumed)

What it means (practically) is that if you supply an API name with an ‘A’ or ‘W’ suffix, the sequence of API name resolving is going to look like this:

  • FunctionNameAW
  • FunctionNameAA
  • FunctionNameA

or

  • FunctionNameWW
  • FunctionNameWA
  • FunctionNameW

Knowing the way rundll32.exe accepts and processes the API function names is actually very helpful – especially when you are calling functions that require Unicode strings as an argument…
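
As an added illustration (not code from the original post), this Python sketch models the lookup order above so that a rundll32 command line seen in process telemetry can be mapped to the export that actually runs and the string type it receives. The DLL name, export names and command lines are constructed sample data, and the command-line split is simplified (no quoted paths).

```python
# Added example: models the lookup order described in the post.
# EXPORTS and CMDLINES are constructed sample data, not real DLL contents.

EXPORTS = {"sample.dll": {"DoWork", "DoWorkA", "DoWorkW", "Legacy"}}

CMDLINES = [
    "rundll32.exe sample.dll,DoWork hello",
    "rundll32.exe sample.dll,DoWorkW hello",
    "rundll32.exe sample.dll,DoWorkA hello",
    "rundll32.exe sample.dll,Legacy hello",
    "rundll32.exe sample.dll,Missing hello",
]

def candidates(entry):
    """Names tried for an entry string, in order, with the string type passed."""
    return [(entry + "W", "unicode"), (entry + "A", "ansi"), (entry, "ansi")]

def resolve(entry, exports):
    """First candidate present in the export set (case-sensitive), or None."""
    for name, kind in candidates(entry):
        if name in exports:
            return name, kind
    return None

def parse(cmdline):
    """Simplified split of 'rundll32.exe <dll>,<entry> <args>'."""
    _, _, rest = cmdline.partition(" ")
    target, _, args = rest.strip().partition(" ")
    dll, _, entry = target.partition(",")
    return dll, entry, args

def triage(cmdline, export_table=EXPORTS):
    """Map a command line to (dll, requested entry, resolved export or None)."""
    dll, entry, _ = parse(cmdline)
    return dll, entry, resolve(entry, export_table.get(dll, set()))

if __name__ == "__main__":
    for line in CMDLINES:
        _, entry, hit = triage(line)
        print(f"{entry:10} -> {hit}")
```

Note the `DoWorkW` case: asking for the ‘W’ name explicitly only matches on the last, no-suffix attempt, which the sequence above treats as ANSI.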
