{"id":10148,"date":"2025-09-19T23:13:50","date_gmt":"2025-09-19T23:13:50","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=10148"},"modified":"2025-09-19T23:13:50","modified_gmt":"2025-09-19T23:13:50","slug":"rundll-exporters","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2025\/09\/19\/rundll-exporters\/","title":{"rendered":"RunDll Exporters"},"content":{"rendered":"\n<p>One of the most interesting classes of functions that are exported by DLLs are functions that use the RunDll interface (this <a href=\"https:\/\/web.archive.org\/web\/20150109234931\/http:\/\/support.microsoft.com\/kb\/164787\">archived article<\/a> describes it).<\/p>\n\n\n\n<p>Thanks to traditional (today kinda old-school) programming conventions, many coders name their exported functions compatible with the RunDll interface in a way that makes them easy to identify. Basically, they often include the reference to &#8216;rundll&#8217; in a function name.<\/p>\n\n\n\n<p>Knowing that, we can make an attempt to comb through many &#8216;good&#8217; DLLs to discover a list of libraries where some of the APIs they export&#8230; follow this simple naming convention. Analysis of my small DLL repo gave me the results shown below.<\/p>\n\n\n\n<p>Looking at these results I can immediately see that some of them are very familiar Windows API names (f.ex. Control_RunDLL variants), but there are many others that are mostly unknown. And many of libraries that export these functions come from other vendors than Microsoft, the exported APIs have almost no documentation and a minimalistic footprint online &#8211; basically, googling some of them brings very limited results. <\/p>\n\n\n\n<p>I have a gut feeling that at least some of them are good lolbin potentials.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>549  _InfEngUnInstallINFFile_RunDLL@16\n485  InfEngUnInstallINFFile_RunDLL\n426  RunDLLEntryW\n353  RunDll32Interface\n252  ShowHidPropPageRunDll32\n252  BluetoothUpdateSendToRunDll32\n195  DelNodeRunDLL32\n167  RunDLL32EP\n133  ShowHidPropPageRunDll32W\n132  UninstADrvRunDll\n114  Rundll_Dial\n 62  RunDLLEntry\n 62  Control_RunDLL\n 60  SHHelpShortcuts_RunDLL\n 60  PrintersGetCommand_RunDLL\n 60  OpenAs_RunDLL\n 58  SRS_InitializeEndpoints_Rundll32\n 58  SRS_CleanupEndpoints_Rundll32\n 58  SHHelpShortcuts_RunDLLW\n 58  SHHelpShortcuts_RunDLLA\n 58  PrintersGetCommand_RunDLLW\n 58  PrintersGetCommand_RunDLLA\n 58  OpenAs_RunDLLW\n 58  OpenAs_RunDLLA\n 58  Control_RunDLLW\n 58  Control_RunDLLA\n 54  RunDllDoPreInstall\n 54  Control_FillCache_RunDLL\n 52  Control_FillCache_RunDLLW\n 52  Control_FillCache_RunDLLA\n 50  BTINS_RunDll\n 46  _RunDLLEntry@16\n 41  ShellExec_RunDLLW\n 41  ShellExec_RunDLLA\n 41  ShellExec_RunDLL\n 41  CplRunDll32\n 41  Control_RunDLLAsUserW\n 40  RunDll\n 39  RunDllW\n 38  SHCreateLocalServerRunDll\n 38  Options_RunDLLW\n 38  Options_RunDLLA\n 38  Options_RunDLL\n 38  AppCompat_RunDLLW\n 32  Activate_RunDLL\n 30  RunDll32ShimW\n 30  HomeNetWizardRunDll\n 25  TestRunDll\n 24  ctCVWUtilityRunDLL32EP\n 24  ctCVWIntroRunDLL32EP\n 24  RundllUninstallA\n 24  RundllInstallA\n 23  ctCVWConsoleRunDLL32EP\n 22  ctCVWParentalRunDLL32EP\n 22  RunDllPromptForReboot\n 20  SetupRunDll32Entry\n 20  SelectSetupRunDll32Ex\n 20  RunDllRegister\n 19  UpgradePrinterRunDll32Ex\n 18  RunDLL_InstallOEMDeviceEx\n 18  RunDLL_InstallOEMDevice\n 17  DelNodeRunDLL32W\n 17  DelNodeRunDLL32A\n 16  RunDLL_ExtractCabinetFile\n 16  RunDLL32_UnregisterApplication\n 16  RunDLL32_RegisterApplication\n 16  RunDLL32_FilterRunOnceExRegistration\n 15  RunDllEntryPoint\n 13  SxsRunDllInstallAssemblyW\n 13  SxsRunDllInstallAssembly\n 12  IID_IShellRunDll\n 11  usb_uninstall_service_np_rundll\n 11  usb_install_service_np_rundll\n 11  usb_install_driver_np_rundll\n 11  TestPrint_RunDLLW\n 11  RunDLL_InstallMultipleOEMDevicesEx\n 11  @Jvjclutils@RunDll32Internal$qqruix17System@AnsiStringt2t2i\n 11  @Jvjclutils@RunDLL32$qqrx17System@AnsiStringt1t1oi\n 10  usb_touch_inf_file_np_rundll\n  9  @Registryscan@TRegistryScan@HandleRundll32$qqr17System@AnsiStringo\n  9  @PRunDLLCommand@saveGuts$xqr6RWFile\n  9  @PRunDLLCommand@restoreGuts$qr6RWFile\n  9  @PRunDLLCommand@newSpecies$xqv\n  9  @PRunDLLCommand@myAtom\n  9  @PRunDLLCommand@isA$xqv\n  9  @PRunDLLCommand@copy$xqv\n  9  @PRunDLLCommand@classIsA$qv\n  9  @PRunDLLCommand@binaryStoreSize$xqv\n  9  @PRunDLLCommand@UnExecute$qv\n  9  @PRunDLLCommand@SetThirdParam$qrx9RWCString\n  9  @PRunDLLCommand@SetSecondParam$qrx9RWCString\n  9  @PRunDLLCommand@SetFunctionType$q12ERunDLLTypes\n  9  @PRunDLLCommand@SetFunctionName$qrx9RWCString\n  9  @PRunDLLCommand@SetFirstParam$qrx9RWCString\n  9  @PRunDLLCommand@SetDLLName$qrx9RWCString\n  9  @PRunDLLCommand@GetVersion$xqv\n  9  @PRunDLLCommand@GetThirdParam$xqv\n  9  @PRunDLLCommand@GetSecondParam$xqv\n  9  @PRunDLLCommand@GetFunctionType$xqv\n  9  @PRunDLLCommand@GetFunctionName$xqv\n  9  @PRunDLLCommand@GetFirstParam$xqv\n  9  @PRunDLLCommand@GetDLLReturnValue$xqv\n  9  @PRunDLLCommand@GetDLLName$xqv\n  9  @PRunDLLCommand@Execute$qv\n  9  @PRunDLLCommand@$beql$xqrx11MPersistent\n  9  @PRunDLLCommand@$bdtr$qv\n  9  @PRunDLLCommand@$bctr$qv\n  9  @PRunDLLCommand@$bctr$qrx14PRunDLLCommand\n  9  @PRunDLLCommand@$basg$qrx14PRunDLLCommand\n  8  _Java_com_sun_java_accessibility_AccessBridge_runDLL@8\n  8  InstallSecurityPromptRunDllW\n  8  DeviceProperties_RunDLLW\n  8  DeviceProperties_RunDLLA\n  7  DriverStoreRunDllW\n  7  DeviceProblenWizard_RunDLLW\n  7  DeviceProblenWizard_RunDLLA\n  7  ?runDll@SV_HttpdAPI@@AAE_NPBD@Z\n  6  extract_RunDLL\n  6  WOW64Uninstall_RunDLLW\n  6  UsersRunDll\n  6  SxspRunDllDeleteDirectoryW\n  6  SxspRunDllDeleteDirectory\n  6  S3Disp_RunDll\n  6  Rundll32RegisterServer\n  6  RunDllProcW\n  6  RunDllProcA\n  6  RunDllEntry\n  6  RunAsNewUser_RunDLLW\n  6  PrepareDiscForBurnRunDllW\n  6  LaunchMSHelp_RunDLLW\n  6  AddNetPlaceRunDll\n  6  @Jcldotnet@RunDll32ShimW$qqsxuixuipbxi\n  5  RunDll_SetDefaultPrinter\n  5  RunDll32Main\n  5  PublishRunDll\n  5  PassportWizardRunDll\n  5  CscPolicyProcessing_RunDLLW\n  5  CSCOptions_RunDLLW\n  5  CSCOptions_RunDLLA\n  5  CSCOptions_RunDLL\n  4  update_start_rundll_old\n  4  update_start_rundll\n  4  uninstall_start_rundll_old\n  4  uninstall_start_rundll\n  4  rundll32_shellexec\n  4  Wizard_RunDLL\n  4  Rundll_EntryPoint\n  4  DiskCopyRunDllW\n  4  DiskCopyRunDll\n  4  CI3_CreateShortcut_RUNDLL_32\n  3  fnRunDll32\n  3  _rundll32_shellexec@16\n  3  WdipLaunchRunDLLUserHost\n  3  Rundll32\n  3  RunDll_UpdateDriver\n  3  RunDll_Reenumerate\n  3  RunDllHardwareTest\n  3  RunDllA\n  3  News_RunDLL\n  3  NdfRunDllHelpTopic\n  3  NdfRunDllDuplicateIPOffendingSystem\n  3  NdfRunDllDuplicateIPDefendingSystem\n  3  NdfRunDllDiagnoseWithAnswerFile\n  3  NdfRunDllDiagnoseNetConnectionIncident\n  3  NdfRunDllDiagnoseIncident\n  3  Mail_RunDLL\n  3  LogOffRunDLL\n  3  Java_com_sun_java_accessibility_AccessBridge_runDLL\n  3  CreateRegWizard_RunDll\n  3  BoxedAppSDK_RunDll32_Callback\n  2  rundll_analyze\n  2  rundllIsAdmin\n  2  _RunDll\n  2  _RunDLLReport@16\n  2  ShowRunDLLW\n  2  ShowRunDLL\n  2  ServiceRunDll\n  2  RunDll32\n  2  RunDLL_SaveImageFile\n  2  RunDLL_RemoveDevice\n  2  RunDLL_MountFileW\n  2  RunDLL_MountFile\n  2  RunDLL_DoCleanupW\n  2  RunDLL_DoCleanupA\n  2  RunDLLReport\n  2  NotifyDevicesNeedRebootRunDllW\n  2  ICRemoveByRundll\n  2  ICInstallByRundll\n  2  GetRunDllModule\n  2  FromRunDll\n  2  DllUnregisterServer_RunDll\n  2  DllRegisterServer_RunDll\n  2  DllIsRegisterServer_RunDll\n  1  rundll_install_npq2f_srv2003\n  1  rundll_install_npq2f\n  1  rundll_install_ex\n  1  rundll_install\n  1  rundll_config\n  1  dtuSerialRunDll\n  1  dpuRunDllXML\n  1  _RunDLL_SaveImageFile@16\n  1  _RunDLL_RemoveDevice@16\n  1  _RunDLL_MountFileW@16\n  1  _RunDLL_MountFile@16\n  1  UsersRunDllW\n  1  Rundll32Call\n  1  RunDllUnregisterMAPI\n  1  RunDllRegisterMAPI\n  1  RunDllInterfaceW\n  1  RunDLLCommand\n  1  RunDLL\n  1  RegisterRunDll\n  1  NetAccWizRunDll\n  1  MigrateRunDll32\n  1  ManageCardSpace_RunDll\n  1  InstallReg_RunDLL\n  1  ImportInformationCard_RunDllW\n  1  ImportInformationCard_RunDllA<\/code><\/pre>\n\n\n\n<p>I don&#8217;t include sample hashes this time as I don&#8217;t want to make your life easier.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>One of the most interesting classes of functions that are exported by DLLs are functions that use the RunDll interface (this archived article describes it). Thanks to traditional (today kinda old-school) programming conventions, many coders name their exported functions compatible &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2025\/09\/19\/rundll-exporters\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[53,109,21,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10148"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=10148"}],"version-history":[{"count":3,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10148\/revisions"}],"predecessor-version":[{"id":10160,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/10148\/revisions\/10160"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=10148"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=10148"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=10148"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}