{"id":9481,"date":"2024-09-21T22:43:06","date_gmt":"2024-09-21T22:43:06","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9481"},"modified":"2024-09-22T15:19:00","modified_gmt":"2024-09-22T15:19:00","slug":"rundll32-goes-to-hell","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/09\/21\/rundll32-goes-to-hell\/","title":{"rendered":"Rundll32 goes to hell…"},"content":{"rendered":"\n

Parsing command line invocations is fun, because it’s impossible to do it right (all the time).<\/p>\n\n\n\n

Imagine a test DLL that exports a function called foobar<\/em>. We place this DLL in c:\\test<\/em> directory and name it like this:<\/p>\n\n\n\n

test.dll, #666<\/pre>\n\n\n\n
We can then use rundll32.exe<\/em> to execute the foobar<\/em> function using the following syntax:<\/p>\n\n\n\n
rundll32 \"c:\\test\\test.dll, #666\", foobar<\/pre>\n\n\n\n
A different version can use the following name:<\/p>\n\n\n\n
test.dll,abcxyz<\/pre>\n\n\n\n
with the invocation:<\/p>\n\n\n\n
rundll32 \"test.dll,abcxyz\", foobar<\/pre>\n\n\n\n
We do need quotes, because rundll32.exe<\/em> does not accept file names with a ‘coma’ in them (for obvious reasons), and the full path is not needed if we are in the same directory, but the gist is that these are all proper DLL file names!:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
What your sophisticated regexes extracting DLL name and API’s ordinal number, or API name from this sort of invocations tell you today?<\/p>\n\n\n\n
And then here’s another case for your consideration – create a test DLL with the following exports:<\/p>\n\n\n\n