June 2018
Beginner
510 pages
13h 7m
English
Content preview from Learning Malware Analysis
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
6.2.1 Working of rundll32.exe
Understanding the workings of rundll32.exe is important to avoid any mistakes while running the DLL. When you launch rundll32.exe using the command-line arguments mentioned previously, the following steps are performed by rundll32.exe:
- Command-line arguments passed to rundll32.exe are first validated; if the syntax is incorrect, rundll32.exe terminates.
- If the syntax is correct, it loads the supplied DLL. As a result of loading the DLL, the DLL entry point function gets executed (which in turn invokes the DLLMain function). Most malware implement their malicious code in the DLLMain function.
- After loading the DLL, it obtains the address of the export function and calls the function. If the address of the function ...