Understanding the workings of rundll32.exe is important to avoid any mistakes while running the DLL. When you launch rundll32.exe using the command-line arguments mentioned previously, the following steps are performed by rundll32.exe:
- Command-line arguments passed to rundll32.exe are first validated; if the syntax is incorrect, rundll32.exe terminates.
- If the syntax is correct, it loads the supplied DLL. Loading the DLL executes the DLL's entry point function, which in turn invokes DllMain; most malware implements its malicious code in DllMain.
- After loading the DLL, it obtains the address of the export function and calls the function. If the address of the function ...
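To make the validation and export-lookup steps concrete, here is an added Python parser (not code from the book) that splits a rundll32 command line into the DLL, the export (by name or `#ordinal`) and the remaining arguments, followed by constructed triage rules for reading such command lines out of process-creation logs. The tolerance for blanks around the comma is an assumption about rundll32's parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class RunDllInvocation:
    dll: str                # DLL that the loading step would map into the process
    entry: str              # export name, or "#<n>" for an ordinal
    ordinal: Optional[int]  # numeric ordinal when entry is "#<n>", else None
    cmdline: str            # remainder, handed to the export as lpszCmdLine

_EXE = re.compile(r'(?i)^("[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*')
_DLL = re.compile(r'"([^"]*)"|([^,\s]+)')   # quoted path, or bare path ending at comma/space

def parse_rundll32(cmdline: str) -> Optional[RunDllInvocation]:
    """Mirror the validation step: None where rundll32 would exit, else the parsed parts."""
    s = cmdline.strip()
    m = _EXE.match(s)
    if not m:
        return None
    s = s[m.end():]
    m = _DLL.match(s)
    if not m:
        return None
    dll = m.group(1) if m.group(1) is not None else m.group(2)
    s = s[m.end():].lstrip()       # assumption: blanks before the comma are tolerated
    if not s.startswith(','):      # no '<dll>,<entry>' separator: invalid syntax
        return None
    s = s[1:].lstrip()
    m = re.match(r'\S+', s)
    if not m:
        return None
    entry, rest = m.group(0), s[m.end():].strip()
    ordinal = None
    if entry.startswith('#'):      # '#12' selects the export by ordinal
        if not entry[1:].isdigit():
            return None
        ordinal = int(entry[1:])
    return RunDllInvocation(dll, entry, ordinal, rest)

def triage_reasons(inv: RunDllInvocation) -> List[str]:
    """Constructed triage heuristics (not from the book) for process-creation log review."""
    reasons = []
    if any(p in inv.dll.lower() for p in ('\\temp\\', '\\appdata\\', '\\downloads\\')):
        reasons.append('dll loaded from a user-writable location')
    if inv.ordinal is not None:
        reasons.append('export referenced by ordinal rather than name')
    return reasons
```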