Rundll32 demystified


[Author: Heelen | Posted by: site author | Hits: 45 | Updated: 2005-2-20 | Article entry: Heelen]

I often hear friends ask: my system's registry startup entries contain rundll32.exe, and rundll32.exe also shows up in the process list, so is it a virus? That question comes from not understanding what rundll32.exe is for. Its principle is simple, and knowing it is useful in day-to-day work, especially for the DLL parameter tricks introduced later: once you understand the principle, you can dig the command parameters out yourself.

1. Rundll32.exe and rundll.exe

The name RunDLL splits into two parts, Run and DLL (dynamic link library), so the program's job is to run a DLL, a file that cannot be started as a program on its own; rundll32 is the version that runs 32-bit DLLs. Windows NT, Windows 2000 and Windows XP are NT-kernel, 32-bit systems, so they have only rundll32.exe and no rundll.exe. Windows 98 mixes 16-bit and 32-bit code, so it ships both rundll.exe (for 16-bit DLLs) and rundll32.exe. The same split explains why Windows 98 keeps its main system files in the System folder, while NT, 2000 and XP use System32 as the main system folder and keep System only for 16-bit code. Running rundll32.exe or rundll.exe on its own does nothing; you have to tell it which DLL to load.

In Windows Task Manager you only see the rundll32.exe process; the real work is done by the DLL it has loaded, so you need a tool such as Process Explorer (procexp.exe) to see which DLL files it has loaded and what command line started it. Some Trojans do run as rundll32.exe, but in most cases rundll32.exe is loading a system DLL and there is no need to worry. Be aware, though, that some viruses and Trojans use a name similar or identical to a common system process to deceive the user, so confirm that the running rundll32.exe lives under %SystemRoot%\System32. A genuine rundll32.exe from System32 can still have been told to load a malicious DLL, which is why the loaded DLL and its path matter as much as the executable itself.

2. Digging out the command parameters of a DLL
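One way to do the check described above mechanically, as an added example that is not part of the original article: given a process's image path and command line, as Process Explorer shows them, the functions below flag a rundll32.exe that does not live in %SystemRoot%\System32 (or SysWOW64, the 32-bit copy on 64-bit Windows) and pull the DLL and entry point off its command line using rundll32's own syntax, `<dll>,<entrypoint> [arguments]`. The process records are constructed, and C:\Windows is assumed as %SystemRoot%.

```python
"""Triage running rundll32.exe instances from their image path and command
line.  Added example; the process records at the bottom are constructed."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_ROOT = r"C:\Windows"  # assumed value of %SystemRoot% on the inspected host

# Where the genuine rundll32.exe image lives.  SysWOW64 holds the 32-bit copy
# on 64-bit Windows; anywhere else is suspect.
TRUSTED_IMAGE_DIRS = {
    ntpath.join(SYSTEM_ROOT, "System32").lower(),
    ntpath.join(SYSTEM_ROOT, "SysWOW64").lower(),
}

# rundll32.exe <dll>,<entrypoint> [arguments]; the DLL path may be quoted.
_CMDLINE = re.compile(
    r'^\s*(?:"[^"]+"|\S+)\s+'                   # the rundll32.exe token itself
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^,\s]+))'   # DLL, quoted if it has spaces
    r'\s*,\s*(?P<entry>\S+)'                    # comma, then the export name
    r'(?:\s+(?P<args>.*))?$'                    # the rest is passed to the export
)


def parse_rundll32_cmdline(cmdline: str) -> Optional[Tuple[str, str, str]]:
    """Split a rundll32 command line into (dll, entry, args).

    Returns None when there is no <dll>,<entry> pair: started like that,
    rundll32 loads nothing and just exits.  Export names are case sensitive,
    so the entry point is returned exactly as typed."""
    m = _CMDLINE.match(cmdline)
    if m is None:
        return None
    return (m.group("qdll") or m.group("dll"), m.group("entry"), m.group("args") or "")


@dataclass
class ProcessRecord:
    pid: int
    image_path: str    # full path of the executable, as Process Explorer shows it
    command_line: str


def triage_rundll32(rec: ProcessRecord) -> List[str]:
    """Return 'warn:'/'info:' findings for a rundll32.exe process; an empty
    list means the process is not rundll32.exe at all."""
    if ntpath.basename(rec.image_path).lower() != "rundll32.exe":
        return []
    findings = []
    image_dir = ntpath.dirname(rec.image_path)
    if image_dir.lower() not in TRUSTED_IMAGE_DIRS:
        findings.append(f"warn: image runs from {image_dir}, not {SYSTEM_ROOT}\\System32")
    parsed = parse_rundll32_cmdline(rec.command_line)
    if parsed is None:
        findings.append("warn: no <dll>,<entry> on the command line, yet the process is alive")
        return findings
    dll, entry, _args = parsed
    dll_dir = ntpath.dirname(dll)
    if dll_dir == "":
        # A bare name goes through the loader's search order; only a tool that
        # lists the mapped modules can tell you which file was actually used.
        findings.append(f"info: bare DLL name {dll!r} (entry {entry}); confirm the mapped file with Process Explorer")
    elif not ntpath.normpath(dll_dir).lower().startswith(SYSTEM_ROOT.lower() + "\\"):
        findings.append(f"warn: loads {dll} (entry {entry}) from outside {SYSTEM_ROOT}")
    else:
        findings.append(f"info: loads {dll} (entry {entry}) from under {SYSTEM_ROOT}")
    return findings


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    ProcessRecord(1204, r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe shell32.dll,Control_RunDLL"),
    ProcessRecord(2316, r"C:\Users\Public\rundll32.exe",
                  r'"C:\Users\Public\rundll32.exe" "C:\Users\Public\upd ate.dll",Start'),
    ProcessRecord(2844, r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe C:\ProgramData\x\loader.dll,Run 1"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for finding in triage_rundll32(rec):
            print(f"pid {rec.pid}: {finding}")
```

The second record trips both checks (wrong image directory and a DLL under a user-writable folder); the third shows the case the article warns about, where the executable is the genuine System32 copy but the DLL it loads is not a system file. The bare-name case is reported as information rather than an alarm, because the command line alone cannot say which file the loader resolved.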
You have probably seen commands handed out by the experts, such as rundll32.exe shell32.dll,Control_RunDLL, which replaces Start - Settings - Control Panel; as a beginner I was itching to know where they came from. Analysing the command shows what is going on: it runs rundll32.exe, tells it to load shell32.dll, and the name after the comma is the entry point (an exported function) inside that DLL, which is what people call the parameter. The general syntax is rundll32.exe <dll>,<entrypoint> [arguments]: rundll32 loads the DLL, looks the export up by name, and calls it with the rest of the command line as its arguments. Once the principle is clear, we can dig out many of these commonly used parameters ourselves.

Step 1: Run eXeScope, open a DLL file such as shell32.dll and select Export - shell32.dll; the list shows this DLL's exported entry points, that is, its parameters (Figure 1).

Step 2: The purpose of most of these entry points can be guessed from their names, so no special expertise is needed. Note that the entry point name is case sensitive (rundll32 looks it up with GetProcAddress), so it must be typed exactly as exported or the call fails. For example, the export RestartDialog is, as its name says, the restart dialog. Combined into a command this gives rundll32.exe shell32.dll,RestartDialog, and after running it you see the familiar restart confirmation box.

A caveat the export list does not show: rundll32 calls the entry point as if it had the signature void CALLBACK Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow). Exports written for that convention, such as Control_RunDLL, behave as expected; an arbitrary export with a different signature may do nothing, misbehave, or crash rundll32, so try unfamiliar entry points on a machine you can afford to reboot.
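Step 1 can be done without eXeScope. The script below, an added example that is not part of the article, walks a PE file's export directory with the Python standard library alone and returns the exported names, ordinals and addresses exactly as the names must be typed after the comma (forwarded exports are shown with their target). Point it at C:\Windows\System32\shell32.dll on a Windows machine; `build_test_dll()` constructs a tiny fake PE32 with three exports so the parser can be exercised anywhere (the names are borrowed from shell32, the ordinals and addresses are invented).

```python
"""List the named exports of a PE file, which is what eXeScope's Export view
shows.  Added example, standard library only; build_test_dll() constructs a
fake PE so the parser can run without a real DLL at hand."""
import struct
import sys
from typing import List, Tuple


def _rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\0", offset)].decode("ascii", "replace")


def list_exports(data: bytes) -> List[Tuple[str, int, str]]:
    """Return (name, ordinal, target) for every named export; target is the
    function RVA, or '-> dll.func' for a forwarded export."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)                # PE32 / PE32+ data directory offset
    if dd is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt + dd - 4)[0] < 1:
        return []                                          # no data directories at all
    exp_rva, exp_size = struct.unpack_from("<II", data, opt + dd)
    if exp_rva == 0:
        return []                                          # nothing exported
    sections = []
    for i in range(nsect):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(sections, exp_rva)
    base, _nfuncs, nnames, funcs_rva, names_rva, ords_rva = struct.unpack_from("<6I", data, exp + 16)
    funcs, names, ords = (_rva_to_offset(sections, r) for r in (funcs_rva, names_rva, ords_rva))
    result = []
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]   # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        if exp_rva <= func_rva < exp_rva + exp_size:           # inside the export dir: forwarder
            target = "-> " + _cstring(data, _rva_to_offset(sections, func_rva))
        else:
            target = f"{func_rva:#010x}"
        result.append((_cstring(data, _rva_to_offset(sections, name_rva)), base + idx, target))
    return result


def build_test_dll(names: List[str]) -> bytes:
    """Construct a minimal PE32 DLL containing only an export table with the
    given names.  Constructed test input; ordinals and code RVAs are fake."""
    sect_rva, sect_off, n = 0x1000, 0x200, len(names)
    funcs_rva = sect_rva + 40                  # tables follow the 40-byte directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(ords_rva + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    dllname_rva = ords_rva + 2 * n + len(strings)
    strings += b"test.dll\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))   # fake code RVAs
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, sect_rva, len(body))                  # export directory entry
    sect = struct.pack("<8sIIII", b".edata", len(body), sect_rva, len(body), sect_off) + b"\0" * 16
    header = dos + coff + bytes(opt) + sect
    return header + b"\0" * (sect_off - len(header)) + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_dll(
        ["Control_RunDLL", "RestartDialog", "ShellExec_RunDLL"])
    for name, ordinal, target in list_exports(data):
        print(f"{ordinal:5d}  {target:>12}  {name}")
```

Run it as `python exports.py C:\Windows\System32\shell32.dll` to get the same list eXeScope shows; the names come out with their exact case, which is what matters when you put one after the comma on a rundll32 command line.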

When reposting, please cite the original URL: https://www.9cbs.com/read-41734.html
