The Windows Process Journey — rundll32.exe (Windows Host Process)
<p>“rundll32.exe” is an executable also known as the “Windows Host Process” (based on the description field of the PE file), which is located at “%windir%\System32\rundll32.exe”. On a 64-bit system the file still has the same name (including the number 32), and a 32-bit version is located at “%windir%\SysWOW64\rundll32.exe”.</p>
<p>Overall, the goal of “rundll32.exe” is to load DLLs (Dynamic Link Libraries) and run functionality stored in those files (<a href="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32" rel="noopener ugc nofollow" target="_blank">https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32</a>). The DLLs are loaded using “LoadLibraryExW” (<a href="https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code" rel="noopener ugc nofollow" target="_blank">https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code</a>). “rundll32.exe” is digitally signed by Microsoft and shipped by default with the operating system. By the way, some sources also say that “rundll32.exe” means “Run a DLL as an App” (<a href="https://www.file.net/process/rundll32.exe.html" rel="noopener ugc nofollow" target="_blank">https://www.file.net/process/rundll32.exe.html</a>).</p>
<p>To call a function from a “*.dll” file, we pass “rundll32.exe” the name of the file and the name of the function.</p>
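<p>For defenders reviewing process-creation logs, the file-name and function-name pair can be pulled back out of a recorded command line, and the image path compared with the two locations given above. The following is an added example, not code from the original article; it assumes the common <code>rundll32.exe &lt;dll&gt;,&lt;entry point&gt; [arguments]</code> form and that %windir% is C:\Windows, and the function names and sample events are constructed for illustration.</p>

```python
import ntpath
import re

# Locations the article gives for rundll32.exe; %windir% is assumed to be C:\Windows.
EXPECTED_IMAGES = {
    r"c:\windows\system32\rundll32.exe",
    r"c:\windows\syswow64\rundll32.exe",
}

# <image> <dll>,<entry point> [arguments]; the image and DLL paths may be quoted.
CMDLINE = re.compile(
    r'''^\s*(?:"(?P<img_q>[^"]+)"|(?P<img>\S+))\s+'''
    r'''(?:"(?P<dll_q>[^"]+)"|(?P<dll>[^\s,"]+))\s*,\s*'''
    r'''(?P<entry>[^\s,]+)(?:\s+(?P<args>.*\S))?\s*$'''
)

def parse_rundll32(image_path, command_line):
    """Split a logged command line into DLL, entry point and arguments."""
    m = CMDLINE.match(command_line)
    if m is None:
        return None  # not in the <dll>,<entry point> form
    dll = m.group("dll_q") or m.group("dll")
    return {
        "dll": dll,
        "dll_name": ntpath.basename(dll).lower(),
        "entry_point": m.group("entry"),
        "arguments": m.group("args") or "",
        # False when a process named rundll32.exe runs from another directory.
        "expected_image": ntpath.normpath(image_path).lower() in EXPECTED_IMAGES,
    }

# Constructed process-creation records (image path, command line), not real logs.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Program Files\Example App\helper.dll",ExampleEntry'),
    (r"C:\Users\Public\rundll32.exe",
     r"rundll32.exe example.dll,ExampleEntry"),
]

def triage(events):
    """Return one parsed record (or None) per event, in input order."""
    return [parse_rundll32(image, cmdline) for image, cmdline in events]

if __name__ == "__main__":
    for record in triage(SAMPLE_EVENTS):
        print(record)
```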