The Windows Process Journey — rundll32.exe (Windows Host Process)

<p>&ldquo;rundll32.exe&rdquo; is an executable also known as the &ldquo;Windows Host Process&rdquo; (based on the description field of the PE file), which is located at &ldquo;%windir%\System32\rundll32.exe&rdquo;. On a 64-bit system the file still has the same name (including the number 32), and a 32-bit version is located at &ldquo;%windir%\SysWOW64\rundll32.exe&rdquo;.</p>
<p>Overall, the goal of &ldquo;rundll32.exe&rdquo; is to load DLLs (Dynamic Link Libraries) and run functionality stored in those files (<a href="https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32" rel="noopener ugc nofollow" target="_blank">https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32</a>). The DLLs are loaded using &ldquo;LoadLibraryExW&rdquo; (<a href="https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code" rel="noopener ugc nofollow" target="_blank">https://www.cybereason.com/blog/rundll32-the-infamous-proxy-for-executing-malicious-code</a>). &ldquo;rundll32.exe&rdquo; is digitally signed by Microsoft and shipped by default with the operating system. Some sources also say that &ldquo;rundll32.exe&rdquo; means &ldquo;Run a DLL as an App&rdquo; (<a href="https://www.file.net/process/rundll32.exe.html" rel="noopener ugc nofollow" target="_blank">https://www.file.net/process/rundll32.exe.html</a>).</p>
<p>The way in which we can call a function from a &ldquo;*.dll&rdquo; file is by passing the name of the file and the name of the function.</p>
<p><a href="https://medium.com/@boutnaru/the-windows-process-journey-rundll32-exe-windows-host-process-415132f1363"><strong>Read More</strong></a></p>
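<p>When reviewing process-creation logs, it helps to split a rundll32 command line into the file name and function name described above and to check the image path against the two locations the article gives. The following is an added example, not code from the original article: the function name parse_rundll32, the default Windows directory C:\Windows, the sample command lines (constructed) and the restriction to the common &ldquo;rundll32.exe &lt;dll&gt;,&lt;function&gt; [arguments]&rdquo; form are assumptions.</p>

```python
import ntpath
import re

# Locations the article gives for the genuine binary (64-bit and 32-bit copies).
EXPECTED_DIRS = (r"%windir%\system32", r"%windir%\syswow64")

# image path (quoted or bare), DLL (quoted or bare, up to the comma),
# exported function name, then optional arguments.
_CMD = re.compile(
    r'^\s*(?:"(?P<qimg>[^"]+)"|(?P<img>\S+))\s+'
    r'(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s",]+))\s*,\s*'
    r'(?P<func>[^\s,]+)\s*(?P<args>.*)$'
)

def parse_rundll32(cmdline, windir=r"C:\Windows"):
    """Split a rundll32 command line into image, DLL, function and arguments.

    Returns None when the line is not a rundll32 call in the DLL,function form.
    """
    m = _CMD.match(cmdline)
    if not m:
        return None
    image = m.group("qimg") or m.group("img")
    if ntpath.basename(image).lower() not in ("rundll32.exe", "rundll32"):
        return None
    allowed = {ntpath.normpath(d.replace("%windir%", windir)).lower()
               for d in EXPECTED_DIRS}
    image_dir = ntpath.dirname(image)
    return {
        "image": image,
        "dll": m.group("qdll") or m.group("dll"),
        "function": m.group("func"),
        "args": m.group("args").strip(),
        # A bare "rundll32.exe" is resolved through the search path, so the
        # command line alone cannot tell where it ran from: report None.
        "image_in_expected_dir":
            ntpath.normpath(image_dir).lower() in allowed if image_dir else None,
    }

# Constructed sample command lines (not taken from the article).
SAMPLES = [
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    r'"C:\Users\Public\rundll32.exe" "C:\Temp\sample lib.dll",ExampleEntry',
    r'rundll32.exe example.dll,ExampleEntry',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_rundll32(line))
```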