
I was searching why rundll32.exe process is running on my system, when I found out the information that it acts as a container to run dll as application / exe. I cannot comprehend a reason / use case in which I would want a dll to be run as application. Aren't libraries just meant to provide functional support rather than running as an individual application?

tryingToLearn
  • It is an applet for Microsoft code, not yours. It avoids the unpleasant alternatives, either a lot of beefy EXEs or having to export implementation details from DLLs. If you want to avoid the same unpleasantry in your code then that's fine, it has a well documented interface. – Hans Passant Jan 28 '16 at 12:07

2 Answers


rundll32 isn't meant to generically "run dlls" (it actually would make no sense: dlls don't have a single entrypoint, and "classic" dlls don't have enough meta-information to correctly call any of the exported symbols).

Instead, it allows dlls conforming to some well-defined specification to act as executables with multiple entrypoints; I think the idea was either to allow coalescing multiple small utilities with much shared code into a single binary, and/or to provide extra "testing" entrypoints (to be invoked manually) in libraries mainly meant for consumption by other applications.

What rundll does is essentially load the dll into memory and invoke the specified function, with the expectation that it has the same signature as that of the exe entrypoint.

More information is available in the relevant KB article.

Matteo Italia

This EXE can load any DLL, get the address of a specified function, and call it. This avoids the need to write an EXE just to call a function in a particular DLL (provided such a function can be called directly after loading the DLL).

Loading a DLL means calling LoadLibrary from the EXE, which attempts to initialize the DLL in the current process (RunDLL32.EXE). Loading a DLL into memory means calling DllMain of the given DLL, which is done by the loader (OS). If all succeeds, the process gets a handle to the loaded DLL.

On successfully gaining the DLL handle, it then acquires the address of the function using GetProcAddress and calls the function through that address.

For example (at command prompt):

    rundll32.exe user32.dll,LockWorkStation

would load user32.dll and then call LockWorkStation, which will eventually lock the workstation.

I am not sure how RunDLL32 finds the prototype, required arguments, return type and calling convention.

Ajay
  • Just a quick clarification - Is the `DllMain` function found in both *.dll and *.exe type files? Is the `DllMain` function mandatory for the OS to be able to load it in-proc and subsequently provide a handle? Then, what is the difference between a *.dll and a *.exe? Does a *.exe file have something additional on top of `DllMain` due to which it can be started on its own, unlike *.dll files? – RBT Jun 18 '16 at 12:56
  • No, EXE doesn't contain `DllMain` - it is the entry point function only for DLLs (or .SYS, OCX for that matter). The EXE entry point is generally `WinMain` or `main`, for GUI or console respectively (ignoring `w` versions of these methods). A DLL must have `DllMain` and must return `0` to indicate successful initialization. – Ajay Jun 18 '16 at 21:04
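The prototype that the second answer is unsure about, and the LoadLibrary / GetProcAddress / call sequence both answers describe, can be shown end to end in one C file. The following is an added example, not code from the question or from either answer: it defines a DLL export written to the signature rundll32 expects (`void CALLBACK Entry(HWND, HINSTANCE, LPSTR, int)`), the split rundll32 performs on its own command line before it does anything else, and, under `_WIN32` only, a small host that performs the same three steps itself. `DemoEntry`, `rundll_demo.dll` and the helper names are invented for the example; off Windows the Win32 types are stubbed (an assumption, stated in the code) so the parsing logic compiles and can be exercised in-process.

```c
/* Added example (not from the page). Windows:
 *   cl /LD rundll_demo.c      -> rundll_demo.dll
 *   rundll32.exe rundll_demo.dll,DemoEntry first second
 *   cl rundll_demo.c          -> rundll_demo.exe, a stand-in host:
 *   rundll_demo.exe rundll_demo.dll,DemoEntry first second
 * Elsewhere the Win32 types below are stubs (assumption) so the file
 * builds as a plain C unit and the parsing can be tested directly. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#define RUNDLL_EXPORT __declspec(dllexport)
#else
typedef void *HWND;          /* non-Windows stubs, for compiling only */
typedef void *HINSTANCE;
typedef char *LPSTR;
#define CALLBACK
#define RUNDLL_EXPORT
#endif

/* Record of the last call, so a test or a debugger can see what the host passed. */
static char g_last_cmdline[256];
static int  g_last_argc;
static int  g_last_ncmdshow = -1;

/* rundll32 hands the entry point everything after "dll,entry " as ONE string,
 * not an argv[]; the DLL has to tokenize it itself. */
int count_args(const char *cmdline) {
    int n = 0, in_tok = 0;
    for (const char *p = cmdline; *p; ++p) {
        if (*p == ' ' || *p == '\t') in_tok = 0;
        else if (!in_tok) { in_tok = 1; ++n; }
    }
    return n;
}

/* The prototype rundll32 assumes for whatever export name it is given:
 *   void CALLBACK Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);
 * hwnd: window to own any UI; hinst: the loaded DLL's module handle;
 * lpszCmdLine: the ANSI command-line tail; nCmdShow: show state for any window. */
RUNDLL_EXPORT void CALLBACK DemoEntry(HWND hwnd, HINSTANCE hinst,
                                      LPSTR lpszCmdLine, int nCmdShow) {
    const char *args = lpszCmdLine ? lpszCmdLine : "";
    (void)hwnd; (void)hinst;
    strncpy(g_last_cmdline, args, sizeof g_last_cmdline - 1);
    g_last_cmdline[sizeof g_last_cmdline - 1] = '\0';
    g_last_argc = count_args(args);
    g_last_ncmdshow = nCmdShow;
    printf("DemoEntry: nCmdShow=%d argc=%d cmdline=\"%s\"\n", nCmdShow, g_last_argc, args);
}

const char *last_cmdline(void)  { return g_last_cmdline; }
int         last_argc(void)     { return g_last_argc; }
int         last_ncmdshow(void) { return g_last_ncmdshow; }

/* The split rundll32 applies to its own command line "<dll>,<entry> <rest>":
 * DLL name up to the first comma, entry name up to the first blank, the rest
 * passed through untouched. This version does not tolerate blanks around the
 * comma. Returns 0 on success, -1 if the text is not of the "dll,entry" form. */
int split_rundll_cmdline(const char *cmd, char *dll, size_t dll_sz,
                         char *entry, size_t entry_sz, char *rest, size_t rest_sz) {
    const char *comma = strchr(cmd, ',');
    if (!comma || comma == cmd) return -1;
    size_t dlen = (size_t)(comma - cmd);
    if (dlen >= dll_sz) return -1;
    memcpy(dll, cmd, dlen); dll[dlen] = '\0';

    const char *e = comma + 1, *sp = e;
    while (*sp && *sp != ' ' && *sp != '\t') ++sp;
    size_t elen = (size_t)(sp - e);
    if (elen == 0 || elen >= entry_sz) return -1;     /* empty entry name */
    memcpy(entry, e, elen); entry[elen] = '\0';

    while (*sp == ' ' || *sp == '\t') ++sp;
    if (strlen(sp) >= rest_sz) return -1;
    strcpy(rest, sp);
    return 0;
}

#ifdef _WIN32
/* Called by the loader during LoadLibrary; returning FALSE on
 * DLL_PROCESS_ATTACH makes the host's LoadLibrary fail. */
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) {
    (void)hinst; (void)reason; (void)reserved;
    return TRUE;
}

/* Host side: LoadLibrary, GetProcAddress, then a call through a pointer of
 * the rundll32 signature. Only meaningful when the file is built as an EXE. */
typedef void (CALLBACK *RUNDLL_PROC)(HWND, HINSTANCE, LPSTR, int);

int main(int argc, char **argv) {
    char cmd[512] = "", dll[260], entry[128], rest[256];
    for (int i = 1; i < argc; ++i) {             /* re-join argv into rundll32's form */
        if (i > 1) strncat(cmd, " ", sizeof cmd - strlen(cmd) - 1);
        strncat(cmd, argv[i], sizeof cmd - strlen(cmd) - 1);
    }
    if (split_rundll_cmdline(cmd, dll, sizeof dll, entry, sizeof entry, rest, sizeof rest) != 0) {
        fprintf(stderr, "usage: %s <dll>,<entry> [args]\n", argv[0]);
        return 1;
    }
    HMODULE mod = LoadLibraryA(dll);             /* runs the DLL's DllMain */
    if (!mod) { fprintf(stderr, "LoadLibrary(%s) failed: %lu\n", dll, GetLastError()); return 1; }
    RUNDLL_PROC fn = (RUNDLL_PROC)GetProcAddress(mod, entry);
    if (!fn) { fprintf(stderr, "GetProcAddress(%s) failed\n", entry); FreeLibrary(mod); return 1; }
    fn(NULL, mod, rest, SW_SHOWNORMAL);          /* what rundll32 does with the address */
    FreeLibrary(mod);
    return 0;
}
#endif
```

Two things the host loop makes visible that matter in practice. The entry point gets the argument tail as a single string, so `user32.dll,LockWorkStation` works only because that export ignores its arguments entirely; an export written for rundll32 has to tokenize `lpszCmdLine` itself. And the host loads whatever path comes before the comma and calls whatever export name follows it, with no check beyond "it exists", so a rundll32 command line in a process-creation log should be read as exactly that pair, and a DLL path outside the usual system directories deserves a look.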