
Question


Could you tell me a way to debug an export function of a DLL with specific arguments through rundll32.exe using IDA Pro?

rundll32.exe calls an export function with unintentional arguments.

Detail


I used the following settings in process options to debug a 32-bit DLL on Windows 10 (x64).

Application: C:\Windows\SysWOW64\rundll32.exe

Input file: C:\Users\xxxx\AppData\Local\Temp\92D7.dll

Directory: C:\Users\xxxx\AppData\Local\Temp

Parameters: C:\Users\xxxx\AppData\Local\Temp\92D7.dll, abc arg1 arg2


After starting debugging, I can see the arguments passed from rundll32 in the stack.

1st arg: Window handle returned from CreateWindowExA()

2nd arg: BaseImage of the DLL

3rd arg: Pointer to "arg1 arg2"

4th arg: Size of "arg1 arg2"


That's why the export function is called as below.

abc(hwnd, baseImage, "arg1 arg2", sizeof("arg1 arg2"));

I'd like to know how to call it as follows.

abc("arg1", "arg2");

I will compile a simple binary to call it as above if there's no way through rundll32.

Igeta
  • You should edit your question and include the full command you use for executing rundll32.exe (with all arguments in exactly the way you execute it). – Robert Apr 10 '20 at 15:22
  • I changed the command in process options from an abstraction to the real one. – Igeta Apr 15 '20 at 23:10
  • If an exported function requires 5 arguments you can't just provide two of them. I agree with you that building your own binary is a good alternative solution. – Robert Apr 16 '20 at 11:17
  • IDA might not be able to specify arguments of an exported function in process options while debugging the function through rundll32. I will build my own binary to do it as you recommended. – Igeta Apr 19 '20 at 00:42

0 Answers
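
An added example, not part of the original question or its comments: a small loader harness of the kind the thread settles on, which loads the DLL and calls the export with two string arguments so the call can be stepped into from a debugger. The prototype `int abc(const char *, const char *)`, the default calling convention, and the names `call_export` and `export2_fn` are assumptions; the page does not give the export's real signature.

```c
/* Added example: call the export directly instead of through rundll32, which
   always invokes EntryPoint(HWND, HINSTANCE, LPSTR lpszCmdLine, int nCmdShow).
   Assumed prototype (not on the page): int abc(const char *, const char *). */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
typedef HMODULE lib_t;
#define LIB_OPEN(p)   LoadLibraryA(p)
#define LIB_SYM(h, n) ((void *)GetProcAddress((h), (n)))
#define LIB_CLOSE(h)  FreeLibrary(h)
#else /* dlopen branch only lets the harness build and be tested off Windows */
#include <dlfcn.h>
typedef void *lib_t;
#define LIB_OPEN(p)   dlopen((p), RTLD_NOW)
#define LIB_SYM(h, n) dlsym((h), (n))
#define LIB_CLOSE(h)  dlclose(h)
#endif

/* Default cdecl; declare __stdcall here if the export cleans its own stack. */
typedef int (*export2_fn)(const char *, const char *);

/* 0 = called (result in *ret), -1 = library not loaded, -2 = export missing */
int call_export(const char *lib, const char *name,
                const char *a1, const char *a2, int *ret)
{
    lib_t h = LIB_OPEN(lib);  /* DllMain runs here, before the export */
    if (!h)
        return -1;
    export2_fn fn = (export2_fn)LIB_SYM(h, name);
    if (!fn) {
        LIB_CLOSE(h);
        return -2;
    }
    *ret = fn(a1, a2);        /* set the breakpoint here and step in */
    LIB_CLOSE(h);
    return 0;
}

int main(int argc, char **argv)
{
    int ret = 0;
    if (argc != 5) {
        fprintf(stderr, "usage: %s <dll> <export> <arg1> <arg2>\n", argv[0]);
        return 2;
    }
    int rc = call_export(argv[1], argv[2], argv[3], argv[4], &ret);
    printf("call_export=%d export_returned=%d\n", rc, ret);
    return rc ? 1 : 0;
}
```

Build it as a 32-bit executable so it can load the 32-bit DLL, then set it as Application in the process options with the DLL path, export name and the two arguments as Parameters.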