11

How exactly does RunDll32 call a function, without knowing the number/types of arguments that the function can take?

Does it have a built-in compiler or something of the sort?

Downvoter
  • 551
  • 4
  • 14

2 Answers2

15

RunDll32 is pretty much a thin wrapper that calls LoadLibrary to load the given DLL, calls GetProcAddress to get the function address of the desired function, and then calls the function.

It can't call just any exported function in the DLL, though—it assumes that the function has a very specific function signature of the following:

  void CALLBACK
  EntryPoint(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow);

where CALLBACK is a macro that expands to the __stdcall calling convention. See this knowledge base article for a more detailed description.

If your DLL's function does not have the correct signature or calling convention, lots of badness will ensue. See What can go wrong when you mismatch the calling convention? for lots of gory details. Fortunately (or perhaps unfortunately), RunDll32 is written in such a way to ameliorate those types of errors, but that still doesn't mean it's a good idea. Do not use RunDll32 to call functions that do not have the correct signature. It's just a ticking time bomb waiting to go off in the next version of Windows.

Cole Tobin
  • 9,206
  • 15
  • 49
  • 74
Adam Rosenfield
  • 390,455
  • 97
  • 512
  • 589
3

It can't call just any function, it can only call function specifically written to be called. Hence, there is no magic.

BenMorel
  • 34,448
  • 50
  • 182
  • 322
Petr Abdulin
  • 33,883
  • 9
  • 62
  • 96
  • SwapMouseButton inside of User32.dll is one example for a function, where "magic" is involved. This kind of magic is explained inside of that answer: http://stackoverflow.com/a/30285986/832220 – Norbert Willhelm Jun 05 '15 at 15:39
  • I just found SetSuspendState inside of PowrProf.dll serves as another example of this kind of magic. Just try the following command to demonstrate this kind of magic: rundll32.exe PowrProf.dll,SetSuspendState – Norbert Willhelm Jul 01 '15 at 15:29
  • LockWorkStation within User32.dll is just another example for functions callable by rundll32.exe. The command line is: rundll32.exe User32.dll, LockWorkStation – Norbert Willhelm Aug 02 '15 at 08:02
  • My last example is the function having the ordinal 105 within dwmapi.dll. It invokes the Flip 3D functionality. The command line for that function is: rundll32.exe dwmapi.dll #105 – Norbert Willhelm Aug 03 '15 at 13:00