Inside Windows – Rundll32.exe
Posted by William Diaz on July 1, 2011
In an earlier post I covered Windows services and how svchost.exe hosts them so that the code inside their DLLs can run. But what about code that is not a service? How does Windows run a function that lives in a dynamic link library without launching the program the DLL belongs to? It uses the rundll32.exe process (described in Task Manager as "Run a DLL as an App"). An easy way to see this is to open any Control Panel applet, such as the Internet Options panel for Internet Explorer (inetcpl.cpl).
When rundll32.exe starts, it loads shell32.dll and calls the exported function responsible for opening the applet (the command line is rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl), with no need for Internet Explorer itself to open. You can see this by adding the Command Line column to Windows Task Manager:
You can do the same with Process Explorer by looking at the stack for rundll32.exe:
You read the stack from the bottom up: rundll32.exe calls three functions inside shell32.dll (frames 22, 21 and 20), which in turn load inetcpl.cpl, and inetcpl.cpl eventually calls its own LaunchInternetControlPanelAtPage function.
Rundll32.exe resides in the Windows\System32 folder (64-bit Windows also carries a 32-bit copy in Windows\SysWOW64). When you suspect you are dealing with malware, check the image path of every rundll32.exe instance and make sure it is not running from anywhere else. Malware can also run under the guise of a genuine rundll32.exe, because the binary will load whatever DLL it is told to, so check the command line for any suspicious DLL being run as an application: a full path into a user-writable location such as a temp folder, or a module you cannot account for. And last (although I have not myself run into this, or cannot recall doing so), I can imagine a scenario where rundll32.exe becomes a performance hog because it is calling a buggy DLL. Again, check the command line to see which DLL it is loading and investigate.
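The checks above can be scripted. The following PowerShell is an added example, not code from the original post: it parses the "dll,export" pair out of a rundll32 command line, flags instances whose image path is not the System32 or SysWOW64 copy or whose DLL comes from outside the Windows directory, and sweeps the live machine with Win32_Process. The function names (Get-RundllTarget, Test-RundllProcess, Get-RundllTriage) and the sample command lines at the end are my own constructions; the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and an elevated prompt so that command lines of other users' processes are visible.

```powershell
# Added example (not from the original article). Triage rundll32.exe instances:
# confirm the image path, then see which DLL and export the command line runs.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows, run elevated.

function Get-RundllTarget {
    # Parse "<dll>,<EntryPoint> [args]" out of a full command line. rundll32
    # also accepts whitespace in place of the comma, so both are recognised.
    param([AllowEmptyString()][string]$CommandLine = '')

    # Drop the leading executable token, quoted or bare.
    $rest = ($CommandLine -replace '^\s*(?:"[^"]*"|\S+)\s*', '').Trim()

    if ($rest -match '^(?:"(?<dll>[^"]+)"|(?<dll>[^,\s]+))\s*[,\s]\s*(?<entry>\S+)\s*(?<args>.*)$') {
        return [pscustomobject]@{
            Dll        = $Matches['dll']
            EntryPoint = $Matches['entry']
            Arguments  = $Matches['args'].Trim()
        }
    }
    # No recognisable dll,export pair: rundll32 normally fails on such a line,
    # so a running instance that carries one deserves a closer look.
    [pscustomobject]@{ Dll = $rest; EntryPoint = $null; Arguments = '' }
}

function Test-RundllProcess {
    # Return the reasons an instance looks suspicious; nothing returned = clean.
    param(
        [AllowEmptyString()][string]$ImagePath = '',
        [AllowEmptyString()][string]$CommandLine = ''
    )
    $windir      = $env:SystemRoot
    $knownImages = @("$windir\System32\rundll32.exe", "$windir\SysWOW64\rundll32.exe")
    $reasons     = [System.Collections.Generic.List[string]]::new()

    # Check 1 from the post: the binary itself must be the System32 copy (or the
    # 32-bit SysWOW64 copy on x64). -notcontains compares case-insensitively.
    if ($knownImages -notcontains $ImagePath) {
        $reasons.Add("image path outside System32/SysWOW64: '$ImagePath'")
    }

    # Check 2: which DLL is being "run as an app"?
    $target = Get-RundllTarget -CommandLine $CommandLine
    if (-not $target.EntryPoint) { $reasons.Add('no dll,export pair on the command line') }

    $dll = $target.Dll
    if ([System.IO.Path]::IsPathRooted($dll)) {
        # Explicit path: flag anything outside the Windows directory, and call
        # out user-writable locations separately (Windows\Temp included).
        if (-not $dll.StartsWith("$windir\", [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons.Add("DLL loaded from outside the Windows directory: $dll")
        }
        if ($dll -match '\\(Users|ProgramData|Temp|AppData)\\') {
            $reasons.Add("DLL in a user-writable location: $dll")
        }
    } elseif ($dll -match '[\\/]') {
        # Relative path: what gets loaded depends on the process's current directory.
        $reasons.Add("DLL given as a relative path: $dll")
    }
    # A bare name such as shell32.dll is resolved by the loader search order,
    # which is the normal case for Control Panel applets; nothing to flag alone.
    return $reasons
}

function Get-RundllTriage {
    # Live sweep of every rundll32.exe, with CPU time so a "performance hog"
    # instance stands out next to the path checks.
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $proc   = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $flags  = @(Test-RundllProcess -ImagePath ([string]$_.ExecutablePath) -CommandLine ([string]$_.CommandLine))
        [pscustomobject]@{
            PID        = $_.ProcessId
            Parent     = $parent.Name
            ImagePath  = $_.ExecutablePath
            Dll        = (Get-RundllTarget -CommandLine ([string]$_.CommandLine)).Dll
            CpuSeconds = if ($proc) { [math]::Round($proc.CPU, 1) } else { $null }
            Flags      = ($flags -join '; ')
        }
    }
}

# Constructed sample records (not captured from a real system) to exercise the
# checks offline. The first mirrors the Internet Options launch from the post.
$samples = @(
    @{ ImagePath = "$env:SystemRoot\System32\rundll32.exe"
       CommandLine = '"C:\Windows\System32\rundll32.exe" shell32.dll,Control_RunDLL inetcpl.cpl' },
    @{ ImagePath = "$env:SystemRoot\System32\rundll32.exe"
       CommandLine = 'rundll32.exe C:\Users\Public\update.dll,Start' },
    @{ ImagePath = 'C:\Users\Public\rundll32.exe'
       CommandLine = 'rundll32.exe shell32.dll,Control_RunDLL' }
)
foreach ($s in $samples) {
    $flags = @(Test-RundllProcess @s)
    '{0,-75} -> {1}' -f $s.CommandLine, $(if ($flags) { $flags -join '; ' } else { 'nothing flagged' })
}
# On a live machine: Get-RundllTriage | Format-Table -AutoSize
```

Only the first sample passes clean: the second is a genuine rundll32.exe loading a DLL from a user-writable directory, the third a look-alike binary outside System32. A bare DLL name is deliberately not flagged on its own, because that is exactly how legitimate Control Panel applets are launched; the image path and the parent process carry more weight in that case.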