To determine the malware's behavior and to monitor its activity using dynamic analysis, it is essential to understand how to execute the DLL. As previously mentioned, a DLL needs a process to run. On Windows, rundll32.exe can be used to launch a DLL and to invoke functions exported from the DLL. The following is the syntax to launch a DLL and invoke an export function using rundll32.exe:
rundll32.exe <full path to dll>,<export function> <optional arguments>
The parameters associated with rundll32.exe are explained as follows:
- Full path to DLL: Specifies the full path to the DLL, and this path cannot contain spaces or special characters.
- Export function: This is a function in the DLL that will be called after the DLL is loaded.
- Optional arguments: The arguments are optional, and if supplied, these arguments will be passed to the export function when it is called.
- The comma: This is put between the full path to the DLL and the export function. The export function is required for the syntax to be correct.
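The syntax above can also be read in reverse when reviewing process-creation logs: the following added example (not from the original text) splits a rundll32.exe command line into DLL path, export function and arguments, and flags lines that break the rules listed above. The names `parse_rundll32`, `Rundll32Call` and `SAMPLES` are hypothetical, the sample command lines are constructed, and of the "special characters" rule only the space is checked.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Rundll32Call:
    dll: str
    export: str
    args: str
    issues: list = field(default_factory=list)

# Image name, optionally quoted and with a directory prefix.
_EXE = re.compile(r'^\s*"?(?:[^"]*?\\)?rundll32(?:\.exe)?"?\s+', re.I)

def parse_rundll32(cmdline):
    """Split '<dll>,<export> <args>'; return None if not a rundll32 launch."""
    m = _EXE.match(cmdline)
    if m is None:
        return None
    rest = cmdline[m.end():].strip()
    if rest.startswith('"'):                 # quoted DLL path
        dll, _, tail = rest[1:].partition('"')
        target, _, args = tail.partition(" ")
        export = target[1:] if target.startswith(",") else ""
    else:                                    # path ends at the comma
        target, _, args = rest.partition(" ")
        dll, _, export = target.partition(",")
    issues = []
    if not export:
        issues.append("missing export function")
    if not re.match(r"(?:[A-Za-z]:\\|\\\\)", dll):
        issues.append("DLL path is not a full path")
    if " " in dll:
        issues.append("DLL path contains a space")
    return Rundll32Call(dll, export, args.strip(), issues)

# Constructed sample command lines (not from the page or any real host).
SAMPLES = [
    r"rundll32.exe C:\samples\a.dll,DllRegisterServer",
    r'"C:\Windows\System32\rundll32.exe" C:\samples\a.dll,Start -k 1',
    r'rundll32.exe "C:\my samples\a.dll",Start',
    r"rundll32 a.dll",
    r"cmd.exe /c dir",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_rundll32(line))
```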