6.2.1 Working of rundll32.exe

Understanding the workings of rundll32.exe is important to avoid any mistakes while running the DLL. When you launch rundll32.exe using the command-line arguments mentioned previously, the following steps are performed by rundll32.exe:

  1. Command-line arguments passed to rundll32.exe are first validated; if the syntax is incorrect, rundll32.exe terminates.
  2. If the syntax is correct, it loads the supplied DLL. As a result of loading the DLL, the DLL entry point function gets executed (which in turn invokes the DllMain function). Most malware implements its malicious code in the DllMain function.
  3. After loading the DLL, it obtains the address of the export function and calls the function. If the address of the function cannot be determined, then rundll32.exe terminates.
  4. If the optional arguments are provided, then the optional arguments are supplied to the export function when calling it.

The rundll32 interface and its working are explained in detail in this article: https://support.microsoft.com/en-in/help/164787/info-windows-rundll-and-rundll32-interface.
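
The following Python sketch is an added example, not code from the book or from Microsoft. It models the four steps above for triage of process-creation logs, showing which DLL code is reached for a given command line. The regular expression is a simplified model of the `rundll32.exe <DLL>,<export> [optional arguments]` syntax, and `parse_rundll32`, `code_reached`, the `dll_exports` set, and the sample command lines are all hypothetical names and constructed inputs.

```python
import re

# Simplified model of the syntax: rundll32.exe <DLL>,<export> [optional arguments]
# (assumption: the real parser inside rundll32.exe accepts more variants than this).
_CMD = re.compile(r'''
    ^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+          # the rundll32 image itself
    (?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,"]+))      # DLL path, quoted or bare
    \s*,\s*(?P<export>[^\s,]+)                   # export function name
    (?:\s+(?P<args>.*\S))?\s*$                   # optional arguments
''', re.IGNORECASE | re.VERBOSE)


def parse_rundll32(cmdline):
    """Step 1: return the parsed fields, or None when the syntax is invalid."""
    m = _CMD.match(cmdline)
    if m is None:
        return None
    return {"dll": m.group("qdll") or m.group("dll"),
            "export": m.group("export"), "args": m.group("args")}


def code_reached(cmdline, dll_exports):
    """Steps 1-4: list the DLL code that runs, given the DLL's export names."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []                          # step 1 failed: nothing is loaded
    reached = ["DllMain"]                  # step 2: loading the DLL runs DllMain
    if parsed["export"] in dll_exports:
        call = parsed["export"]            # step 3: export resolved and called
        if parsed["args"]:
            call += "(" + parsed["args"] + ")"   # step 4: optional arguments
        reached.append(call)
    return reached                         # unresolved export: DllMain still ran


# Constructed sample command lines, not taken from a real sample.
SAMPLES = [
    r'rundll32.exe C:\samples\a.dll,Install',
    r'rundll32.exe C:\samples\a.dll,NoSuchExport',
    r'"C:\Windows\System32\rundll32.exe" "C:\my samples\a.dll",Run test123',
    r'rundll32.exe C:\samples\a.dll',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", code_reached(s, {"Install", "Run"}))
```

The second sample is the case to watch during analysis and detection: the export cannot be resolved and rundll32.exe terminates, but the DLL was already loaded, so any code in DllMain has run.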