Tuesday, January 26, 2016

Rundll32: Stop

All over the Internet you can find commands that use rundll32.exe to invoke a function inside a DLL (LockWorkStation is the most common). This is a Bad Thing™, because rundll32 has been deprecated since Windows Vista. Why?

It turns out that it's not a good plan to have an arbitrary DLL's functions run in the environment of rundll32, which opts into all the new Windows features like Data Execution Prevention and Terminal Services awareness. More shockingly, rundll32 always passes a window handle and other arguments to the function (since it assumes that the function pumps messages) even if, in reality, the function takes no arguments. So if the function's signature is not the one rundll32 expects, the function receives bogus parameters or the stack gets corrupted.

So, please stop using rundll32 to invoke arbitrary pieces of OS functionality. There's almost certainly a better way: try the normal command-line tools, or PowerShell, or WMI, or just write your own program where you control the environment. For more information, see this Raymond Chen blog post.
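As an added example (not from the original post), here is the PowerShell route for the LockWorkStation case: the function is declared with its real signature and called directly, so it never runs inside rundll32 or receives rundll32's fixed four-argument entry-point parameters. The `Win32.User32` type name and the `Invoke-LockWorkStation` function name are choices made for this example.

```powershell
# Added example, not from the original post. Calls user32!LockWorkStation
# through its actual signature, BOOL LockWorkStation(void), instead of letting
# rundll32 call it with the prototype rundll32 assumes every entry point has:
#   void CALLBACK Entry(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow)
# A function that does not take those four arguments gets garbage parameters
# and, on a calling-convention mismatch, a corrupted stack.

$signature = @'
[DllImport("user32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool LockWorkStation();
'@

# Add-Type compiles the declaration once per session; skip it if already loaded.
# 'Win32.User32' is a type name chosen for this example.
if (-not ('Win32.User32' -as [type])) {
    Add-Type -MemberDefinition $signature -Name 'User32' -Namespace 'Win32'
}

function Invoke-LockWorkStation {
    # Returns $true when the lock request succeeded; otherwise reports the
    # Win32 error code, which rundll32 would have silently discarded.
    $ok = [Win32.User32]::LockWorkStation()
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Error "LockWorkStation failed with Win32 error $err"
    }
    return $ok
}

Invoke-LockWorkStation
```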
