rundll64 is an arbitrary DLL procedure calling utility that is inspired by rundll32 but designed as a much more flexible and advanced alternative.
rundll64 user32.dll MessageBoxW ptr:0 wstr:"Hello From Hell!" wstr:"Called by rundll64" 0x10
- Call arbitrary exported functions by name without any signature limitations
- Supports multiple argument types (integers and pointers, floats, wide and narrow strings)
- No external dependencies, ready to build and run with Visual Studio
- x64 Windows calling convention
- x86 __cdecl and __stdcall.
rundll64 <nameof.dll> [convention] <function> [type1:][value1] [type2:][value2] ...
Warning
- No function signature verification is done by this utility. Calling a function with arguments that do not conform to its signature will cause crashes.
- Integer and floating point arguments are native word size, i.e. 8 bytes on x64 (int64_t/double) and 4 bytes on x86 (int32_t/float).
- On x64, the Microsoft x64 calling convention is always used and the convention parameter is ignored.
- On x86, __cdecl is used if no convention is given. Possible options are:
  - __cdecl (used by C standard library and most external libraries)
  - __stdcall (used by Windows API)
- If no type is explicitly given:
  - 0xDEAD and 1234 will be treated as integers
  - 3.14 will be treated as a floating point number
  - "Text" and Text will be treated as narrow strings.
- Possible types of parameters:
  - int: integers (i.e. int:1234, int:0xFFFFFFFF)
  - ptr: pointer (i.e. ptr:1234, ptr:0xFFFFFFFF)
    - Essentially the same as the integer.
  - f: float (i.e. f:3.14)
  - wstr: Wide char strings (i.e. wstr:"Text with spaces", wstr:TextWithoutSpaces, wstr:öçşığü)
  - str: Narrow char strings (i.e. str:"Text with spaces", str:TextWithoutSpaces)
    - The console takes command line arguments as Unicode and converts them to a UTF-8 narrow string before passing them to the program
- When using Win32 functions, prefer Unicode versions as their ANSI counterparts will not give desired results.
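
The type-prefix and inference rules above, written out as a small classifier that is handy when reading a rundll64 command line from a process log to see how each argument would be passed. This is an added example, not rundll64's own parser: the names `classify_arg`, `is_integer` and `is_float` are made up here, and the treatment of inputs the rules do not mention (negative numbers, `inf`/`nan`, hex floats) is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef enum { ARG_INT, ARG_PTR, ARG_FLOAT, ARG_WSTR, ARG_STR } arg_kind;
typedef struct { arg_kind kind; const char *value; } parsed_arg;

/* Whole token is a decimal or 0x-prefixed hex integer (e.g. 1234, 0xDEAD). */
static int is_integer(const char *s) {
    char *end;
    int base = (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) ? 16 : 10;
    (void)strtoull(s, &end, base);
    return end != s && *end == '\0';
}

/* Whole token is a decimal float (e.g. 3.14). Assumption: inf/nan and hex floats stay strings. */
static int is_float(const char *s) {
    char *end;
    if (!strpbrk(s, "0123456789") || strpbrk(s, "xX")) return 0;
    (void)strtod(s, &end);
    return end != s && *end == '\0';
}

/* Explicit "type:" prefix wins; otherwise infer integer, then float, then narrow string. */
parsed_arg classify_arg(const char *arg) {
    static const struct { const char *prefix; arg_kind kind; } types[] = {
        {"int:", ARG_INT}, {"ptr:", ARG_PTR}, {"f:", ARG_FLOAT},
        {"wstr:", ARG_WSTR}, {"str:", ARG_STR},
    };
    for (size_t i = 0; i < sizeof types / sizeof types[0]; i++) {
        size_t n = strlen(types[i].prefix);
        if (strncmp(arg, types[i].prefix, n) == 0)
            return (parsed_arg){ types[i].kind, arg + n };
    }
    if (is_integer(arg)) return (parsed_arg){ ARG_INT, arg };
    if (is_float(arg))   return (parsed_arg){ ARG_FLOAT, arg };
    return (parsed_arg){ ARG_STR, arg };
}

int main(void) {
    /* Arguments of the MessageBoxW example as the shell delivers them (quotes stripped). */
    static const char *names[] = { "int", "ptr", "float", "wstr", "str" };
    const char *sample[] = { "ptr:0", "wstr:Hello From Hell!",
                             "wstr:Called by rundll64", "0x10" };
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        parsed_arg a = classify_arg(sample[i]);
        printf("%-5s %s\n", names[a.kind], a.value);
    }
    return 0;
}
```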