实现 Rundll.exe 的功能,代码很简单:
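#include "stdafx.h"
#include <tchar.h>
#include <windows.h>
#include <iostream>

using std::cout;
using std::endl;

// Minimal rundll-style launcher: loads the module named by argv[1], resolves
// the export named by argv[2] and calls it with the remaining command-line
// words as arguments. A word made up only of digits is pushed as a LONG
// (via _ttol); any other word is pushed as a pointer to the TCHAR string.
//
// Constraints visible in the code:
//   * x86 only - the argument marshalling is MSVC inline __asm.
//   * ANSI/MBCS build - GetProcAddress takes an LPCSTR, and cout prints a
//     TCHAR* as text only when TCHAR is char.
//   * The export's signature is not known here. The caller must supply
//     exactly the arguments the function expects; a wrong count or type is
//     undefined behaviour inside the callee. esp is restored from a saved
//     copy after the call, so both __stdcall (callee removes arguments) and
//     __cdecl (caller removes arguments) exports leave the stack balanced.
//   * argv[1] is resolved by LoadLibrary's normal search order; the program
//     loads whatever module the user names, so it is a loader, not a sandbox.
//
// Returns the callee's EAX as int, -1 when fewer than two parameters are
// given, or GetLastError() when the DLL cannot be loaded or the export cannot
// be resolved.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
    if (argc < 3)
    {
        cout << "Not enough parameters passed." << endl;
        return -1;
    }

    HMODULE hModule = ::LoadLibrary(argv[1]);
    if (hModule == NULL)
    {
        cout << "Load DLL \"" << argv[1] << "\" failed!" << endl;
        return static_cast<int>(GetLastError());
    }

    LPVOID lpvfn = ::GetProcAddress(hModule, argv[2]);
    if (lpvfn == NULL)
    {
        // Capture the error before FreeLibrary, which may overwrite it.
        const DWORD err = GetLastError();
        cout << "Can't found specific function \"" << argv[2] << "\"!" << endl;
        ::FreeLibrary(hModule);
        return static_cast<int>(err);
    }

    // Arguments are pushed right-to-left (argv[argc-1] first), the order both
    // __stdcall and __cdecl expect. esp is saved in a local rather than pushed
    // on the stack: a 'push esp ... pop esp' pair is only balanced when the
    // callee pops its own arguments (__stdcall); for a __cdecl export 'pop esp'
    // would load the last argument value into esp instead.
    int    iRetCode = 0;
    DWORD  savedEsp = 0;
    int    arg      = argc - 1;
    TCHAR* szArg    = NULL;

    __asm mov savedEsp, esp
    while (arg > 2)
    {
        // Digit-only words become LONG; anything else (including a word with
        // a leading '-' sign) is passed as a pointer to the string.
        szArg = argv[arg];
        bool bstring = false;
        while (*szArg != _T('\0'))
        {
            if (!_istdigit(*szArg))
            {
                bstring = true;
                break;
            }
            szArg++;
        }

        if (bstring)
        {
            szArg = argv[arg];
            __asm push szArg
        }
        else
        {
            long argl = _ttol(argv[arg]);
            __asm push argl
        }
        arg--;
    }
    __asm call lpvfn
    __asm mov esp, savedEsp
    __asm mov iRetCode, eax

    ::FreeLibrary(hModule);
    return iRetCode;
}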
只支持 LONG 和 String 两种参数,而且 String 中间不能有空格(不然会被认为是两个参数);如果要写得好一点,应该自己判断参数类型并转换参数。
我测试的参数如下:
test.exe user32.dll MessageBoxA 0 This'sOK Caption 0
相当于调用:MessageBoxA(NULL, "This'sOK", "Caption", MB_OK);