Parsing command line invocations is fun, because it’s impossible to do it right (all the time).

Imagine a test DLL that exports a function called foobar. We place this DLL in c:\test directory and name it like this:

test.dll, #666

We can then use rundll32.exe to execute the foobar function using the following syntax:

rundll32 "c:\test\test.dll, #666", foobar

A different version can use the following name:

test.dll,abcxyz

with the invocation:

rundll32 "test.dll,abcxyz", foobar

We do need quotes, because rundll32.exe does not accept file names with a ‘coma’ in them (for obvious reasons), and the full path is not needed if we are in the same directory, but the gist is that these are all proper DLL file names!:

What your sophisticated regexes extracting DLL name and API’s ordinal number, or API name from this sort of invocations tells you today?

And then here’s another case for your consideration – create a test DLL with the following exports:

• A
• W
• AA
• AW
• WA
• WW

When you run the following invocations:

rundll32 c:\test\test.dll, A
rundll32 c:\test\test.dll, W

– which of these 6 exported functions will get executed?

I have provided an answer to this question a few years ago, and here’s the DebugView output:

The bottom line is that you can’t use regexes for parsing command line invocations w/o running into many corner cases.