How can security researchers systematically find exploitable DLLs for rundll32?
Researchers can use PowerShell scripts like `Get-Exports.ps1` to enumerate all DLLs in `%windir%\system32`, filter for exported functions such as `OpenURL`, and check whether they invoke `ShellExecute`. The article provides a modified script with error handling, which successfully identifies `ieframe.dll` and `shdocvw.dll`. This method helps discover new execution vectors, complementing other techniques like Loading .Net Programs Using JS.
PowerShell, Get-Exports.ps1, DLL enumeration, export function filtering, shellcode execution