Yet another secret of hosts file

February 18, 2021 in Anti-*, Anti-Forensics, Archaeology, Compromise Detection

In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine if the DLL is loaded on a XBOX system. And if it is, the path to hosts and host.ics files will not be resolved as relative to the path retrieved via GetSystemDirectory API, but by using a hard-coded XBOX path below:

s:\windows\system32

So, in theory, if you patch Util_IsRunningOnXboxOne function to return 1 (XBOX) you should be able to redirect local DNS requests via hosts(.ics) files to the following paths, respectively:

s:\windows\system32\drivers\etc\hosts
s:\windows\system32\drivers\etc\hosts.ics

Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, Unicode16-LE, and Unicode16-BE encoding (BOM is being checked).

Comments are closed.