This is a post that should have appeared here at least 10 years ago.

There is an enigmatic Registry entry:

HKLM\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\PeerDist\Extension\PeerdistDllName=peerdist.dll

that I came across many times before. The problem is that I, frankly, don’t know when it is being used, but it’s yet another location to keep an eye on, in case the default DLL file name has been replaced.

The wininet.dll library is using this location internally in its P2P_PEER_DIST_API::LoadPeerDist function.

Yes, I am not making it any clearer…

This is a neat persistence trick you can use… if you got access to TrustedInstaller…

The wininet.dll library in Windows 10+ extends the functionality of InternetErrorDlg function to reach out to a configurable Registry location that supports handling of unknown error messages. The function takes the error code as an argument and reaches out to the following location:

HKLM\SOFTWARE\Microsoft\Windows\
CurrentVersion\Internet Settings\LUI\<error>

It then reads the value in a form of an expandable string and extracts library name from it by splitting it from the exported API name using an exclamation mark as a separator. And if a given error code doesn’t have an entry the function defaults to value ‘0’ which by default points to:

%SystemRoot%\system32\wininetlui.dll!InternetErrorDlgEx

I was curious if I could force the loading of my own payload and after launching Process Monitor with a filter on \Lui path I was able to quickly trigger error 12040 (ERROR_INTERNET_HTTPS_TO_HTTP_ON_REDIR). I then added an entry for my own test library and was able to load my DLL 🙂

There are at least two caveats:

• You need TrustedInstaller rights to add/modify the registry entry
• User needs to use Internet Explorer (I couldn’t trigger it in Edge)