Yet another secret of hosts file

In my old post I mentioned the not very well-known hosts.ics file. Today I cover one more secret that I stumbled upon while digging into DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine if the DLL is loaded on an XBOX system. If it is, the path to the hosts and hosts.ics files is not resolved relative to the path retrieved via the GetSystemDirectory API, but via the hard-coded XBOX path below:

s:\windows\system32

So, in theory, if you patch the Util_IsRunningOnXboxOne function to return 1 (XBOX), you should be able to redirect the local DNS lookups that go through the hosts(.ics) files to the following paths, respectively:

s:\windows\system32\drivers\etc\hosts
s:\windows\system32\drivers\etc\hosts.ics

Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, Unicode16-LE, and Unicode16-BE encodings (the BOM is checked).
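Putting the two observations together, here is an added example (mine, not code from the post or from the DNS DLLs) that reproduces the path selection and then reads a hosts file the way the resolver tolerates it: by BOM, with UTF-8, UTF-16 LE and UTF-16 BE all accepted. The system directory is passed in as a plain string standing in for the GetSystemDirectory result, and the sample hosts file bytes, the treatment of a BOM-less file as ASCII, and the watched domain suffix are all constructed assumptions for the offline run. The entry check is the defender's half of the story: a hosts line pinning one of your own domains to an address is exactly what a review of these files should surface, whichever of the two directories the file was read from.

```python
"""Locate and decode Windows hosts files as described above: the directory
depends on the XBOX check, and the file may carry a UTF-8/UTF-16 BOM."""
import codecs
import ntpath

XBOX_SYSTEM_DIR = r"s:\windows\system32"      # hard-coded path quoted in the post
HOSTS_RELATIVE = (r"drivers\etc\hosts", r"drivers\etc\hosts.ics")

# BOM -> codec, checked in this order (the three encodings the post names)
BOMS = (
    (codecs.BOM_UTF8, "utf-8"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
)


def hosts_paths(system_dir, on_xbox=False):
    """Return the hosts and hosts.ics paths the resolver would consult.
    system_dir stands in for GetSystemDirectory; when the XBOX check is
    true the hard-coded s:\\ directory is used instead."""
    base = XBOX_SYSTEM_DIR if on_xbox else system_dir
    return [ntpath.join(base, rel) for rel in HOSTS_RELATIVE]


def decode_hosts(data):
    """Decode raw hosts bytes by BOM and report the codec used. A file with
    no BOM is treated as ASCII here (assumption: the post only names the
    BOM-marked encodings)."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(codec), codec
    return data.decode("ascii", errors="replace"), "ascii"


def parse_hosts(text):
    """Return (address, [names]) for every active line; '#' starts a comment."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def flag_entries(entries, watched_suffixes):
    """Report every name under a watched domain suffix, whatever address it is
    pinned to: an override of a domain you own is worth a look regardless."""
    hits = []
    for addr, names in entries:
        for name in names:
            n = name.lower()
            if any(n == s or n.endswith("." + s) for s in watched_suffixes):
                hits.append((n, addr))
    return hits


# Constructed sample: a UTF-16 LE hosts file with BOM, as Notepad writes it
SAMPLE = ("\ufeff127.0.0.1 localhost\r\n"
          "10.0.0.5 login.example.com  # constructed override\r\n").encode("utf-16-le")

if __name__ == "__main__":
    print(hosts_paths(r"C:\Windows\system32"))
    print(hosts_paths(r"C:\Windows\system32", on_xbox=True))
    text, codec = decode_hosts(SAMPLE)
    print(codec, flag_entries(parse_hosts(text), ("example.com",)))
```

On a real host you would call `decode_hosts` on the bytes of every path `hosts_paths` returns for both values of `on_xbox`; the s:\ paths will normally not exist, and their presence on a non-XBOX machine is itself a finding.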

Beyond good ol’ Run key, Part 131

This is a bunch of legacy, no longer popular Registry locations that could, at some stage in the past, have supported persistence by pointing to various editors associated with ‘viewing the source of web pages’ and with using Microsoft Office to edit HTML documents:

  • HKCU\Software\Microsoft\Shared\HTML\Default Editor
  • HKCU\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
  • HKLM\SOFTWARE\Microsoft\Shared\HTML\Old Default Editor
  • HKCU\Software\Microsoft\Internet Explorer\Default HTML Editor
  • HKCU\Software\Microsoft\Internet Explorer\Default MHTML Editor
  • HKLM\Software\Microsoft\Internet Explorer\Default HTML Editor
  • HKLM\Software\Microsoft\Internet Explorer\Default MHTML Editor
  • HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor
  • HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor

All the entries use the very same shell entries, as shown in the example below: