{"id":2782,"date":"2015-01-13T14:37:32","date_gmt":"2015-01-13T14:37:32","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=2782"},"modified":"2015-01-13T15:46:38","modified_gmt":"2015-01-13T15:46:38","slug":"beyond-good-ol-run-key-part-24","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2015\/01\/13\/beyond-good-ol-run-key-part-24\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 24"},"content":{"rendered":"

Ability to load a DLL of your choice anytime someone is connecting to the internet is something that definitely deserves some attention. This is why I will describe here yet another obscure mechanism that can be abused for malicious purposes. Courtesy of Winsock 2 library (ws2_32.dll).<\/p>\n

When Winsock library connects to the internet it ‘talks’ to various service providers and probes them for connectivity services. It’s actually pretty complex and I won’t pretend that I fully understand what’s going on there yet there is one thing which this library does that I do understand \ud83d\ude42<\/p>\n

At some stage it attempts to load a DLL as specified by the following Registry key:<\/p>\n

HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\AutodialDLL<\/pre>\n
This key is quite obscure and Microsoft only describes it in a context of a very old vulnerability MS06-041<\/a>.<\/p>\n
Turns out that the AutodialDLL entry points to a DLL that WinSock will load anytime it connects to the internet.<\/p>\n
The DLL needs to export 3 functions:<\/p>\n