{"id":4344,"date":"2017-10-05T22:57:44","date_gmt":"2017-10-05T22:57:44","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=4344"},"modified":"2017-10-05T22:57:44","modified_gmt":"2017-10-05T22:57:44","slug":"beyond-good-ol-run-key-part-66","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2017\/10\/05\/beyond-good-ol-run-key-part-66\/","title":{"rendered":"Beyond good ol\u2019 Run key, Part 66"},"content":{"rendered":"<p>I discussed Winsock-based persistence in the <a href=\"https:\/\/www.hexacorn.com\/blog\/2015\/01\/13\/beyond-good-ol-run-key-part-24\/\">past<\/a>.<\/p>\n<p>There is one more.<\/p>\n<p>It is a bit unusual, as it has to do with automatic proxy configuration, so it&#8217;s a bit tricky to reproduce. I have honestly not made an attempt to fully understand the logic winsock uses to determine how to find the proxy, plus it&#8217;s pretty late and I only discovered it now so maybe some other time&#8230;<\/p>\n<p>For the purpose of this post, one thing that is interesting is this key:<\/p>\n<ul>\n<li>HKCR\\AutoProxyTypes<\/li>\n<\/ul>\n<p>The two standard entries underneath are:<\/p>\n<ul>\n<li>Application\/x-internet-signup<\/li>\n<li>Application\/x-ns-proxy-autoconfig<\/li>\n<\/ul>\n<p>It turns out you can add your own e.g.:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4345\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes.png\" alt=\"\" width=\"500\" height=\"159\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes.png 662w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes-300x95.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n<p>Winsock will enumerate the AutoProxyTypes key children nodes while trying to find the proxy and will load DLLs located underneath.<\/p>\n<p>I had luck reproducing it on Windows 7 while tinkering with the Internet Options\/Lan Settings (enabling\/disabling it), but could not make it work on Windows 10. I may come back to do some more testing later on, but for now this screenshot should suffice:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-4346\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes2.png\" alt=\"\" width=\"500\" height=\"447\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes2.png 673w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/10\/AutoProxyTypes2-300x268.png 300w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I discussed Winsock-based persistence in the past. There is one more. It is a bit unusual, as it has to do with automatic proxy configuration, so it&#8217;s a bit tricky to reproduce. I have honestly not made an attempt to &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2017\/10\/05\/beyond-good-ol-run-key-part-66\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[43,35,15,19],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4344"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=4344"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4344\/revisions"}],"predecessor-version":[{"id":4347,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/4344\/revisions\/4347"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=4344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=4344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=4344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}