Yet another secret of hosts file
2021-02-19 08:41:52 Author: www.hexacorn.com(查看原文) 阅读量:238 收藏

February 18, 2021 in Anti-*, Anti-Forensics, Archaeology, Compromise Detection

In my old post I mentioned not a very well known hosts.ics file. Today I cover one more secret that I stumbled upon while digging inside DNS API internals.

Turns out that dnsapi.dll and dnsrslvr.dll use an internal function called Util_IsRunningOnXboxOne to determine if the DLL is loaded on a XBOX system. And if it is, the path to hosts and host.ics files will not be resolved as relative to the path retrieved via GetSystemDirectory API, but by using a hardcoded XBOX path below:

s:\windows\system32

So, in theory, if you patch Util_IsRunningOnXboxOne function to return 5 (==XBOX) you should be able to redirect local DNS requests via hosts(.ics) files to the following paths, respectively:

s:\windows\system32\drivers\etc\hosts
s:\windows\system32\drivers\etc\hosts.ics

Last, but not least – in case you don’t know, the hosts files can be saved using UTF-8, Unicode16-LE, and Unicode16-BE encoding (BOM is being checked).


文章来源: https://www.hexacorn.com/blog/2021/02/18/yet-another-secret-of-hosts-file/
如有侵权请联系:admin#unsafe.sh