Autodial DLL

Location:

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL

Classification:

Criteria	Value
Permissions	Admin
Security context	System¹
Persistence type	Registry
Code type	DLL
Launch type	Automatic²
Impact	Non-destructive³
OS Version	All OS versions
Dependencies	OS only
Toolset	Scriptable

Description:

When Winsock library connects to the internet it 'talks' to various service providers and probes them for connectivity services. [...] At some stage it attempts to load a DLL as specified by the following Registry key: HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\AutodialDLL This key is quite obscure and Microsoft only describes it in a context of a very old vulnerability MS06-041. Turns out that the AutodialDLL entry points to a DLL that WinSock will load anytime it connects to the internet. The DLL needs to export 3 functions:

WSAttemptAutodialAddr

WSAttemptAutodialName

WSNoteSuccessfulHostentLookup

References:

https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/

Credits:

@Hexacorn

Remarks:

Footnotes

Requires confirmation but it should be possible ↩
Requires confirmation ↩
Requires confirmation ↩

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

autodialdll.md

autodialdll.md

Autodial DLL

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Files

autodialdll.md

Latest commit

History

autodialdll.md

File metadata and controls

Autodial DLL

Location:

Classification:

Description:

References:

Credits:

See also:

Remarks:

Footnotes