Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
If a driver start type of boot start (boot) is specified, the driver will be started at
the same time as the system start drivers (sys). This is a limitation of the covert
file system and will be fixed in a future version.
4.2 (S) Using Angelfire To Start Executables
(S) Angelfire is capable of starting executables. The executable must first be added to the
covert file system by using the “add” transitory file. See the section on adding files to the
covert file system for more information. There are some limitations to starting
executables:
- When viewing an Angelfire-started process in Task Manager or another process
viewer, the image name will be svchost.exe. It has been determined that svchost
is the best (most reliable) process to use for process execution.
- When viewing an Angelfire-started process in Task Manager or another process
viewer, the command line string will display whatever the user passed as the
command line when the file was added to the covert file system. If no command
line string is specified, then Angelfire will use a default string
("c:\windows\system32\svchost.exe -k WerSvcGroup"). It is recommended, if
possible, to not specify a command line due to its visibility in process viewing
applications.
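A defender's view of the process-listing artefacts described above, added here as an example and not part of the Angelfire guide: it flags svchost.exe instances whose parent process or command line does not fit a normal service host. The parent-process rule (a legitimate svchost.exe is started by services.exe), the service-group list and the sample process records are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Proc:
    """One row of a process listing (constructed for the example)."""
    pid: int
    image: str
    parent_image: str
    cmdline: str

# Default command line the guide says an Angelfire-started process shows.
ANGELFIRE_DEFAULT_CMDLINE = r"c:\windows\system32\svchost.exe -k WerSvcGroup"

# Assumed set of service groups registered on the host. In practice this would be
# read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "LocalService", "NetworkService", "DcomLaunch",
                        "RPCSS", "WerSvcGroup", "LocalSystemNetworkRestricted"}

# Shape of a normal service-host command line: <system32>\svchost.exe -k <group>
SVCHOST_CMDLINE = re.compile(
    r'^"?[a-z]:\\windows\\system32\\svchost\.exe"?\s+-k\s+(\S+)', re.IGNORECASE)

def assess_svchost(proc: Proc) -> List[str]:
    """Return a list of anomaly descriptions for a svchost.exe process (empty if none)."""
    findings: List[str] = []
    if proc.image.lower() != "svchost.exe":
        return findings
    # Assumption: service hosts are children of services.exe; anything else is odd.
    if proc.parent_image.lower() != "services.exe":
        findings.append("parent is not services.exe")
    m = SVCHOST_CMDLINE.match(proc.cmdline.strip())
    if not m:
        findings.append("command line does not match 'svchost.exe -k <group>'")
    elif m.group(1) not in KNOWN_SVCHOST_GROUPS:
        findings.append(f"unknown service group {m.group(1)!r}")
    # Corroborating hint only: a real WerSvcGroup host shows the same string.
    if proc.cmdline.strip().lower() == ANGELFIRE_DEFAULT_CMDLINE.lower():
        findings.append("matches the default command line quoted in the guide")
    return findings

def scan(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, findings) for every process that raised at least one finding."""
    return [(p.pid, f) for p in procs if (f := assess_svchost(p))]

if __name__ == "__main__":
    sample = [  # constructed process records
        Proc(700, "svchost.exe", "services.exe", r"C:\Windows\system32\svchost.exe -k netsvcs"),
        Proc(1432, "svchost.exe", "explorer.exe", r"c:\windows\system32\svchost.exe -k WerSvcGroup"),
    ]
    for pid, findings in scan(sample):
        print(pid, "; ".join(findings))
```

Only the second sample record is reported, because the first has the expected parent and a known service group.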
5. (S) OS Compatibility List
(S) Angelfire is compatible with the following 32-bit systems (latest service pack): XP,
Windows 7.
(S) Angelfire is compatible with the following 64-bit systems (latest service pack): Server
2008 R2, Win7.
6. (U) Known Issues
(U) While Angelfire attempts to provide a robust environment for the user, there are some
limitations that a user should be aware of prior to use. Table lists those issues that are
currently known to the Angelfire development team.
Table : (S) Known Issues

Issue: Windows XP does not currently support .dll persistence.
Cause: Windows XP and below use a different mechanism for creating threads, which does not
allow the use of Keystone’s .dll injection technique.
Remediation: .dll persistence on XP will be supported with a later version of Angelfire.

Issue: Solartime does a heuristic check of the operating system at boot time to determine if
it is possible to patch it. It is possible that this heuristic check will succeed, yet the OS
has changed in a manner that would cause a crash if patched.
Cause: The heuristic algorithm is imperfect and can still have false positives.
Remediation: Solartime has a more restrictive setting that will only allow the patch to
proceed if the OS has not changed. The downside is that if a new service pack or hotfix is
applied, Solartime will not launch on bootup.
af+mainrepo+Angelfire 2.0 UserGuide 11 of 15