Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.4.3 (S) Re Installation (-ipr or -ipl)
(S) When reinstalling, the -r option must first be used to uninstall Angelfire. A
reinstall can then be done with either the -ipr or -ipl option.
3.5 (S) Angelfire Update (-upr)
(S) The Angelfire SLD, package file, and container can be updated by using the -upr
option. Refer to the Angelfire Installation section for parameter definitions.
stp.exe -upr <package file> <SLD> <zf> <container path>
3.6 (S) Angelfire Un-installation (-r)
(S) Angelfire is uninstalled by running the Installer with a command line option of -r.
After uninstall is performed, all drivers and processes started by Angelfire will continue
to run until reboot.
stp.exe -r
3.7 (S) Covert File System
(S) Angelfire uses the BadMFS covert file system. As noted in the ZF section, it is
capable of either using slack space at the end of the disk or a file on the file system as a
backing store. In either case, the maximum size the file system can grow is 200mb.
There is no installation function for the covert file system, because it automatically
installs whenever a file operation is done (i.e. -f).
(S) The covert file system is not intended to hold large files (multi-mb). If a file write (-f)
for a large file fails, it is almost certainly due to resource constraints on the system.
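A defender-side check for the end-of-disk backing store described in 3.7, added here as an example and not taken from the Angelfire guide: it reads the MBR of a raw disk image, finds the sectors past the last partition, and reports how many hold data and how random that data looks. It assumes "slack space at the end of the disk" means unpartitioned trailing sectors on a classic MBR disk (the guide does not describe the BadMFS on-disk layout); the function names and the sample image are constructed for illustration.

```python
import collections
import hashlib
import math
import struct

SECTOR = 512

def last_partition_end(mbr: bytes) -> int:
    """First sector past the last primary partition listed in a classic MBR."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    end = 0
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, sector count
        if entry[4] and count:                              # type 0 means unused slot
            end = max(end, start + count)
    return end

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    counts = collections.Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if data else 0.0

def trailing_slack_report(image: bytes) -> dict:
    """Summarise the unpartitioned sectors at the end of a raw disk image."""
    total = len(image) // SECTOR
    first_free = last_partition_end(image[:SECTOR])
    slack = image[first_free * SECTOR: total * SECTOR]
    used = [slack[i:i + SECTOR] for i in range(0, len(slack), SECTOR)
            if any(slack[i:i + SECTOR])]
    return {"slack_sectors": total - first_free,
            "nonzero_sectors": len(used),
            "entropy": round(entropy(b"".join(used)), 2)}

def make_sample_image(hidden: bool = True) -> bytes:
    """Constructed 16-sector image: one partition in sectors 1-8, 7 trailing sectors."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0, b"\0" * 3, 0x07, b"\0" * 3, 1, 8)
    mbr[510:512] = b"\x55\xaa"
    # Constructed stand-in for an opaque blob: 1024 pseudo-random bytes (2 sectors).
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    tail = bytes(5 * SECTOR) + blob if hidden else bytes(7 * SECTOR)
    return bytes(mbr) + bytes(8 * SECTOR) + tail

if __name__ == "__main__":
    print(trailing_slack_report(make_sample_image()))
```

Non-zero, high-entropy sectors outside any partition are a lead for further examination rather than proof; GPT disks and vendor recovery areas need their own handling.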
3.8 (S) Covert File System Uninstallation (-c)
(S) The BadMFS covert file system can be removed by using the -c option from the
installer. This does not uninstall Angelfire; however, if BadMFS is not there on a system
reboot, Angelfire will exit. NOTE: If there are large files in the covert file system, this
command can take a bit longer to complete.
stp.exe -c
3.9 (S) Adding a File To The Covert File System (-f)
(S) To add a file to the BadMFS covert file system, you must use the -f option. Whenever
files are added to the covert file system, a 3-digit number is prepended to
the file name to encode information about the file for internal Angelfire use. In the case
of .exe and .sys files, an additional file is also created (with a similar name) that
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
10 of 21