Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.4.2 (S) -ipl
(S) The -ipl option performs a driver-based install. The advantage of this is that Angelfire
will begin executing immediately. The disadvantage is that the driver increases Angelfire's
footprint on the system and, if executing on a 64-bit machine, will need to be signed with
a Class 3 code signing certificate. The driver is only needed for installation and can be
deleted immediately after.
(S) When installing Angelfire on 64-bit systems with the -ipl option, the SolarTime driver
(default name of nvlmi.sys) must be signed with a code signing certificate from a
Certificate Authority approved by Microsoft for driver signing. The company name on
the certificate probably won't match the company name in the file details tab when
viewing the file on disk. The file details can be modified by EDG to match the certificate
used.
Parameters for a -ipl based installation:
stp.exe -ipl <package file> <SLD> <zf> <container path> <solartime driver>
Example of doing an -ipl install with default binary names:
stp.exe -ipl xqlmi.dat tdbsip.sys zf \Windows\twill.log nvlmi.sys
Notes:
<container path> - This should be the full path starting with a SLASH ONLY. This
parameter specifies where the container file will be created.
Table : (S) -ipr and -ipl command line options
Command Line Option    Default Name                                Can be renamed
<package file>         xqlmi.dat                                   Yes
<SLD>                  tdbsip.sys                                  Yes
<zf>                   zf                                          No
<container path>       User specified – no drive letter allowed    Yes
<solartime driver>     nvlmi.sys                                   Yes
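
The following is an added example, not part of the Angelfire guide: Python triage logic for a driver inventory export, built on two points from this section, the default file names in the table and the statement that the signing certificate's company name probably won't match the company name in the file details. The record fields (path, signer_subject, version_company) and all sample rows are assumptions constructed for illustration.

```python
import re

# Default names from the -ipr/-ipl options table. All but "zf" can be renamed,
# so a name match is a weak signal; the signer check does not depend on names.
DEFAULT_NAMES = {"xqlmi.dat", "tdbsip.sys", "zf", "nvlmi.sys"}
EXAMPLE_CONTAINER = "\\windows\\twill.log"  # container path in the guide's example
SUFFIXES = re.compile(r"\b(inc|incorporated|corp|corporation|co|ltd|llc|gmbh)\b\.?")

def org_from_subject(subject):
    """Return the O= (organization) value of a certificate subject string."""
    m = re.search(r'(?:^|,\s*)O=(?:"([^"]*)"|([^,]*))', subject)
    return (m.group(1) or m.group(2) or "").strip() if m else ""

def normalize(name):
    """Lower-case, drop legal suffixes and punctuation before comparing."""
    return re.sub(r"[^a-z0-9]+", " ", SUFFIXES.sub("", name.lower())).strip()

def review(record):
    """Return the list of findings for one inventory record."""
    findings = []
    path = record["path"].lower()
    leaf = path.rsplit("\\", 1)[-1]
    if leaf in DEFAULT_NAMES:
        findings.append("default-name")
    if path.endswith(EXAMPLE_CONTAINER):
        findings.append("example-container-path")
    if leaf.endswith(".sys"):  # compare certificate organization with file details
        signer = normalize(org_from_subject(record["signer_subject"]))
        company = normalize(record["version_company"])
        if signer and company and signer not in company and company not in signer:
            findings.append("signer-company-mismatch")
    return findings

def triage(records):
    """Map path -> findings for every record with at least one finding."""
    return {r["path"]: review(r) for r in records if review(r)}

# Constructed inventory rows; company names are placeholders, not real signers.
SIGNER_A = "CN=Example Widgets Inc., O=Example Widgets Inc., C=US"
SIGNER_B = "CN=Constructed Holdings Ltd, O=Constructed Holdings Ltd, C=US"
SAMPLE = [
    {"path": r"C:\Windows\System32\drivers\exampledrv.sys",
     "signer_subject": SIGNER_A, "version_company": "Example Widgets, Inc."},
    {"path": r"C:\Windows\System32\drivers\nvlmi.sys",
     "signer_subject": SIGNER_B, "version_company": "Example Graphics Corporation"},
    {"path": r"C:\Windows\System32\drivers\renamed.sys",
     "signer_subject": SIGNER_B, "version_company": "Example Graphics Corporation"},
    {"path": r"C:\Windows\twill.log", "signer_subject": "", "version_company": ""},
]
```

The mismatch check on its own is noisy: third-party drivers signed through Microsoft's hardware certification program carry a Microsoft signer, so known-good signer organizations need an allow-list before the output is useful.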
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide