Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
3.0 (U) Getting Started
3.1 (U) Pre-deployment
(S) Note that the tool must be run as SYSTEM, and should be executed from a
SYSTEM level cmd.exe shell. The tool will prevent itself from being run outside of such
conditions and will produce output such as that seen below in the “Sample Output” section.
(S) Windows XP 64-bit is not supported. If run on Windows XP 64-bit, the tool will not attempt
to perform any of its functions, and will display a warning for 5 seconds before exiting. An
example of this can be seen in a screenshot below in the “Sample Output” section.
(S) The tool requires that the user be logged in. This is achieved by blacklisting the
“LogonUI.exe” process that exists when a locked screen is present.
3.2 (U) Deployment
• (S) Run the tool from a SYSTEM level cmd.exe shell
• (S) The tool prompts for an exit timer once all of its steps are completed. The exit
timer will not begin until the thumb drive the tool is run from is ejected. If the drive
is ejected before the user manually inputs an exit time, the time is assumed to be 7
minutes.
• (S) The tool will clear and hide its window once the drive is ejected
• (S) The tool writes a text file recording all actions undertaken back to the USB drive
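For defenders, the deployment conditions above describe a detectable pattern: a process started by a SYSTEM level cmd.exe from removable media that then writes a file back to the same volume. The following is an added example, not part of the original guide; the event schema, field names, file names and the REMOVABLE set are assumptions, and the sample events are constructed.

```python
from ntpath import basename, splitdrive

SYSTEM = "NT AUTHORITY\\SYSTEM"
REMOVABLE = {"E:"}  # assumption: volumes the endpoint agent reports as removable

# Constructed sample events in a hypothetical normalized schema (not real logs).
EVENTS = [
    {"type": "proc", "pid": 4120, "user": SYSTEM,
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"E:\sample.exe"},
    {"type": "file", "pid": 4120, "path": r"E:\actions.log"},
    {"type": "proc", "pid": 5008, "user": r"CORP\alice",
     "parent": r"C:\Windows\System32\cmd.exe", "image": r"E:\setup.exe"},
    {"type": "proc", "pid": 5230, "user": SYSTEM,
     "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "file", "pid": 5008, "path": r"E:\notes.txt"},
]


def volume(path):
    """Return the upper-cased drive component of a Windows path, e.g. 'E:'."""
    return splitdrive(path)[0].upper()


def is_system_shell_launch(ev, removable):
    """True for a process started by a SYSTEM level cmd.exe from removable media."""
    return (ev["type"] == "proc"
            and ev["user"].upper() == SYSTEM
            and basename(ev["parent"]).lower() == "cmd.exe"
            and volume(ev["image"]) in removable)


def find_launches(events, removable=REMOVABLE):
    """One finding per flagged process, with files it wrote back to its own volume."""
    findings = {}
    for ev in events:
        if is_system_shell_launch(ev, removable):
            findings[ev["pid"]] = {"pid": ev["pid"], "image": ev["image"],
                                   "written_back": []}
        elif ev["type"] == "file" and ev["pid"] in findings:
            hit = findings[ev["pid"]]
            if volume(ev["path"]) == volume(hit["image"]):
                hit["written_back"].append(ev["path"])
    return list(findings.values())


if __name__ == "__main__":
    for finding in find_launches(EVENTS):
        print(finding)
```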
3.3 (U) Additional Notes
(S) Dumbo works by discovering which processes have access to the physical camera device
and uses that information to corrupt video files. In some instances, programs emulate a
camera input to other programs; such is the case with Fujitsu’s YouCam.exe. When this
occurs, YouCam.exe will have control of the actual webcam, and feed input to other
processes that record images to files as needed. In this scenario, Dumbo will suspend
YouCam.exe but will not be able to detect the other processes to which YouCam.exe is
feeding images. Although the camera will not be able to record additional frames, Dumbo
will not be able to corrupt files that were written previously, as it is unaware of the processes
writing the video files. If the operator sees a process using the camera device, but Dumbo
detects no files being written, the operator should manually search for video files.
(S) In some instances, video recording software can detect that it is not responding,
and will restart itself; such is the case with iSpy.exe. When Dumbo detects a process using a
camera device, it also claims control of the device. If the recording software were to restart
itself, it would no longer be able to access the camera until Dumbo exits. In the case of iSpy,
although the program may restart, it will be unable to record any additional frames; it will
appear as if it was unable to access the camera, due to it already being in use.
Dumbo-v2_0-User_Guide.pdf