Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
• Should we store a hash of files in the covert storage area? This would avoid corruption.
Debugging Instructions:
• Type this in WinDbg: .reload /f wc.sys=0x<image_start_address>
• The image start address is printed out to the debugger, but you'll have to hit F5 once to get it to print. If you need to debug code prior to this, you are stuck looking at assembly.
Things to document:
• In XP, the process execution only works on PAE systems.
Things I would like in the next version of BadMFS
• Add directories
• Encryption on the whole file system
• Simplify it. I don’t think all of the locks are necessary.
• Make it easier to use different backing stores, such as registry, $boot, etc. This will require abstraction of the reads and writes.
• Make it more intuitive to use. Get rid of the requirement to call initialize every time.
• There should be an install function that creates the file system. If the file system hasn’t been installed, then none of the other file system functions should work.
• The users shouldn’t have to open a handle to the file or disk themselves.
• A function that sets the file pointer within a badmfs file. Currently there is only a set file pointer for the file handle to the backing store.
• Add a compression option to the files.
• Add metadata to the files. For example, it would be nice to have time created, modified, etc. – I’m not sure about this one.
• There needs to be an integrity check on the files.
• Get rid of the NDK.
• Add the ability to redirect Windows OS file system access (i.e. calls to NtCreateFile, NtReadFile, etc) into badmfs. This would allow implants to access badmfs without having to link the badmfs library into their code. This,
Wolfcreek-Docs-Notes.pdf