SECRET//NOFORN
2.0 (U) Prerequisites
2.1 (S//NF) A loader that can support the ICE v3 specification; specifically Fire and Collect. (CouchPotato was tested during development using ShellTerm 2.9.2 as it was the only operationally ready ICE v3 loader.)
2.2 (S//NF) The module handler script requires python 2 (tested with python 2.7.3).
2.3 (S//NF) The module handler script should be run on a *nix host (tested with Ubuntu 12.04.2 LTS).
2.4 (S//NF) The module handler script must be run on the same host as the loader.
2.5 (S//NF) A host process on the target has been identified that is not critical to system stability, into which CouchPotato can be injected, and that will not be blocked by a firewall from sending/receiving data to the host machine serving the content.
3.0 (U) Usage
3.1 (S//NF) General usage
3.1.1 (S//NF) Before launching an instance of a CouchPotato ICE DLL through a compatible loader, the handler will need to be started. To start the handler, open a new shell and execute the cp_handler.py script. This script should be started on the same host as the C2 loader. It requires at least the -o argument, the path to a directory to write its output to. All collection files for the given run of CouchPotato are written to this directory.
Example: $ cp_handler.py -o out_data
3.1.2 (S//NF) It is highly recommended not to launch out of a process that is critical to system stability, such as services.exe. There are cases, beyond CouchPotato’s control, that can cause the ICE DLL thread to exit ungracefully. It can leak memory and also leave file handles open. (The background is that ffmpeg’s code assumes it runs in its own process and therefore has no concerns about exiting without cleaning up memory or file handles, as it assumes the process exits and everything is freed accordingly.)
Couch_Potato-1_0-User_Guide.pdf