Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20341105
examine the error log in a hex viewer. The log is filled with contiguous 2 byte error
codes. To get the error code, take the 2 bytes and swap them. Take that value (which is
in hexadecimal and convert it to decimal. The error codes can be referenced here to
determine the cause of the error.
5. (S) OS Compatibility List
(S) Angelfire is compatible with the following 32-bit systems: XP, Server 2003, Vista,
Server 2008, Server 2008 R2, and Win7.
(S) Angelfire is compatible with the following 64-bit systems: Vista, Server 2008, Server
2008 R2, Win7.
6. (U) Known Issues
(U) While Angelfire attempts to provide a robust environment for the user, there are some
limitations that a user should be aware of prior to use. Table lists those issues that are
currently known to the Angelfire development team.
Table : (S) Known Issues
Issue Cause Remediation
Solartime does a heuristic check of
the operating system at boot time to
determine if it is possible to patch it.
It is possible that this heuristic
check will succeed, yet the OS has
changed in a manner that would
cause a crash if patched.
The heuristic algorithm is
imperfect and can still have
false positives.
Solartime has a more restrictive
setting that will only allow the
patch to proceed if the OS has
not changed. The downside is,
that if a new service pack or
hotfix is applied, Solartime will
not launch on bootup.
SEH doesn't work in drivers started
by Angelfire.
The SEH environment is not
configured correctly during
driver load.
This will be fixed in a future
version of Angelfire.
When viewing an Angelfire-started
process in Task Manager or another
process viewer, the command line
string will display whatever the user
passed as the command line when
the file was added to the covert file
system.
Process viewers display
whatever command line was
passed to the executable.
Executables that are started by
Angelfire should not use a
command line if possible. This
will allow Angelfire to display a
svchost.exe appropriate
command line, allowing it to
blend in with everything else.
To start processes, Angelfire must
know some internal structures of
Windows. All precaution has been
taken to ensure those structures are
exactly what Angelfire expects them
to be. If Angelfire detects a change
in the structures, it will not attempt
to start processes.
OS updates can cause the
internal structures to change.
Keep Angelfire updated with the
latest OS structures.
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
15 of 21
SECRET//20341105
Wolfcreek-Docs-Angelfire_UserGuide.pdf