Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20341105
implant files added to the covert file system may be deleted from the OS file system (i.e.
NTFS).
4.2 (S) Using Angelfire To Start Drivers
(S) Angelfire is capable of starting kernel mode drivers. The driver must first be added to
the covert file system by using the -f option. See the section on adding drivers to the
covert file system for more information. On reboot, any file with a .sys extension
will be executed at the start time the user specified. There are some limitations to driver
execution:
• Drivers will not have Structured Exception Handling (SEH) available even if the
driver was built with SEH enabled. This will be added in a future version of
Angelfire.
• Angelfire can optionally create and pass a driver object to drivers. If no driver
object is used, the driver will be stealthier. If a driver is expecting a driver object
and none is passed, the system will blue screen. It is up to the operator to make
this determination on a driver by driver basis.
• Once started, drivers cannot be unloaded by Angelfire. However, drivers can
terminate execution themselves (exit).
• If a driver start type of boot start (-b) is specified, the driver will be started at the
same time as the system start drivers (-s). This is a limitation of the covert file
system and will be fixed in a future version.
4.3 (S) Using Angelfire To Start Executables
(S) Angelfire is capable of starting executables. The executable must first be added to the
covert file system by using the -f option. See the section on adding executables to the
covert file system for more information. There are some limitations to starting
executables:
• When viewing an Angelfire-started process in Task Manager or another process
viewer, the image name will be svchost.exe. It has been determined that svchost
is the best (most reliable) process to use for process execution.
• When viewing an Angelfire-started process in Task Manager or another process
viewer, the command line string will display whatever the user passed as the
command line when the file was added to the covert file system. If no command
line string is specified, then Angelfire will use a default string
("c:\windows\system32\svchost.exe -k WerSvcGroup"). It is recommended, if
possible, to not specify a command line due to its visibility in process viewing
applications.
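From a defender's standpoint, the two observations above (the image name is svchost.exe; the command line is either operator-supplied or the default string quoted above) are the attributes a hunt would key on. The following is an added example, not code from the Angelfire guide or the Wolfcreek project: a Python audit over a constructed process snapshot that flags svchost.exe instances whose image path, parent process or command-line form departs from a genuine Service Host. The parent-process (services.exe) and image-path checks are general Windows hunting assumptions rather than statements from the guide, and the sample records, their PIDs and their parent names are constructed.

```python
import re
from dataclasses import dataclass

# Expected attributes of a genuine Service Host instance on a default Windows
# install. The parent-process and image-path checks are general hunting
# assumptions; the user guide only states that the started process shows the
# image name svchost.exe and the operator's (or a default) command line.
EXPECTED_IMAGE = r"c:\windows\system32\svchost.exe"
EXPECTED_PARENT = "services.exe"
# Genuine svchost command lines take the form "svchost.exe -k <group> [-p] [-s <svc>]".
SVCHOST_CMDLINE = re.compile(
    r'^"?c:\\windows\\system32\\svchost\.exe"?\s+-k\s+\S+(\s+-p)?(\s+-s\s+\S+)?\s*$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str          # image name as shown by a process viewer
    image_path: str    # path of the mapped executable
    parent_name: str   # image name of the parent process
    cmdline: str       # command line string as shown by a process viewer


def audit_svchost(records):
    """Return [(pid, [reasons])] for every svchost.exe that deviates from the expected profile."""
    findings = []
    for rec in records:
        if rec.name.lower() != "svchost.exe":
            continue
        reasons = []
        if rec.image_path.lower() != EXPECTED_IMAGE:
            reasons.append("image path is not the System32 svchost.exe")
        if rec.parent_name.lower() != EXPECTED_PARENT:
            reasons.append(f"parent is {rec.parent_name}, not {EXPECTED_PARENT}")
        if not SVCHOST_CMDLINE.match(rec.cmdline):
            reasons.append("command line is not of the form 'svchost.exe -k <group>'")
        if reasons:
            findings.append((rec.pid, reasons))
    return findings


# Constructed sample snapshot (not real telemetry). Record 300 carries the
# default string quoted in the guide; record 301 carries a made-up
# operator-supplied command line; the PIDs and parent names are illustrative.
SAMPLE_SNAPSHOT = [
    ProcessRecord(100, "services.exe", r"C:\Windows\System32\services.exe", "wininit.exe",
                  r"C:\Windows\system32\services.exe"),
    ProcessRecord(200, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessRecord(300, "svchost.exe", r"C:\Windows\System32\svchost.exe", "System",
                  r"c:\windows\system32\svchost.exe -k WerSvcGroup"),
    ProcessRecord(301, "svchost.exe", r"C:\Windows\System32\svchost.exe", "System",
                  r"c:\windows\system32\svchost.exe tool.exe --quiet"),
]

if __name__ == "__main__":
    for pid, reasons in audit_svchost(SAMPLE_SNAPSHOT):
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Note that the default string passes the command-line check by construction, which is exactly why the guide recommends it; in that case only the parent-process (or image-path) check carries the detection, so a hunt that looks at the command line alone is insufficient. In practice the records would come from process-creation telemetry (for example Sysmon event ID 1 or an EDR process tree) rather than a hand-built list.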
4.4 (S) Error Logging
(S) If any errors are encountered during the installation process, an error code will be
returned on the command line of the installation application. If errors are encountered
during operation of Angelfire, an error log is created in the covert file system with the
name "error_log". To see the errors, retrieve the error log using the -g option and
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
14 of 21
Wolfcreek-Docs-Angelfire_UserGuide.pdf