Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Todo

Testing
  - test with xbot
    - have the server connect back with option -a <addr> -p <port>
    - have the client listen with option -p <port> -l
    - the client must be listening before the server is started.
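The test procedure above depends on ordering: the listening side must be up before the connect-back side runs, or the connection is refused. The following is an added example, not code from the leaked notes or from the xbot/Bulldozer tools (which are not available here). It models the two roles with plain TCP sockets: a "client" that listens (the -p <port> -l role) and a "server" that connects back (the -a <addr> -p <port> role). It adds the two checks a tester would want before blaming the tool for an intermittent connection: a port-readiness probe before launching the connect-back side, and a bounded retry on the connect-back side. The port numbers, the CONNECT_BACK_BANNER payload and all function names are assumptions for the illustration.

```python
"""Connect-back ordering check (added example; not the xbot/Bulldozer code)."""
import socket
import threading
import time

# Constructed payload so the listener can tell a real connect-back from a
# readiness probe. The real protocol is not known from the notes.
CONNECT_BACK_BANNER = b"bulldozer-hello"


def start_listener(addr="127.0.0.1", port=0):
    """Stand-in for 'client -p <port> -l': bind, listen, return (sock, port).

    port=0 lets the OS pick a free port, which keeps the demo self-contained.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((addr, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def wait_for_listener(addr, port, timeout=5.0, interval=0.1):
    """Return True once something accepts TCP connections on addr:port.

    Run this before starting the connect-back side so a test does not fail
    just because the listener process is still starting up. The probe sends
    nothing and closes immediately.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((addr, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


def connect_back(addr, port, retries=3, delay=0.2):
    """Stand-in for 'server -a <addr> -p <port>': connect and send the banner.

    Returns the attempt number that succeeded, or 0 if every attempt failed.
    A small bounded retry tolerates a slow listener without hiding one that
    never came up.
    """
    for attempt in range(1, retries + 1):
        try:
            with socket.create_connection((addr, port), timeout=1.0) as s:
                s.sendall(CONNECT_BACK_BANNER)
                return attempt
        except OSError:
            time.sleep(delay)
    return 0


def _accept_banner(srv, received, stop):
    """Listener accept loop: ignore empty readiness probes, keep the banner."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(2.0)
            try:
                data = conn.recv(64)
            except OSError:
                data = b""
        if data:  # a readiness probe sends nothing, so data is b"" for it
            received.append(data)
            return


def run_test(listener_first=True, addr="127.0.0.1"):
    """Run the procedure in the documented order, or deliberately reversed.

    Returns (banner_received, attempts). With listener_first=False the
    connect-back side runs against a port nobody listens on, which is the
    failure the notes warn about: every attempt is refused and attempts is 0.
    """
    srv, port = start_listener(addr)
    received, stop = [], threading.Event()
    if not listener_first:
        srv.close()  # wrong order: listener is gone before the server starts
        return False, connect_back(addr, port)
    t = threading.Thread(target=_accept_banner, args=(srv, received, stop),
                         daemon=True)
    t.start()
    try:
        ready = wait_for_listener(addr, port)
        attempts = connect_back(addr, port) if ready else 0
        t.join(2.0)
    finally:
        stop.set()
        srv.close()
    return received == [CONNECT_BACK_BANNER], attempts


if __name__ == "__main__":
    print("listener first:", run_test(listener_first=True))
    print("server first:  ", run_test(listener_first=False))
```

When testing against the real binaries, the same pattern applies: start the listening client, poll its port with a probe like wait_for_listener from a wrapper script, and only then launch the server with -a <addr> -p <port>; a connect-back that still fails after the probe succeeds points at the tool rather than at test ordering.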
Issues:

The Bulldozer server was connecting to the Bulldozer client intermittently. I
traced the problem to the xConnect call in Bulldozer. I never figured out what
the problem was. If other networked apps have the same issue, this might be
the problem.

The memory allocated for a driver will essentially be a memory leak. I have
no way to tell when a driver will be done executing, so I can't delete it.

Drivers can't be unloaded because the driver object has no section handle
associated with it. If this becomes a problem, I have code that is commented
out in CreateDriverObject that is broken, but should create a section handle
that can be used.

C:\Windows\system32\svchost.exe is hardcoded. If Windows is installed on
another partition (e.g. D:), then this would look strange in Task Manager.

The processes used in launching an implant with MagicWand were chosen
carefully. If the parent process goes away while an implant is running, the
system could crash. We also wait for explorer.exe to launch before we launch
any user processes. This has yielded the most reliable results, and any
modification to this policy should be tested thoroughly.
Future Mods

  - Find a way to do exception handling.
  - Rewrite MagicWand.
  - Provide a way to inject a DLL into another process with MagicWand.
  - Put the covert storage area in a deleted (still allocated) registry
    key/value. We could also put it in an NTFS attribute.
