Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
contains the command line parameters to be passed to the .exe. To delete an .exe or .sys
file, both of the files matching the implant name should be deleted.
Parameters for using the -f option:
stp.exe -f <file to add> <file type options>
3.9.1 (S) Adding a driver to the covert file system (-f)
(S) To add a device driver to the covert file system, it must have a .sys file extension.
After specifying the driver name, the user must specify if they wish to have it start at boot
time (-b), system start time (-s), or automatic start time (-a). Note that currently, -b and -s
both result in the driver being started during system start time.
Example of adding a driver to the covert file system:
stp.exe -f c:\tmp\mydriver.sys -s
3.9.2 (S) Adding an executable to the covert file system (-f)
(S) To add an executable to the covert file system, use the -f option. The executable must
have an .exe file extension. After specifying the file name, the user can optionally add
command arguments by specifying the -c option.
Limitations on what types of executables can be run:
- No applications with Graphical User Interfaces (GUI) can be run. This is because
  the parent process is always services.exe. services.exe executes in a different window
  station than the logged-on user, so there is no way for it to spawn the GUI.
- The executable must match the architecture it is being run on (i.e. a 64 bit version
  of Bulldozer on a 64 bit version of Windows). This also means that you cannot
  run a 32 bit executable on 64 bit Windows. Note: If a mismatched binary (i.e. 32
  bit executable on a 64 bit OS) is run, it will fail gracefully.
- The application cannot interact with the console (such as cmd.exe).
- The application cannot be compiled to use side-by-side assemblies. This is a
  feature in Windows that tries to eliminate "dll hell" by storing which specific
  versions of Windows dll's are required in a manifest that is compiled into the
  binary. When Windows starts the executable, it pulls those specific versions of
  the dll's from a dll database on the machine.
- The application cannot require that a specific user dll be loaded with it. If this is a
  requirement, the application should either pack the dll in a resource and extract it
  at run-time, or use the BadMFS library to pull the dll from the BadMFS covert
  file system.
Example of adding an executable with command arguments to the covert file system
(note that all parameters after -c are arguments for xserver.exe):
stp.exe -f c:\tmp\xserver.exe -c -a 10.3.2.130 -p 1999
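The limitations above state that every executable launched from the covert file system has services.exe as its parent and can be neither a GUI nor a console application. From a defender's side that is a usable hunting signal: children of services.exe that are not ordinary Windows service binaries deserve a look. The following is an added example for that triage step, not code from the Angelfire user guide or from the Angelfire project; the CSV log format, the field names and the sample events are constructed, and the "image outside the Windows directory" heuristic is an assumption, not something the guide specifies.

```python
# Added defensive example (not from the Angelfire user guide): list process
# creations whose parent is services.exe but whose image does not live under
# the Windows directory. The guide states that implant executables always
# have services.exe as their parent, so non-service children of services.exe
# are a reasonable starting point for triage. Log format and sample events
# are constructed; the heuristic is an assumption, not the guide's.
import csv
import io
from typing import Dict, List

# Constructed sample process-creation events (simplified Sysmon-style fields).
SAMPLE_EVENTS = """\
pid,image,parent_image,command_line
612,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\services.exe,svchost.exe -k netsvcs
640,C:\\Windows\\System32\\spoolsv.exe,C:\\Windows\\System32\\services.exe,spoolsv.exe
1440,C:\\Users\\alice\\notepad.exe,C:\\Windows\\explorer.exe,notepad.exe
2044,C:\\ProgramData\\xserver.exe,C:\\Windows\\System32\\services.exe,xserver.exe -a 10.3.2.130 -p 1999
"""

# Assumed location of the Windows directory; adjust to %SystemRoot% on a real host.
SYSTEM_ROOT = "c:\\windows\\"


def is_services_exe(path: str) -> bool:
    """True when the path names services.exe (case-insensitive)."""
    return path.lower().endswith("\\services.exe")


def under_system_root(path: str) -> bool:
    """True when the image path is inside the Windows directory."""
    return path.lower().startswith(SYSTEM_ROOT)


def suspicious_service_children(csv_text: str) -> List[Dict[str, str]]:
    """Return events where services.exe spawned an image outside the Windows directory.

    This is a triage list, not an alert: legitimate third-party services are
    also started by services.exe from Program Files or similar locations, so
    every hit still needs review against the host's installed services.
    """
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_services_exe(row["parent_image"]) and not under_system_root(row["image"]):
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    for row in suspicious_service_children(SAMPLE_EVENTS):
        print(f"pid {row['pid']}: {row['image']} started by services.exe "
              f"with command line: {row['command_line']}")
```

On the constructed sample only the ProgramData binary is listed; the svchost.exe and spoolsv.exe rows pass because they live under the Windows directory, and the notepad.exe row passes because its parent is explorer.exe. In practice the result set is narrowed further by comparing it with the services registered on the host.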
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
11 of 21