Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.7 (S) Getting the log file from covert store (get transitory file)
(S) Angelfire now includes a log file. This log file records basic information about the
successful execution of an implant located in the covert store. To retrieve the contents of
the log file, one must create and finalize a “get” transitory file. The contents of the log
file will be printed to stdout (if using the .exe installer) or written back to the text pipe (if
using the fire-and-collect .dll installer).
Example of creating a “get” transitory file:
wtpack.exe new get "get_transitory_file"
wtpack.exe update "get_transitory_file" -bp "BadMFS location"
3.8 (S) Uninstalling Angelfire (uninst transitory file)
(S) To uninstall Angelfire, you must create and finalize an “uninst” transitory file. The
uninstallation process will remove wolfcreek and solartime, and will also delete the
covert store. N.B. After performing an uninstall, you will need to wait for a reboot before
reinstalling.
Example of creating an “uninst” transitory file:
wtpack.exe new uninst "uninst_transitory_file"
wtpack.exe update "uninst_transitory_file" -bp "BadMFS location"
3.9 (S) Finalizing a transitory file
(S) To finalize a transitory file, you must run the “finalize” command on the transitory
file you wish to use. You must also specify the location of the Angelfire installer
executable you wish to use. The “finalize” command will place the transitory file you
have selected as a resource inside the installer (either the .exe or .dll version).
N.B. Only one transitory file can be placed inside an installer at a time. This means
only one “action” (inst, add, del, list, get, uninst) may be performed at any given
time.
4. (U) Operational Notes
4.1 (S) Using Angelfire To Start Drivers
(S) Angelfire is capable of starting kernel mode drivers. The driver must first be added to
the covert file system by using the “add” transitory file. See the section on adding files to
the covert store for more information. On reboot, any files with a .sys extension will
be executed. There are some limitations to driver execution:
- Drivers will not have Structured Exception Handling (SEH) available even if the driver was built with SEH enabled. This will be added in a future version of Angelfire.
- Once started, drivers cannot be unloaded by Angelfire. However, drivers can terminate execution themselves (exit).
af+mainrepo+Angelfire 2.0 UserGuide 10 of 15