Vault 7: Projects
This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20341105
Known issues (Issue / Cause / Remediation)

Issue: SEH doesn't work in drivers started by Angelfire.
Cause: The SEH environment is not configured correctly during driver load.
Remediation: This will be fixed in a future version of Angelfire.

Issue: When viewing an Angelfire-started process in Task Manager or another process viewer, the command line string will display whatever the user passed as the command line when the file was added to the covert file system.
Cause: Process viewers display whatever command line was passed to the executable.
Remediation: Executables started by Angelfire should not use a command line if possible. This allows Angelfire to display an svchost.exe-appropriate command line, so the process blends in with everything else.

Issue: If the user chose to install BadMFS at the end of the logical volume and there is insufficient space at the end of the logical volume, the covert file system won't install. This is frequently the case with VMware guest OSes, and is usually the case when install returns error code 617. NOTE: this applies only if "PhysicalDrive" is specified in the -bp option to indicate that the covert file system is to be installed in the drive slack space. It does not apply to a file-based covert file system.
Cause: The covert file system needs a minimum of 2 MB at the end of the volume to install correctly.
Remediation: Shrink the volume using third-party disk tools. The covert file system needs a minimum of 2 MB to install correctly.

Issue: If the container file is deleted but Angelfire has not been uninstalled, it will continue to work on reboot until the disk clusters that the container file occupies are overwritten by the file system. When that happens, the integrity check of the container file will fail and Angelfire will allow the boot process to continue as normal.
Cause: The Angelfire boot process references the location of the container file by its file ID, not its file name. Because of this approach, it won't recognize that the container has been deleted.
Remediation: None.

Issue: If Windows is installed on a non-standard drive (e.g. D:), processes started by Angelfire with a default command line will have an svchost.exe path of "c:\windows\system32\svchost.exe". This is inconsistent with the actual svchost.exe path on the system. NOTE: this applies only to applications started with no parameters.
Cause: Angelfire does not dynamically determine the path of svchost.exe.
Remediation: A future version of Angelfire will dynamically determine svchost.exe's path.

Issue: If a driver start type of boot start (boot) is specified, the driver will be started at the same time as the system start drivers (sys).
Cause: This is a limitation of the covert file system.
Remediation: This will be fixed in a future version.
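A defender-side check for the svchost.exe path inconsistency described in the fifth entry above, added here as an example and not part of the Angelfire user guide: it compares the svchost.exe path each process reports in its command line against the host's real %SystemRoot%\System32\svchost.exe, and also against the image file actually backing the process. The process records and the system root are constructed sample data.

```python
import ntpath
from dataclasses import dataclass


@dataclass
class ProcessRecord:
    pid: int
    image_path: str    # executable actually backing the process, as reported by the OS
    command_line: str  # command line as shown by Task Manager or another process viewer


def first_token(command_line: str) -> str:
    """Return the program path at the start of a Windows command line,
    honouring double quotes around paths that contain spaces."""
    s = command_line.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def svchost_inconsistencies(records, system_root):
    """Return the pids whose command line presents the process as svchost.exe but
    whose claimed path is not the real %SystemRoot%\\System32\\svchost.exe, or whose
    backing image is not that file. Paths are compared case-insensitively."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32", "svchost.exe"))
    findings = []
    for rec in records:
        claimed = ntpath.normcase(first_token(rec.command_line))
        if ntpath.basename(claimed) != "svchost.exe":
            continue  # not presenting itself as svchost.exe; out of scope here
        if claimed != expected or ntpath.normcase(rec.image_path) != expected:
            findings.append(rec.pid)
    return findings


# Constructed sample data: Windows installed on D:, two legitimate service hosts,
# one process showing the hard-coded C: path the user guide describes, one unrelated.
SYSTEM_ROOT = r"D:\Windows"
SAMPLE_PROCESSES = [
    ProcessRecord(812, r"D:\Windows\System32\svchost.exe",
                  r"D:\Windows\System32\svchost.exe -k netsvcs -p"),
    ProcessRecord(1304, r"D:\Windows\System32\svchost.exe",
                  r'"D:\Windows\System32\svchost.exe" -k LocalService'),
    ProcessRecord(2210, r"D:\Users\Public\update.exe",
                  r"c:\windows\system32\svchost.exe"),
    ProcessRecord(3120, r"D:\Program Files\Tool\tool.exe",
                  r'"D:\Program Files\Tool\tool.exe" --service'),
]

if __name__ == "__main__":
    print(svchost_inconsistencies(SAMPLE_PROCESSES, SYSTEM_ROOT))  # [2210]
```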
af+mainrepo+Angelfire 2.0 UserGuide 12 of 15
Angelfire-2_0-UserGuide.pdf