Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
3.4.2 (S) Limitations for binary files
No executable with a Graphical User Interface (GUI) can be run. This is because the parent process is always services.exe. Services run in a different window station than the logged-on user, so there is no way for a child of services.exe to put a window on the user's desktop.
Any binary must match the architecture it is being run on (i.e. a 64-bit version of Bulldozer on a 64-bit version of Windows). This also means that you cannot run a 32-bit executable on 64-bit Windows. Note: if a mismatched binary (i.e. a 32-bit executable on a 64-bit OS) is run, it will fail gracefully.
The application cannot interact with the console (such as cmd.exe).
The application cannot be compiled to use side-by-side assemblies. This is a feature in Windows that tries to eliminate "DLL hell" by recording which specific versions of Windows DLLs are required in a manifest that is compiled into the binary. When Windows starts the executable, it pulls those specific versions of the DLLs from the side-by-side store on the machine.
The application cannot require that a specific user DLL be loaded with it. If this is a requirement, the application should pack the DLL in a resource and extract it at run time.
No .dll can be added to the covert store on Windows XP. This is because .dll injection is not currently supported on Windows XP.
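The limitations above are all visible in a payload's PE headers before it is ever packed, so a pre-flight check is worth running. The following is an added example written for this page, not code from the Angelfire or Bulldozer tooling. It parses only the COFF header, optional header, section table and import directory with the standard library, and reports which of the 3.4.2 rules a candidate binary breaks: architecture mismatch with the host, a GUI subsystem, imports of DLLs outside a system allow list (which must instead be packed as a resource), and a manifest that declares side-by-side dependencies. The SYSTEM_DLLS allow list and the byte-scan for "<dependentAssembly" are assumptions of this example, and build_sample_pe constructs a synthetic minimal PE as test input so the script runs offline.

```python
"""Pre-flight check of a payload against the 3.4.2 binary limitations.
Added example, not part of the Angelfire/Bulldozer documentation."""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SUBSYSTEM_WINDOWS_CUI = 3

# Assumption: DLLs the system loader always provides. Anything else must be
# packed as a resource and extracted at run time, as 3.4.2 requires.
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "advapi32.dll",
               "ws2_32.dll", "user32.dll", "shell32.dll", "ole32.dll"}


def parse_pe(data):
    """Return (machine, subsystem, import_dir_rva, sections) from the headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]          # 0x10B PE32, 0x20B PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dirs = opt + (112 if magic == 0x20B else 96)            # data directories
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # index 1 = imports
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), raw))
    return machine, subsystem, import_rva, sections


def rva_to_offset(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return raw + (rva - va)
    raise ValueError(f"RVA {rva:#x} maps to no section")


def imported_dlls(data, import_rva, sections):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and return DLL names, lower-cased."""
    dlls = []
    if import_rva == 0:
        return dlls
    off = rva_to_offset(import_rva, sections)
    while True:
        name_rva = struct.unpack_from("<IIIII", data, off)[3]
        if name_rva == 0:                                   # all-zero terminator
            break
        noff = rva_to_offset(name_rva, sections)
        dlls.append(data[noff:data.index(b"\0", noff)].decode("ascii").lower())
        off += 20
    return dlls


def check_compat(data, host_is_64bit):
    """Return the list of 3.4.2 limitations the binary violates (empty = OK)."""
    machine, subsystem, import_rva, sections = parse_pe(data)
    problems = []
    if (machine == IMAGE_FILE_MACHINE_AMD64) != host_is_64bit:
        problems.append("architecture does not match the host (no WOW64 path here)")
    if subsystem == IMAGE_SUBSYSTEM_WINDOWS_GUI:
        problems.append("GUI subsystem: services.exe's window station cannot show it")
    for dll in imported_dlls(data, import_rva, sections):
        if dll not in SYSTEM_DLLS:
            problems.append(f"imports non-system DLL {dll}: pack it as a resource instead")
    # Heuristic (assumption): a manifest naming a dependentAssembly requests SxS resolution.
    if b"<dependentAssembly" in data:
        problems.append("manifest declares side-by-side assembly dependencies")
    return problems


def build_sample_pe(machine, subsystem, dlls, manifest=b""):
    """Constructed test input: a minimal PE with one .idata section holding an
    import table for `dlls`. `manifest` is appended as trailing bytes only so the
    SxS heuristic has something to find (a real linker stores it in RT_MANIFEST)."""
    is64 = machine == IMAGE_FILE_MACHINE_AMD64
    opt_fixed = 112 if is64 else 96
    opt_size = opt_fixed + 16 * 8
    sec_va, sec_raw = 0x1000, 0x200
    descs, names = b"", b""
    name_base = sec_va + 20 * (len(dlls) + 1)              # strings follow descriptors
    for dll in dlls:
        descs += struct.pack("<IIIII", 0, 0, 0, name_base + len(names), 0)
        names += dll.encode() + b"\0"
    descs += b"\0" * 20
    idata = descs + names
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if is64 else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, opt_fixed - 4, 16)          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, opt_fixed + 8, sec_va, len(descs))
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(idata), sec_va, len(idata),
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + idata + manifest


if __name__ == "__main__":
    ok = build_sample_pe(IMAGE_FILE_MACHINE_AMD64, IMAGE_SUBSYSTEM_WINDOWS_CUI,
                         ["kernel32.dll", "ADVAPI32.dll"])
    bad = build_sample_pe(IMAGE_FILE_MACHINE_I386, IMAGE_SUBSYSTEM_WINDOWS_GUI,
                          ["kernel32.dll", "helper.dll"], b"<dependentAssembly/>")
    print(check_compat(ok, host_is_64bit=True))
    print(check_compat(bad, host_is_64bit=True))
```

To check a real payload, read it with open(path, "rb").read() and pass the bytes to check_compat with the target's bitness; an empty list means none of the header-visible rules is broken, though the console-interaction rule still has to be verified by inspection.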
3.5 (S) Deleting a file from the covert file system (del transitory file)
(S) To delete an executable from the covert file system, one must create and finalize a "del" transitory file. The file name specified must match the file name in the covert file system exactly. Note that to delete an executable, you might also have to delete its command line file (see the "add" transitory file section).
N.B. You may delete multiple files in one "del" transitory file.
Example of creating a “del” transitory file:
wtpack.exe new del "del_transitory_file"
wtpack.exe update "del_transitory_file" -bp "BadMFS location"
wtpack.exe update "del_transitory_file" -f "file for deletion"
3.6 (S) Listing the contents of the covert file system (list transitory file)
(S) To list the names of all files in the covert file system, one must create and finalize a "list" transitory file.
Example of creating a “list” transitory file:
wtpack.exe new list "list_transitory_file"
wtpack.exe update "list_transitory_file" -bp "BadMFS location"
af+mainrepo+Angelfire 2.0 UserGuide 9 of 15