Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Dumbo User Guide
1.0 (U) Introduction
(S) Dumbo runs on a target to which we have physical access, attempts to disable all network
adapters, suspends any processes using a camera recording device, and attempts to corrupt any
files to which those processes were actively writing.
1.1 (U) Requirement
(S) The Intelligence Community has identified the need (requirement # 2015-0150) for a
capability to suspend processes utilizing webcams and corrupt any video recordings that could
compromise a PAG deployment.
1.2 (U) Purpose
(S) This User Guide describes how to use Dumbo v2.0.
2.0 (U) System Overview
(S) The tool is meant to be executed on a target machine directly from a USB thumb drive. The
application must be run as SYSTEM. The tool will output details on disabling the
network adapters, suspending processes using any camera devices, and corrupting those
processes’ associated files that have write-permission. The output will also be logged in a file
called “log.txt” in the same folder as the tool’s execution.
(S) Note: although the tool attempts to disable all Bluetooth adapters, it does not explicitly check
for the success of the operation. The tool will, however, report the success or failure of disabling
network adapters.
Runner.exe: Main executable for Dumbo v2.0. Takes no parameters, and should be run
from a SYSTEM cmd.exe shell.
scanner.sys: Driver necessary for tool to run correctly on Windows XP 32 bit. Driver
will automatically be installed and removed, if necessary. Driver must be named
“scanner.sys” and located in the same folder as Runner.exe to be installed correctly.
Driver is not needed, and will not be installed, on any operating system other than
Windows XP 32 bit.
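
For defensive triage, the file layout described above (Runner.exe, scanner.sys and log.txt sharing one folder) can be checked on a mounted removable volume or an extracted image. The following Python is an added example, not part of the original guide; the scoring weights, function names and sample tree are assumptions, and file names alone are weak indicators that need corroboration.

```python
import os
import tempfile

# File names as given in the guide; weights and function names are assumptions.
MAIN_EXE, DRIVER, LOG = "runner.exe", "scanner.sys", "log.txt"

def score_folder(names):
    """Score one folder's file names (compared case-insensitively)."""
    present = {n.lower() for n in names}
    score, reasons = 0, []
    if MAIN_EXE in present and DRIVER in present:
        score += 2  # the guide says the driver must sit beside the executable
        reasons.append("Runner.exe beside scanner.sys")
    if MAIN_EXE in present and LOG in present:
        score += 1  # the guide says output is logged in the tool's folder
        reasons.append("Runner.exe beside log.txt")
    return score, reasons

def triage(root):
    """Walk a mounted volume or extracted image; highest scores first."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        score, reasons = score_folder(files)
        if score:
            findings.append((score, os.path.relpath(dirpath, root), reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

def build_sample_tree(root):
    """Constructed sample layout of empty files, for demonstration only."""
    layout = {
        "tools": ["RUNNER.EXE", "Scanner.sys", "log.txt"],
        "docs": ["log.txt", "readme.txt"],   # log.txt alone is not flagged
        "drivers": ["scanner.sys"],          # driver alone is not flagged
        "misc": ["runner.exe", "LOG.TXT"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for score, folder, reasons in triage(tmp):
            print(score, folder, "; ".join(reasons))
```
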