Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20341105
Issue: When running on a 64-bit OS, if the container path is in the \Windows\system32 directory on install, the container will actually get placed in the SysWOW64 directory. This should not affect Angelfire operation.
Cause: The Angelfire installer is a 32-bit application. When accessing directories on a 64-bit system, Windows will alias some directories to their WOW equivalents.
Remediation: None.

Issue: If the user chose to install BadMFS at the end of the logical volume and there is insufficient space at the end of the logical volume, the covert file system won't install. This is frequently the case with VMware guest OSes. This is usually the case when the -l option returns error code 617. NOTE: this applies only if "PhysicalDrive" is specified in the zf to indicate that the covert file system is to be installed in the drive slack space. It does not apply to a file-based covert file system.
Cause: The covert file system needs a minimum of 2 MB at the end of the volume to install correctly.
Remediation: Shrink the volume using third-party disk tools. The covert file system needs a minimum of 2 MB to install correctly.

Issue: If the container file is deleted, but Angelfire has not been uninstalled, it will continue to work on reboot until the disk clusters that the container file occupies are overwritten by the file system. If this happens, the integrity check of the container file will fail and Angelfire will allow the boot process to continue as normal.
Cause: The Angelfire boot process references the location of the container file based on its file ID, not the file name. Because of this approach, it won't recognize when the container has been deleted.
Remediation: None.

Issue: If Windows is installed on a non-standard drive (i.e. D:), processes started by Angelfire with a default command line will have a svchost.exe path of "c:\windows\system32\svchost.exe". This would be inconsistent with the actual svchost.exe path on the system. NOTE: this only applies to applications started with no parameters.
Cause: Angelfire does not dynamically determine the path of svchost.exe.
Remediation: A future version of Angelfire will dynamically determine svchost.exe's path.

Issue: When installing Angelfire on 64-bit systems with the -ipl option, the SolarTime driver (default name of nvlmi.sys) must be signed with a code signing certificate from a Certificate Authority approved by Microsoft for driver signing. The company name on the certificate probably won't match the company name in the file details tab when viewing the file on disk.
Cause: The file details resource must be compiled as part of the driver file.
Remediation: The file details can be modified by EDG to match the certificate used. Alternatively, a tool could be developed that modifies the details values in the resource.
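
The svchost.exe path inconsistency described in the fourth issue can be checked from process telemetry. The following is an added example, not part of the original guide: it flags processes whose command line names svchost.exe at an absolute path outside the host's actual Windows directory. The record fields, function names and sample rows are constructed for illustration.

```python
import ntpath

# Directories under the Windows root that legitimately hold svchost.exe
# (SysWOW64 carries the 32-bit copy on 64-bit systems).
SVCHOST_DIRS = ("System32", "SysWOW64")


def first_token(command_line):
    """Return the executable part of a Windows command line."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def svchost_path_mismatches(system_root, processes):
    """Return PIDs whose command line names svchost.exe at an absolute
    path outside system_root, e.g. C:\\... on a host installed to D:."""
    expected = {
        ntpath.normcase(ntpath.join(system_root, d, "svchost.exe"))
        for d in SVCHOST_DIRS
    }
    hits = []
    for proc in processes:
        claimed = ntpath.normcase(ntpath.normpath(first_token(proc["command_line"])))
        if ntpath.basename(claimed) != "svchost.exe":
            continue
        if not ntpath.splitdrive(claimed)[0]:
            continue  # bare or relative name: nothing to compare against
        if claimed not in expected:
            hits.append(proc["pid"])
    return hits


# Constructed sample telemetry for a host whose %SystemRoot% is D:\Windows.
SAMPLE = [
    {"pid": 812, "command_line": r"D:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 900, "command_line": r'"D:\Windows\system32\svchost.exe" -k LocalService'},
    {"pid": 2200, "command_line": r"D:\Windows\explorer.exe"},
    {"pid": 4120, "command_line": r"c:\windows\system32\svchost.exe"},
]

if __name__ == "__main__":
    print(svchost_path_mismatches(r"D:\Windows", SAMPLE))
```

The system root passed in should come from the host itself (for example its %SystemRoot% value), since the check is only meaningful when Windows is not installed on C:.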
af+mainrepo+wolfcreek+Docs+Angelfire_UserGuide
16 of 21