Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
Gyrfalcon Usage Gyrfalcon v1.0 User Manual
3 Gyrfalcon Usage
3.1 Running the Tool
Once you have a configuration tarball generated by the eyrie config tool, it is time to deploy gyrfalcon to
the target. This step is fairly straightforward.
1. Extract the files from the 'upload' directory in the tarball (see section 2.3.1). Both the gyr64-linux
(or gyr32-linux) and the encrypted config file (in the example, .gfconf) are needed. The
executable can be renamed to suit the operation.
2. Upload the files to the target using whatever means available. Place them in the 'Working
Directory' (as specified in the configuration).
3. Change to the working directory and execute gyrfalcon as root:
$ su - (if necessary)
# cd /gyrfalcon/working/directory
# ls -a
. .. .gfconf gyr64-linux
# ./gyr64-linux /dev/null
#
The gyrfalcon executable takes a single command line argument. /dev/null causes it to daemonize and
run in the background (the normal usage). /dev/zero causes it to remain in the foreground, attached to
the controlling terminal (not recommended).
If gyrfalcon successfully parsed the configuration file, the config file is deleted from disk and is retained
only in memory. It is also safe to unlink the executable from disk if desired.
3.2 Error Messages
Gyrfalcon performs a few preflight checks before it begins normal operation. If any of the checks fail,
gyrfalcon will terminate and report an error message on the terminal as follows:
Message   Meaning
# C       There was an error parsing the config file (either the file couldn't be found or was
          corrupt). Remember, the config file should be placed in the gyrfalcon working directory,
          and the filename should not be changed when reconfiguring the tool.
# M       Gyrfalcon is unable to monitor process launch events. This can occur because the kernel
          version is not supported (i.e., below 2.6.14), or because the kernel has not been compiled
          with the CONFIG_PROC_EVENTS and CONFIG_CONNECTOR options enabled (notably a
          Debian 6.0.6 default). Gyrfalcon will not work on this system.
# R       Another instance of gyrfalcon is already running. Check the process list and shut that one
          down if you wish to run the new one.
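Section 3.1 states that, once the configuration is parsed, the config file is deleted and the executable may be unlinked from disk while the daemon keeps running. On Linux that leaves a durable trace: /proc/<pid>/exe for such a process is a symlink whose target ends in " (deleted)". The following is an added defender's example written for this page, not code from the manual or the tool; it scans a /proc tree for that condition and builds a constructed miniature /proc in a temporary directory (the pid numbers and the /opt/work/.hidden path are made up) so it can be exercised without a live system.

```python
import os
import tempfile

# Suffix the kernel appends to /proc/<pid>/exe when the running binary was unlinked.
DELETED_SUFFIX = " (deleted)"


def exe_link_is_deleted(target: str) -> bool:
    """True when a /proc/<pid>/exe symlink target shows the on-disk binary is gone."""
    return target.endswith(DELETED_SUFFIX)


def find_deleted_executables(proc_root: str = "/proc") -> dict:
    """Return {pid: original_path} for every process whose executable was unlinked.

    proc_root defaults to the real /proc; a fake tree can be passed for testing.
    """
    findings = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():          # skip /proc/sys, /proc/self, etc.
            continue
        exe_link = os.path.join(proc_root, entry, "exe")
        try:
            # readlink does not follow the link, so a dangling target is fine.
            target = os.readlink(exe_link)
        except OSError:
            # Kernel threads have no exe; other users' processes give EACCES
            # when the scan is not run as root. Either way, nothing to report.
            continue
        if exe_link_is_deleted(target):
            findings[int(entry)] = target[: -len(DELETED_SUFFIX)]
    return findings


def build_fake_proc() -> str:
    """Construct a miniature /proc tree in a temp dir for demonstration (constructed data)."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    samples = {
        "101": "/usr/sbin/sshd",                               # ordinary daemon
        "202": "/opt/work/.hidden/gyr64-linux (deleted)",      # binary removed after launch
        "303": "/usr/bin/bash",                                # ordinary shell
    }
    for pid, target in samples.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(target, os.path.join(root, pid, "exe"))
    os.makedirs(os.path.join(root, "sys"))   # non-pid entry, as in a real /proc
    os.makedirs(os.path.join(root, "404"))   # pid dir without an exe link (kernel thread)
    return root


if __name__ == "__main__":
    demo = build_fake_proc()
    print("constructed tree:", find_deleted_executables(demo))
    # Run as root for full coverage of the live system.
    for pid, path in sorted(find_deleted_executables("/proc").items()):
        print(f"pid {pid}: executable {path} no longer on disk")
```

A deleted-executable link is a lead, not proof: a package upgrade that replaced a running binary produces the same state, so pair a hit with the process's parent, start time and open sockets before acting. Run the scan as root, since an unprivileged scan cannot read the exe link of other users' processes.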
6 SECRET//NOFORN January 2013
