Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
PoC Report
DLL Hijack – PoC Report
Raytheon Blackbird Technologies, Inc.
18 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
(U) Figure 2: Locations containing mcutil.dll
(U) Non-temp directories were chosen first; however, a copy of mcutil.dll was placed in every one of the listed directories.
(U) Attempting to copy the file to any of these locations requires elevated permissions; however, even after elevated permissions were granted, access to modify the files was still denied. To rule out ACLs or DACLs as the factor limiting our access, we took ownership of the folder, broke inheritance, granted our user account full access, and stripped all access from every other user. Despite these efforts, the same error was present when attempting to modify, add, or remove anything in any of those directories.
(U) The presence of this protection suggests (though we did not confirm) that McAfee has registered an Early Launch Anti-Malware (ELAM) filter driver that effectively prevents modification of any DLLs it considers critical. Unfortunately, the presence of a control over and above ACLs effectively nullifies this technique.
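The two observations above (a permissive DACL is necessary for the file to be replaced, but a filter driver can block the write regardless of the DACL) translate into a defender's audit. The PowerShell script below is an added example and is not from the Raytheon report: it flags DLL load directories whose DACL grants write, delete or permission-change rights to low-privilege principals, and lists the loaded file-system minifilter drivers so an analyst can see whether any protection exists above the DACL. The directory paths in `$Candidates` are assumptions to be replaced with the paths under review; `fltmc.exe filters` requires an elevated prompt.

```powershell
# Added example (not part of the Raytheon report): audit DLL search directories
# for low-privilege write access and enumerate loaded minifilter drivers.
# The candidate paths below are assumptions; substitute the directories under review.
$Candidates = @(
    'C:\Program Files\McAfee',   # assumed path, not taken from the report
    'C:\Windows\Temp'
)

# Principals whose write access to a DLL search directory is a hijack risk.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

# Rights that allow a file to be planted, replaced, deleted or re-permissioned.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Test-DllDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Owner = $null; Findings = @() }
    }
    $acl = Get-Acl -LiteralPath $Path
    $findings = foreach ($ace in $acl.Access) {
        # Only Allow ACEs for low-privilege identities that carry a write-class right count.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            "$($ace.IdentityReference.Value) has $($ace.FileSystemRights)"
        }
    }
    [pscustomobject]@{ Path = $Path; Exists = $true; Owner = $acl.Owner; Findings = @($findings) }
}

function Get-MinifilterList {
    # 'fltmc filters' prints a two-line header (column names, dashes) then one
    # driver per line; the first column is the filter name.
    $raw = & fltmc.exe filters 2>&1
    $raw | Select-Object -Skip 2 | ForEach-Object { ("$_" -split '\s+')[0] } |
        Where-Object { $_ -and $_ -notmatch '^-+$' }
}

foreach ($dir in $Candidates) {
    $result = Test-DllDirectoryAcl -Path $dir
    if (-not $result.Exists) { Write-Output "$dir : not present"; continue }
    if ($result.Findings.Count -eq 0) {
        Write-Output "$dir : no low-privilege write access in DACL (owner: $($result.Owner))"
    } else {
        Write-Output "$dir : WRITABLE by a low-privilege principal"
        $result.Findings | ForEach-Object { Write-Output "    $_" }
    }
}

Write-Output 'Loaded minifilter drivers (may enforce protection above the DACL):'
Get-MinifilterList | ForEach-Object { Write-Output "    $_" }
```

A clean DACL report is the primary mitigation for planting a DLL in a search directory; the minifilter list only tells the analyst that an additional control may exist, not what it protects, which matches the report's own "suggests (though we did not confirm)" wording.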
(U) After disabling file system protections, we were able to copy files to the directory. McVsMap.exe was launched after each copy of mcutil.dll was moved into place, but the DLL never appeared to load, even when mcutil.dll was placed in the same directory as the executable.
2.2 Symantec
(U) The file in question, RASTLS.exe, was not found to be related to Symantec in any capacity during testing.
2.3 Nvidia
(U) The latest Nvidia Graphics Driver was downloaded and extracted, but it did not contain the NvSmart.exe file.