Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
PIQUE PoC Delivery
Final - Direct Kernel Object Manipulation (DKOM)
(U) The independent blog site http://www.exploit-monday.com/ has updated a June 2013 blog
post on NtQuerySystemInformation(), noting that the symbols available through
NtQuerySystemInformation(), and subsequently contained in uxtheme.dll (64-bit) and
combase.dll (32-bit), have been removed and are unavailable altogether beginning with Windows 8.0.
Figure 2. Independent Blogger Confirms Deprecation in Windows 8.0
(U) Current Status
(U) We have the skeleton user-mode DKOM application written and compiled (the current
version, a Microsoft Visual Studio 2013 solution, PIK_DKOM.sln, was attached to the January 23, 2015
Interim Report II).
Note: we've written custom _vsprint, memset, and DBGPRINT routines so that tests can run on
Windows XP SP2 and earlier without having to pull in the CRT.
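The following is an added example of what such CRT-free helper routines look like; it is not the PIK_DKOM code and the names pik_memset, pik_vsprint and pik_sprint are hypothetical, as is the behaviour given to DBGPRINT here (it only formats into a caller's buffer). The formatter covers %c %s %d %u %x %p %% and reports the untruncated length the way vsnprintf does, so a too-small buffer is cut safely rather than overrun.

```c
/* Added example, not the PIK_DKOM code: CRT-free replacements of the kind
 * the note above describes. pik_memset and pik_vsprint are hypothetical
 * names; DBGPRINT here just formats into a caller's buffer. */
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>    /* hosted headers used only by the demo main */
#include <string.h>

/* Even with /NODEFAULTLIB the compiler emits memset() calls for struct
 * zeroing, so a definition must exist. The volatile store stops the
 * optimizer from turning this loop back into a memset() call. */
void *pik_memset(void *dst, int c, size_t n)
{
    volatile unsigned char *p = dst;
    while (n--) *p++ = (unsigned char)c;
    return dst;
}

/* Store one char if room remains (one slot is kept for the NUL); always
 * advance the logical position so the caller learns the full length. */
static void put(char *buf, size_t cap, size_t *pos, char ch)
{
    if (*pos + 1 < cap) buf[*pos] = ch;
    (*pos)++;
}

/* Unsigned value in the given base, zero-padded to at least width digits. */
static void put_num(char *buf, size_t cap, size_t *pos, uintmax_t v,
                    unsigned base, int width)
{
    char tmp[32];
    int n = 0;
    do {
        unsigned d = (unsigned)(v % base);
        tmp[n++] = (char)(d < 10 ? '0' + d : 'a' + d - 10);
        v /= base;
    } while (v);
    while (n < width && n < (int)sizeof tmp) tmp[n++] = '0';
    while (n) put(buf, cap, pos, tmp[--n]);
}

/* Supports %c %s %d %u %x %p %%. Like vsnprintf: returns the length the
 * complete string would have and always NUL-terminates when cap > 0. */
int pik_vsprint(char *buf, size_t cap, const char *fmt, va_list ap)
{
    size_t pos = 0;
    for (; *fmt; fmt++) {
        if (*fmt != '%') { put(buf, cap, &pos, *fmt); continue; }
        switch (*++fmt) {
        case 'c': put(buf, cap, &pos, (char)va_arg(ap, int)); break;
        case 's': {
            const char *s = va_arg(ap, const char *);
            if (!s) s = "(null)";
            while (*s) put(buf, cap, &pos, *s++);
            break;
        }
        case 'd': {
            long long v = va_arg(ap, int);
            if (v < 0) { put(buf, cap, &pos, '-'); v = -v; }
            put_num(buf, cap, &pos, (uintmax_t)v, 10, 0);
            break;
        }
        case 'u': put_num(buf, cap, &pos, va_arg(ap, unsigned), 10, 0); break;
        case 'x': put_num(buf, cap, &pos, va_arg(ap, unsigned), 16, 0); break;
        case 'p':
            put(buf, cap, &pos, '0'); put(buf, cap, &pos, 'x');
            put_num(buf, cap, &pos, (uintmax_t)(uintptr_t)va_arg(ap, void *),
                    16, (int)(2 * sizeof(void *)));
            break;
        case '%': put(buf, cap, &pos, '%'); break;
        case '\0': fmt--; break;            /* dangling '%' at end: ignore */
        default:  put(buf, cap, &pos, '%'); put(buf, cap, &pos, *fmt); break;
        }
    }
    if (cap) buf[pos < cap ? pos : cap - 1] = '\0';
    return (int)pos;
}

int pik_sprint(char *buf, size_t cap, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = pik_vsprint(buf, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* In the tool this would hand the text to a debug sink such as
 * OutputDebugStringA; here it only formats into an array-typed buffer. */
#define DBGPRINT(arr, ...) pik_sprint((arr), sizeof (arr), __VA_ARGS__)

int main(void)
{
    char line[64], small[8];
    int n = DBGPRINT(line, "pid=%u base=%x %s%c", 4u, 0xbeefu, "ok", '!');
    printf("%d chars: %s\n", n, line);
    n = DBGPRINT(small, "%d-%d", -12, 34567);        /* truncates safely */
    printf("wanted %d, stored %zu: %s\n", n, strlen(small), small);
    return 0;
}
```

Build the routines themselves with -ffreestanding / -fno-builtin (or the MSVC equivalent of disabling intrinsics) in addition to dropping the default libraries; otherwise the optimizer can still replace the byte loop with a call to the very memset the binary no longer links.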
(U) Next Steps
(U) Now that NtQuerySystemInformation() has been deprecated, the scope of developing the
user-mode DKOM exceeds that of a PoC. Development of a user-mode DKOM capability
will likely require detailed research into Windows kernel structures and an
undocumented method for obtaining the KernelBase and the KPCR. We recommend the project be
allocated, but outside the context of PoC development, due to the technical difficulty and
anticipated scope of effort.
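The passages above (the exploit-monday update and the KernelBase problem in Next Steps) both concern the same user-mode technique: asking NtQuerySystemInformation() for SystemModuleInformation and reading ntoskrnl.exe's ImageBase out of the returned module list. The following is an added example of that lookup, not the project's PIK_DKOM code. The struct shapes follow the publicly known RTL_PROCESS_MODULES layout, SystemModuleInformation is information class 11, and the type and function names (ModuleInfo, ModuleList, kernel_base_from_list, query_kernel_base, demo_lookup) are hypothetical. The parser is deliberately defensive: it bounds-checks the module count against the buffer, bounds-checks OffsetToFileName, matches the file name rather than assuming load order, and treats a zero ImageBase as "no usable address", which is the failure mode a caller on a restricted system has to plan for.

```c
/* Added example, not the project's code: recover the kernel image base
 * from an NtQuerySystemInformation(SystemModuleInformation) buffer.
 * The struct shapes follow the publicly known RTL_PROCESS_MODULES layout;
 * the names ModuleInfo/ModuleList and all functions here are hypothetical. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SystemModuleInformation 11   /* SYSTEM_INFORMATION_CLASS value */

typedef struct {
    void    *Section;
    void    *MappedBase;
    void    *ImageBase;              /* kernel virtual address of the image */
    uint32_t ImageSize;
    uint32_t Flags;
    uint16_t LoadOrderIndex;
    uint16_t InitOrderIndex;
    uint16_t LoadCount;
    uint16_t OffsetToFileName;       /* index into FullPathName */
    uint8_t  FullPathName[256];
} ModuleInfo;

typedef struct {
    uint32_t   NumberOfModules;
    ModuleInfo Modules[];            /* NumberOfModules entries follow */
} ModuleList;

/* Case-insensitive test that the entry's file name is exactly ntoskrnl.exe,
 * bounded so a bad OffsetToFileName cannot read past FullPathName. */
static int is_ntoskrnl(const ModuleInfo *m)
{
    static const char want[] = "ntoskrnl.exe";
    const char *name;
    size_t i;
    if ((size_t)m->OffsetToFileName + sizeof want > sizeof m->FullPathName) return 0;
    name = (const char *)m->FullPathName + m->OffsetToFileName;
    for (i = 0; i < sizeof want; i++) {        /* compares the NUL too */
        if (tolower((unsigned char)name[i]) != want[i]) return 0;
        if (name[i] == '\0') break;
    }
    return 1;
}

/* Returns ntoskrnl.exe's ImageBase, or NULL if the buffer is too short for
 * the count it claims, the kernel is absent, or its base is reported as 0
 * (treat that as "no usable address" rather than trusting it). */
static void *kernel_base_from_list(const ModuleList *list, size_t buf_len)
{
    size_t hdr = offsetof(ModuleList, Modules);
    if (buf_len < hdr) return NULL;
    if ((buf_len - hdr) / sizeof(ModuleInfo) < list->NumberOfModules) return NULL;
    for (uint32_t i = 0; i < list->NumberOfModules; i++) {
        const ModuleInfo *m = &list->Modules[i];
        if (is_ntoskrnl(m) && m->ImageBase != NULL) return m->ImageBase;
    }
    return NULL;
}

#ifdef _WIN32
#include <windows.h>
typedef LONG (NTAPI *NtQSI_t)(ULONG, PVOID, ULONG, PULONG);

/* Live query: resolve the export from ntdll, size the buffer with a probe
 * call, then parse. Uses VirtualAlloc rather than malloc so no CRT is needed. */
static void *query_kernel_base(void)
{
    NtQSI_t fn = (NtQSI_t)GetProcAddress(GetModuleHandleA("ntdll.dll"),
                                         "NtQuerySystemInformation");
    ULONG len = 0;
    void *buf, *base = NULL;
    if (!fn) return NULL;
    fn(SystemModuleInformation, NULL, 0, &len);   /* STATUS_INFO_LENGTH_MISMATCH, len set */
    if (len == 0) return NULL;
    buf = VirtualAlloc(NULL, len, MEM_COMMIT, PAGE_READWRITE);
    if (!buf) return NULL;
    if (fn(SystemModuleInformation, buf, len, &len) == 0)   /* STATUS_SUCCESS */
        base = kernel_base_from_list((ModuleList *)buf, len);
    VirtualFree(buf, 0, MEM_RELEASE);
    return base;
}
#endif

/* Constructed sample buffer (not a capture): hal.dll listed first so the
 * lookup cannot rely on load order; with_base == 0 zeroes the kernel base
 * to model a query that yields no usable address. */
static void *demo_lookup(int with_base)
{
    static uint64_t raw[(offsetof(ModuleList, Modules) + 2 * sizeof(ModuleInfo) + 7) / 8];
    ModuleList *list = (ModuleList *)raw;
    const char *paths[2] = { "\\SystemRoot\\system32\\hal.dll",
                             "\\SystemRoot\\system32\\ntoskrnl.exe" };
    memset(raw, 0, sizeof raw);
    list->NumberOfModules = 2;
    for (int i = 0; i < 2; i++) {
        strcpy((char *)list->Modules[i].FullPathName, paths[i]);
        list->Modules[i].OffsetToFileName =
            (uint16_t)(strrchr(paths[i], '\\') - paths[i] + 1);
    }
    list->Modules[0].ImageBase = (void *)(uintptr_t)0x80700000u;
    list->Modules[1].ImageBase = with_base ? (void *)(uintptr_t)0x80400000u : NULL;
    return kernel_base_from_list(list, sizeof raw);
}

int main(void)
{
#ifdef _WIN32
    printf("live ntoskrnl base: %p\n", query_kernel_base());
#endif
    printf("sample ntoskrnl base: %p\n", demo_lookup(1));
    printf("sample with zeroed base: %p\n", demo_lookup(0));
    return 0;
}
```

On a Windows build the live query runs as well; anywhere else only the constructed sample is exercised. A caller that gets NULL back should stop rather than fall through, since every later DKOM step depends on that base being right, which is exactly why the report treats the loss of this source as pushing the work past PoC scope.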
Raytheon Blackbird Technologies, Inc.
26 January 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.