Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique PoC Outline
Direct Kernel Object Manipulation (DKOM)
(U) Naturally, the preferred approach to a DKOM PoC is via user-mode API calls to
ZwSystemDebugControl() as it obviates the need to install drivers on target.
(U) Description of the PoC Coding Approach
(U) We will write the DKOM PoC in C++ using Visual Studio 2013 using standard Microsoft
Windows APIs and libraries. We will write a user-mode application that will perform the
following:
- Enable SeDebugPrivilege so that ZwSystemDebugControl() can be called.
- Locate the base address of the kernel module via ZwQuerySystemInformation(SystemModuleInformation), similar to the proof-of-concept (PoC) code listed in Figure 2.
Raytheon Blackbird Technologies, Inc.
4
21 November 2014
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.