Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Pique PoC Outline
Direct Kernel Object Manipulation (DKOM)
(U) We plan to write PoCs for both 32-bit and 64-bit versions of Windows. There are some code listings in "The Art of Memory Forensics" that were apparently generated by an IDA Pro examination of a malware sample that implements DKOM to hide itself (Prolaco) and decompiled with the Hex-Rays decompiler. We will take as much as we can from the Prolaco decompiled code listing in "The Art of Memory Forensics" to guide our development of the PoC.
(U) Conclusion
(U) The DKOM PoC appears to be straightforward and presents low to moderate risk due to complexity. This PoC should provide an effective and robust process hiding capability. However, there are known techniques for discovering this type of DKOM-based hiding method. The code listing in Figure 5 will detect DKOM-based process hiding.
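Figure 5 is not reproduced on this page, so the following is an added example, not code from the Raytheon document or from "The Art of Memory Forensics", illustrating the detection idea the conclusion refers to. It simulates a DKOM-style unlink on a constructed, toy process list (the record layout, tags, and offsets are invented for the simulation and are not real Windows _EPROCESS offsets) and then applies two well-known detection techniques from memory forensics: a cross-view comparison between walking the linked list and carving every tagged process record out of the image, and a link-integrity check that flags any record whose neighbours no longer point back to it.

```python
import struct

# Constructed toy layout; NOT real Windows _EPROCESS offsets. Each record:
#   tag 4s | pid u32 | name 16s | flink u32 | blink u32   (32 bytes)
REC_FMT = "<4sI16sII"
REC_SIZE = struct.calcsize(REC_FMT)
PROC_TAG = b"Proc"          # marks a process record, like a pool tag
HEAD_TAG = b"Head"          # the list head is not a process
HEAD_OFF = 0                # the list head sits at the start of the image
LINKS_OFF = 24              # offset of the flink/blink pair inside a record
SLOT = 64                   # records are spaced 64 bytes apart in the image


def read_record(image, off):
    """Return (tag, pid, name, flink, blink) for the record at offset off."""
    return struct.unpack_from(REC_FMT, image, off)


def build_image(procs, hidden_pids=()):
    """Build a constructed image holding a circular doubly linked list of fake
    process records (head first), then splice out the records for hidden_pids
    the way a DKOM process hider does: the neighbours' pointers bypass the
    record, but the record itself stays in memory with its own links intact."""
    recs = [(HEAD_TAG, 0, b"")] + [(PROC_TAG, pid, name.encode()) for pid, name in procs]
    n = len(recs)
    image = bytearray(SLOT * n)
    for i, (tag, pid, name) in enumerate(recs):
        flink, blink = ((i + 1) % n) * SLOT, ((i - 1) % n) * SLOT
        struct.pack_into(REC_FMT, image, i * SLOT, tag, pid, name.ljust(16, b"\0"), flink, blink)
    by_pid = {read_record(image, i * SLOT)[1]: i * SLOT for i in range(1, n)}
    for pid in hidden_pids:
        off = by_pid[pid]
        _, _, _, flink, blink = read_record(image, off)
        struct.pack_into("<I", image, blink + LINKS_OFF, flink)       # prev.flink = next
        struct.pack_into("<I", image, flink + LINKS_OFF + 4, blink)   # next.blink = prev
    return bytes(image)


def walk_list(image):
    """View 1: follow flink from the head, as a live process enumerator does.
    Returns pids in list order; stops if the chain loops or leaves the image."""
    pids, seen = [], set()
    off = read_record(image, HEAD_OFF)[3]
    while off != HEAD_OFF and off not in seen and off + REC_SIZE <= len(image):
        seen.add(off)
        _, pid, _, flink, _ = read_record(image, off)
        pids.append(pid)
        off = flink
    return pids


def scan_image(image):
    """View 2: carve every record carrying the process tag, ignoring the links.
    This is the pool-scanning view that memory forensics tools rely on.
    Returns {pid: (offset, name)}."""
    found = {}
    pos = image.find(PROC_TAG)
    while pos != -1 and pos + REC_SIZE <= len(image):
        _, pid, name, _, _ = read_record(image, pos)
        found[pid] = (pos, name.rstrip(b"\0").decode())
        pos = image.find(PROC_TAG, pos + 1)
    return found


def find_hidden(image):
    """Cross-view detection: processes the scan sees but the list walk misses."""
    listed = set(walk_list(image))
    return {pid: name for pid, (_, name) in scan_image(image).items() if pid not in listed}


def broken_links(image):
    """Link-integrity check: a record whose neighbours no longer point back at
    it has been unlinked (the hider left the record's own flink/blink alone)."""
    bad = {}
    for pid, (off, name) in scan_image(image).items():
        _, _, _, flink, blink = read_record(image, off)
        if read_record(image, flink)[4] != off or read_record(image, blink)[3] != off:
            bad[pid] = name
    return bad


if __name__ == "__main__":
    # Constructed sample: four fake processes, pid 1337 hidden by unlinking.
    img = build_image([(4, "System"), (512, "csrss.exe"),
                       (1337, "hidden.exe"), (2048, "explorer.exe")], hidden_pids=[1337])
    print("list walk sees :", walk_list(img))
    print("scan sees      :", sorted(scan_image(img)))
    print("hidden by DKOM :", find_hidden(img))
    print("broken links   :", broken_links(img))
```

Both checks flag the unlinked record: the list walk returns only pids 4, 512 and 2048, while the scan still finds 1337, and the integrity check notices that 1337's neighbours no longer reference it. The same two ideas, run against real structures rather than this toy layout, are what tools such as Volatility's cross-view process listing implement.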
Raytheon Blackbird Technologies, Inc.
8
21 November 2014
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
