Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
PIQUE PoC Delivery
Direct Kernel Object Manipulation (DKOM)
Raytheon Blackbird Technologies, Inc. | Page 3 | 29 December 2014
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED
3.0 (U) Current Status

(U) We’ve reverse engineered the Windows 8.1 64-bit data structures and have determined the EPROCESS offsets for the elements of that structure we need to modify (the target FLINKs and BLINKs) in order to hide the processes of interest.

(U) We’ve designed and coded both the DKOM device driver and the user application that interacts with the device driver to hide the processes. Both projects compile correctly, and the device driver loads properly on the Windows 8.1 64-bit target.

(U) The DKOM device driver and the user application have been written in C and compiled with Microsoft’s Visual Studio 2013, using Microsoft’s WDK 8.1. We use Visual Studio 2013’s integrated driver testing facilities to connect to a remote (VMware image) Windows 8.1 64-bit target.

(U) Although both the device driver and the user application compile properly and the device driver installs properly on the target, when the user application is executed we get a hard bugcheck, which results in a BSOD. We are in the process of tracking down the bugcheck and expect to have the PoC working in January.
Figure 3. DKOM Device Driver Compiles and Loads on Target Correctly
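As an added illustration (not code from the report or from Raytheon), the following Python models the FLINK/BLINK rewrite the status section describes and the cross-view check a defender uses to catch it: the list sentinel, the PID table and the sample PIDs are constructed stand-ins, not real Windows structures or offsets.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class EProcess:
    """Constructed model of the EPROCESS fields the report targets: the PID
    and the ActiveProcessLinks FLINK/BLINK pointers (no real offsets)."""
    pid: int
    flink: Optional["EProcess"] = None
    blink: Optional["EProcess"] = None

def build_active_list(pids: List[int]) -> EProcess:
    """Circular list anchored at a sentinel standing in for PsActiveProcessHead."""
    head = EProcess(-1)
    head.flink = head.blink = head
    for pid in pids:
        node = EProcess(pid, flink=head, blink=head.blink)
        head.blink.flink = node
        head.blink = node
    return head

def snapshot_pid_table(head: EProcess) -> Dict[int, EProcess]:
    """Independent view taken before tampering (assumed stand-in for a PID table)."""
    table, cur = {}, head.flink
    while cur is not head:
        table[cur.pid] = cur
        cur = cur.flink
    return table

def dkom_unlink(node: EProcess) -> None:
    """Simulate the hide in the report: neighbours' FLINK/BLINK skip this node."""
    node.blink.flink = node.flink
    node.flink.blink = node.blink

def walk_active_list(head: EProcess) -> List[int]:
    """PIDs seen by anything that enumerates processes by following FLINK."""
    pids, cur = [], head.flink
    while cur is not head:
        pids.append(cur.pid)
        cur = cur.flink
    return pids

def cross_view_detect(head: EProcess, pid_table: Dict[int, EProcess]) -> List[int]:
    """Cross-view check: PIDs in the independent view but absent from the walk."""
    linked = set(walk_active_list(head))
    return sorted(pid for pid in pid_table if pid not in linked)
```

Building a list from constructed PIDs, snapshotting the table, unlinking one node and then calling `cross_view_detect` reports exactly the unlinked PID; the same discrepancy is what memory-forensics tools surface when a list walk and a PID-table scan disagree.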
