Vault 7: Projects

UNCLASSIFIED
Analysis Report
WMI Persistence Proof of Concept – Supplemental Report
(U) Analysis
(U) PIQUE report 189 describes a persistence technique using Windows Management
Instrumentation (WMI). Accessing WMI in C++ requires the use of Component Object Model
(COM) APIs. In essence, the technique requires the registration of a permanent event filter, the
registration of a consumer, and the binding of the two together. In other words, when an event
meets the criteria set forth by an event filter, the event consumer that it is bound to executes the
specified functionality. Because permanent WMI objects are stored in a special database that is
automatically loaded during startup and are not easily modified, this represents an ideal
persistence technique.
(U) After carefully searching the API documentation, Blackbird believes that it is not possible to
implement the entirety of the Proof of Concept (PoC) in C++. Additionally, Blackbird searched
the HKEY_CLASSES_ROOT registry hive to determine if an undocumented Class ID (CLSID)
exists that may provide the necessary functionality; unfortunately, none were found.
(U) Nevertheless, we tested a variety of techniques, but we were able to implement only
temporary event providers and consumers in C++, not permanent ones. The difference between the
two can be summarized in two distinct points:
1. (U) A temporary event filter is created for the duration of the application that is
requesting it and is not registered in the WMI database.
2. (U) A temporary event consumer is created for the duration of the application and is also
not registered in the WMI database. Unlike a temporary provider, a temporary consumer
captures events by either polling or using blocking function calls.
(U) When both limitations are taken into account, the use of a temporary event provider and
consumer should be considered insufficient for a startup persistence technique. Due to these
limitations, Blackbird performed additional research to determine if a similar implementation
was possible that still enabled the desired functionality.
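The point above is that only permanent filters, consumers and bindings are registered in the WMI database, so that database is where a defender looks for this technique. The following PowerShell is an added example, not code from the report or from Blackbird; it assumes an elevated session on the host being reviewed, and the helper name Get-RefName is introduced here for illustration.

```powershell
# Added example (not from the report): list every permanent WMI subscription in
# root\subscription by joining each __FilterToConsumerBinding to the __EventFilter
# (the WQL query that triggers it) and the __EventConsumer (the action it runs).
# Assumes an elevated PowerShell session on the host being audited.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
# Querying the base class returns every concrete consumer type (CommandLine, ActiveScript, ...)
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Binding.Filter / Binding.Consumer are CIM references. Depending on how they were read they
# surface as a key-only CimInstance (with a Name property) or as a path string such as
# __EventFilter.Name="SomeFilter"; handle both. Get-RefName is a hypothetical helper name.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return $ref.Name
}

$filterByName   = @{}; foreach ($f in $filters)   { $filterByName[$f.Name]   = $f }
$consumerByName = @{}; foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filterByName[$fName]      # $null if the binding points at a missing filter
    $c = $consumerByName[$cName]    # $null if the binding points at a missing consumer

    # What the consumer does depends on its concrete class; the two that execute
    # arbitrary content on the host are the ones that most warrant review.
    $action = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
        default                     { '(inspect consumer object)' }
    }

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query                  # WQL event query that fires the consumer
        Consumer = $cName
        Type     = $c.CimClass.CimClassName  # concrete consumer class
        Action   = $action
    }
}
```

Pipe the output to Format-List to read long queries and command lines in full; bindings whose filter or consumer resolves to nothing are worth noting as well, since they indicate partially removed subscriptions.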
(U) After this additional research, Blackbird determined that the best solution was to generate a
Managed Object Format (MOF) file. A MOF file uses a C-style syntax to define a series of
WMI classes and objects to be installed.
(U) Typically, a MOF file is compiled using mofcomp.exe – an executable included with all
standard Windows builds. Mofcomp.exe can be used to generate a Binary MOF (BMOF) file, or
it can compile the MOF file and install it into the WMI database. Fortunately, the C++
COM API contains the IMofCompiler interface, which implements three methods that provide all
of the functionality typically found in mofcomp.exe.
Raytheon Blackbird Technologies, Inc.
3
26 June 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
UNCLASSIFIED