Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Elsa User Manual.doc
16
SECRET//NOFORN
example and requires customization by the operator. For example, it uses WScript.Echo
messages that the operator may wish to comment out or remove.
1) Run the patcher with the appropriate processor architecture specified:
   1. Select DllHost as the Mode
   2. Select dllhost.exe as the target process filename
   3. Complete the remaining patcher options
2) Rename the install script to <dll name without '.dll' extension>.install.vbs
3) Edit the install script to set Action.ClassId equal to the GUID used in the patcher
4) Edit the install script task schedule options as desired - these options will be
visible to the target user in the Task Scheduler
5) Make sure the edited install script runs by double clicking it on a local machine. A
Task should appear in your local Task Scheduler, which you can delete
6) Place the patched dll and the install script on the target machine in the same
directory
7) Substituting the patched dll's name and path, silently register the dll using the
RegSvr32 utility:
> RegSvr32 /s C:\ELSA.DLL
8) You should see the install script disappear
9) Check to see that the task has been scheduled using the schtasks utility and the
selected test name:
> schtasks /query /tn "Test Daily Trigger"
10) Elsa will load and run at the time you've prescribed in the install script
5.3 (S) RunDll32 Mode Installation
(S) RunDll32 is the simplest mode in which to run Elsa. Unlike SvcHost and DllHost, no
system process like the Services panel or Windows Task Scheduler is configured to load
Elsa automatically on startup. This means that the operator will need to use some other
tool to restart Elsa across reboots.
1) Run the patcher with the appropriate processor architecture specified:
   1. Select RunDll32 as the Mode
   2. Select rundll32.exe as the target process filename
   3. Complete the remaining patcher options
2) Place the patched dll on the target machine
3) Substituting the patched dll's name and path, silently load the dll using the
rundll32 utility. Include the Control_RunDLL flag as shown:
> rundll32 C:\elsa.dll,Control_RunDLL
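
Added example, not part of the Elsa manual: a defender-side Python check that flags the two command-line shapes shown above in process-creation logs, a silent RegSvr32 registration of a DLL outside system directories (DllHost mode, step 7) and a Control_RunDLL export invoked on a module other than shell32.dll (RunDll32 mode, step 3). The function names, the SYSTEM_DIRS list and the sample command lines are assumptions constructed for illustration.

```python
import re
import shlex

# Assumption: directories treated as normal homes for registered DLLs; tune per estate.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\program files")
REGSVR = re.compile(r'(?i)\bregsvr32(?:\.exe)?"?\s+(?P<args>.+)$')
RUNDLL = re.compile(r'(?i)\brundll32(?:\.exe)?"?\s+"?(?P<module>[^,"]+)"?\s*,\s*(?P<export>\w+)')

def classify(cmdline):
    """Return finding names for one process-creation command line."""
    findings = []
    m = REGSVR.search(cmdline)
    if m:
        args = m.group("args")
        try:
            # posix=False keeps the backslashes of Windows paths intact.
            tokens = shlex.split(args, posix=False)
        except ValueError:  # unbalanced quote in the logged command line
            tokens = args.split()
        silent = any(t.lower() in ("/s", "-s") for t in tokens)
        paths = [t.strip('"').lower() for t in tokens if t[0] not in "/-"]
        if silent and any(not p.startswith(SYSTEM_DIRS) for p in paths):
            findings.append("silent-regsvr32-nonsystem-dll")
    m = RUNDLL.search(cmdline)
    if m:
        # Control_RunDLL is normally reached through shell32.dll with a .cpl argument,
        # so the same export name on any other module is worth a look.
        name = m.group("module").strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if m.group("export").lower() == "control_rundll" and name != "shell32.dll":
            findings.append("control_rundll-on-non-shell32-module")
    return findings

# Constructed sample command lines (not real telemetry).
SAMPLE_EVENTS = [
    r"RegSvr32 /s C:\ELSA.DLL",
    r"rundll32 C:\elsa.dll,Control_RunDLL",
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"regsvr32 /s C:\Windows\System32\scrrun.dll",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\Public\a b.dll",Control_RunDLL',
]

def scan(events):
    """Return (command line, findings) pairs for every flagged event."""
    return [(e, f) for e in events if (f := classify(e))]

if __name__ == "__main__":
    for event, found in scan(SAMPLE_EVENTS):
        print(found, event)
```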