Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
4.4.3 (U) Inject Fire and Forget From Memory (32-bit and 64-bit DLLs)
(S) The payload is injected directly into explorer.exe on a 32-bit OS, or into svchost on a 64-bit OS, and
never touches disk. DllMain is executed, then ordinal one is executed in a new thread according to the
specification, and that thread is NOT waited for.
4.4.4 (U) Launch EXE from disk (32 or 64-bit EXE)
(S) The payload is dropped to disk, and CreateProcess is executed on the binary. The
dropped payload is securely deleted upon exit.
4.4.5 (U) Load Fire and Collect from Memory (BK module)
(S) Uses the Brutal Kangaroo Fire and Collect Specification:
Loads the DLL directly from memory and calls ordinal 1.
The ordinal 1 prototype is as follows:
    typedef bool(*FIRE_AND_COLLECT_FUNC_PROTO) ( void* ptr, BYTE* pubKey, DWORD pubKeySize, FILETIME colTime, BYTE* payloadParams, DWORD payloadParamSize );
(S) Parameters are as follows:
void* ptr: A function pointer to a function that takes as input a buffer and a size,
and subsequently passes the data to a specified DataTransfer module.
BYTE* pubKey: The public key to encrypt the data with.
DWORD pubKeySize: The size of the public key, in bytes.
FILETIME colTime: The FILETIME at which the collection began.
BYTE* payloadParams: Parameters that the payload requires to be passed in.
DWORD payloadParamSize: The size of those parameters, in bytes.
(S) This specification is simply the most efficient approach to memory handling, compression, and
encryption, since every module uses the IBuffer OSB library. Others are free to
create their own BK modules if they prefer.
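As an added illustration of the calling convention above (example code written for this page, not Brutal Kangaroo's own source), the following shows both halves of a Fire and Collect exchange: a loader-side harness that supplies the DataTransfer callback and invokes ordinal 1, and a minimal hypothetical module that implements the prototype, builds a record, and hands it back through `ptr`. Unlike the fire-and-forget case, the loader here waits for ordinal 1 to return and takes its `bool` result. The Windows type definitions, the exact signature assumed for the callback behind `ptr`, the record layout, the placeholder key and timestamp, and the sample "collected" data are all assumptions made for the example; a real BK module would compress and encrypt the record with `pubKey` through the IBuffer OSB library, which this example does not do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Portable stand-ins for the Windows types in the prototype (assumption: a real
 * BK module gets these from windows.h; redefined here so the example builds anywhere). */
typedef uint8_t  BYTE;
typedef uint32_t DWORD;
typedef struct { DWORD dwLowDateTime; DWORD dwHighDateTime; } FILETIME;

/* Ordinal 1 prototype, as given in the Fire and Collect specification. */
typedef bool (*FIRE_AND_COLLECT_FUNC_PROTO)(void* ptr, BYTE* pubKey, DWORD pubKeySize,
                                            FILETIME colTime, BYTE* payloadParams,
                                            DWORD payloadParamSize);

/* Signature assumed for the callback passed in `ptr`; the specification only
 * says it takes a buffer and a size. */
typedef bool (*DATA_TRANSFER_FUNC)(const BYTE* buf, DWORD size);

/* ---- Loader side -------------------------------------------------------- */

#define TRANSFER_CAPACITY 4096
static BYTE  g_transferBuf[TRANSFER_CAPACITY];
static DWORD g_transferLen = 0;

/* Stand-in for the loader's DataTransfer hand-off: instead of forwarding to a
 * transfer module it appends the bytes to a buffer so they can be inspected. */
static bool loaderDataTransfer(const BYTE* buf, DWORD size) {
    if (buf == NULL || size == 0 || size > TRANSFER_CAPACITY - g_transferLen)
        return false;                       /* reject rather than truncate */
    memcpy(g_transferBuf + g_transferLen, buf, size);
    g_transferLen += size;
    return true;
}

void        resetTransfer(void)     { g_transferLen = 0; }
DWORD       transferredLength(void) { return g_transferLen; }
const BYTE* transferredData(void)   { return g_transferBuf; }

/* Invoke ordinal 1 as the loader would after resolving it from the in-memory
 * DLL (the pointer is passed in directly here, since there is no DLL). The
 * key bytes and FILETIME are constructed placeholders, not real values. */
bool runFireAndCollect(FIRE_AND_COLLECT_FUNC_PROTO ordinal1, BYTE* params, DWORD paramsLen) {
    BYTE     pubKey[] = { 0x30, 0x82, 0x01, 0x22 };   /* not a real key */
    FILETIME colTime  = { 0x5BB1D0A0u, 0x01D9F5C3u };
    return ordinal1((void*)loaderDataTransfer, pubKey, (DWORD)sizeof pubKey,
                    colTime, params, paramsLen);
}

/* ---- Module side: a minimal hypothetical ordinal 1 ---------------------- */

static void putU32(BYTE* out, DWORD v) {
    out[0] = (BYTE)v;         out[1] = (BYTE)(v >> 8);
    out[2] = (BYTE)(v >> 16); out[3] = (BYTE)(v >> 24);
}

/* Emits one record (this layout is the example's own, not the specification's):
 *   colTime low DWORD | colTime high DWORD | paramSize | params | dataLen | data
 * A real module would compress and encrypt this with pubKey before the hand-off;
 * here the key is only checked for presence and the record stays in the clear. */
bool ExampleFireAndCollect(void* ptr, BYTE* pubKey, DWORD pubKeySize, FILETIME colTime,
                           BYTE* payloadParams, DWORD payloadParamSize) {
    DATA_TRANSFER_FUNC transfer = (DATA_TRANSFER_FUNC)ptr;
    if (transfer == NULL || pubKey == NULL || pubKeySize == 0) return false;
    if (payloadParamSize > 0 && payloadParams == NULL) return false;

    /* Constructed sample standing in for whatever the module actually gathers. */
    static const char collected[] = "hostname=WORKSTATION-01;user=alice";
    const DWORD collectedLen = (DWORD)(sizeof collected - 1);

    BYTE  record[512];
    DWORD off = 0;
    /* Checked this way round so a huge payloadParamSize cannot wrap the sum. */
    if (payloadParamSize > sizeof record - 16 - collectedLen) return false;

    putU32(record + off, colTime.dwLowDateTime);  off += 4;
    putU32(record + off, colTime.dwHighDateTime); off += 4;
    putU32(record + off, payloadParamSize);       off += 4;
    if (payloadParamSize) { memcpy(record + off, payloadParams, payloadParamSize); off += payloadParamSize; }
    putU32(record + off, collectedLen);           off += 4;
    memcpy(record + off, collected, collectedLen); off += collectedLen;

    return transfer(record, off);     /* the callback's verdict is ordinal 1's result */
}

/* Exercise the module's argument checks: every bad call must be refused before
 * anything reaches DataTransfer. */
bool rejectsBadArguments(void) {
    FILETIME t = { 0, 0 };
    BYTE key[] = { 1, 2, 3 };
    static BYTE big[600];
    resetTransfer();
    bool refused =
        !ExampleFireAndCollect(NULL, key, sizeof key, t, NULL, 0) &&                         /* no callback */
        !ExampleFireAndCollect((void*)loaderDataTransfer, key, 0, t, NULL, 0) &&             /* no key */
        !ExampleFireAndCollect((void*)loaderDataTransfer, key, sizeof key, t, NULL, 4) &&    /* NULL params, nonzero size */
        !ExampleFireAndCollect((void*)loaderDataTransfer, key, sizeof key, t, big, sizeof big); /* record too large */
    return refused && transferredLength() == 0;
}

int main(void) {
    resetTransfer();
    bool ok = runFireAndCollect(ExampleFireAndCollect, (BYTE*)"arg=1", 5);
    printf("ordinal 1 returned %s; %u bytes handed to DataTransfer\n",
           ok ? "true" : "false", (unsigned)transferredLength());
    for (DWORD i = 0; i < transferredLength(); i++) printf("%02x", transferredData()[i]);
    printf("\nargument checks %s\n", rejectsBadArguments() ? "held" : "FAILED");
    return ok ? 0 : 1;
}
```

The point to take from the harness is the direction of data flow: the module never writes collected data anywhere itself, it only calls back into the loader through `ptr`, so everything the module produces stays in memory under the loader's control, and the loader learns from the `bool` return whether the hand-off succeeded.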
4.4.6 (U) Drop Payload to Disk (Any files)
(S) Drops the payload to a location on the local disk specified by the user.