Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Elsa User Manual.doc
SECRET//NOFORN
11. (U) Additional Operational Procedures
11.1 (S) InstallFromProcess Mode
(S) The InstallFromProcess configuration option can be used to configure the DLL to
install from a targeted process. With this option set, the DLL can be configured to run
its installation routines and complete its setup when it is injected into a process. In most
cases the process would need to run in an elevated Administrator or SYSTEM context.
(S) The DLL looks for a trigger file as part of this action. After the DLL runs through the
install or uninstall procedures, it deletes the trigger file to prevent repeat install operations.
The trigger file is a zero-length file with the same name as the DLL but a different file
extension, as specified below.
Extension     Notes
.install      When the DLL is injected into a process matching the InstallFromProcess and the zero length file is found in the same directory then the DLL will run through its installation routines. If the dll is named ‘foo.dll’ then the zero length file should be named ‘foo.install’ and reside in the same directory.
.uninstall    When the DLL is injected into a process matching the InstallFromProcess and the zero length file is found in the same directory then the DLL will run through its installation routines. If the dll is named ‘foo.dll’ then the zero length file should be named ‘foo.uninstall’ and reside in the same directory.
Figure 28 - (S) File extension information for Dll Injection.
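
A hunt for the trigger-file pattern in Figure 28, as an added example that is not part of the manual: it walks a directory tree and reports zero-length .install/.uninstall files that sit beside a DLL with the same base name. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

TRIGGER_EXTENSIONS = {".install", ".uninstall"}  # extensions listed in Figure 28


def find_trigger_files(root):
    """Return sorted (trigger_path, dll_path) pairs found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        # Lower-cased base name -> DLL file name (Windows names are case-insensitive).
        dlls = {os.path.splitext(f)[0].lower(): f
                for f in files if f.lower().endswith(".dll")}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in TRIGGER_EXTENSIONS:
                continue
            dll = dlls.get(stem.lower())
            if dll is None:
                continue  # no same-named DLL in this directory
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) != 0:
                    continue  # the manual specifies a zero-length file
            except OSError:
                continue  # vanished between listing and stat
            hits.append((path, os.path.join(dirpath, dll)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: two matching pairs and two non-matches."""
    layout = {
        "a/foo.dll": b"MZ", "a/foo.install": b"",        # match
        "b/bar.dll": b"MZ", "b/bar.uninstall": b"data",  # not zero length
        "c/baz.install": b"",                            # no sibling DLL
        "d/Qux.DLL": b"MZ", "d/qux.UNINSTALL": b"",      # match, mixed case
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for trigger, dll in find_trigger_files(tmp):
            print("trigger:", trigger, "dll:", dll)
```

Because the DLL deletes the trigger file after it runs, a hit points to an operation that has not yet completed, and an empty result does not show that no install took place.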
