Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
x86 DLL None
x64 DLL None
x86 EXE None
x64 EXE None
2.3 Supported Variant Stubnames
As part of the ServiceDLL component version 1.1, variant stubs were added. Two
stubs are available: the default stub A, and stub B.
1. The default stub A uses the Grasshopper common code base and uses
resource data to store configuration information. Stub A uses a payload file
name identical to the service DLL filename except with a .tlb extension.
2. Stub B uses alternate resource IDs, and uses the DeleteService function to
remove service entries instead of the registry manipulation used by the standard stub;
additionally, it does not use the Grasshopper common code. Stub B uses a
payload file name identical to the service DLL filename except with a hlp.{exe|dll}
suffix and extension.
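The two naming conventions above give a defender something concrete to hunt for. The following PowerShell script is an added example written for this edit, not code from the original document or from the Grasshopper project. It walks every service that loads a ServiceDll and reports any DLL that has a companion file beside it matching either convention. It assumes the stub A payload is <name>.tlb next to the service DLL, and that "hlp.{exe|dll} suffix and extension" means <name>hlp.exe or <name>hlp.dll; both readings are assumptions taken from the text above. Legitimate type libraries (.tlb) also live beside DLLs, so the output is a triage list, not a verdict.

```powershell
# Added example (not from the original document). Enumerate services with a
# ServiceDll value and flag companion files that match the payload naming
# conventions described for stub A (<name>.tlb) and stub B (<name>hlp.exe /
# <name>hlp.dll). The stub B pattern is an assumed reading of the text.

function Get-ServiceDllCompanionCandidates {
    [CmdletBinding()]
    param()

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $results = @()

    foreach ($svc in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
        $paramsPath = Join-Path $svc.PSPath 'Parameters'
        if (-not (Test-Path $paramsPath)) { continue }

        $dll = (Get-ItemProperty -Path $paramsPath -ErrorAction SilentlyContinue).ServiceDll
        if ([string]::IsNullOrWhiteSpace($dll)) { continue }

        # Expand %SystemRoot% and similar so the path can be tested on disk.
        $dll  = [Environment]::ExpandEnvironmentVariables($dll)
        $dir  = Split-Path -Path $dll -Parent
        $base = [IO.Path]::GetFileNameWithoutExtension($dll)

        # Candidate companion payload names derived from the service DLL name.
        $candidates = @(
            (Join-Path $dir "$base.tlb"),       # stub A convention
            (Join-Path $dir "${base}hlp.exe"),  # stub B convention (assumed form)
            (Join-Path $dir "${base}hlp.dll")   # stub B convention (assumed form)
        )

        foreach ($c in $candidates) {
            if (Test-Path -LiteralPath $c -PathType Leaf) {
                $results += [PSCustomObject]@{
                    Service    = $svc.PSChildName
                    ServiceDll = $dll
                    Companion  = $c
                }
            }
        }
    }
    return $results
}

# Usage: run from an elevated prompt so every Parameters key is readable.
Get-ServiceDllCompanionCandidates | Format-Table -AutoSize
```

Any hit should be cross-checked against the DLL's signature and the service's description before action; a signed vendor DLL with a real type library beside it is the expected false positive.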
2.4 Uninstall Procedure
Manual
The manual uninstall procedure consists of the following steps:
1. Stop the service, if it is running.
sc stop <SERVICE_NAME>
2. Delete the service from the Service Control Manager.
sc delete <SERVICE_NAME>
3. Reboot the target.
4. Delete the stub and payload executables from the filesystem.
del /F <SERVICE_PATH> <PAYLOAD_PATH>
Autonomous
The autonomous uninstall procedure consists of the following steps:
1. Delete the payload from the filesystem while the stub is running.
When the stub detects that the payload has been deleted, it will execute the
autonomous uninstall. The stub checks for the payload every 5 seconds. The
autonomous uninstall will perform the following steps:
1. Remove the service from the Windows registry.
2. Delete itself from the filesystem.
Kill File
The kill file uninstall procedure consists of the following steps:
1. Create a file on the file system at the path specified by the kill file parameter at
build time.