Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
2.1 Installation
AM is a DLL that acts as a Service DLL running from inside the netsvcs svchost.exe
process. Whenever the AM DLL is loaded it will check the local registry to see if it is
installed as a service.
If it is not already a service, it will create itself as a service and continue execution
from the current process. On next reboot it will be loaded in the correct process.
Once running, AM locates and loads the Midnight Core file. This file is created by
the console along with the Service DLL. It must be placed at the expected location
manually prior to executing AM. If this file is not present, AM will uninstall
immediately.
Important: AM must know its own path to be able to self-install, and can therefore
NOT be memory-loaded to install. The AM service DLL must be dropped to disk and
loaded with a NOD Persist-Spec tool that calls LoadLibrary(). This will allow AM to
install correctly.
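
For defenders, the self-registration described above leaves a new svchost-hosted service entry in the registry. The following is an added example, not part of the original document: it parses text in the layout printed by reg query for the Services key and lists netsvcs-hosted services whose ServiceDll is not in a known-good baseline. The sample text, the ExampleSvc name, its path and the baseline are constructed for illustration, and the baseline comparison is an assumed detection approach.

```python
import re

# Constructed sample (not real host data) in `reg query <Services key> /s` layout.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs -p

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\schedsvc.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Example\example.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\svchost.exe -k NetworkService -p
"""

# Constructed known-good baseline: service name -> ServiceDll (both lower-cased).
BASELINE = {"schedule": r"%systemroot%\system32\schedsvc.dll"}

KEY = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)(\\Parameters)?$", re.I)
VALUE = re.compile(r"^\s+(ImagePath|ServiceDll)\s+REG_\w+\s+(.*)$", re.I)

def parse_services(text):
    """Return {service: {'imagepath': ..., 'servicedll': ...}} from reg query text."""
    services, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            m = KEY.match(line.strip())  # deeper or unrelated keys are ignored
            current = services.setdefault(m.group(1).lower(), {}) if m else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1).lower()] = m.group(2).strip().lower()
    return services

def unbaselined_netsvcs(text, baseline):
    """Services run by `svchost.exe -k netsvcs` whose DLL differs from the baseline."""
    hits = []
    for name, vals in sorted(parse_services(text).items()):
        hosted = re.search(r"svchost\.exe\s+-k\s+netsvcs\b", vals.get("imagepath", ""))
        if hosted and baseline.get(name) != vals.get("servicedll", "<missing>"):
            hits.append((name, vals.get("servicedll")))
    return hits

if __name__ == "__main__":
    for name, dll in unbaselined_netsvcs(SAMPLE, BASELINE):
        print(f"review: {name} -> {dll}")
```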