Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
6.4 HasExactlyLoaded
Description
The “has_exactly_loaded” verb works with either a named process (i.e.,
wireshark.exe) or with *, meaning any process on the system. It takes a
comma-separated list of DLLs to look for. HasLoaded returns True if all of
those (and only those) DLLs are present in a given set of processes.
Note that this fact is very sensitive and will likely only make sense in very
restricted circumstances. There are many reasons a process may slightly
change its set of loaded DLLs during execution. Consider using has_loaded
unless substantial testing has been done.
Usage
process(<process name>|*).has_exactly_loaded(<dll_1>,<dll_2>,...)
Example
process(kasperksy.exe).has_exactly_loaded(some_dll.dll,some_other_dll.dll)
The above example checks to see if the “kasperksy.exe” process has both
some_dll.dll and some_other_dll.dll loaded, and no other DLLs.
Return Values
Return Code   Description
True          A process exists and has exactly the given DLLs loaded
False         No such process exists
Invalid       A process exists, but none have the given DLLs loaded, and at least one of the processes could not be examined (likely due to permissions)
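The return values above, modelled as an added example (not code from the original document): a Python function evaluates the verb over constructed process snapshots. The snapshot format, the case-insensitive name comparison, and the False result for a fully examined process that does not match are assumptions, since the table does not cover that case.

```python
from enum import Enum

class Result(Enum):
    TRUE = "True"
    FALSE = "False"
    INVALID = "Invalid"

def has_exactly_loaded(snapshot, process, dll_list):
    """Evaluate process(<process>|*).has_exactly_loaded(<dll_1>,<dll_2>,...).

    snapshot: list of (process name, set of DLL names); the set is None when
    the process could not be examined. This format is an assumption.
    """
    # Assumption: names compare case-insensitively, as Windows file names do.
    wanted = {d.strip().lower() for d in dll_list.split(",") if d.strip()}
    candidates = [mods for name, mods in snapshot
                  if process == "*" or name.lower() == process.lower()]
    if not candidates:
        return Result.FALSE              # table: "No such process exists"
    unexamined = False
    for mods in candidates:
        if mods is None:
            unexamined = True            # e.g. access denied
        elif {m.lower() for m in mods} == wanted:
            return Result.TRUE           # exactly these DLLs, no others
    # Table: no match plus an unexaminable process gives Invalid.
    # Assumption: no match with every process examined gives False.
    return Result.INVALID if unexamined else Result.FALSE

# Constructed snapshots: the same process before and after one more DLL loads.
SNAP_T0 = [("wireshark.exe", {"some_dll.dll", "some_other_dll.dll"}),
           ("protected.exe", None)]
SNAP_T1 = [("wireshark.exe", {"some_dll.dll", "some_other_dll.dll", "late.dll"}),
           ("protected.exe", None)]
DLLS = "some_dll.dll,some_other_dll.dll"

if __name__ == "__main__":
    for label, snap in (("t0", SNAP_T0), ("t1", SNAP_T1)):
        for proc in ("wireshark.exe", "*", "absent.exe"):
            print(label, proc, has_exactly_loaded(snap, proc, DLLS).value)
```

One extra module between the two snapshots flips the named-process result, which is the sensitivity the description warns about.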