Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1 Description
ServiceProxy is a Grasshopper component that provides a way to persist a payload using an existing Windows Service DLL.
The ServiceProxy component installs a stub Service Proxy DLL that impersonates (shims) an existing auto-start Net Services (netsvcs) Service Host, using manual registry modifications. The stub is configured to run the input payload whenever the service starts and then to start the proxied service as it normally would. The stub is stored at a user-specified location on the target file system.
You may choose a service to proxy with the -n/--name parameter from Schedule, LanmanServer, NlaSvc, iphlpsvc, CryptSvc, or LanmanWorkstation. If no -n/--name selection is made, the component automatically selects an appropriate service to proxy.
You may also specify a -d/--disallowed parameter to prevent the component from using a particular service. Any of the services listed above may be disallowed, and the parameter may be given multiple times to exclude more than one service.
For Stub A the payload is stored as a resource of the ServiceProxy stub. If the payload adheres to the NOD Persistence Spec v1 Interface, the stub loads and executes the payload from memory. If not, the stub writes the payload to the filesystem and loads or runs it normally. If a payload path parameter is specified, the payload is written to that path; otherwise the payload is placed adjacent to the stub with the file name <stubname>cpl.dll.
For Stub B the payload is written to the filesystem at installation time. There is no NOD Persistence Spec v1 Interface for Stub B. If a payload path parameter is specified, the payload is written to that path; otherwise the payload is placed adjacent to the stub with the file name <stubname>mgr.dll.
Due to caching by the Service Control Manager, the service cannot be started directly when first installed. With the --hijack flag, the ServiceProxy component can optionally hijack an existing, stopped service DLL's entry in the SCM database to gain immediate execution. Upon reboot it uses its proxied service.
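To audit a host for the kind of netsvcs ServiceDll shimming described above, here is an added detection example (not part of this document or of Grasshopper). It compares each named service's ServiceDll registry value against its stock location and looks for the Stub A/B payload naming beside the referenced DLL. The registry value path and the default DLL names are assumptions to verify against a known-good baseline for the Windows build being audited; the sample values are constructed.

```python
"""Detection check for netsvcs ServiceDll shimming (added example, not Grasshopper code)."""
import ntpath
import re

# Assumption: stock ServiceDll values for the six services the document names.
# Verify against a known-good baseline for the exact Windows build being audited.
EXPECTED_SERVICEDLL = {
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
    "LanmanServer": r"%SystemRoot%\System32\srvsvc.dll",
    "NlaSvc": r"%SystemRoot%\System32\nlasvc.dll",
    "iphlpsvc": r"%SystemRoot%\System32\iphlpsvc.dll",
    "CryptSvc": r"%SystemRoot%\System32\cryptsvc.dll",
    "LanmanWorkstation": r"%SystemRoot%\System32\wkssvc.dll",
}
# Payload file naming the document describes: <stub>cpl.dll (Stub A), <stub>mgr.dll (Stub B).
PAYLOAD_SUFFIXES = ("cpl.dll", "mgr.dll")


def normalize(path, system_root=r"C:\Windows"):
    """Expand %SystemRoot% (any case) and lower-case the path for stable comparison."""
    return re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.I).lower()


def check_service(name, service_dll, dir_listing):
    r"""Findings for one service; service_dll is HKLM\SYSTEM\CurrentControlSet\Services\<name>\
    Parameters\ServiceDll, dir_listing the file names in that DLL's directory (collected separately)."""
    findings = []
    actual, expected = normalize(service_dll), normalize(EXPECTED_SERVICEDLL[name])
    if actual != expected:
        findings.append(f"{name}: ServiceDll {service_dll} differs from expected {EXPECTED_SERVICEDLL[name]}")
    # A stub proxy keeps its payload next to itself under a predictable name.
    stub_base = ntpath.splitext(ntpath.basename(actual))[0]
    for entry in dir_listing:
        if entry.lower() in {stub_base + s for s in PAYLOAD_SUFFIXES}:
            findings.append(f"{name}: sibling {entry} matches stub payload naming")
    return findings


# Constructed sample: CryptSvc repointed to a stub outside System32 with a
# Stub A style payload beside it; Schedule is stock.
SAMPLE = {
    "Schedule": (r"%SystemRoot%\system32\schedsvc.dll", ["schedsvc.dll", "wkssvc.dll"]),
    "CryptSvc": (r"C:\ProgramData\svcshim.dll", ["svcshim.dll", "svcshimcpl.dll", "notes.txt"]),
}


def audit(sample=SAMPLE):
    """Run check_service over every (service_dll, dir_listing) pair; map name -> findings."""
    return {name: check_service(name, dll, files) for name, (dll, files) in sample.items()}
```

On a live Windows host the ServiceDll values can be read with the standard library winreg module and the directory listings with os.listdir, then passed to audit() in the same shape as SAMPLE.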
2 Usage
2.1 Builder Command Line
add component serviceproxy -p PATH [-n NAME] [-u PATH]
-p/--path PATH target path of the serviceproxy dll stub
-n/--name NAME name of the service dll to proxy
--hijack hijack a stopped service for immediate execution
-k/--killfile PATH target path of the killfile
-d/--disallowed NAME exclude this service from proxy consideration
--payloadpath PATH target path of the payload
--stubname STUBNAME alternate stubname to use {A|B|C} [default A]