Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
4. (U) Operation
4.1 (S//NF) Important note for 2.1+
(S//NF) SG 2.1 added a stealth component. SG2 will now 'hide' the disk sectors where the payload data is written from inspection with tools such as WinHex. The sectors will appear as 0's. Also, the infected IPL code in the VBR will be 'hidden' by SG2. When a tool such as WinHex inspects the VBR's IPL code, it will see the original IPL code, not SG2's IPL code. This, unfortunately, means that the SG2 installer cannot detect a previous install of SG2 on a system if the system has been rebooted since the first install. SG2 will still be able to prevent double installs before the first system reboot.
(S//NF) To compensate, SG2's Uninstall DLL now has an additional feature, and its name has changed to Control32 and Control64. Running the Control DLL on a target after the first reboot, with the '-c' argument, will instruct the Control DLL to verify whether SG2 is installed on the machine. This will only work after the system has been rebooted following installation. Together with the installer's own pre-reboot check, this gives complete coverage for installation detection. It is very important to ensure that a machine does not have SG2 installed before attempting installation of SG2. Double installs are very bad.
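The stealth behaviour described above has a consequence worth making explicit for anyone examining a suspect disk: what a tool reads through the running operating system (payload sectors as zeros, the original IPL in the VBR) can differ from what is physically on the disk. The classic defender-side response is a cross-view comparison: read the same sector ranges once through the live OS and once from an offline image of the same disk, and flag every sector where the two views disagree. The following Python is an added example written for this page, not a tool from the Stolen Goods documentation or from Grasshopper; the sector contents, LBA numbers and the VBR/IPL layout it uses are all constructed for the demonstration, and no real disk is touched.

```python
"""
Cross-view check for hidden boot and payload sectors.

Added example, not part of the original document. Two views of the same
sectors are compared: the 'live' view (what a hex editor reading through
the running OS would see) and the 'offline' view (an image of the disk
taken while that OS is not running). Any sector that is all zeros live but
has content offline, or whose bytes differ between the views, is a
cross-view inconsistency worth investigating.

All sector data here is constructed for the demonstration.
"""
import hashlib
from dataclasses import dataclass

SECTOR_SIZE = 512
ZERO_SECTOR = bytes(SECTOR_SIZE)


@dataclass
class Finding:
    lba: int
    kind: str            # "zeroed" or "mismatch"
    live_sha256: str
    offline_sha256: str


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_views(live: dict, offline: dict) -> list:
    """Diff two views of the same sectors, both keyed by LBA -> 512-byte block.

    The offline image is treated as ground truth; a sector that exists only
    in the offline image (not sampled live) is skipped rather than reported.
    """
    findings = []
    for lba in sorted(offline):
        off = offline[lba]
        lv = live.get(lba)
        if lv is None or lv == off:
            continue
        # "Appears as 0's" live while the image holds real data is the
        # symptom of hidden payload sectors; anything else is a plain mismatch.
        kind = "zeroed" if (lv == ZERO_SECTOR and off != ZERO_SECTOR) else "mismatch"
        findings.append(Finding(lba, kind, _sha256(lv), _sha256(off)))
    return findings


def build_demo_views():
    """Constructed sample data (assumption: LBA 0 stands in for the VBR and
    LBAs 100-102 for sectors holding payload data; LBA 200 is untouched)."""
    # A minimal VBR-like sector: jump + OEM id, rest zero-filled.
    original_vbr = b"\xeb\x52\x90NTFS    " + b"\x00" * (SECTOR_SIZE - 11)
    # The on-disk VBR has 16 bytes of its IPL region replaced (offset chosen
    # arbitrarily for the demo); the live view still shows the original.
    ipl_off = 0x54
    modified_vbr = original_vbr[:ipl_off] + b"\x90" * 16 + original_vbr[ipl_off + 16:]
    payload = bytes(range(256)) * 2                    # 512 bytes of non-zero content
    untouched = b"\xaa" * SECTOR_SIZE

    offline = {0: modified_vbr, 100: payload, 101: payload, 102: payload, 200: untouched}
    live = {0: original_vbr, 100: ZERO_SECTOR, 101: ZERO_SECTOR, 102: ZERO_SECTOR, 200: untouched}
    return live, offline


if __name__ == "__main__":
    live_view, offline_view = build_demo_views()
    for f in compare_views(live_view, offline_view):
        print(f"LBA {f.lba:>6}  {f.kind:<8}  live={f.live_sha256[:12]}  offline={f.offline_sha256[:12]}")
```

In practice the offline view comes from an image taken after booting trusted media, and the live view from raw-device reads on the running system over the same LBA ranges; the comparison itself is the same. A clean disk yields no findings, so the check is also a cheap way to confirm that a rebuild left no inconsistency behind.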
4.2 (S//NF) Payload Types
(S//NF) SG2 can persist up to 2 payloads: a driver payload (.sys) and a DLL payload (.dll). The latter can come in 2 forms:
  - Standard Persistence Specification compliant DLLs
  - Grasshopper-1 interface compliant DLLs
(S//NF) The driver payload MUST match the bitness of the target, and should be compatible with the target OS. No driver signing is required.
4.3 (S//NF) Grasshopper installation
(S//NF) The following steps describe how to install the SG2 persistence module to an existing Grasshopper build:
1. Navigate to the main folder of an existing Grasshopper build. This is the folder containing the Grasshopper builder scripts and other Grasshopper components.
2. There should be a "Modules" folder here. Copy the "StolenGoods2" directory to the "Modules" folder.
3. In the Grasshopper build folder (where "Modules" was located) there should also be a folder named "Payloads". Copy the following provided folders into "Payloads": Generic_DLL, Generic_GH1
4.4 (U) Configuration
(S//NF) SG2 is unique compared to normal Grasshopper modules in its ability to persist two separate types of payloads. Because of this, SG2 has an odd build path when using Grasshopper. Please pay careful attention, as misconfiguration can cause at best a bad install, and at worst a BSOD on the target box.