Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1 Composition
A Grasshopper executable contains one or more installers. An installer is a stack of
one or more installer components. Grasshopper invokes each component of the
stack in series to operate on a payload. The ultimate purpose of an installer is to
persist a payload.
Grasshopper will optionally evaluate rules to determine whether to execute an
installation. Rules may be set on each installer and/or globally.
Executables
Grasshopper executables contain and run one or more installers on a target system.
An executable may have a global rule that will be evaluated before execution of any
installers. If a global rule is provided and evaluates to false, the executable aborts
operation.
Executables may be constructed for both x86 and x64 architectures and in the
following formats:
DLL: Microsoft Dynamic-Link Library
- Compliant with NOD Persistence Specification v1
- Executes in a thread created in the DLL entry point (DllMain)
- Memory-loadable (compliant with NOD Persistence v1)
ICE DLL: ICEv3 Module
- Compliant with In-memory Code Execution (ICE) Specification v3
- Supports ‘Fire’ feature set
If no rules need to be evaluated by the executable, Grasshopper uses an alternate
executable, called a Cricket. A Cricket is equivalent to a Grasshopper, but has been
stripped of the rule processing engine.
Installers
Installers encapsulate the process used to install a payload on a target system.
Installers are constructed from one or more components that each contribute to the
installation process.
Installers run by passing a payload through each member of the component stack.
An installer may invoke a component at run time or build time, depending on
payload availability and the components’ execution time requirements. Installers
are biased toward build-time execution of components to minimize on-target
activity.
An installer may have a rule that will be evaluated before execution. If an installer
rule is provided and evaluates to false, the associated installer is skipped.
Components
Components form the functional portion of installers. Components may be used to
introduce payloads to the installer stack, modify a payload on the stack, install a
payload on a target, etc.
Grasshopper users configure components individually before using them to
construct installers. Components may be used in multiple installers.