Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Boot Persistence
The custom loader has to support both custom (AXE) and third-party DLLs. PE DLLs will be
downloaded from the LP for execution. AXE DLLs will be stored only on the local system; they
will not be sent down from the LP.
Executable code that is sent down to the loader for execution from the LP will be in the form of
standard Windows DLLs with all headers and fields left intact (as generated by the VS linker).
For test purposes these DLLs will make calls to APIs in ADVAPI32.dll and WSOCK32.dll. The
DLLs loaded by the custom loader cannot call into the engine since they are engine agnostic
and may be used in other deployments that use different engines.
The differences between DLLs and AXEs are listed below. An AXE must adhere to the following
rules:
No PE/MZ Header
No Import Function Names
No Module Names
No Date/Time Stamp
Imported function names are replaced with Adler32 hashes and sizes. Imported module
names must also be replaced by Adler32 hashes and sizes. Some scanners try to detect the
hashing algorithm used by an executable by scanning for signatures (magic numbers) used by the
hash. In the case of Adler32 the magic number is 65521.
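The scanner check described above, written out as an added example (not code from the leaked document or its loader): it looks for the Adler32 modulus 65521 (0xFFF1) encoded as a little-endian immediate, the form an x86/x64 compiler emits for a literal `% 65521`. The sample byte buffers are constructed here, not taken from any real binary.

```python
import struct

ADLER32_MOD = 65521  # 0xFFF1, the Adler32 modulus the text names as the scanner's magic number

# Byte patterns a compiler typically emits when 65521 appears as a literal:
# the 32-bit little-endian immediate (e.g. `mov ecx, 0FFF1h`) and the bare 16-bit pair.
PATTERNS = {
    "imm32_le": struct.pack("<I", ADLER32_MOD),  # f1 ff 00 00
    "imm16_le": struct.pack("<H", ADLER32_MOD),  # f1 ff
}


def find_adler32_constants(data: bytes):
    """Return (kind, offset) pairs for every occurrence of the modulus in data."""
    hits = []
    for kind, pattern in PATTERNS.items():
        start = 0
        while (idx := data.find(pattern, start)) != -1:
            hits.append((kind, idx))
            start = idx + 1
    return hits


def adler32_indicator(data: bytes) -> bool:
    """Flag only the 32-bit immediate form.

    The bare pair f1 ff matches any dword ending in 0xFFF1 and is too noisy on its own.
    Caveat: an optimizing compiler may replace `% 65521` with a reciprocal multiply,
    so the absence of this literal does not prove the hash is not Adler32.
    """
    return any(kind == "imm32_le" for kind, _ in find_adler32_constants(data))


# Constructed sample buffers (hypothetical, not real code): a stub that loads 0xFFF1
# into ECX the way a hashing routine would, and a benign buffer that merely contains
# the 16-bit pair inside an unrelated dword.
SAMPLE_HASHING_STUB = b"\x55\x8b\xec" + b"\xb9" + struct.pack("<I", ADLER32_MOD) + b"\x33\xc0\x5d\xc3"
SAMPLE_BENIGN = b"\x55\x8b\xec" + b"\xf1\xff\x12\x34" + b"\x5d\xc3"

if __name__ == "__main__":
    for name, buf in (("hashing stub", SAMPLE_HASHING_STUB), ("benign", SAMPLE_BENIGN)):
        print(name, find_adler32_constants(buf), "flagged" if adler32_indicator(buf) else "clean")
```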