Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED//FOUO
<target name="lazy">
<parallel>
<antcall target="debug" />
<antcall target="release" />
</parallel>
<antcall target="publish" />
</target>
</project>
Boot Persistence
There must be a way to execute as a service that will be allowed access to the
internet. One way would be to add a new service and update the firewall to provide
external access. Another way would be to create a new svchost service that resides
in the Network Service or Local Service group. Each of these techniques is easily enumerated
via the service control manager, the service registry keys and Process Explorer. A better
approach may be to extend the functionality of an existing service that resides in a
service group that will allow beacon/transport features.
Method 1: Hijack the DNS svchost service
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\ServiceDll
Original: %SystemRoot%\System32\dnsrslvr.dll
Target: %SystemRoot%\System32\dnsclnt.dll
NOTE: This new DLL will take over the functionality of the original DLL by forwarding
existing functions to the original and loading the engine into memory during the call
to DllMain. A benefit of forwarding rather than proxying is that the DLL can be unloaded
dynamically without interfering with normal processing. The problem with
unloading is that the server may do a GetProcAddress on the module that is no
longer loaded. This situation would need to be tested for uninstall to work properly.
The following is the .def file required to create a forwarding DLL. It is required to
create some stub functions that are local so that PSPs (personal security products) do not detect the
forwarding heuristic.
.def file
LIBRARY dnsclnt
EXPORTS
LoadGPExtension=dnsrslvr.LoadGPExtension @1
Reg_DoRegisterAdapter=dnsrslvr.Reg_DoRegisterAdapter @2
ServiceMain=dnsrslvr.ServiceMain @3
SvchostPusServiceGlobals=dnsrslvr.SvchostPusServiceGlobals @4
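The text above notes that these techniques are enumerable through the service registry keys. The following is an added defensive check, not part of the original document: it compares the Dnscache service's ServiceDll value against the stock path named above, verifies the Authenticode signature of whatever file is actually referenced, and then sweeps every svchost-hosted service for a ServiceDll that is missing or not validly signed. It assumes an elevated PowerShell prompt on the host under review.

```powershell
# Added defensive check; not the document's own code. Run elevated on the host under review.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Stock ServiceDll path for Dnscache, as stated on this page.
$expectedDnscacheDll = '%SystemRoot%\System32\dnsrslvr.dll'

# Resolve a registry DLL path and summarise its Authenticode status. On older hosts a
# catalog-signed OS binary may report NotSigned, so treat the result as a review flag,
# not a verdict.
function Get-ServiceDllStatus([string]$RegistryValue) {
    $path = [Environment]::ExpandEnvironmentVariables($RegistryValue)
    if (-not (Test-Path -LiteralPath $path)) {
        return [pscustomobject]@{ Path = $path; Status = 'MissingFile'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    return [pscustomobject]@{ Path = $path; Status = [string]$sig.Status; Signer = $signer }
}

# 1. Targeted check: does Dnscache still point at the stock DLL, and is that file signed?
$params = Get-ItemProperty -Path "$servicesKey\Dnscache\Parameters"
if ($null -eq $params.ServiceDll) {
    Write-Output '[review] Dnscache\Parameters\ServiceDll is not set'
} else {
    $verdict = if ($params.ServiceDll -ieq $expectedDnscacheDll) { 'OK' } else { 'MISMATCH' }
    $s = Get-ServiceDllStatus $params.ServiceDll
    Write-Output ("[{0}] Dnscache ServiceDll = {1}" -f $verdict, $params.ServiceDll)
    Write-Output ("       file={0} signature={1} signer={2}" -f $s.Path, $s.Status, $s.Signer)
}

# 2. Broad sweep: any service whose ServiceDll is missing or not validly signed, since a
#    replaced or forwarding service DLL of the kind described above is not an OS-signed file.
Get-ChildItem -Path $servicesKey | ForEach-Object {
    $p = Get-ItemProperty -Path "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue
    if ($p -and $p.ServiceDll) {
        $s = Get-ServiceDllStatus $p.ServiceDll
        if ($s.Status -ne 'Valid') {
            Write-Output ("[review] {0}: ServiceDll={1} ({2}) signer={3}" -f `
                $_.PSChildName, $s.Path, $s.Status, $s.Signer)
        }
    }
}
```

Baseline the sweep's output on a known-good build of the same OS version, so that only deviations from that baseline need investigation.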
Method 2: Pseudo-hijack the DNS svchost service
HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\extension
Original: %SystemRoot%\System32\dnsext.dll
Target: %SystemRoot%\System32\Microsoft\DNS\dnsext.dll
This approach works because the full path for a specific component is stored in the
registry. By changing the path, in this case the path can be anywhere but