Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//ORCON//NOFORN
6.3 HasLoaded
Description
The “has_loaded” verb works with either a named process (i.e., wireshark.exe)
or with *, meaning any process on the system. It takes a comma-separated
list of DLLs to look for. HasLoaded returns True if all of those DLLs are present
in a given set of processes.
Usage
process(<process name>|*).has_loaded(<dll_1>,<dll_2>,...)
Example
process(kasperksy.exe).has_loaded(some_dll.dll,some_other_dll.dll)
The above example checks to see if the “kasperksy.exe” process has both
some_dll.dll and some_other_dll.dll loaded.
process(*).has_loaded(wireshark_signature.dll)
The above example checks every process to see if any has
wireshark_signature.dll loaded.
Return Values
Return Code   Description
True          A process exists and has the given DLLs loaded
False         No such process exists
Invalid       A process exists, but none has the given DLLs loaded, and at least one of the processes could not be examined (likely due to permissions)
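
The three return values above, modelled in Python over a constructed process snapshot. This is an added example, not code from the original document or from the tool it describes. Assumptions: a single process must hold every listed DLL, a fully examined set with no match returns False (the table does not cover that case), and names are compared case-insensitively.

```python
import re

# Grammar shown on the page: process(<process name>|*).has_loaded(<dll_1>,<dll_2>,...)
EXPR = re.compile(r"^process\(([^()]+)\)\.has_loaded\(([^()]+)\)$")

def parse(expr):
    """Split a has_loaded expression into (process selector, set of DLL names)."""
    m = EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"not a has_loaded expression: {expr!r}")
    selector = m.group(1).strip().lower()
    dlls = {d.strip().lower() for d in m.group(2).split(",") if d.strip()}
    if not dlls:
        raise ValueError("has_loaded needs at least one DLL name")
    return selector, dlls

def has_loaded(expr, snapshot):
    """Evaluate expr against snapshot, a list of (process name, modules).

    modules is a set of DLL names, or None when the process could not be
    examined (for example, access denied). Returns "True", "False" or "Invalid".
    """
    selector, wanted = parse(expr)
    selected = [(name, mods) for name, mods in snapshot
                if selector == "*" or name.lower() == selector]
    if not selected:
        return "False"            # page: no such process exists
    unreadable = False
    for _, mods in selected:
        if mods is None:
            unreadable = True     # could not be examined
        elif wanted <= {m.lower() for m in mods}:
            return "True"         # assumption: one process holds every DLL
    # Assumption: everything examined and nothing matched is reported as "False".
    return "Invalid" if unreadable else "False"

# Constructed snapshot for illustration, not real system data.
SNAPSHOT = [
    ("wireshark.exe", {"wireshark_signature.dll", "kernel32.dll"}),
    ("kasperksy.exe", {"some_dll.dll"}),
    ("protected.exe", None),
]
```

The Invalid result is the one to watch when reading such a check: it means the answer is unknown because a process was unreadable, not that the DLL is absent.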