Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
1 Description
ServiceDLL is a Grasshopper component that provides a way to persist a payload as a Windows Service DLL.

The ServiceDLL component installs a stub Service DLL into the Net Services (netsvcs) Service Host group using manual registry modifications. The stub is configured to run the input payload whenever the service starts, and is stored at a user-specified location on the target file system.

The payload is stored as a resource of the ServiceDLL stub. If the payload adheres to the NOD Persistence Spec v1 interface and stub A or stub B is used, the stub loads and executes the payload from memory. Otherwise the stub writes the payload to the filesystem and loads or runs it normally. The written payload is placed adjacent to the stub, named with a .tlb file extension for the default stub A, DLLNAMEhlp.{dll|exe} for stub B, DLLNAMEext.{dll|exe} for stub C, DLLNAMEapi.{dll|exe} for stub D, DLLNAMElib.{dll|exe} for stub E, or DLLNAMEres.{dll|exe} for stub F.

Due to caching by the Service Control Manager, the service cannot be started directly when first installed. The ServiceDLL component can, optionally, hijack an existing, stopped service DLL's entry in the SCM database to gain immediate execution. This requires that the component write an "Unhijack DLL" to the filesystem, which the stub deletes during its first run.
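
Added example for defenders (not part of the Grasshopper documentation): a Python triage helper that compares the netsvcs service-host group, the registration point named above, against a clean baseline and looks beside each registered ServiceDll for the adjacent payload names the stub types use. The registry locations are the standard svchost group value and per-service Parameters\ServiceDll value; the service names, paths and file list are constructed sample data.

```python
import ntpath

# Adjacent payload names per stub type from the description: stub A gives the stub's
# base name a .tlb extension; stubs B..F append a suffix plus .dll or .exe.
STUB_SUFFIXES = {"B": "hlp", "C": "ext", "D": "api", "E": "lib", "F": "res"}

def expected_artifacts(service_dll_path):
    """Paths a payload written to disk (not memory-loaded) could occupy beside a stub."""
    directory, filename = ntpath.split(service_dll_path)
    base, _ext = ntpath.splitext(filename)
    names = [base + ".tlb"]                   # stub A
    for suffix in STUB_SUFFIXES.values():     # stubs B..F
        names += [f"{base}{suffix}.dll", f"{base}{suffix}.exe"]
    return [ntpath.join(directory, n) for n in names]

def triage_netsvcs(members, service_dlls, baseline, file_exists):
    r"""Flag netsvcs members missing from a known-good baseline or with a payload
    artefact beside their ServiceDll. members: the netsvcs value under
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; service_dlls:
    {name: Parameters\ServiceDll}; baseline: clean-build membership; file_exists: path predicate."""
    findings = []
    for svc in members:
        dll = service_dlls.get(svc)
        reasons = []
        if svc not in baseline:
            reasons.append("service not in netsvcs baseline")
        if dll is None:
            reasons.append("no Parameters\\ServiceDll value")
        else:
            present = [p for p in expected_artifacts(dll) if file_exists(p)]
            if present:
                reasons.append("adjacent payload artefact: " + ", ".join(present))
        if reasons:
            findings.append((svc, dll, reasons))
    return findings

# Constructed sample (not real telemetry): two legitimate members plus the cover
# name from the builder example, with a .tlb payload dropped beside its stub.
SAMPLE_MEMBERS = ["wuauserv", "Schedule", "ExampleService"]
SAMPLE_SERVICE_DLLS = {
    "wuauserv": r"%SystemRoot%\system32\wuaueng.dll",
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "ExampleService": r"c:\windows\system32\example.dll",
}
SAMPLE_BASELINE = {"wuauserv", "Schedule"}
SAMPLE_FILES = {r"c:\windows\system32\example.dll", r"c:\windows\system32\example.tlb"}

def run_sample():
    """Run the triage over the constructed sample; on a live host pass os.path.exists."""
    return triage_netsvcs(SAMPLE_MEMBERS, SAMPLE_SERVICE_DLLS, SAMPLE_BASELINE, lambda p: p.lower() in SAMPLE_FILES)
```

On a real host, members and service_dlls would be read from the registry (for example with winreg) and file_exists would be os.path.exists; a memory-loaded payload leaves no adjacent file, so the baseline comparison is the check that still applies for stubs A and B.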
2 Usage
2.1 Builder Command Line
add component servicedll -n NAME -p PATH [-d DESC] [-u PATH]

  -n/--name NAME          cover name of the service dll
  -p/--path PATH          target path of the service dll stub
  -d/--description DESC   cover description of the service dll
  -u/--unhijack PATH      use the service hijack technique and give the path of the unhijack dll that resets the service cache
  --hijack                hijack a service for immediate execution without resetting the service cache
  --stubname STUBNAME     alternate stub to use {A|B|C|D|E|F} [default A]
  -k/--killfile PATH      kill file path which causes the persistence and payload to be uninstalled [default no kill file]
Example

(gh) add component servicedll
    -n ExampleService
    -p "c:\windows\system32\example.dll"
    -d "An example of how to create a service dll component."
    -u "%temp%\examplehelper.dll"
2.2 Supported Payload Types
ServiceDLL accepts input payloads in EXE or DLL format for the x86 or x64 architectures. If a payload DLL supports the NOD Persistence Specification, the stub will memory-load it during execution when using stub A or B; otherwise it is written to