Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//ORCON//NOFORN
8.1.1 Launching Assassin
The Injection Launcher performs the following steps to achieve soft persistence
and process injection for the Implant DLL:
1) Register as Windows Service
The Launcher persists itself as a Windows service that starts on boot. If it is
not currently persisted, the Launcher will register itself through direct registry
modification. The Launcher is set up as a service with a user-provided cover
name and description.
2) Inject Implant
If the Launcher has SYSTEM privileges, it will try to inject the Implant DLL into
one of the Windows SYSTEM processes. First, the Implant DLL is dropped to
the target disk with a user-defined name and location. The Launcher then
walks through the target processes until it finds a suitable host process. Once
an appropriate SYSTEM process is identified, the Implant DLL is injected using
a Windows hook.
3) Cleanup and Exit
The Launcher passes information about itself to the Implant DLL and
terminates.
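
For defenders, the direct registry registration in step 1 is the observable part: services created through the Service Control Manager API have their registry values written by services.exe, so a different writer on a Services key is worth triage. The following is an added detection example, not part of the original document; it assumes Sysmon Event ID 13 (registry value set) is collected for the Services key, and every event value in it is constructed.

```python
import re

# Value names that define what a service runs and when it starts.
SERVICE_VALUE = re.compile(
    r"^HKLM\\System\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\"
    r"([^\\]+)\\(?:Parameters\\)?(ImagePath|ServiceDll|Start)$", re.IGNORECASE)
SCM_WRITER = r"c:\windows\system32\services.exe"  # writer for SCM-created services
AUTO_START = 2  # SERVICE_AUTO_START: started during system startup

# Constructed Sysmon Event ID 13 records, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PrintSpoolHelper\ImagePath",
     "Details": r"C:\Program Files\Vendor\helper.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\setup_tool.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleCoverSvc\ImagePath",
     "Details": r"C:\ProgramData\example\svc.exe"},
    {"EventID": 13, "Image": r"C:\Users\Public\setup_tool.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ExampleCoverSvc\Start",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\Software\Example\Setting", "Details": "1"},
]

def find_direct_service_writes(events):
    """Group service-key writes not made by services.exe by (service, writer)."""
    findings = {}
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = SERVICE_VALUE.match(ev.get("TargetObject", ""))
        writer = ev.get("Image", "")
        if not m or writer.lower() == SCM_WRITER:
            continue  # not a service definition value, or written by the SCM
        service, value = m.group(1), m.group(2)
        details = ev.get("Details", "")
        entry = findings.setdefault((service, writer),
                                    {"values": {}, "autostart": False})
        entry["values"][value] = details
        dword = re.fullmatch(r"DWORD \(0x([0-9a-fA-F]+)\)", details)
        if value.lower() == "start" and dword and int(dword.group(1), 16) == AUTO_START:
            entry["autostart"] = True  # service configured to start at boot
    return findings

if __name__ == "__main__":
    for (service, writer), info in find_direct_service_writes(SAMPLE_EVENTS).items():
        print(service, writer, info)
```

Installers and management agents that write these keys directly will also appear in the results, so treat a hit as a triage lead and check the writer and the ImagePath target before escalating.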
