Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Boot Persistence
Loader
The custom loader, which is responsible for loading and executing DLLs and AXE files, resides
in two places: it is part of the DLL shell that loads the Engine into memory, and it is also part
of the engine that loads other DLLs and AXEs into memory. Since the DLL shell is unloaded
after initialization, the loader also needs to be present in the engine, which remains loaded
through the lifetime of the client. The following diagram illustrates this concept.
All the initialization work that will be performed by the target DLLs will be completed in
DLL_PROCESS_ATTACH; likewise, all the teardown work will be performed in
DLL_PROCESS_DETACH. Consequently, the custom loader does not need to call DllMain()
with DLL_THREAD_ATTACH and DLL_THREAD_DETACH messages.
