Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

Pg. 07
Boot Persistence
The custom loader assumes that the target DLL is fully functional once the call to the Address of
Entry Point (AoEP) returns control back to the loader. The target DLLs are free to create as
many threads as needed to perform their respective functions. It is the responsibility of the
target DLLs to clean up these threads during their DllMain()'s handling of
DLL_PROCESS_DETACH.
When loading Win32 DLLs or AXE binaries, the custom loader does not need to create
LDR_DATA_TABLE_ENTRY structures that are otherwise created when DLLs are loaded by
the Windows loader.
The custom loader has to support DLL import forwarders, but it does not need to support import
forwarders by ordinal such as "kernel32!EncodePointer -> NTDLL.#865", nor does it have to
support import forwarders to API set DLLs such as "api-ms-win-core-memory-l1-1-1.dll".
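The three forwarder shapes named above (plain by-name, by-ordinal, and API-set contract) are distinguishable from the forwarder string alone. The following is an added example, not code from the document or from the loader it describes: a small, bounds-checked parser of the kind a PE triage or static-analysis tool uses to recognise and classify forwarded exports. It assumes the standard PE convention that an export whose address RVA falls inside the export directory is a forwarder whose string has the form "MODULE.Name" or "MODULE.#ordinal"; the sample strings and the toy image buffer are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample forwarder strings in the shapes a PE export directory stores
# them ("MODULE.Name" / "MODULE.#ordinal", module written without ".dll").
SAMPLE_FORWARDERS = [
    "NTDLL.RtlAllocateHeap",                       # forwarded by name
    "NTDLL.#865",                                  # forwarded by ordinal
    "api-ms-win-core-memory-l1-1-1.VirtualAlloc",  # forwarded through an API set contract
    "KERNELBASE.GetProcAddress",
]

# API set contract names used by modern Windows (prefix check only; assumption for the example).
API_SET_PREFIXES = ("api-ms-win-", "ext-ms-win-")


@dataclass(frozen=True)
class Forwarder:
    module: str             # module part as stored in the PE, without ".dll"
    name: Optional[str]     # target export name, or None when forwarded by ordinal
    ordinal: Optional[int]  # target ordinal, or None when forwarded by name
    api_set: bool           # True when the module is an API set contract name

    @property
    def by_ordinal(self) -> bool:
        return self.ordinal is not None


def is_forwarded_export(export_rva: int, export_dir_rva: int, export_dir_size: int) -> bool:
    """An export is a forwarder when its address RVA lies inside the export directory itself:
    the RVA then points at a NUL-terminated 'MODULE.Target' string rather than at code."""
    if export_dir_size <= 0 or export_dir_rva < 0:
        raise ValueError("invalid export directory bounds")
    return export_dir_rva <= export_rva < export_dir_rva + export_dir_size


def read_c_string(image: bytes, offset: int, limit: int = 256) -> str:
    """Range-checked read of a NUL-terminated ASCII string from a raw image buffer."""
    if not 0 <= offset < len(image):
        raise ValueError("string offset outside image")
    end = image.find(b"\x00", offset, min(len(image), offset + limit))
    if end == -1:
        raise ValueError("unterminated string within limit")
    return image[offset:end].decode("ascii")


def parse_forwarder(text: str) -> Forwarder:
    """Split 'MODULE.Name' / 'MODULE.#ordinal' into its parts, rejecting malformed input."""
    module, sep, target = text.partition(".")
    if not sep or not module or not target:
        raise ValueError(f"not a forwarder string: {text!r}")
    api_set = module.lower().startswith(API_SET_PREFIXES)
    if target.startswith("#"):
        if not re.fullmatch(r"#\d+", target):
            raise ValueError(f"bad ordinal forwarder: {text!r}")
        return Forwarder(module, None, int(target[1:]), api_set)
    if not re.fullmatch(r"\S+", target):
        raise ValueError(f"bad export name: {text!r}")
    return Forwarder(module, target, None, api_set)


def classify(forwarders):
    """Bucket forwarder strings into the three shapes the loader notes distinguish."""
    buckets = {"by_name": [], "by_ordinal": [], "api_set": []}
    for s in forwarders:
        f = parse_forwarder(s)
        if f.api_set:
            buckets["api_set"].append(s)
        elif f.by_ordinal:
            buckets["by_ordinal"].append(s)
        else:
            buckets["by_name"].append(s)
    return buckets


# Constructed toy export directory: pretend it occupies RVA 0x3000..0x3040 and holds a
# forwarder string at RVA 0x3010. The real structure fields are omitted; only the string matters.
EXPORT_DIR_RVA, EXPORT_DIR_SIZE = 0x3000, 0x40
TOY_EXPORT_DIR = bytes(0x10) + b"NTDLL.#865\x00" + bytes(EXPORT_DIR_SIZE - 0x10 - 11)


def resolve_toy_export(export_rva: int) -> Optional[Forwarder]:
    """Return the parsed forwarder for an export RVA, or None if the export is real code."""
    if not is_forwarded_export(export_rva, EXPORT_DIR_RVA, EXPORT_DIR_SIZE):
        return None
    return parse_forwarder(read_c_string(TOY_EXPORT_DIR, export_rva - EXPORT_DIR_RVA))


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_FORWARDERS).items():
        print(f"{bucket:10s} {items}")
    print(resolve_toy_export(0x3010))
```

The two failure modes worth noticing are the ones the range checks catch: an export RVA that lands inside the export directory but whose string never hits a NUL before the buffer ends, and an ordinal forwarder whose "#" is not followed by digits. Both are rejected rather than silently resolved.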
When loading target DLLs and AXEs, the loader must first scan the module list in the hosting
process to determine whether the system DLLs in the target DLL's or AXE's import list are already
loaded. If these dependent system DLLs are not loaded, the custom loader can
load them using LoadLibrary(). However, the functions imported from the system DLLs
must be resolved using the custom loader's own import functionality instead of
GetProcAddress().
The DLLs or AXEs that the loader processes are considered non-hostile. So, other than basic
header validation and range checks, the loader does not need to perform any aggressive validation
when parsing the contents of DLLs or AXEs.
7. Non-requirements
The loader does not need to parse or perform any processing on the target DLLs or AXE's
.pdata (function exception table) section.
The loader does not install any table based exception handler for the X64 binaries.
The loader does not need to parse or perform any processing on the target DLLs or AXE's
.TLS (static thread local storage) section.
The loader does not need to support delayed imports, incremental linking or shared sections.
The loader function Athena_Load() will be provided with the address of the memory location
where the raw image of the target DLL or AXE is available, as well as the size of the raw image.
It will also be told whether the target module being loaded is a DLL or an AXE. Similarly, the
unload function, Athena_Unload(), will be called with a pointer to the memory where the
module is currently mapped and the size of the mapping.
