Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
(even if no -s list is given). Blacklist will TRUMP the whitelist. Ex. A SID on -s will be ignored if it also appears in --bbs
• --lf <log file path on target>: Path on target to save the log file to. The log will contain a timestamp-SID entry for each read operation performed on the target PE file by a targeted SID.
• --wt <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the log's write time value after updating the log. If using --wt, you must include a date AND time as shown above; you cannot use partial information. This will also be used as the file's last Changed time.
• --ct <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the log's create time value after updating the log.
• --at <MM/DD/YYYY HH:MM:SS>: Optional. Value used to set the log's access time value after updating the log.
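Because --wt, --ct and --at accept only whole seconds, a log whose times were set through them carries a detectable artifact on filesystems that normally record sub-second timestamps. The following is an added defender-side example, not part of this document or of the tool, that converts a builder-style stamp to nanoseconds and flags files whose timestamps look hand-set; the function names are my own and stamps are assumed to be UTC.

```python
import os
from datetime import datetime, timezone

NS_PER_SEC = 1_000_000_000
STAMP_FORMAT = "%m/%d/%Y %H:%M:%S"  # the MM/DD/YYYY HH:MM:SS form the options accept


def builder_stamp_to_ns(stamp: str) -> int:
    """Convert a builder-style timestamp to Unix nanoseconds (assumed UTC).
    Raises ValueError for partial input such as a date with no time."""
    dt = datetime.strptime(stamp, STAMP_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * NS_PER_SEC


def is_valid_stamp(stamp: str) -> bool:
    """True only for a complete date AND time in the builder's format."""
    try:
        builder_stamp_to_ns(stamp)
        return True
    except ValueError:
        return False


def whole_second(ts_ns: int) -> bool:
    """True when a timestamp carries no sub-second component."""
    return ts_ns % NS_PER_SEC == 0


def timestomp_indicators(atime_ns: int, mtime_ns: int, birth_ns=None) -> list:
    """Heuristic reasons a file's timestamps look hand-set from 1-second strings
    rather than produced by normal filesystem activity. Empty list = nothing seen.
    Only meaningful on filesystems with sub-second resolution (NTFS, ext4, APFS)."""
    reasons = []
    if whole_second(atime_ns) and whole_second(mtime_ns):
        reasons.append("access and write times both lack a sub-second component")
    if birth_ns is not None and birth_ns > mtime_ns:
        reasons.append("create time is later than last-write time")
    return reasons


def scan_file(path: str) -> list:
    """Apply the heuristics to a real file; creation time is used where the OS exposes it."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime_ns", None)  # Windows, macOS and some BSDs
    return timestomp_indicators(st.st_atime_ns, st.st_mtime_ns, birth)
```

A hit from scan_file is a lead, not a verdict: correlate it with the $FILE_NAME timestamps in the MFT and with the SMB read activity the log itself records.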
(S//NF) Pandemic_Builder will spit out the file pandemic_AMD64.bin (or pandemic_x86.bin for the 32-bit version). This file will be used by Shellterm for installation.
(S//NF) *NOTE* Pandemic_Builder does not do any checks on the replacement file beyond that it exists. If the -r file does not exist, an error will be printed to screen. If the file does exist, then the file is used. If you accidentally give a .txt file to replace an EXE, that will cause issues. Make sure you double-check which file you're using for replacement.
3.4.1 (S//NF) Multiple replacement
(S//NF) Additional entries to the -t and -r options will allow for multiple replacements. The first entry to -t will be replaced with the first entry to -r, the second entry to -t will be replaced with the second entry to -r, etc. The number of arguments to -t must match the number of arguments given to -r. Otherwise, the builder will throw an error and exit.
3.5 (U) Installation and Operation
(S//NF) Pandemic will install via Shellterm's shellcode installer. Included with Pandemic is a sample python script that enables the shellcode installer functionality within Shellterm. This script is not//not required to use Pandemic, but *some* script is required to use Shellterm's shellcode loader functionality.
(S//NF) To use the sample python script, first drop it into Shellterm's script folder. This folder is determined in Shellterm's configuration file. Once installed, attach to an active session on the target, and make sure the .bin file generated earlier is on the Shellterm machine. Run the following command to install Pandemic on target:
> kshellcode '<path to .bin file>/pandemic_AMD64.bin'
(S//NF) Pandemic can take ~10-15 seconds to install and return back. An error code in the 500-550 range indicates that a required API function could not be loaded. This is an issue that is likely to not resolve itself by re-trying the install, and you should talk to the