Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Example
(gh) add component serviceproxy -p "c:\windows\system32\example.dll" -n LanmanServer --hijack -k "%temp%\killme.txt" --payloadpath "%SYSROOT%\payload.dll"
2.2 Supported Payload Types
ServiceProxy accepts input payloads in EXE or DLL format for the x86 or x64 architectures. If a payload DLL supports the NOD Persistence Specification, the stub memory-loads it during execution when Stub A is used; otherwise the payload is written to disk and loaded from there. ServiceDLL is a terminating component and does not output a payload.
Input Type              Output Type(s)
x86 DLL nod-persist     None
x64 DLL nod-persist     None
x86 DLL                 None
x64 DLL                 None
x86 EXE                 None
x64 EXE                 None
2.3 Supported Variant Stubnames
As part of ServiceDLL component version 1.3, variant stubs were added. Six stubs are available: the default stub A, and stubs B, C, D, E, and F.
1. The default stub A uses the CRT and stores configuration information as well as the obfuscated payload (XOR with a random key) in resource data. Stub A uses the payload file name given by the command line option or, if none is specified, derives it from the stub DLL file name as stubname{cpl}.extension. Stub A also supports NOD-persist DLLs and memory-loads the payload when a NOD-persist DLL is specified.
2. Stub B uses alternate resource ids....
3. Stub C uses ....
2.4 Uninstall Procedure
Manual
The manual uninstall procedure consists of the following steps:
1. Edit HKLM\SYSTEM\CurrentControlSet\Services\<PROXIED_SERVICE_NAME>\Parameters in the registry and replace the DLL entry with the original DLL for this service.
2. Reboot the target.
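The uninstall step above restores the original DLL under the proxied service's Parameters key; the reverse view, for a defender checking whether any service was proxied, is to compare every ServiceDll value against a known-good baseline. The following Python script is an added example, not part of this document or the tool: it parses text in the layout printed by `reg query ... /s /v ServiceDll` and flags deviations; the sample output, the baseline, and the service and DLL names are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout printed by
# "reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll".
# LanmanServer points at example.dll (inside system32, so a path-only check
# passes); WidgetSvc loads from a user-writable directory. Names are illustrative.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\example.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WidgetSvc\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\ProgramData\Widget\widget.dll
"""
BASELINE: Dict[str, str] = {  # known-good values from a clean build (constructed)
    "Dnscache": r"%SystemRoot%\System32\dnsrslvr.dll",
    "LanmanServer": r"%SystemRoot%\system32\srvsvc.dll",
}
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters$", re.I)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(\S.*?)\s*$", re.I)

def parse_service_dlls(text: str) -> Dict[str, str]:
    """Map each service name to its ServiceDll value from reg query output."""
    dlls: Dict[str, str] = {}
    service = None
    for line in text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            service = key.group(1)  # subsequent value lines belong to this service
            continue
        value = VALUE_RE.match(line)
        if value and service:
            dlls[service] = value.group(1)
    return dlls

def normalize(path: str) -> str:
    """Lower-case and expand %SystemRoot%/%windir% so equivalent paths compare equal."""
    return path.strip().strip('"').lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")

def audit(current: Dict[str, str], baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (service, reason, value) for every ServiceDll that deviates."""
    findings = []
    for service, dll in sorted(current.items()):
        norm = normalize(dll)
        if service in baseline and norm != normalize(baseline[service]):
            findings.append((service, "baseline-mismatch", dll))  # swapped DLL, even inside system32
        if not norm.startswith("c:\\windows\\system32\\"):
            findings.append((service, "outside-system32", dll))  # service DLL in a non-system location
    return findings
```

On a live host the same functions can be fed the actual `reg query` output; a baseline-mismatch on a service such as LanmanServer is the condition the manual uninstall step above reverses.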