Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Boot Persistence
Directory change notifications that indicate creation of a file with a specific name may be a
trigger to unload or uninstall the DLL engine. This is called the self-kill file.
The command dispatcher also implements an interface that AXEs for the following:
Request the dispatcher to unload itself.
Set the timer that the dispatcher will use to call the Beacon and Command module.
11. Installer and Uninstaller
Installer
The host based installer is implemented as a DLL. The path to various files and registry keys is
hardcoded in the DLL image. The build and configuration tool modifies the installer to
customize these paths. The host based installer runs with Administrative or System
privileges. The host based installer performs the following steps:
Place the host DLL in c:\windows\system32\Microsoft\Crypto\DNS directory.
Place the host data file in c:\windows\system32\codeintegrity.
Replace the DLL path in the DnsCache service's registry entry to point to the host DLL.
Stop and start the DnsCache service to ensure that the host DLL is loaded and its initialization
routine is invoked.
The host DLL, upon initialization, loads the engine AXE into dynamically allocated memory
such that the host DLL can be unloaded while the engine is still running.
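The persistence step above hinges on one registry value: the Dnscache service's ServiceDll. The following is an added defender-side check, not part of the original document, that parses `reg query` output for that key and flags a ServiceDll that no longer points at the stock DLL or that sits under one of the drop directories named above; the expected stock path and the sample `reg query` text are assumptions constructed for the example.

```python
import re

# Assumption: stock ServiceDll of the Dnscache service; confirm against a
# known-good baseline for the same Windows build before alerting on a mismatch.
EXPECTED_SERVICEDLL = r"%systemroot%\system32\dnsrslvr.dll"
# Drop directories named in the installer description above (lower-cased).
DROP_DIRS = (r"\system32\microsoft\crypto\dns", r"\system32\codeintegrity")
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\(.+)$")
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")

def parse_reg_query(output):
    """Parse `reg query` text into {subkey: {value_name: (type, data)}}."""
    tree, current = {}, None
    for line in output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            tree[current][m.group(1).lower()] = (m.group(2), m.group(3))
    return tree

def audit_dnscache(output):
    """Return findings for the Dnscache ServiceDll; an empty list means untouched."""
    params = r"system\currentcontrolset\services\dnscache\parameters"
    values = parse_reg_query(output).get(params, {})
    if "servicedll" not in values:
        return ["Dnscache\\Parameters\\ServiceDll missing or unreadable"]
    vtype, data = values["servicedll"]
    path = data.strip().strip('"').lower()
    findings = []
    if path != EXPECTED_SERVICEDLL:
        findings.append(f"ServiceDll redirected ({vtype}): {data}")
    for frag in DROP_DIRS:
        if frag in path:
            findings.append(f"ServiceDll lives under drop directory {frag}")
    return findings

# Constructed samples: an untouched entry, and one redirected to the host DLL path and name given above.
CLEAN = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\\System32\\dnsrslvr.dll
"""
TAMPERED = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Dnscache\\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\\Windows\\System32\\Microsoft\\Crypto\\DNS\\DnsClnt.dll
"""
```

On a live host, feed it the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters`; a redirect report is worth pairing with a hash check of the DLL actually loaded into the Dnscache svchost.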
12. Uninstaller
Uninstall will have to unload DnsClnt.dll, restore the registry key, and overwrite the file on disk.
Uninstall does not necessarily imply unload: the host DLL can be uninstalled while the in-memory
copy continues to run. The Uninstaller executes within the SvcHost process that runs in the
security context of NT AUTHORITY\NETWORK SERVICE (S-1-5-20). This process security
token is as shown below. This process does not have Administrative or System privileges, and
hence the Uninstaller has to take special measures to write to the file system and to the
registry.