Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
Boot Persistence
Data Persistence
Most targets rely on the data being processed from within the host executable. This type of
tool can be sent to the cloud and processed without requiring a secondary file. Placing
target code (engine/command/uninstall) in the data area forces reverse engineers to explore
one additional file while reviewing the inner workings of the tool. This means that the
data persistence module holds both code blocks and configuration data.
Config
Engine
Command
Uninstall
DynConfig – dynamic data at the end of this file or in registry.
DATA LOCATION: c:\windows\system32\codeintegrity\dns.cache
(masked/encrypted binary file)
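The document states that the engine, command and uninstall code is kept outside the host executable in a masked/encrypted binary file at the location above. From a defender's side, the two facts a responder can act on are the fixed path and the fact that the blob should look like encrypted data rather than a real cache. The following is an added example (not from the leaked document, and not the tool's own code) that checks for a file at that path and uses byte entropy to decide whether its contents look masked. The entropy threshold of 7.0 bits per byte and the two sample blobs are constructed assumptions for illustration.

```python
import math
import os
import random
from collections import Counter

# Path as stated in the document. On a real host, nothing named dns.cache is
# expected under the CodeIntegrity directory, so mere presence is notable.
SUSPECT_PATH = r"c:\windows\system32\codeintegrity\dns.cache"

# Entropy (bits per byte) at or above which a blob is treated as encrypted or
# packed rather than as text or an ordinary cache. Assumed, tunable threshold.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_masked(data: bytes, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the byte distribution is close to uniform, as encrypted data would be."""
    return shannon_entropy(data) >= threshold


def check_path(path: str = SUSPECT_PATH) -> dict:
    """Report presence, size, entropy and a masked/not-masked verdict for the file at path."""
    if not os.path.isfile(path):
        return {"path": path, "present": False}
    with open(path, "rb") as f:
        data = f.read()
    return {
        "path": path,
        "present": True,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 3),
        "masked": looks_masked(data),
    }


# Constructed sample blobs (not taken from any real file):
# a plausible plain-text DNS cache versus a uniformly random byte string.
PLAINTEXT_SAMPLE = b"example.com 93.184.216.34\n" * 40
_rng = random.Random(7)  # fixed seed so the example is reproducible
RANDOM_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_SAMPLE), ("random", RANDOM_SAMPLE)):
        print(f"{name}: entropy={shannon_entropy(blob):.3f} masked={looks_masked(blob)}")
    print(check_path())
```

Entropy alone will also flag legitimately compressed or encrypted files, so the verdict is a triage signal to pair with the unexpected path, the file's timestamps and the process that last wrote it, not a detection on its own.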