Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//NOFORN
1 Description
ServiceDLL is a Grasshopper component that provides a way to persist a payload as a Windows Service DLL.

The ServiceDLL component installs a stub Service DLL into the Net Services (netsvcs) Service Host using manual registry modifications. The stub is configured to run the input payload whenever the service starts. The stub is stored at a user-specified location on the target file system.

The payload is stored as a resource of the ServiceDLL stub. If the payload adheres to the NOD Persistence Spec v1 Interface, stub A or stub B will load and execute the payload from memory. If not, the stub will write the payload to the filesystem and load or run it normally. The payload is placed adjacent to the stub: with a .tlb file extension for the default stub A, as DLLNAMEhlp.{dll|exe} for stub B, or as DLLNAMEext.{dll|exe} for stub C.

Due to caching by the Service Control Manager, the service cannot be started directly when first installed. The ServiceDLL component can, optionally, hijack an existing, stopped service DLL's entry in the SCM database to gain immediate execution. This requires that the component write an "Unhijack DLL" to the filesystem, which is deleted by the stub during the first run.
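The description above gives a defender three concrete things to audit on a host: the membership of the netsvcs service group, the DLL each of those services loads, and the payload files the stub drops next to itself. The following Python script is an added example written for this page; it is not part of the leaked document and not Grasshopper code. It runs offline over a constructed snapshot of the relevant registry values (the real locations are HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs and HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll) and a constructed directory listing; the baseline list, service names and paths are all assumptions chosen to exercise each check.

```python
import ntpath

# Assumed system root for path normalisation; on a live host read %SystemRoot%.
SYSTEM_ROOT = r"c:\windows"

# Constructed snapshot of the netsvcs group (REG_MULTI_SZ under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs).
NETSVCS = ["Schedule", "wuauserv", "ExampleService", "HelperSvc"]

# Constructed baseline of netsvcs members captured from a known-clean build.
BASELINE = ["Schedule", "wuauserv"]

# Constructed ServiceDll values (Services\<name>\Parameters\ServiceDll).
SERVICE_DLLS = {
    "Schedule": r"%SystemRoot%\system32\schedsvc.dll",
    "wuauserv": r"%SystemRoot%\system32\wuaueng.dll",
    "ExampleService": r"c:\windows\system32\example.dll",
    "HelperSvc": r"c:\programdata\helper\helpersvc.dll",
}

# Constructed directory listing of the folders holding those DLLs.
LISTING = [
    r"c:\windows\system32\schedsvc.dll",
    r"c:\windows\system32\wuaueng.dll",
    r"c:\windows\system32\example.dll",
    r"c:\windows\system32\example.tlb",
    r"c:\programdata\helper\helpersvc.dll",
    r"c:\programdata\helper\helpersvchlp.exe",
]


def normalize(path: str) -> str:
    """Lowercase and expand %SystemRoot% so registry values compare cleanly."""
    return path.lower().replace("%systemroot%", SYSTEM_ROOT.lower())


def unexpected_members(netsvcs, baseline):
    """netsvcs entries that were not present in the clean baseline."""
    return sorted(set(netsvcs) - set(baseline))


def dlls_outside_system32(service_dlls):
    """Services whose ServiceDll does not live under System32."""
    sys32 = normalize(r"%SystemRoot%\system32") + "\\"
    return sorted(name for name, p in service_dlls.items()
                  if not normalize(p).startswith(sys32))


def adjacent_artifacts(dll_path, listing):
    """Files beside dll_path named the way the stub names its dropped payload:
    DLLNAME.tlb (stub A), DLLNAMEhlp.{dll,exe} (stub B), DLLNAMEext.{dll,exe} (stub C)."""
    folder, fname = ntpath.split(normalize(dll_path))
    base = ntpath.splitext(fname)[0]
    candidates = {base + ".tlb", base + "hlp.dll", base + "hlp.exe",
                  base + "ext.dll", base + "ext.exe"}
    hits = []
    for entry in listing:
        d, f = ntpath.split(normalize(entry))
        if d == folder and f in candidates:
            hits.append(f)
    return sorted(hits)


def audit(netsvcs, baseline, service_dlls, listing):
    """Combine the three checks into (service, reason) findings."""
    findings = []
    for name in unexpected_members(netsvcs, baseline):
        findings.append((name, "not in netsvcs baseline"))
    for name in dlls_outside_system32(service_dlls):
        findings.append((name, "ServiceDll outside System32"))
    for name, path in service_dlls.items():
        for f in adjacent_artifacts(path, listing):
            findings.append((name, f"adjacent payload-style file {f}"))
    return sorted(findings)


if __name__ == "__main__":
    for service, reason in audit(NETSVCS, BASELINE, SERVICE_DLLS, LISTING):
        print(f"{service}: {reason}")
```

The baseline comparison is the check that matters most: a stub placed in System32 with a cover name and description (as the builder example on this page does) defeats the path check, and the sibling-file check only fires once the stub has had to write its payload to disk. Treat any new netsvcs member as a finding until it is explained by a known install.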
2 Usage
2.1 Builder Command Line
add component servicedll -n NAME -p PATH [-d DESC] [-u PATH]

  -n/--name NAME          cover name of the service dll
  -p/--path PATH          target path of the service dll stub
  -d/--description DESC   cover description of the service dll
  -u/--unhijack PATH      target path of the unhijack dll
  --stubname STUBNAME     alternate stub name to use {A|B|C} [default: A]
  -k/--killfile PATH      kill file path which causes persistence and payload to be uninstalled [default: no kill file]
Example

(gh) add component servicedll
        -n ExampleService
        -p "c:\windows\system32\example.dll"
        -d "An example of how to create a service dll component."
        -u "%temp%\examplehelper.dll"
2.2 Supported Payload Types
ServiceDLL accepts input payloads in EXE or DLL formats for the x86 or x64 architectures. If a payload DLL supports the NOD Persistence Specification, the stub will memory load it during execution. ServiceDLL is a terminating component and does not output a payload.

Input Type            Output Type(s)
x86 DLL nod-persist   None
x64 DLL nod-persist   None