Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED//FOUO
    UCHAR bReserved[4];
    PVOID pMutant;
    PVOID pImageBaseAddress;
    PPEB_LDR_DATA pLdr;
} PEB, *PPEB;
#else
typedef struct tagPEB
{
    UCHAR bInheritedAddressSpace;
    UCHAR bReadImageFileExecOptions;
    UCHAR bBeingDebugged;
    UCHAR bSpareBool;
    PVOID pMutant;
    PVOID pImageBaseAddress;
    PPEB_LDR_DATA pLdr;
} PEB, *PPEB;
#endif
On Demand Loading
It should be possible to decrypt everything at runtime, on demand. Only the engine
would need to be in the clear in RAM while the tool is running: the beacon code would be
loaded dynamically when the beacon must be called, and likewise for uninstall. This would
reduce the in-memory footprint.
Data Persistence
Most targets rely on the data being processed from within the host executable. This type of tool
can be sent to the cloud and processed without requiring a secondary file. By placing target code
(beacon/transport/uninstall) in the data area, the tool forces reverse engineers to follow one additional
hop while reviewing its inner workings. This means that the data persistence
module holds both code blocks and configuration data.
Beacon (NOTE: engine will be embedded within the host.dll)
Transport
Uninstall
Config
DynConfig – dynamic data at the end of this file or in registry.
DATA LOCATION: c:\windows\system32\codeintegrity\dns.cache (masked/encrypted binary file)
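A defender-side check for the staging technique described above (an added example, not code from the leaked document): it flags a file sitting at the named data location and, more generally, any file whose byte entropy suggests a masked or encrypted blob rather than text or ordinary configuration. The entropy threshold and the sample bytes are constructed assumptions.

```python
import hashlib
import math
from collections import Counter
from pathlib import PureWindowsPath

# Path the document names as the masked/encrypted data location.
STAGED_DATA_PATH = PureWindowsPath(r"c:\windows\system32\codeintegrity\dns.cache")

# Bits per byte above which content looks encrypted/compressed (assumed value; tune per estate).
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or single-valued input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_blob(path: str, data: bytes) -> dict:
    """Return a finding for one file: its entropy, whether it sits at the documented
    staging path, and a verdict. PureWindowsPath compares case-insensitively."""
    p = PureWindowsPath(path)
    entropy = shannon_entropy(data)
    at_known_path = p == STAGED_DATA_PATH
    return {
        "path": str(p),
        "entropy": round(entropy, 2),
        "known_staging_path": at_known_path,
        "suspicious": at_known_path or entropy >= ENTROPY_THRESHOLD,
    }


def constructed_encrypted_blob(size: int = 4096) -> bytes:
    """Deterministic pseudo-random bytes standing in for a masked payload (constructed sample)."""
    out, block = b"", b"seed"
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed low-entropy sample resembling a plain text cache file.
CONSTRUCTED_PLAINTEXT = b"[dns]\nserver=10.0.0.1\nttl=300\n" * 100
```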