Vault7: CIA Hacking Tools Revealed
Execution Vectors
SECRET//NOFORN
Stash Repository: Execution Vectors Library
Interface Description:
The interface for the Execution Vectors Library requires that each module implement an Infect function. The prototype is as follows:
EVRET Infect(WCHAR *wcPath, PVOID pvClassStruct);
wcPath: Path to be infected (drive/directory)
pvClassStruct: A per-class structure that carries further configuration arguments. Because execution vectors vary more than the other libraries, a PVOID was chosen to give modules greater flexibility. The user is responsible for allocating and de-allocating all of the arguments passed to the function. Each module page declares the structure that should be passed as pvClassStruct.
Library Conventions:
Naming convention of classes in the Execution Vectors library:
- Prefix EV (Execution Vector)
- Indication that the class is for Infection (Infecting a file, path, etc), or Execution (code to be implemented post execution)
- Medium of delivery to target (file, removable media, network share, etc)
- Infection label (link file, word document, pdf, trojan, etc)
- Underscore followed by the crypt (cryptonym) of the tool/technique, abbreviated to 2-3 letters (EZC = EZCHEESE, Rap = Raptor, etc.)
Example:
EVIRemovableMediaLink_EZC
EV = Execution Vector
I = Infection class
Removable Media = Execution gained by infecting removable media
Link = Link File Exploit
_EZC = EZCHEESE Exploit
All modules should be compatible with Windows XP through the current version of Windows. This does not mean that all functionality must be present. It does mean, however, that the code should not crash the parent process of the library when running on Windows XP or greater.
Execution Vector List:
Removable Media Link File Exploitation (EZCHEESE) - Class Name: EVRemovableMediaLink_EZC
Execution Vector Library Error Code Descriptions:
typedef int EVRET; //Return Code Type For Execution Vector Library
Error codes 30 through 50 and -30 through -50 are reserved for per-class error codes.
Error codes >= 0 are successful; negative codes are failures. The return codes work with the SUCCESS() and FAILED() macros.
//General Error codes for Execution Vectors Library (does not include per class error codes)
#define EVRET_FILE_ALREADY_EXISTS 10 //File Already Exists
#define EVRET_SUCCESS 0 //Generic success
#define EVRET_UNKNOWN -1 //Unknown Failure : Unimplemented or undefined
#define EVRET_INVALID_ARGS -2 //Invalid Arguments
#define EVRET_BAD_PATH -3 //Path not valid
#define EVRET_INSUFFICIENT_MEM -4 //Out of memory
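The following is an added example, not code from the library or from this page: it shows how an analyst classifying return values from a module would apply the conventions above. The page only states that codes >= 0 are successful and that the SUCCESS()/FAILED() macros work with them, so the macro definitions here are assumptions modelled on the Windows SUCCEEDED()/FAILED() sign test; ev_is_per_class() and ev_describe() are hypothetical helpers that are not part of the library.

```c
#include <stdio.h>
#include <string.h>

/* Return code type, as declared on the page. */
typedef int EVRET;

/* General error codes for the Execution Vectors Library, as listed on the page. */
#define EVRET_FILE_ALREADY_EXISTS 10
#define EVRET_SUCCESS              0
#define EVRET_UNKNOWN             -1
#define EVRET_INVALID_ARGS        -2
#define EVRET_BAD_PATH            -3
#define EVRET_INSUFFICIENT_MEM    -4

/* Assumed definitions of the SUCCESS()/FAILED() macros the page mentions.
 * The page only says codes >= 0 are successful, so these mirror the
 * Windows SUCCEEDED()/FAILED() sign test. */
#define SUCCESS(ev) ((EVRET)(ev) >= 0)
#define FAILED(ev)  ((EVRET)(ev) < 0)

/* Hypothetical helper: true if the code falls in the ranges the page
 * reserves for per-class codes (30..50 and -30..-50). */
int ev_is_per_class(EVRET ev) {
    int mag = ev < 0 ? -ev : ev;
    return mag >= 30 && mag <= 50;
}

/* Hypothetical helper: human-readable description of a return code,
 * distinguishing the general codes, the reserved per-class ranges, and
 * codes the library does not define at all. */
const char *ev_describe(EVRET ev) {
    switch (ev) {
    case EVRET_FILE_ALREADY_EXISTS: return "success: file already exists";
    case EVRET_SUCCESS:             return "success";
    case EVRET_UNKNOWN:             return "failure: unknown/unimplemented";
    case EVRET_INVALID_ARGS:        return "failure: invalid arguments";
    case EVRET_BAD_PATH:            return "failure: path not valid";
    case EVRET_INSUFFICIENT_MEM:    return "failure: out of memory";
    default:
        if (ev_is_per_class(ev))
            return SUCCESS(ev) ? "success: per-class code" : "failure: per-class code";
        return SUCCESS(ev) ? "success: undefined code" : "failure: undefined code";
    }
}

int main(void) {
    /* Constructed sample values covering each category. */
    EVRET samples[] = { EVRET_SUCCESS, EVRET_FILE_ALREADY_EXISTS, EVRET_BAD_PATH, 42, -42, 7 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%4d -> %s (FAILED=%d)\n", samples[i], ev_describe(samples[i]), FAILED(samples[i]));
    return 0;
}
```

Note that EVRET_FILE_ALREADY_EXISTS is 10, so under the stated convention it is a success, not a failure: anyone triaging a module's return values should test the sign with the macros rather than assume every named code other than EVRET_SUCCESS is an error.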
Code Sample Using The Library Interface:
ExecutionVectors *evVector = new EVIRemovableMediaLink_EZC(); //Replace EVIRemovableMediaLink_EZC with the module you are using
//TODO: Create Execution Vector specific structure (see the module page for its layout); the caller allocates and frees it
EVRET evRet = evVector->Infect(L"E:\\MyDrive\\Test", pvClassStruct);
if (FAILED(evRet)) { /* negative return code: handle the error */ }
delete evVector;