Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
Owner: User #71473
System Monitoring and Manipulation
SECRET//NOFORN
The System Monitoring and Manipulation Library will be a set of classes designed to be used in two main scenarios:
- Go/No Go logic for installers/droppers (i.e., blacklist or PSPPersonal Security Product (Anti-Virus) avoidance). Immediate feedback at the time the member function is called
- Event notification/Change Detection
As an example, an implementation of the library would provide both on-demand process detection (is procmon.exe running now) and event driven call-back notification (alert me when procmon.exe starts or stops). This is not primarily intended for collection purposes, but rather to alter program behavior based on current system state or future events.
Stash Repository: Link to Stash Repository
Unit Tests Repository: Link to Unit Tests Stash Repository
Interface Description: The interface for the System Monitoring and Manipulation Library specifies on-demand detection of machine state using the Contains, DoesNotContain, IsEqual, IsNotEqual, IsLessThan, IsLessThanEqual, IsGreaterThan, IsGreaterThanEqual logic functions. The prototypes are as follows:
Library Conventions:
Naming convention of classes in the System Monitoring and Manipulation library:
- Prefix SM (System Monitoring)
- Type of system object or state to monitor + the word "Monitor" (e.g., "MediaMonitor", "ProcessMonitor", "RegistryMonitor")
- _ Optional crypt specifying APIApplication Programming Interface basis of technique, abbreviated to 2-3 letters (W32 = Win32 API, WMIWindows Management Instrumentation = WMI, MFC = MFC, PSX = Posix-style calls)
Example:
SM_MediaMonitor_W32
EV = System Monitoring and Manipulation
MediaMonitor = Class to monitor removable/fixed media
_W32 = Implementation based on Win32 APIApplication Programming Interface for core functionality
XXXXXX Member List: (ex: Execution Vector Member List where the library is execution vectors)
Technique/Class 1 with Link or Anchor to Technique - Class Name: xxxxxx
Example of technique/class in Survey Library: Get User Name(Link to Get User Name Windows APIApplication Programming Interface Module Page) - Class Name: GetUsersName_WinApi
Error Code Descriptions: List error codes with descriptions. Use either a bulleted list or the code block macro. Remember, error codes must be compatible with the SUCCEEDED() and FAILED() macros.
- Error Codes List
Code Sample Using The Library Interface:
SECRET//NOFORN