Vault7: CIA Hacking Tools Revealed
COM + Junction Folder User Persistence (PSDComJunction_HCLS - HighClass)
SECRET//NOFORN
OSB Library: Persistence
Module Name: PSDComJunction_HCLS (HighClass)
Module Description: This module is a user-privilege-level persistence technique. It makes modifications to the HKEY_CURRENT_USER registry hive. Upon logon, a DLL is loaded (via process attach). Only tools or shims that do all of their work in DllMain should use this persistence mechanism. The technique works on Windows XP through Windows 8.1, 32- and 64-bit. Upon logon, the persisted DLL is loaded by verclsid.exe (a user process). To understand more of the technique, see Junction Folders and CLSIDs and Junction Folders (Persistence and then some) (SECRET).

This module places the junction folder in different places for different OSs. On Windows XP, Windows Vista, and Windows 8.0, a junction folder is placed inside the Start Menu folder structure (Start Menu\Programs\Accessories). On Windows 7 and Windows 8.1, the junction folder is placed in AppData\Roaming\Microsoft and a library file (in AppData\Roaming\Microsoft\Windows\Libraries) is modified. If no library files are present, the technique used on XP, Vista and 8 is used instead. The junction folder has no subfolders or files. The library file is modified to add the path of the junction folder, which triggers the loading of the DLL.

Be aware that on different OSs the DLL may be loaded (process attach called) multiple times. This persistence mechanism should therefore be used only with tools that are aware of already running instances.
PSP/OS Issues: No known issues (Windows XP - 8.1)
Sharing Level: Unilateral
Technique Origin: In-house
Notes: Any information that could be useful to anyone maintaining or using the code, e.g. this module uses Alternate Data Streams, which are only available on NTFS volumes.
Module Specific Structures:
    enum eArch
    {
        x86 = -1, // mix up numbers so we don't look like a shared struct with other modules
        x64 = 1
    };

    struct ComJunction_HCLS
    {
        WCHAR *wcCLSID;      // COM CLSID in registry format - can be derived using Visual Studio's Create GUID tool or the Windows API UuidCreate
        WCHAR *wcClassName;  // The name of the COM class - this can be left empty
        WCHAR *wcFolderName; // The name of the junction folder
        eArch xArch;         // Architecture of the dll being persisted
    };
Example Code:
    // Inputs supplied by the caller (placeholders; the values are tool-specific)
    WCHAR *wcPayloadPath = L"<path to the dll being persisted>";
    WCHAR *wcClassName   = L"<COM class name, may be empty>";
    WCHAR *wcFolderName  = L"<junction folder name>";
    WCHAR *wcCLSID       = L"<CLSID in registry format>"; // Use CreateGuid to get a CLSID - check the return to see if it's already been used

    IPersistence *pPersist = new PSDComJunction_HCLS();
    ComJunction_HCLS cjArgs;
    cjArgs.wcClassName = wcClassName;
    cjArgs.wcFolderName = wcFolderName;
    cjArgs.wcCLSID = wcCLSID;
    cjArgs.xArch = x64;
    PersistErr peErr;

    // Set up persistence
    peErr = pPersist->PersistPayload(wcPayloadPath, (PVOID)&cjArgs);

    // Remove persistence
    peErr = pPersist->RemovePersistence((PVOID)&cjArgs);
    delete pPersist;
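A defender-side check for the on-disk artifacts this module leaves behind, as an added Python example that is not part of the original page or of the module's code: it scans a folder listing for shell junction folders (named Name.{CLSID}) in the two locations the description names, and parses a .library-ms file from the Libraries folder for entries pointing at such a folder. All paths, CLSIDs and the library document are constructed sample values; on a live host the listing would come from the user's profile and the XML from the files in AppData\Roaming\Microsoft\Windows\Libraries.

```python
import re
import xml.etree.ElementTree as ET

# Shell junction folders are named "<Name>.{CLSID}"; the CLSID identifies the COM
# class (registered under the HKEY_CURRENT_USER hive) whose DLL the shell loads.
CLSID_RE = re.compile(r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})$")
LIB_NS = "{http://schemas.microsoft.com/windows/2009/library}"  # .library-ms namespace
START_MENU = "\\start menu\\programs\\accessories\\"

# Constructed sample input: a folder listing and one .library-ms document whose
# second <url> points at a junction folder under AppData\Roaming\Microsoft.
SAMPLE_DIRS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Tools.{0A1B2C3D-1111-2222-3333-444455556666}",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Libraries",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Sync.{7E8F9A0B-AAAA-BBBB-CCCC-DDDDEEEEFFFF}",
]
SAMPLE_LIBRARY_MS = r"""<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription><simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation></searchConnectorDescription>
    <searchConnectorDescription><simpleLocation><url>C:\Users\alice\AppData\Roaming\Microsoft\Sync.{7E8F9A0B-AAAA-BBBB-CCCC-DDDDEEEEFFFF}</url></simpleLocation></searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

def junction_clsid(path):
    """Return the CLSID when the last path component has junction-folder form, else None."""
    m = CLSID_RE.search(path.rstrip("\\").rsplit("\\", 1)[-1])
    return m.group(1) if m else None

def library_locations(xml_text):
    """Return every <url> location declared in a .library-ms document."""
    return [u.text for u in ET.fromstring(xml_text).iter(LIB_NS + "url") if u.text]

def find_suspect_junctions(dirs, library_xml):
    """Flag junction folders in the two locations the module uses, and any library
    entry that points at a junction folder (the Windows 7 / 8.1 trigger)."""
    findings = []
    for d in dirs:
        clsid = junction_clsid(d)
        if clsid and START_MENU in d.lower():
            findings.append(("startmenu_junction", d, clsid))
        elif clsid and "\\appdata\\roaming\\microsoft\\" in d.lower():
            findings.append(("appdata_junction", d, clsid))
    for url in library_locations(library_xml):
        clsid = junction_clsid(url)
        if clsid:
            findings.append(("library_points_to_junction", url, clsid))
    return findings
```

Each finding carries the CLSID so it can be cross-checked against the user's HKEY_CURRENT_USER class registrations; a junction folder whose CLSID resolves to a DLL in a user-writable location is the case worth escalating.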
If Miscellaneous Modules were used in the creation of this module, include the tool list excerpt from this page inside the tool list excerpt of each Miscellaneous Module used. For example, if the CreateDirectoryWithAttributes Misc. Module was used, add an "Excerpt Include" macro inside the Tool List Excerpt on the documentation page for the CreateDirectoryWithAttributes module. The tool list for this module should then always show up in the list of tools that use the CreateDirectoryWithAttributes module.