Vault7: CIA Hacking Tools Revealed
Transfer Data By Appending To An Existing File (DTFile_PICT - PICTOGRAM)
SECRET//NOFORN
OSB Library: Data Transfer
Module Name: DTFile_PICT (PICTOGRAM)
Module Description: This module transfers or stores data by appending the data to an already existing file such as a jpg or png. PICTOGRAM requires a 32-byte signature (in the constructor) that is used to identify the start of the data storage. Multiple chunks (calls to DumpData) and multiple programs can store data in the same file.
PSP/OS Issues: No known issues.
Sharing Level: Unilateral
Technique Origin: In-house
Notes:
- wcPath is a path of an already existing file that the data should be appended to.
- The program id should be unique and should not be 0. The program id is used to identify the owner of the chunk.
- Multiple program ids can be written to the same file.
- A read index is stored for optimization. Upon changing the file path or program id, the read index is reset to 0.
- A signature (hex, 32 bytes) is used to identify where the storage portion of the file starts. If the signature is not present, one is written to the file.
- Verify that the files you are appending to will not be corrupted by the addition of data.
Module Specific Structures:
Header used for storage of data.
struct DATA_HEAD_PICT
{
    DWORD dwProgramId;
    DWORD dwDataLen;
};
/*
Constructor takes path to the file you wish to store data in. The signature is a 32 byte buffer
that identifies a file as a carrier of data and identifies the start position of the data.
*/
DTFile_PICT(WCHAR *wcFilePath, LPBYTE lpbSig);
Example Code:
WCHAR wcDrivePath[] = L"H:\\sloth.jpg";
CHAR cSig[] = "Test1234Test1234Test1234Test1234Test1234";
IDataTransfer *dtTransfer = new DTFile_PICT(wcDrivePath, (LPBYTE)cSig);
//Write one chunk, find file, read file, delete file
DWORD dwChunkSize = 0;
DWORD dwFileProgID = 0;
//Add the file to storage file
DataTransErr dtErr = dtTransfer->addFile(5, byData1, dwData1Len);
//find first file - no header
dtErr = dtTransfer->findFirstFile(5, dwChunkSize, &dwFileProgID, 0, NULL);
//Allocate memory - read in file just identified by findFirstFile
LPBYTE lpbData = (LPBYTE)malloc(dwChunkSize);
DWORD dwBytesRead = dtTransfer->readFile(lpbData, dwChunkSize);
free(lpbData);
//Delete file identified by findFirstFile
dtErr = dtTransfer->deleteFile();
//No more file - that was the only chunk
delete dtTransfer;
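
From the defensive side, data stored this way sits after the carrier image's logical end (the PNG IEND chunk or the JPEG EOI marker), so a triage script can find it by walking the image structure. The Python check below is an added example, not part of the original page or the OSB library; the function names and the sample bytes are constructed for illustration.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def png_end(buf):
    """Offset just past the IEND chunk, or None if the chunk chain never reaches it."""
    pos = len(PNG_MAGIC)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 12 + length                      # length + type + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(buf) else None
    return None

def jpeg_end(buf):
    """Offset just past the EOI marker that closes the image, or None."""
    pos, in_scan = 2, False                     # start after SOI (FF D8)
    while pos + 2 <= len(buf):
        if buf[pos] != 0xFF:
            pos = buf.find(b"\xff", pos) if in_scan else -1
            if pos < 0:
                return None
            continue
        marker = buf[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
        elif marker == 0x00 or 0xD0 <= marker <= 0xD7:
            pos += 2                            # stuffed FF or restart marker
        elif marker == 0xD9:                    # EOI reached outside any segment
            return pos + 2
        elif pos + 4 > len(buf):
            return None
        else:                                   # segment with a 2-byte length
            pos += 2 + struct.unpack(">H", buf[pos + 2:pos + 4])[0]
            in_scan = marker == 0xDA            # SOS: entropy-coded data follows
    return None

def appended_data(buf):
    """Return (offset, trailing bytes) found after the image's logical end, else None."""
    finder = png_end if buf.startswith(PNG_MAGIC) else jpeg_end if buf.startswith(b"\xff\xd8") else None
    end = finder(buf) if finder else None
    return (end, buf[end:]) if end is not None and end < len(buf) else None

# Constructed samples (not real images): minimal PNG and JPEG skeletons, CRCs zeroed.
PNG = PNG_MAGIC + b"\x00\x00\x00\x0dIHDR" + bytes(13 + 4) + b"\x00\x00\x00\x00IEND" + bytes(4)
JPG = b"\xff\xd8" + b"\xff\xe1\x00\x06\xff\xd9AB" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34" + b"\xff\xd9"
OVERLAY = b"\xaa" * 32 + b"constructed trailing bytes"   # stand-in for appended data
```

Some legitimate writers also leave bytes after the end marker, so a hit is a lead for closer inspection of the file, not a verdict.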