Vault7: CIA Hacking Tools Revealed
Privilege Escalation Library
SECRET//NOFORN
Stash Repository: Privilege Escalation
Interface Description:
The interface for the Privilege Escalation Library specifies that the following functions be available:
Kernel Mode Privilege Escalation (IKernelPrivEsc):
virtual PrivEscErr elevatePrivs( DWORD dwPID ) = 0;
dwPID [in]: Specify the PID (process ID) of the process you wish to elevate.
Returns a PrivEscErr described in the Error Code Descriptions section.
User Mode Privilege Escalation (IUserPrivEsc):
virtual PrivEscErr elevatePrivs(WCHAR *wcPath, PVOID pvParams) = 0;
wcPath [in]: The path to the payload you wish to start as a privileged user (admin or system privileges). Depending on the module, this could also be the command line that gets executed when starting an executable with privileges.
pvParams [in, opt]: A module specific structure that contains configuration options for the module. In some modules this argument can be left NULL. See module documentation for information regarding this argument.
Returns a PrivEscErr described in the Error Code Descriptions section.
Library Conventions: Describe any and all conventions submissions should adhere to for this library. Applying a naming convention can help with the organization of the library. Any organizational requirements or notes go here as well.
Naming convention of projects in the Privilege Escalation Library:
- Prefix PE (Privilege Escalation)
- Exploit name/crypt
- _ architecture supported. x86, x64, x86&64
Example:
PEVanguard_x86&64
PE = Privilege Escalation
Vanguard = Exploit name
_x86&64 = This library supports both x86 and x64 processors.
Privilege Escalation Member List:
Technique/Class 1 with Link or Anchor to Technique - Class Name: xxxxxx
Example of technique/class in Survey Library: Get User Name (Link to Get User Name Windows API Module Page) - Class Name: GetUsersName_WinApi
Error Code Descriptions:
Return Code Type For Privilege Escalation Library: enum PrivEscErr: int.
Error codes >= 0 are successful. The return codes will work with the SUCCESS() and FAILED() macros.
enum PrivEscErr : int
{
    // Success:
    ePE_ERROR_SUCCESS = 0,
    // Errors:
    ePE_ERROR_GENERIC = -1,
    ePE_INVALID_ARGUMENTS = -2,  // Invalid arguments were passed to the function
    ePE_SW_FAILED_INF_GEN = -20  // Failed to generate the inf file
};
Code Sample Using The Library Interfaces: