Vault7: CIA Hacking Tools Revealed
Component Library
The UMBRAGE team maintains a library of application development techniques borrowed from in-the-wild malware. The goal of this repository is to provide functional code snippets that can be rapidly combined into custom solutions. Rather than building feature-rich tools, which are often costly and can have significant counterintelligence (CI) value if recovered, this effort focuses on developing smaller, more targeted solutions built to operational specifications.
This page organizes the collection by functionality and captures relevant technical information. When possible, each item should include a working example of the technique (and/or a pointer to code in the SVN repository), documentation describing how the technique is applied, and notes concerning our use of the technique in delivered tools.
Data Collection Components
Component | Reuse | Source
---|---|---
DirectInput Keylogger | None | Known Malware |
Internet Explorer Password Collection | None | Known Malware |
SetWindowsHookEx WH_KEYBOARD and WH_KEYBOARD_LL Key Logger | UNKL 1.0/2.x | Known Malware |
Webcam Capture | None | Known Malware/Public Samples |
Windows API Keyloggers | None | Known Malware |
Data Destruction Components
Component | Reuse | Source
---|---|---
Wiped Locked Files | Rebound 1.0 | Shamoon |
Persistence Components
Component | Reuse | Source
---|---|---
Image File Execution Options | None | (Autoruns) |
OCI.DLL Service Persistence | None | HiKit Rootkit |
Shell Extension Persistence | Stepstool | Public Source Sample |
Windows FAX DLL Injection | Sandshark, UNKL | Known Malware |
TLS Library Injection | None | LL TLS |
Privilege Escalation Components
Component | Reuse | Source
---|---|---
Elevated COM Object UAC Bypass (WIN 7) | Sandshark | Public Sample |
Sticky Keys Process Launch | None | PIQUE 2014-10 Sticky Keys |
Sysprep UAC Bypass using Process Injection | None | PIQUE 2014-11 Sysprep |
Windows File Protection Bypass using SFC | None | PIQUE 2014-11 Windows File Protection |
Stealth Components
Component | Reuse | Source
---|---|---
Remote DLL Injection via Mapping | Duggernaut, Shellfish | LL - Archimedes Loader |
Remote DLL Injection via Reflection | None | LL - Odysseus Loader |
Process Hollowing Implementation #1 | None | Known Malware |
Process Hollowing Implementation #2 | None | PIQUE 2014-10 Process Hollowing; PIQUE 2014-12 Advanced Process Hollowing |
Process Injection using SetWindowsLong | None | PIQUE 2014-10 Sticky Keys |
DLL Memory Loading with Exception Support | Icepick, Shellfish | NPS 2012-11 |
Code Injection using ZwContinue | None | PIQUE 2014-12 ZwContinue Injection |
PSP/Debugger/RE Avoidance Components
Component | Reuse | Source
---|---|---
Anti-Sandboxing: Wait for Mouse Click | None | Upclicker |
API Memcpy | None | Known Malware (Nuclear Exploit Pack) |
Debug Print Debugger Detection | None | Public Source Examples, FineReader |
MBR File Handle | StolenGoods | Known FIO Tool |
Run Out The Clock (PSP Avoidance) | None | Known Malware |
API Obfuscation using Hashes | None | PIQUE 2014-10 Advanced Function Call Obfuscation |
Software Target Keying | None | NPS 2012-11 |
Disable System Tray Popups | None | PIQUE 2014-12 Disable AV Popup |
Survey Components
Component | Reuse | Source
---|---|---
NetBIOS MAC Enumeration | None | PIQUE 2014-09 NetBIOS MAC |
File/Registry Change Notification | The Hound | PIQUE 2014-09 Persistence |
Miscellaneous
Component | Reuse | Source
---|---|---
Blind File Handle Enumeration | None | PIQUE 2014-10 File Handle Enumeration; PIQUE 2014-11 Advanced File Handle Enumeration |