Vault7: CIA Hacking Tools Revealed
Navigation: » Latest version
COM + Junction Folder User Persistence (PSDComJunction_HCLS - HighClass)
SECRET//NOFORN
OSB Library: Persistence
Module Name: PSDComJunction_HCLS (HighClass)
Module Description: This module is a user-privilege-level persistence technique. The technique makes modifications to the HKEY_CURRENT_USER registry hive. Upon logon, a dll is loaded (via ProcessAttach). Only tools or shims that do all of their work in dllmain should use this persistence mechanism. The persistence technique works for Windows XPWindows operating system (Version) through Windows 8.1, 32 and 64-bit OSs. Upon logon, the persisted dll is loaded by Explorer.exe (a user process). To understand more of the tecnique, see CLSIDs and Junction Folders (Persistence and then some) SECRET. This module places the junction folder in different places for different OSs. In Windows XP, Windows Vista, and Windows 8.0, a junction folder is placed inside the start-menu folder structure (Start Menu\Programs\Accessories). On Windows 7 and Windows 8.1, the junction folder is placed in Appdata\Roaming\Microsoft and a modification to a library file is made (Appdata\Roaming\Microsoft\Windows\Libraries). If there are no library files present, the technique used in XP, Vista and 8 is used instead. The junction folder has no subfolders/files. The library file is modified to add the path of the junction folder, triggering the loading of the dll. Be aware that on different OSs, the dll may be loaded (process attach is called) multiple times. The user of this persistence mechanism should use this technique only on tools aware of already running instances.
PSP/OS Issues: No known issues (XPWindows operating system (Version) - 8.1)
('excerpt' missing)
Sharing Level: Unilateral
Technique Origin: In-house
Notes:
- Should only be used to persist user-level-privilege applications.
- Requires that the CLSID you choose to use is not already being used. The function should return ePERSIST_CLSID_ALREADY_EXISTS if the CLSID already exists on the system.
- The persistence is only a process attach to an architecture specific dll - the dll being persisted should always match the architecture of the OSOperating System regardless of the architecture of the application setting the persistence.
- The dll may be loaded multiple times in one session
- Navigation inside of the junction folder causes the loading of the dll
- Two different code paths are used for full coverage, one manipulates library files while the other places the junction folder inside of the Start Menu heirarchy
- If Start Menu\Programs\Accessories does not exist, the junction folder is placed directly underneath "Start Menu"
- Modifications are made specifically to HKEY_CURRENT_USER
Module Specific Structures:
enum eArch
{
x86 = -1, //mix up numbers so we don't look like a shared struct with other modules
x64 = 1
};
struct ComJunction_HCLS
{
WCHAR *wcCLSID; //COM CLSID - can be derived using Visual Studios Create GUIDGlobally Unique Identifier (registry format)or Windows APIApplication Programming Interface UuidCreate
WCHAR *wcClassName; // The name of the COM class - this can be left empty
WCHAR *wcFolderName; //The name of the junction folder.
eArch xArch; // Architecture of the dll being persisted
};
Example Code:
IPersistence *pPersist = new PSDComJunction_HCLS();
ComJunction_HCLS cjArgs;
cjArgs.wcClassName = wcClassName;
cjArgs.wcFolderName = wcFolderName;
cjArgs.wcCLSID = wcCLSID; //Use CreateGuid to get CLSID - check return to see if it's already been used
cjArgs.xArch = x64;
PersistErr peErr;
//Setup Persistence
peErr = pPersist->PersistPayload(wcPayloadPath, (PVOID)&cjArgs);
//Remove persistence
peErr = pPersist->RemovePersistence((PVOID)&cjArgs);
SECRET//NOFORN