0x00 Preface
---
In the previous article, 'CIA Hive Testing Guide – Source Code Acquisition and Brief Analysis', we studied the documents codenamed Vault 8 released by WikiLeaks and gave a brief analysis of Hive, the server-side remote control tool.
This article continues the analysis of the CIA-related material released by WikiLeaks, introducing the Windows backdoor exploitation methods listed under the Remote Development Branch (RDB) of Vault 7.
Material address:
https://wikileaks.org/ciav7p1/cms/page_2621760.html
0x01 Introduction
---
This article analyzes the following backdoor exploitation methods:
- VBR Persistence
- Image File Execution Options
- OCI.DLL Service Persistence
- Shell Extension Persistence
- Windows FAX DLL Injection
0x02 VBR Persistence
---
Used to execute a backdoor during the Windows startup process; it is capable of hooking kernel code.
VBR stands for Volume Boot Record (also known as the Partition Boot Record).
The corresponding tool is Stolen Goods 2.0 (not publicly released).
Documentation address for Stolen Goods:
https://wikileaks.org/vault7/document/StolenGoods-2_0-UserGuide/
Features:
- Can load drivers during the Windows startup process (drivers do not require signatures)
- Compatible with WinXP (x86), Win7 (x86/x64)
This method is derived from https://github.com/hzeroo/Carberp
Note:
The source code included in https://github.com/hzeroo/Carberp is worth studying in depth.
0x03 Image File Execution Options
---
Redirects the execution of a program to another executable through a registry setting.
Modification method (hijacking notepad.exe):
Registry path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Create a new key named notepad.exe
Under it, create a new string value named Debugger with the data "C:\windows\system32\calc.exe"
Corresponding cmd command:
reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\calc.exe" /f
When notepad.exe is started, the program actually executed is "C:\windows\system32\calc.exe"
Note:
Modifying the registry at this location is typically intercepted by antivirus software.
0x04 OCI.DLL Service Persistence
---
Uses the MSDTC service to load a dll (oci.dll), so that the dll runs automatically whenever the service starts.
This backdoor was used by Shadow Force in domain environments; the documentation suggests that the CIA also found that the method works in non-domain environments.
I introduced this exploitation method in a previous article; the address is:
https://some-open-source-project/Use-msdtc-to-maintain-persistence/
The method used in my article saves the dll in C:\Windows\System32\
The method used by the CIA saves the dll in C:\Windows\System32\wbem\
Both locations work: the MSDTC service searches these two locations in sequence when it starts.
0x05 Shell Extension Persistence
---
Hijacks the startup process of explorer.exe via a COM dll.
I have also introduced this approach in a previous article; the address is as follows:
https://some-open-source-project/Use-COM-Object-hijacking-to-maintain-persistence-Hijack-explorer.exe/
Note:
This method has been used by several well-known malware families, such as COMRAT, the ZeroAccess rootkit, and BBSRAT.
0x06 Windows FAX DLL Injection
---
Hijacks Explorer.exe's loading of fxsst.dll through DLL hijacking.
Explorer.exe loads c:\Windows\System32\fxsst.dll at startup (the fax service is enabled by default).
Because Explorer.exe resides in c:\Windows, a file saved as c:\Windows\fxsst.dll is found first in the DLL search order; saving payload.dll there therefore hijacks Explorer.exe's loading of fxsst.dll.
This is an earlier, publicly disclosed exploitation method; reference link as follows:
https://room362.com/post/2011/2011-06-27-fxsstdll-persistence-the-evil-fax-machine/
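As an added defender-side example (not part of the original article or of the tools it describes), the following PowerShell audit checks a host for the three artifact locations discussed in sections 0x03, 0x04 and 0x06: IFEO Debugger values, oci.dll in the two MSDTC search locations, and a fxsst.dll placed directly under the Windows directory. The function name and output shape are assumptions of this example.

```powershell
# Audits the three persistence locations described above and returns one
# record per finding. Constructed example; run from an elevated prompt.
function Get-PersistenceFindings {
    $findings = @()

    # 1. Image File Execution Options: any Debugger value deserves review,
    #    since real debuggers are rarely registered this way on production hosts.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($key in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $key.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{
                Check = 'IFEO Debugger'; Item = $key.PSChildName; Value = $dbg
            }
        }
    }

    # 2. MSDTC oci.dll: the service probes these two paths in order. On a host
    #    without Oracle client software, a file in either location is suspicious.
    $ociPaths = @("$env:SystemRoot\System32\oci.dll",
                  "$env:SystemRoot\System32\wbem\oci.dll")

    # 3. fxsst.dll: the legitimate copy lives in System32. A copy directly under
    #    %SystemRoot% shadows it when Explorer.exe resolves the DLL, so only that
    #    path is checked here.
    $fxsPaths = @("$env:SystemRoot\fxsst.dll")

    foreach ($p in ($ociPaths + $fxsPaths)) {
        if (Test-Path -Path $p -PathType Leaf) {
            $sig = Get-AuthenticodeSignature -FilePath $p
            $findings += [pscustomobject]@{
                Check = 'DLL search-order hijack'
                Item  = $p
                Value = "$($sig.Status) / $($sig.SignerCertificate.Subject)"
            }
        }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize
```

An empty result means none of the three locations is populated; an unsigned or unexpectedly signed DLL, or any Debugger value pointing outside a known debugger installation, should be investigated.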
0x07 Summary
---
This article analyzed the Windows backdoor exploitation methods listed under the Remote Development Branch (RDB) of Vault 7, showing that this content draws on publicly disclosed exploitation methods.
I have systematically collected publicly disclosed Windows backdoor exploitation methods (including my own disclosed methods), address as follows:
An open-source project