Vault 7: CIA Hacking Tools Revealed
Navigation: » Latest version
Stash Repository: Execution Vectors Library
The interface for the Execution Vectors Library specifies an Infect function be written. The prototype is as follows:
EVRET Infect(WCHAR *wcPath, PVOID pvClassStruct);
The wcPath variable describes what should be infected (i.e. drive, directory, file). The pvClassStruct will be a per class structure that contains further configuration arguments. Since execution vectors vary more than other libraries a PVOID was chosen to allow for greater flexibility amongst modules. The User Is responsible for allocating and de-allocating all of the arguments passed to the function.
Naming convention of classes in the Execution Vectors library:
- Prefix EVExecution Vector (Execution Vector)
- Indication that the class is for Infection (Infecting a file, path, etc), or Execution (code to be implemented post execution)
- Medium of delivery to target (file, removable media, network share, etc)
- Infection label (link file, word document, pdf, trojan, etc)
- _ Crypt specifying tool/technique, abbreviated to 2-3 letters (EZC = EZCHEESE, Rap = Raptor, etc)
EV = Execution Vector
I = Infection class
Removable Media = Execution gained by infecting removable media
Link = Link File Exploit
_EZC = EZCHEESE Exploit
All modules should be compatible with Windows XPWindows operating system (Version) through the current version of Windows. This does not mean that all functionality be present. It does mean, however, that code should not crash the parent process of the library when running on Windows XPWindows operating system (Version) or greater.
Execution Vector List:
Removable Media Link File Exploitation (EZCHEESE) - Class Name: EVRemovableMediaLink_EZC
- Network Share Link File Exploitation (DRIFTINGSHADOWS) - Class Name: EVNetworkShareLink_DS
Execution Vector Library Error Code Descriptions:
typedef int EVRET; //Return Code Type For Execution Vector Library
Error codes 30 through 50 and -30 through -50 are reserved for per class error codes.
Error codes >= 0 are successful. The return code will work with the SUCCESS() and FAILED() macros.
//General Error codes for Execution Vectors Library (does not include per class error codes) #define EVRET_FILE_ALREADY_EXISTS 10 //File Already Exists #define EVRET_SUCCESS 0 //Generic success #define EVRET_UNKNOWN -1 //Unknown Failure : Unimplemented or undefined #define EVRET_INVALID_ARGS -2 //Invalid Arguments #define EVRET_BAD_PATH -3 //Path not valid #define EVRET_INSUFFICIENT_MEM -4 //Out of memory
Code Sample Using The Library Interface: