Grasshopper Module Guide - Wheat v1.0: Configuration and Driver Options

This document provides an overview, installation instructions, and usage details for the Wheat persistence module. Wheat is meant to deploy and install Windows driver payloads by dropping the payload file to disk, installing it in the registry, and then exiting without further interacting with the payload. It supports 32- and 64-bit drivers and records information about the installed driver in an XML receipt for tracking purposes. The document also outlines the module's footprint on the target and provides an example of the XML receipt format.


SECRET//ORCON//NOFORN

Grasshopper Module Guide - Wheat v1.0
June 2012
1 Overview  3
2 Installation  3
2.1 Configuration  3
2.2 Driver Options  3
3 Payload Execution  3
4 Footprint  3
5 Receipt  3
5.1 XML Example  3
5.2 Field Definitions  4

CL BY: 2355679
CL REASON: Section 1.5(c),(e)
DECL ON: 20370522
DRV FRM: COL 6-03

1 Overview
Wheat is a persistence module that deploys and installs a Windows Driver payload.
When a payload is chosen that uses this module, Wheat will drop the payload to
disk, install it, and exit immediately.
This module is meant to be used with existing drivers, and simply installs them. It
does not start them or interact with them.
The Wheat Module supports installing 32- and 64-bit drivers.

2 Installation
Wheat uses direct registry modification to register a payload as a Windows driver
using the user-provided configuration. If the module fails to install the payload, it
will delete any deployed components and remove the registry modifications.

2.1 Configuration
The following fields are configured at build time to specify Wheat's installation
behavior.
Field        Default  Description
Driver Name  None     Overt name of the Driver registry key.

2.2 Driver Options

The following installation options are used when installing the driver.
Field          Value  Description
Type           0x01   Specifies the type of the service as 'Driver'
Start          0x02   Specifies the start time of the service as 'Auto Load' during system startup
Error Control  0x03   Specifies the service as a Critical process

3 Payload Execution
Whenever the system starts, the Windows OS will run the payload as a Windows
driver. Wheat has no more interaction with the payload/system after installation.
The payload is responsible for deleting itself from the target.

4 Footprint
Wheat writes the unobfuscated payload binary to the target filesystem at
%SYSTEMROOT%\System32\drivers\<DriverName>.sys.

A registry key will be placed in HKLM\System\CurrentControlSet\services\<DriverName>.
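As an added defender-side example (not part of the Wheat guide or its tooling): the script below parses a regedit-style .reg export of the services hive and flags every service key whose Type, Start and ErrorControl carry the three values listed in section 2.2, reporting the driver path that section 4 implies for each hit. The key layout is the standard Windows services hive; the sample export embedded at the bottom is constructed, and the key name CoverName is a placeholder.

```python
import re

# Section 2.2 values; in SCM terms SERVICE_KERNEL_DRIVER, SERVICE_AUTO_START,
# SERVICE_ERROR_CRITICAL. Section 4 puts the key directly under the services hive.
WHEAT_VALUES = {"Type": 0x01, "Start": 0x02, "ErrorControl": 0x03}
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_export(text):
    """Map key path -> {value name: int} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys[current] = {}
            continue
        val = DWORD_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = int(val.group(2), 16)
    return keys

def find_wheat_candidates(keys):
    """Return (driver name, expected .sys path) for keys matching section 2.2."""
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        name = path[len(SERVICES_PREFIX):]
        if all(values.get(k) == v for k, v in WHEAT_VALUES.items()):
            # Section 4 footprint: %SYSTEMROOT%\System32\drivers\<DriverName>.sys
            hits.append((name, "%SYSTEMROOT%\\System32\\drivers\\" + name + ".sys"))
    return hits

# Constructed sample: a boot-start driver with a normal ErrorControl, and one
# key (placeholder name CoverName) carrying every value from section 2.2.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ErrorControl"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CoverName]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000003
"""
```

A real export produced by `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` is UTF-16 with a BOM, so decode it as utf-16 before passing it to parse_reg_export; each hit's .sys path should then be checked against a known-good driver baseline.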


5 Receipt
Wheat's configuration is recorded in the Grasshopper receipt at build time under
build.xml. An example and a description of the XML format are provided below.

5.1 XML Example

<PersistModule>
  <UUID>9d03da02ab3a47d7bd28c9a776ba9806</UUID>
  <DriverInstall>
    <DriverName>Cover Name</DriverName>
  </DriverInstall>
</PersistModule>

5.2 Field Definitions

UUID
  The universally unique identifier for the module variant used in the build.
DriverInstall
  The driver configuration information used by the Wheat module.
DriverName
  The overt name of the driver created by the module. The driver name is used as
  the key in the registry.


Appendix A: Change Log

Date     Change Description                            Authority
05/2012  Document Initialization                       2355679
09/2012  Update for Grasshopper v1.0 Phase 2 Delivery  2355679
11/2012  Update for Grasshopper v1.0.1 Delivery        2355679
