By: Walker Rowe, March 13, 2017 (06:50 AM)

Wikileaks Vault 7 CIA Espionage Tools

Wikileaks Vault 7 CIA Espionage Tools

The worldwide media has widely reported on the loss of the CIA cyber arsenal to WikiLeaks. WikiLeaks calls this trove Vault 7. But the media, and most readers, are not IT people. So the articles do not give an exact view as to exactly what has been lost by the CIA, as the average newspaper reader will not understand that. Here we look at some of the details. We also point out what is missing, which is plenty. And there is the explosive charge not pursued by the press that the CIA broke an agreement they made with President Obama and the tech companies to disclose zero-day defects and quit hoarding those.

The CIA documents says the exploits they have in their arsenal were obtained from the NSA, Britain’s GCHQ, the American FBI and purchased from cyber weapon vendors: Anglerfish, Fangtooth, and others. They use the words “war” and “weapons” throughout their literature.

Where are the Zip Files?

There are no malware files attached to the WikiLeaks Vault 7 site. Instead there is the CIA org chart, meeting minutes, results of malware test plans, a Coding Style Book for programmers, technical explanations of the boot processes, instructions for system administrators, and code snippets of the malware. Much of the documentation is incomplete. Many pages actually say “incomplete” or “TODO” or “The referenced resource is currently not available.” This is the case even when there are multiple versions of the same document, and there are multiple versions of each doc. Also, the CIA appears to have redacted part of the docs, but not large sections. And WikiLeaks has removed all references to people’s names.

But the problem for regular programmers is the code snippets are not complete programs. The code snippets are for the most part written in C language. To make a working program from that you need header files and a make file, which is a file that collects and includes all the other pieces of code needed to compile a program. So it knows what are all the pieces needed to make it work.

Also the code snippets are snippets and not complete programs. In place you see a declaration like ClassName className = x where you cannot see the structure of the object ClassName because it is in a file that is not included. It is in a missing header (.h) file that is compiled at compile type.

What this means is the reader would have to have a deep working knowledge of the internals of Windows, Android, and OS internals to understand how and where the code can be applied and even how to attach it to a process. There are security measures built into these OS to prevent that. So Julian Assange is not holding onto the PirateBay of hacker tools that can be downloaded and used by anyone. But the tech companies who write this and security researchers and military hackers worldwide will study this to obtain working versions so they can understand how to fix their security flaws. And foreign spies might learn some CIA architectural design principles they could find useful. And since most many do not patch their home computers criminals can use these against those unpatched systems.

Julian Assange started his career as a hacker as a teenager in Australia and was jailed. So he knows his trove in incomplete. He said the day after the publication of the leak that more information would be going online. But there still is no section with zipped up code projects, make files, and headers that one would need to create a complete program, .dll (Windows subroutine), .apk (Android app), .so (Oracle Solaris subroutine). So while much has been written by The New York Times and others about how the CIA can turn a Samsung TV into a listening device, the question remains: how exactly do you do that?

CIA Lies to Tech Companies about Zero-Day Defects Despite Promise to Obama

One thing the media has not mentioned is that after the Edward Snowden episode the intelligence agencies promised they would not longer keep American software and hardware manufacturers in the dark about what zero-day defects they have created or purchased. President Obama promised that the Vulnerabilities Equities Process would be a formal way to let these companies know what security problems have been found with their products so the tech companies can fix them. Wikileaks in an its analysis that, “‘Year Zero’ documents show that the CIA breached the Obama administration’s commitments.”

This is no small gesture. It shows the spy agencies have lied to the manufacturer’s again, as they did under Bush.

Org Chart

The org chart is there. The CIA hacker groups are mainly broken into the Mobile Development Branch, iOS Group, Windows and Linux, Embedded Development Branch (EDB), Android Group, (C//NF) Network Operations Division, and Network Devices Branch (NDB).

Dump Memory on an iOS device

Let’s look at some of what Julian Assange has collected.

Below is a graphic showing some of the exploits obtained by the iOS group, where they came from, the type, etc. The complete list is too long to fit on the screen here.

CIA Vault7 iOS Exploits

There are these specific instructions as well. This shows how to dump memory on an iOS device into a file which can then be read:

python redux execute – Build/Release-iPhoneOS/elutil/12/el_read -rs 0xffffff8002002000 0x1800000 > /tmp/kernelcache_ascii

0xffffff8002002000 is the address of the kernel in memory. Redux is a container for iOS apps. A container is a Linux concept now ported to Windows AND iOS that runs processes in memory that do not have access to items outside of their process. his is for security reasons. It is supposed to be an anti-hacking measure, but here it is being used by hackers. There is irony here.

In order use this the hacker would connect an iPhone to a Mac with a USB cable and use the Swift development environment (Swift is the language used to program iOS.) to obtain a command prompt on the iPhone.

Notice the first command “python.” The Python programming language and interpreter is included with almost all versions of Unix. Mac OS x, Android, Linux are all based on Unix and Linux. The Python command line is running the Python program redux (not sure who wrote this or if it is an iOS tool). The argument > /tmp means save the output to that file. That is the the memory contents.


There are some examples we can look at on the Android exploits section.

As you can see, they have their own list:

CIA Vault7 Android Tools

RoidRage Debuggerd Startup (kitkat)

The CIA uses code it wrote, the manufacturer’s own code, and open source code on the internet to hack devices. For example they use Android rild subroutine to interact with the Samsung radio. Obviously a cell phone is a radio receiver and transmitter as it sends all its cellular traffic that way.

The CIA recommends that their employees read the book “Android Internals: A Confectioner’s Cookbook” so they will be able to understand exploits like Roid Rage. Like many of the other exploit kits, this uses tools built into the OS, in this case Debuggerd. The source code for Debuggerd (Debugger remote daemon, which can attach to an debug a remote process) is right here, since Android is opensource. The hackers study that and look for a subroutine they can instantiate to gain access to memory and cause their own code to run. The most advanced hacking is always some variation of exploiting memory.

In this case, they hacker loads their own library in the init function in Debuggerd. They fork a process that they cause to crash so they can get register value. (Register is memory located right on the CPU. Each holds one instruction or one value at a time). Then they move an array of objects from memory to Ramdisk where Android kicks in and decrypts it for them as a natural function of Android. Then they use pstate to restart the crashed process, but with the new address of the code to load, their code.

Remote Development Branch (RDB)

The networking section does not have a lot of details. If one is looking there for code to snatch the WEP or WPA code for a wireless router they will be disappointed. But there are instructions on how to replace the boot code on the Linksys WAG200G using a LAN cable without requiring a password. When you plug in the PC to the router you get an IP address and a prompt. So set it up on the Linksys WAG200G turn off DHCP and WLAN. Then upload the mod-clients shell and replace linksys.cfg

Nero DVD and CD Burner Exploit

Hamerdrill is 32 bit code that attaches itself to the nero.exe DVD and CD burning software. It replaces the Nero subroutine that reads data to write with code it has injected into a running Windows process that Hammerdrill has created.

Windows: DirectInput Keylogger

This one uses a joystick ActiveX control DirectInput function in the Direct X multimedia library in Microsoft windows. It uses the function which gives it keyboard state so that is can record keyboard strokes. It saves the position of the keys as 1 (yes, pressed) no (0, not pressed) in a 256 bit array. So that is a view of the whole keyboard at any one time.

Below is the C code shown it polling all of 255 keys (There are 255 characters in the ASCII character set.) and checking state. It declares a byte array keystate to store the values. BYTES are just 1s and 0s.

BYTE keystate[256];

for (int i = 0; i < 256; i++)
if (keystate[i] != 0)
wsprintf (temp, L”%d(%d) “, i, keystate[i]);
lstrcat(pState, temp);

Walker Rowe
Walker Rowe is an American freelance tech writer and programmer living in Chile. He specializes in big data analytics, cybersecurity, and IoT and publishes the website

Notice: The views expressed here are those of the authors and do not necessarily represent or reflect the views of Cursive Security.

Be Informed. Stay One Step Ahead.

Sign up for our newsletter and stay up to date with the latest industry news, trends, and technologies