README.md

BOAZ Evasion Tool (for educational purpose)

Features | Installation | Usage | Evasion Module

Description

BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) evasion was inspired by the concept of multi-layered approach which is the evasive version of defence-in-depth (Swinnen & Mesbahi, 2014). It was developed to aid the security testing and antivirus defence evaluation.

BOAZ aims to bypass the before and during execution phases that span signature, heuristic and behavioural-based detection methods. BOAZ supports x64 binary (PE) or raw playload (.bin) as input. It has been tested on separated Window-11 VMs with 14 Desktop AVs. The design of BOAZ evasion is modularised so users can add their own toolset, encoding or new techniques to the framework at will. It is written in both C and C++, and uses Python as the main program to link all modules together.

For students and researchers in offensive security, no advanced programming or scripting knowledge or skills are required to use BOAZ to generate undetectable polymorphic samples.

This tool has an alternative use: it can function as a packer or obfuscator.

Features

• Modular Design: Easily extendable with new tactics and techniques by adding scripts.

• Signature Evasion:

  • LLVM IR level Obfuscation: Pluto and Akira LLVM-based obfuscation including string encryption and control flow flattening.
  • CodeBase obfuscation:
    • Function name and string obfuscated from chars: [0-9a-zA-Z_] by 3 randomly selected algorithms: Mt19937, MinstdRand and ranlux48_base.
    • Shikata Ga Nai (SGN) encoding.
  • Payload encoding (T1132):
    • UUID (Universally Unique Identifier)
    • MAC
    • IP4 format
    • base-64
    • base-45
    • base-58
    • Chacha20
    • AES
    • AES with divide and conquer to bypass logical path hijacking
  • Compilation time obfuscation (LLVM, T1140, T1027):
    • Pluto:
      • bcf: Bogus Control Flow
      • fla: Control Flow Flattening
      • gle: Global Variable Encryption
      • mba: Mixed-Boolean Arithmetic expressions (MBA)
      • sub: Instruction Substitutions
      • idc: Indirect Call Promotion
      • hlw: Hide LLVM IR Level Warnings
    • Akira:
      • Indirect jumps and encrypted jump targets
      • Encrypted indirect function calls
      • Encrypted indirect global variable references
      • String encryption
      • Procedure-related control flow flattening
  • Stripped binary (T1027.008)
  • Two methods to reduce entropy to below threshold by padding Pokémon names or null bytes
  • Signed certificate (T1036.001)
  • Metadata copied from window binary (T1036)

• Heuristic Evasion:

  • Anti-Emulation (T1497): checks based on file system operation, process and network information and “offer you have to refuse” [15, 38]. A simple heuristic that if 2 or more checks are failed, execution will stop.
  • Junk API instructions (“no-op” calls, or mimicry attack): 5 benign API functions to vary the API call sequences
  • API Unhooking:
    • 1. Read the syscall stub from the original ntdll and rewrite the loaded ntdll’s stub
    • 2. Custom Peruns’ Fart unhooking
    • 3. Halo’s gate (TartarusGate)
  • Sifu Memory Guard
    • New memory guard inspired by hardware breakpoints hooking techniques (Loader 48, 48, 51, 52, 57)
  • Sleep obfuscation: Custom Ekko (CreateTimerQueueTimer) with arbitrary sleep time invoked at run time
  • Stack encryption sleep: Local variables and shellcode were being stored on stack. This part of memory is available for scanning both in emulator pre-execution and post-execution.
  • PIC convertor (T1027.009, T1027.002, T1620):
    • The donut (The Wover)
    • PE2SH (hasherezade)
    • RC4 encrypted convertor
    • Amber (by Ege Balcı)
    • Shoggoth (by frkngksl)

• Behavioral Evasion:

  • Various code execution and process injection loaders (T1055, T1106, T1027.007): A variety of loaders for different evasion scenarios
  • Two LLVM-obfuscation compilers (T1027)
  • Output DLL/CPL (side-loading) (T1574.002, T1218.011/002)
  • ETW-patching (patch ETW stub with “xor rax, rax; ret”) (T1562.006)
  • API name spoofing via IAT, using CallObfuscator by d35ha

Prerequisites

• Linux environment with Wine configured. Kali Linux or other Debian prefered.
• CMake, Git, GCC, G++, MingW, LLVM and other build essentials installed.

Installation

1. Install required packages::

git clone https://github.com/thomasxm/Boaz_beta/
cd Boaz_beta

bash requirements.sh

2. Cavets:

It should be noted that SGN encoder sometimes can generate bad characters, use with caution. requirements.sh will install LLVM, which takes a while to complete. BOAZ can be run without the -llvm handle; however, it is not optimised without the latter.

Usage

Example usage:

python3 Boaz.py -f ~/testing_payloads/notepad_64.exe -o ./alice_notepad.exe -t donut -obf -l 1 -c pluto -e uuid -g

Use a built ELF executable in Linux environment:

./Boaz -f ~/testing_payloads/notepad_64.exe -o ./alice_notepad.exe -t donut -obf -l 1 -c pluto -e uuid -g

Refer to the help command for more details on usage:

python3 Boaz.py -h 

./Boaz -h 

usage: Boaz [-h] -f INPUT_FILE [-o OUTPUT_FILE] [-divide] [-l LOADER] [-dll] [-cpl] [-sleep]
            [-a] [-etw] [-j] [-dream [DREAM]] [-u] [-g] [-t {donut,pe2sh,rc4,amber,shoggoth}]
            [-sd] [-sgn] [-e {uuid,xor,mac,ipv4,base45,base64,base58,aes,chacha,aes2,ascon}]
            [-c {mingw,pluto,akira}] [-mllvm MLLVM] [-obf] [-obf_api] [-w [SYSWHISPER]]
            [-entropy {1,2}] [-b [BINDER]] [-wm [WATERMARK]] [-s [SIGN_CERTIFICATE]]

Process loader and shellcode.

options:
  -h, --help            show this help message and exit
  -f INPUT_FILE, --input-file INPUT_FILE
                        Path to binary.exe
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        Optional: Specify the output file path and name. If not provided, a
                        random file name will be used in the ./output directory.
  -divide               Divide flag (True or False)
  -l LOADER, --loader LOADER
                        Loader number (must be a non-negative integer)
  -dll                  Compile the output as a DLL instead of an executable, can be run with
                        rundll32.exe
  -cpl                  Compile the output as a CPL instead of an executable, can be run with
                        control.exe
  -sleep                Obfuscation Sleep flag with random sleep time (True or False)
  -a, --anti-emulation  Anti-emulation flag (True or False)
  -etw                  Enable ETW patching functionality
  -j, --junk-api        Insert junk API function call at a random location in the main function
                        (5 API functions)
  -dream [DREAM]        Optional: Sleep with encrypted stacks for specified time in
                        milliseconds. Defaults to 1500ms if not provided.
  -u, --api-unhooking   Enable API unhooking functionality
  -g, --god-speed       Enable advanced unhooking technique Peruns Fart (God Speed)
  -t {donut,pe2sh,rc4,amber,shoggoth}, --shellcode-type {donut,pe2sh,rc4,amber,shoggoth}
                        Shellcode generation tool: donut (default), pe2sh, rc4, amber or
                        shoggoth
  -sd, --star_dust      Enable Stardust PIC generator, input should be .bin
  -sgn, --encode-sgn    Encode the generated shellcode using sgn tool.
  -e {uuid,xor,mac,ipv4,base45,base64,base58,aes,chacha,aes2,ascon}, --encoding {uuid,xor,mac,ipv4,base45,base64,base58,aes,chacha,aes2,ascon}
                        Encoding type: uuid, xor, mac, ip4, base64, base58 AES and aes2. aes2 is
                        a devide and conquer AES decryption to bypass logical path hijacking.
                        Other encoders are under development.
  -c {mingw,pluto,akira}, --compiler {mingw,pluto,akira}
                        Compiler choice: mingw (default), pluto, or akira
  -mllvm MLLVM          LLVM passes for Pluto or Akira compiler
  -obf, --obfuscate     Enable obfuscation of codebase (source code)
  -obf_api, --obfuscate-api
                        Enable obfuscation of API calls in ntdll and kernel32.
  -w [SYSWHISPER], --syswhisper [SYSWHISPER]
                        Optional: Use SysWhisper for direct syscalls. 1 for random syscall jumps
                        (default), 2 for compiling with MingW and NASM.
  -entropy {1,2}        Entropy level for post-processing the output binary. 1 for null_byte.py,
                        2 for pokemon.py
  -b [BINDER], --binder [BINDER]
                        Optional: Path to a utility for binding. Defaults to binder/calc.exe if
                        not provided.
  -wm [WATERMARK], --watermark [WATERMARK]
                        Add watermark to the binary (0 for False, 1 or no value for True)
  -s [SIGN_CERTIFICATE], --sign-certificate [SIGN_CERTIFICATE]
                        Optional: Sign the output binary and copy metadata from another binary
                        to your output. If a website or filepath is provided, use it. Defaults
                        to interactive mode if no argument is provided.

Evasion Modules

Process Injection Loaders

Example:

Boaz evasion wrapped Mimikatz.exe x64 release. The detection rate for wrapped Mimikatz is zero on Jotti:

Roadmap

• Docker: Make it available with Docker without installation
• Add a GUI for users: Web UI or Python UI.
• Loaders: Implement more loader templates (process injection and code execution methods) with a divide and conquer option available.
• COFF loaders: Implement COFF loader suppport.
• RISC-V VM Implement new loader using RISC-V VM concept.
• Obfuscation: Enhancing obfuscation methods and integrating new LLVM passes.
• Shellcode Generation: Expand to include more techniques, e.g., PIC generated from arbitrary command, and offer users the choice of shellcode generation technique.
• PIC Chain Reactions: ....
• Sleep Techniques: Implementing additional anti-emulation and sleep techniques, like encrypting heap and stack while sleeping during pre-shellcode-execution phase.
• Syscall: Improving Syswhisper2 integration for signature reduction. (e.g. on detecting virtual machine introspection and dynamic binary instrumentation)
• Compilation: Integrate additional compiler options like Cosmopolitan compiler.
• File format: Extend more file format supports, so that user can execute sample with signed utilities and more options.
• modularised modules: Although Boaz has all its implementations modularised in concept, it is not 'actually' modularised in its current beta version. Owing to the fact that this tool is a side project for my dissertation, I need to find time to separate each function into an actual module and ensure that each is presented with a template so that users can add a new technique and integrate it into the main program without the need to change the main program or other modules.
• Templates: using YAML and JSON files to configure and modularise the program.

Contributing

We welcome contributions to improve the Boaz Evasion Tool. Please review CONTRIBUTING.md for guidelines on how to submit contributions.

We welcome submissions to pull requests and issues.

This is in development, please feel free to reach out to me @thomasmeeeee on X for any suggestions!

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

A special thanks to the researchers and developers whose work has inspired, contributed to, and made this tool possible. All credit goes to the original authors of the techniques and tools:

• Inceptor - Bypass AV-EDR solutions combining well known techniques

• The donut

• avcleaner

• Pluto

• Arkari

• pe_to_shellcode

• Shellcode-Hide

• PE2Shellcode

• Amber

• Shoggoth

• Mangle

• CallObfuscator

• Stardust

• Carbon Copy

• Shikata ga nai

• x86matthew

• DarkLoadLibrary

• Red Team Notes

And many more blogs and articles. Please feel free to add more...

Contact

For any queries or contributions, please contact the repository owner.