
Boaz Mini-Evasion Tool (for educational purposes)

BOAZ (Bypass, Obfuscate, Adapt, Zero-Knowledge) evasion was inspired by the concept of the onion-layered approach, the evasive counterpart of defence-in-depth (Swinnen & Mesbahi, 2014). It was developed to aid penetration testing and antivirus defence testing.

BOAZ aims to bypass pre-execution and during-execution detections spanning signature, heuristic and behavioural detection techniques. BOAZ supports any x64 binary (PE) or raw payload as input. It has been tested on separate Windows 11 VMs with 14 desktop AVs installed. The design of BOAZ evasion is modularised so users can add their own toolset or new techniques to the tool at will. It is written in both C and C++, and uses Python as the main program to link all modules together.

This tool has an alternative use: it can function as a packer or obfuscator to protect any x64 binary.

Features

  • Modular Design: Easily extendable with new tactics and techniques by adding scripts.

  • Signature Evasion - Obfuscation: Pluto and Akira LLVM-based obfuscation including string encryption and control flow flattening.

    • Codebase obfuscation:
      • Function names and strings are obfuscated using characters from [0-9a-zA-Z_] by 3 randomly selected generators: mt19937, minstd_rand and ranlux48_base
      • Shikata Ga Nai (SGN) encoding
    • Payload encoding (T1132):
      • UUID (Universally Unique Identifier)
      • MAC
      • IP4 format
      • base-64
      • base-58
      • AES
      • AES with divide and conquer to bypass logical path hijacking
    • Compilation time obfuscation (LLVM, T1140, T1027):
      • Pluto:
        • bcf: Bogus Control Flow
        • fla: Control Flow Flattening
        • gle: Global Variable Encryption
        • mba: Mixed-Boolean Arithmetic expressions (MBA)
        • sub: Instruction Substitutions
        • idc: Indirect Call Promotion
        • hlw: Hide LLVM IR Level Warnings
      • Akira:
        • Indirect jumps and encrypted jump targets
        • Encrypted indirect function calls
        • Encrypted indirect global variable references
        • String encryption
        • Procedure-related control flow flattening
    • Stripped binary (T1027.008)
    • Two methods to reduce entropy to below threshold by padding Pokémon names or null bytes
    • Signed certificate (T1036.001)
  • Heuristic Evasion: Divide and conquer strategy with junk API instructions, API unhooking technique and modularized execution to disrupt heuristic analysis.

    • Anti-Emulation (T1497): checks based on file system operations, process and network information, and the “offer you have to refuse” technique [15, 38]. A simple heuristic applies: if 2 or more checks fail, execution stops.
    • Junk API instructions (“no-op” calls, or mimicry attack): 5 benign API functions are inserted to vary the API call sequence
    • API Unhooking:
        1. Read the syscall stub from the original ntdll on disk and rewrite the loaded ntdll’s stub
        2. Custom Perun’s Fart unhooking
        3. Halo’s gate (TartarusGate)
    • Sleep obfuscation: custom Ekko (CreateTimerQueueTimer) with an arbitrary sleep time chosen at run time
    • Stack encryption sleep: local variables and shellcode are stored on the stack, a region of memory that is available for scanning both in emulator pre-execution and post-execution, so it is encrypted while sleeping.
    • PIC converters (T1027.009, T1027.002, T1620):
      • Donut (by TheWover)
      • PE2SH (from the author of process-hacker)
      • RC4-encrypted converter
      • Amber (by Ege Balcı)
  • Behavioral Evasion: Utilizes various process injection techniques to evade behavioral detection.

    • Various code execution and process injection loaders (T1055, T1106, T1027.007): A variety of loaders for different evasion scenarios
    • Two LLVM-obfuscation compilers (T1027)
    • Output DLL/CPL (side-loading) (T1574.002, T1218.011/002)
    • ETW-patching (patch ETW stub with “xor rax, rax; ret”) (T1562.006)
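As an added example (not code from the BOAZ repository), the check below shows why the entropy-reduction feature above works against a whole-file entropy measurement and what a detection engineer can do about it: a windowed maximum still exposes the high-entropy region inside a null-padded file. The sample bytes, the 7.0 threshold and the 256-byte window are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample data (not taken from the BOAZ repository):
# a stand-in for an encrypted/packed payload region, and the same region
# followed by a block of null bytes, which is the kind of output the
# null-byte post-processing step described above produces.
HIGH_ENTROPY = bytes(range(256)) * 8          # 2048 bytes, every value equally likely
PADDED = HIGH_ENTROPY + b"\x00" * 2048        # 4096 bytes, half of them 0x00

# Assumed illustrative threshold in bits per byte; real scanners choose their own.
THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Highest entropy seen in any fixed-size, non-overlapping window."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def entropy_verdict(data: bytes, threshold: float = THRESHOLD, window: int = 256) -> dict:
    """Compare a whole-buffer check with a windowed check.

    Whole-buffer entropy is what null-byte padding defeats; the windowed
    maximum still flags the high-entropy region inside the padded buffer.
    """
    whole = shannon_entropy(data)
    windowed = max_window_entropy(data, window)
    return {
        "whole_file_entropy": round(whole, 3),
        "max_window_entropy": round(windowed, 3),
        "whole_file": whole >= threshold,
        "windowed": windowed >= threshold,
    }


if __name__ == "__main__":
    print("unpadded:", entropy_verdict(HIGH_ENTROPY))
    print("padded:  ", entropy_verdict(PADDED))
```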

Prerequisites

  • Linux environment with Wine configured.
  • CMake, Git, GCC, G++, MingW and other build essentials installed.

Installation and Compilation

  1. Install required packages:
sudo bash requirements.sh
  2. Caveats:

It should be noted that the SGN encoder can sometimes generate bad characters, so use it with caution. requirements.sh installs LLVM, which takes a while to complete. BOAZ can be run without the -llvm option; however, the output is not optimised without it.

Usage

Example usage:

python3 Boaz.py -f ~/testing_payloads/notepad_64.exe -o ./alice_notepad.exe -t donut -obf -l 1 -c pluto -e uuid -g

Refer to the help command for more details on usage:

python3 Boaz.py -h 
usage: Boaz.py [-h] -f F [-o OUTPUT_FILE] [-divide] [-l LOADER] [-dll] [-cpl] [-sleep] [-a] [-etw] [-j] [-dream [DREAM]] [-u]
               [-g] [-t {donut,pe2sh,rc4,amber}] [-sgn] [-e {uuid,xor,mac,ipv4,base64,base58,aes,aes2}]
               [-c {mingw,pluto,akira}] [-mllvm MLLVM] [-obf] [-w [SYSWHISPER]] [-entropy {1,2}] [-s [SIGN_CERTIFICATE]]

Process loader and shellcode.

options:
  -h, --help            show this help message and exit
  -f F                  Path to binary.exe
  -o OUTPUT_FILE, --output-file OUTPUT_FILE
                        Optional: Specify the output file path and name. If not provided, a random file name will be used in
                        the ./output directory.
  -divide               Divide flag (True or False)
  -l LOADER, --loader LOADER
                        Loader number (must be a non-negative integer)
  -dll                  Compile the output as a DLL instead of an executable, can be run with rundll32.exe
  -cpl                  Compile the output as a CPL instead of an executable, can be run with control.exe
  -sleep                Obfuscation Sleep flag with random sleep time (True or False)
  -a, --anti-emulation  Anti-emulation flag (True or False)
  -etw                  Enable ETW patching functionality
  -j, --junk-api        Insert junk API function call at a random location in the main function (5 API functions)
  -dream [DREAM]        Optional: Sleep with encrypted stacks for specified time in milliseconds. Defaults to 1500ms if not
                        provided.
  -u, --api-unhooking   Enable API unhooking functionality
  -g, --god-speed       Enable advanced unhooking technique Peruns Fart (God Speed)
  -t {donut,pe2sh,rc4,amber}, --shellcode-type {donut,pe2sh,rc4,amber}
                        Shellcode generation tool: donut (default), pe2sh, rc4, or amber
  -sgn, --encode-shellcode
                        Encode the generated shellcode using sgn tool.
  -e {uuid,xor,mac,ipv4,base64,base58,aes,aes2}, --encoding {uuid,xor,mac,ipv4,base64,base58,aes,aes2}
                        Encoding type: uuid, xor, mac, ip4, base64, base58 AES and aes2. aes2 is a devide and conquer AES
                        decryption to bypass logical path hijacking. Other encoders are under development.
  -c {mingw,pluto,akira}, --compiler {mingw,pluto,akira}
                        Compiler choice: mingw (default), pluto, or akira
  -mllvm MLLVM          LLVM passes for Pluto or Akira compiler
  -obf, --obfuscate     Enable obfuscation (optional)
  -w [SYSWHISPER], --syswhisper [SYSWHISPER]
                        Optional: Use SysWhisper for direct syscalls. 1 for random syscall jumps (default), 2 for compiling
                        with MingW and NASM.
  -entropy {1,2}        Entropy level for post-processing the output binary. 1 for null_byte.py, 2 for pokemon.py
  -s [SIGN_CERTIFICATE], --sign-certificate [SIGN_CERTIFICATE]
                        Optional: Sign the payload using a cloned certificate from the specified website. Defaults to
                        www.microsoft.com if no website is provided. 

Evasion Modules

[Image: Evasion101]

Process Injection Loaders

[Image: Process_injection_101]

Example:

Mimikatz.exe (x64 release) wrapped with Boaz evasion: the detection rate for the wrapped Mimikatz was zero on Jotti.

Roadmap

  • Docker: Make it available with Docker without installation
  • Loaders: Implement more loader templates (process injection and code execution methods) with a divide and conquer option available.
  • Obfuscation: Enhancing obfuscation methods and integrating new LLVM passes.
  • Shellcode Generation: Expand to include more techniques, e.g., PIC generated from arbitrary command, and offer users the choice of shellcode generation technique.
  • Sleep Techniques: Implementing additional anti-emulation and sleep techniques, like encrypting heap and stack while sleeping during pre-shellcode-execution phase.
  • Syscall: Improving Syswhisper2 integration for signature reduction. (e.g. on detecting virtual machine introspection and dynamic binary instrumentation)
  • Compilation: Integrate additional compiler options, such as the Cosmopolitan compiler.
  • File format: Support more file formats, so that users can execute samples with signed utilities and have more options.
  • Binder: add binder options.
  • Modularised modules: Although Boaz has all its implementations modularised in concept, it is not 'actually' modularised in its current beta version. Owing to the fact that this tool is a side project for my dissertation, I need to find time to separate each function into an actual module and ensure that each is presented with a template, so that users can add a new technique and integrate it into the main programme without needing to change the main programme or other modules.
  • Templates: using YAML and JSON files to configure and modularise the program.

Contributing

We welcome contributions to improve the Boaz Evasion Tool. Please review CONTRIBUTING.md for guidelines on how to submit contributions.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Acknowledgments

A special thanks to the researchers and developers whose work has inspired and made this tool possible.

And many more blogs and articles. Please feel free to add more...

Contact

For any queries or contributions, please contact the repository owner.