Features | Installation | Usage | Evasion Module
Special thanks to Professor Rich Macfarlane @rjmacfarlane.
BOAZ (Bypass, Obfuscate, Adapt, Zero-trace) evasion was inspired by the concept of multi-layered approach which is the evasive version of defence-in-depth first mentioned in “One packer to rule them all” at BH USA14 (Swinnen & Mesbahi, 2014). BOAZ was developed to provide greater control over combinations of evasion methods, enabling more granular evaluations against antivirus and EDR [39].
BOAZ aims to bypass the before and during execution phases that span signature, heuristic and behavioural-based detection methods. BOAZ supports x64 binary (PE) or raw playload (.bin) as input. It has been tested on separated Window-11 Enterprise, Windows-10 and windows Server 2022 VMs (version: 22H2, 22621.1992) with 14 Desktop AVs and 7 EDRs installed include Windows Defender, Norton, BitDefender, Sophos and ESET. BOAZ’s modular design facilitates user customisation, enabling researchers to integrate their own toolsets or techniques. BOAZ is written in C++ and C and uses Python3 as the main linker to integrate all modules.
For students and researchers in offensive security, no advanced programming or scripting knowledge or skills are required to use BOAZ to generate undetectable polymorphic samples.
This tool has an alternative use: it can function as a packer or obfuscator.
-
Modular Design: Easily extendable with new tactics and techniques by adding scripts.
-
Signature Evasion:
- LLVM IR level Obfuscation: Pluto and Akira LLVM-based obfuscation including string encryption and control flow flattening.
- CodeBase obfuscation:
- Function name and string obfuscated from chars: [0-9a-zA-Z_] by 3 randomly selected algorithms: Mt19937, MinstdRand and ranlux48_base.
- Shikata Ga Nai (SGN) encoding.
- Payload encoding (T1132):
- UUID (Universally Unique Identifier)
- XOR
- MAC
- IP4 format
- base-64
- base-45
- base-58
- Chacha20
- RC4 (SystemFunction32/33)
- AES
- AES with divide and conquer to bypass logical path hijacking
- DES (SystemFunction002)
- Compilation time obfuscation (LLVM, T1140, T1027):
- Pluto:
bcf: Bogus Control Flowfla: Control Flow Flatteninggle: Global Variable Encryptionmba: Mixed-Boolean Arithmetic expressions (MBA)sub: Instruction Substitutionsidc: Indirect Call Promotionhlw: Hide LLVM IR Level Warnings
- Akira:
- Indirect jumps and encrypted jump targets
- Encrypted indirect function calls
- Encrypted indirect global variable references
- String encryption
- Procedure-related control flow flattening
- Pluto:
- Stripped binary (T1027.008)
- Two methods to reduce entropy to below threshold by padding Pokémon names or null bytes
- Signed certificate (T1036.001)
- Metadata copied from window binary (T1036)
-
Heuristic Evasion:
- Anti-Emulation (T1497): checks based on file system operation, process and network information and “offer you have to refuse” [15, 38]. A simple heuristic that if 2 or more checks are failed, execution will stop.
- Junk API instructions (“no-op” calls, or mimicry attack): 5 benign API functions to vary the API call sequences
- API Unhooking:
-
- Read the syscall stub from the original ntdll and rewrite the loaded ntdll’s stub
-
- Custom Peruns’ Fart unhooking
-
- Halo’s gate (TartarusGate)
-
- Sifu Memory Guard
- New memory guard inspired by hardware breakpoints hooking techniques (Loader 48, 49, 51, 52, 57)
- Sleep obfuscation: Custom Ekko (CreateTimerQueueTimer) with arbitrary sleep time invoked at run time
- Stack encryption sleep: Local variables and shellcode were being stored on stack. This part of memory is available for scanning both in emulator pre-execution and post-execution.
- PIC convertor (T1027.009, T1027.002, T1620):
- The donut (The Wover)
- PE2SH (hasherezade)
- RC4 custom encrypted converter
- Amber (by Ege Balcı)
- Shoggoth (by frkngksl)
- Stardust (by 5pider)
-
Behavioral Evasion:
- Various code execution and process injection loaders (T1055, T1106, T1027.007): A variety of loaders for different evasion scenarios
- Two LLVM-obfuscation compilers (T1027)
- Output DLL/CPL (side-loading) (T1574.002, T1218.011/002)
- Event tracing for windows (ETW) patching (hot patch NtTraceEvent with “xor rax, rax; ret”) (T1562.006)
- Patchless ETW bypass:
- The patchless method can avoid detection on patching instructions.
- EtwEventWrite and EtwEventWriteFull are wrappers call NtTraceEvent, which is a syscall. We can set up a Vectored Exception Handler (VEH) and configure a hardware breakpoint (HWBP) using RtlCaptureContext to capture the thread's context, then use NtContinue to update it. Inside the VEH handler, when NtTraceEvent is called, we can redirect RIP to the Ret instruction after the Syscall instruction, which is six instructions after the function start address. we also set Rax = 0, thereby bypassing the ETW event completely.
- API name spoofing via IAT, using CallObfuscator by d35ha
- Parent PID Spoofing (T1134.004)
- Process code injection and execution mitigation policy (M1038) (e.g. CFG, XFG, module tampering prevention, Structured Exception Handler Overwrite Protection (SEHOP), etc)
- Post-execution self-deletion: output binary can be marked as self-delete upon execution (T1070.004)
- Post-execution anti-forensic techniques: delete execution traces from various locations that do not require an admin privilege. For example:
- Modify arbitrary reg key last write time with NtSetInformationKey.
- Delete AmCache and ShimCache
- Copy $STANDARD_INFORMATION timestamp and zone identifier.
- New memory scanner evasion techniques:
- Conventional VEH memory guard
- PG (page guard) --> VEH (vectored exception handler)
- PG --> VEH --> VCH (vectored continued handler) stealth guard
- Virtual table hooking execution guard
- A new code execution and process injection primitive
- Threadless execution primitive 9S (Manual VEH to VCH execution)
- Threadless execution primitive 2B (Threadless virtual table pointer spoofing)
- Linux environment with Wine configured. Kali Linux or other Debian prefered.
- CMake, Git, GCC, G++, MingW, LLVM and other build essentials installed.
- Install required packages::
git clone https://github.com/thomasxm/Boaz_beta/
cd Boaz_betabash requirements.sh- Cavets:
It should be noted that SGN encoder sometimes can generate bad characters, use with caution. requirements.sh will install LLVM, which takes a while to complete. BOAZ can be run without the -llvm handle; however, it is not optimised without the latter.
Example usage:
python3 Boaz.py -f ~/testing_payloads/notepad_64.exe -o ./alice_notepad.exe -t donut -obf -l 1 -c pluto -e uuid Use a built ELF executable in Linux environment:
./Boaz -f ~/testing_payloads/notepad_64.exe -o ./alice_notepad.exe -t donut -obf -l 1 -c akira -e des -a Refer to the help command for more details on usage:
python3 Boaz.py -h ./Boaz -h usage: Boaz.py [-h] -f INPUT_FILE [-o OUTPUT_FILE] [-divide] [-l LOADER] [-dll] [-cpl] [-sleep]
[-a] [-cfg] [-etw] [-j] [-dream [DREAM]] [-u] [-g]
[-t {donut,pe2sh,rc4,amber,shoggoth}] [-sd] [-sgn]
[-e {uuid,xor,mac,ipv4,base45,base64,base58,aes,des,chacha,rc4,aes2,ascon}]
[-c {mingw,pluto,akira}] [-mllvm MLLVM] [-obf] [-obf_api] [-w [SYSWHISPER]]
[-entropy {1,2}] [-b [BINDER]] [-wm [WATERMARK]] [-d] [-af] [-icon]
[-s [SIGN_CERTIFICATE]]
Process loader and shellcode.
options:
-h, --help show this help message and exit
-f INPUT_FILE, --input-file INPUT_FILE
Path to binary.exe
-o OUTPUT_FILE, --output-file OUTPUT_FILE
Optional: Specify the output file path and name. If not provided, a
random file name will be used in the ./output directory.
-divide Divide flag (True or False)
-l LOADER, --loader LOADER
Loader number (must be a non-negative integer)
-dll Compile the output as a DLL instead of an executable, can be run with
rundll32.exe
-cpl Compile the output as a CPL instead of an executable, can be run with
control.exe
-sleep Obfuscation Sleep flag with random sleep time (True or False)
-a, --anti-emulation Anti-emulation flag (True or False)
-cfg, --control-flow-guard
Disable Control Flow Guard (CFG) for the loader template.
-etw Enable ETW patching functionality
-j, --junk-api Insert junk API function call at a random location in the main function
(5 API functions)
-dream [DREAM] Optional: Sleep with encrypted stacks for specified time in
milliseconds. Defaults to 1500ms if not provided.
-u, --api-unhooking Enable API unhooking functionality
-g, --god-speed Enable advanced unhooking technique Peruns Fart (God Speed)
-t {donut,pe2sh,rc4,amber,shoggoth}, --shellcode-type {donut,pe2sh,rc4,amber,shoggoth}
Shellcode generation tool: donut (default), pe2sh, rc4, amber or
shoggoth
-sd, --star_dust Enable Stardust PIC generator, input should be .bin
-sgn, --encode-sgn Encode the generated shellcode using sgn tool.
-e {uuid,xor,mac,ipv4,base45,base64,base58,aes,des,chacha,rc4,aes2,ascon}, --encoding {uuid,xor,mac,ipv4,base45,base64,base58,aes,des,chacha,rc4,aes2,ascon}
Encoding type: uuid, xor, mac, ip4, base45, base64, base58, AES, DES,
chacha, RC4 and aes2. aes2 is a devide and conquer AES decryption to
bypass logical path hijacking. Other encoders are under development.
-c {mingw,pluto,akira}, --compiler {mingw,pluto,akira}
Compiler choice: mingw (default), pluto, or akira
-mllvm MLLVM LLVM passes for Pluto or Akira compiler
-obf, --obfuscate Enable obfuscation of codebase (source code)
-obf_api, --obfuscate-api
Enable obfuscation of API calls in ntdll and kernel32.
-w [SYSWHISPER], --syswhisper [SYSWHISPER]
Optional: Use SysWhisper for direct syscalls. 1 for random syscall jumps
(default), 2 for compiling with MingW and NASM.
-entropy {1,2} Entropy level for post-processing the output binary. 1 for null_byte.py,
2 for pokemon.py
-b [BINDER], --binder [BINDER]
Optional: Path to a utility for binding. Defaults to binder/calc.exe if
not provided.
-wm [WATERMARK], --watermark [WATERMARK]
Add watermark to the binary (0 for False, 1 or no value for True)
-d, --self-deletion Enable self-deletion of the binary after execution
-af, --anti-forensic Enable anti-forensic functions to clean the execution traces.
-icon Enable icon for the output binary.
-s [SIGN_CERTIFICATE], --sign-certificate [SIGN_CERTIFICATE]
Optional: Sign the output binary and copy metadata from another binary
to your output. If a website or filepath is provided, use it. Defaults
to interactive mode if no argument is provided.
loader modules:
1. Custom Stack syscalls with threadless execution (local injection)
2. APC test alert
3. Sifu syscall
4. UUID manual injection
5. Remote mockingJay
6. Local thread hijacking
7. Function pointer invoke local injection
8. Ninja_syscall2
9. RW local mockingJay
10. Ninja syscall 1
11. Sifu Divide and Conquer syscall
12. [Your custom loader here]
14. Exit the process without executing the injected shellcode
15. Syswhispers2 classic native API calls
16. Classic userland API calls (VirtualAllcEx --> WriteProcessMemory --> CreateRemoteThread)
17. Sifu Syscall with Divide and Conquer
18. Classic userland API calls with WriteProcessMemoryAPC
19. DLL overloading
20. Stealth new Injection (WriteProcessMemoryAPC + DLL overloading)
21.
22.
23.
24.
25.
26. Stealth new Injection (3 WriteProcessMemoryAPC variants + custom DLL overloading + custom dynamic API-hashing)
27. Stealth new Injection (3 Custom WriteProcessMemoryAPC variants + custom DLL overloading + custom dynamic API-hashing + Halo's gate patching)
28. Halo's gate patching syscall injection + Custom write code to Process Memory by either MAC or UUID convertor + invisible dynamic loading (no loadModuleHandle, loadLibrary, GetProcessAddress)
31. MAC address injection
32. Stealth new injection (Advanced)
33. Indirect Syscall + Halo gate + Custom Call Stack
37. Stealth new loader (Advanced, evade memory scan)
38. A novel PI with APC write method and phantom DLL overloading execution (CreateThread pointed to a memory address of UNMODIFIED DLL.)
39. Custom Stack PI (remote) with threadless execution
40. Custom Stack PI (remote) Threadless DLL Notification Execution
41. Custom Stack PI (remote) with Decoy code execution
48. Stealth new loader + Syscall breakpoints handler with memory guard AKA Sifu breakpoint handler (hook on NtResumeThread)
49. Stealth new loader + Syscall breakpoints handler with memory guard evasion AKA Sifu breakpoint handler (hook on NtCreateThreadEx, with Decoy address, PAGE_NOACCESS and XOR)
51. Stealth new loader + Syscall breakpoints handler with memory guard evasion AKA Sifu breakpoint handler (hook on ntdll!RtlUserThreadStart and kernel32!BaseThreadInitThunk, with Decoy address, PAGE_NOACCESS and XOR)
52. RoP gadgets as the trampoline code to execute the magic code.
53.
54. Stealth new loader + Exception handler + Syscall breakpoints handler with memory guard evasion AKA Sifu breakpoint handler (hook on ntdll!RtlUserThreadStart and kernel32!BaseThreadInitThunk, with Decoy address, PAGE_NOACCESS and XOR)
56. This is a fork of Loader 37 with additional features. If -ldr flag is not provided, loader will add module (contains the shellcode) to the PEB module lists manually using code from Dark library.
57. A fork of loader 51 with XOR replaced with RC4 encryption offered by SystemFunction032/033.
58. VEH add hanlder. Add ROP Trampoliine to the kernel32!BaseThreadInitThunk for additional complexity to analyse.
59. SEH add hanlder. Add ROP Trampoliine to the kernel32!BaseThreadInitThunk for additional complexity to analyse.
60. Use Page guard to trigger first exception to set debug registers without using NtGetContextThread --> NtSetContextThread
61. Use Page guard to trigger first exception to set debug registers without using NtGetContextThread --> NtSetContextThread + Use VEH to set up breakpoints Dr0~Dr3, Dr7. Then use VCH to execute the code. So, no registers and stack pointer and instruction pointer changed in VEH.
62. New loader in progress.
63. Remote version of custom module loading loader 37. Remote module injection.
64.
65. Advanced VMT hooking with custom module loader 37.
66. A fork of L-65, with additional features such as optional PPID spoofing, multiple shellcode and DLL injection mitigation policies enabled on remote process.
67. A fork of L-65, with strange trampoline code to execute the magic code in both local and remote process.
68. New loader in progress.
69. A fork of L-61, manually set VEH and VCH and clean ups by remove the CrossProcessFlags from TEB->PEB.
...
73. VT Pointer threadless process injection, can be invoked with decoy address to any function or triggered by injected application (e.g. explorer). Memory guard available with RC4 entryption and PAGE_NOACCESS.
74. VT Pointer threadless process injection, can be invoked with decoy address to any function or triggered by injected application (e.g. explorer). Memory guard available with RC4 entryption and PAGE_NOACCESS. The VirtualProtect is being called within pretext.
75. Dotnet JIT threadless process injection. (coming soon)
76. Module List PEB Entrypoint threadless process injection. (coming soon)
White paper link: Coming soon...
- First four arguments of a callee function:
Rcx,Rdx,R8, andR9. - Additional arguments stored on the stack starting from
(Rsp + 0x28).
Boaz evasion wrapped Mimikatz.exe x64 release. The detection rate for wrapped Mimikatz is zero on Jotti:
Figure: Jotti scan results of boaz_mimi
Figure: Kaspersky EDR versus Mimikatz packed by Boaz
Figure: Kaspersky EDR versus Meterpreter reverse shell packed by Boaz
Figure: Sophos EDR versus Mimikatz packed by Boaz
- Docker: Make it available with Docker without installation
- Add a GUI for users: Web UI or Python UI.
- Loaders: Implement more loader templates (process injection and code execution methods) with a divide and conquer option available.
- Rust: Loader should be language agnostic. Rust loader would be a good alternative.
- COFF loaders: Implement COFF loader suppport.
- Obfuscation: Enhancing obfuscation methods and integrating new LLVM passes.
- Shellcode Generation: Expand to include more techniques, e.g., PIC generated from arbitrary command, and offer users the choice of shellcode generation technique.
- PIC Chain Reactions: ....
- Sleep Techniques: Implementing additional anti-emulation and sleep techniques, like encrypting heap and stack while sleeping during pre-shellcode-execution phase.
- Syscall: Improving Syswhisper2 integration for signature reduction. (e.g. on detecting virtual machine introspection and dynamic binary instrumentation)
- Compilation: Integrate additional compiler options like Cosmopolitan compiler.
- File format: Extend more file format supports, so that user can execute sample with signed utilities and more options.
- modularised modules: Although Boaz has all its implementations modularised in concept, it is not 'actually' modularised in its current beta version. Owing to the fact that this tool is a side project for my dissertation, I need to find time to separate each function into an actual module and ensure that each is presented with a template so that users can add a new technique and integrate it into the main program without the need to change the main program or other modules.
- Templates: using YAML and JSON files to configure and modularise the program.
We welcome contributions to improve the Boaz Evasion Tool. Please review CONTRIBUTING.md for guidelines on how to submit contributions.
We welcome submissions to pull requests and issues.
This is in development, please feel free to reach out to me @thomasmeeeee on X for any suggestions!
This project is licensed under the MIT License - see the LICENSE file for details.
A special thanks to the researchers and developers whose work has inspired, contributed to, and made this tool possible. All credit goes to the original authors of the techniques and tools:
And many more blogs and articles. Please feel free to add more...
For any queries or contributions, please contact the repository owner.