VOIDMAW

Description:

This is a new bypass technique for memory scanners. It is useful for hiding code that would otherwise be flagged by antivirus vendors.

This is basically an improved version of Voidgate, but without all of the previous limitations.

This technique is compatible with all C2 beacons, it handles multithreaded payloads, and it can handle executables generated by tools such as pe_to_shellcode, thus allowing it to run virtually any non-.NET executable.

How it looks under the debugger: [image: debugger]


How it works:

This technique is made out of two programs:

1.) Dismantle:

This program records all the uniquely executed instructions and their offsets. It uses this data to create a header file that needs to be included in the second program (Voidmaw), which is responsible for payload execution.

This program takes an input file that contains the desired payload (this could be a Cobaltstrike beacon or an executable such as mimikatz that was converted to shellcode) and reads it into a buffer.

The program will then set PAGE_GUARD protection on that page and install a vectored exception handler (VEH). This VEH is responsible for two things:

Once the program has finished recording all the executed instructions, it will encrypt them in the unordered_map.

After that, the program will create a copy of the previously executed payload and mask all the recorded executed assembly with INT3 instructions.

Once all of the above mentioned steps are done, the program will generate an output file. This file is a header file that you must include in the Voidmaw program.

IMPORTANT:

2.) Voidmaw:

This program is responsible for the execution of the newly generated payload.

The above mentioned generated header file has 4 important elements:

This program will first call the InitMap function and then create a memory region where it writes the payload, then it installs a VEH.

This VEH is responsible with handling EXCEPTION_BREAKPOINT.

When we create a new thread on the copied payload, whenever we hit an INT3 (an instruction that was executed during our recording and was masked), we will trigger this VEH. The VEH will then check at what offset this occurred. Once the offset is found, it will look up that offset in the unordered_map, copy the encrypted assembly to a buffer, decrypt it, and write it at the instruction pointer where the exception occurred.

After this, the offset and size of the instruction are placed in a queue, and the instruction is masked back with INT3 at the next exception, thus hiding the instructions that have already executed. Only one assembly instruction is visible per thread.

The assembly instructions have only 2 possible states:

1.) masked by INT3

2.) replaced by the original assembly

If the payload creates a new thread somewhere in its code section and the target instruction is masked, we will get a new exception and handle it as well. This makes the technique capable of handling multithreaded payloads without setting hooks on NtCreateThread or other possible ways of creating a new thread.
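The masking described above leaves the payload's executable region almost entirely filled with 0xCC bytes, with at most one restored instruction per running thread. The following is an added example written from a detection standpoint; it is not part of the VOIDMAW project. It scores memory pages for exactly this pattern (INT3 density plus the number of "visible" non-INT3 islands) on constructed sample buffers. `scan_region`, `visible_islands` and the sample data are assumptions introduced here, not project code.

```python
"""Heuristic for executable pages that are mostly INT3 (0xCC) with a few visible instructions.

Added example, not part of VOIDMAW. Sample buffers below are constructed, not captured.
Intended to be applied only to private, executable (RX/RWX) regions: compilers pad
between functions with 0xCC, and debug builds fill stack with 0xCC, but neither
produces a near-100% INT3 page that is mapped executable.
"""
import random

PAGE_SIZE = 4096
INT3 = 0xCC


def int3_density(buf: bytes) -> float:
    """Fraction of bytes in buf that are 0xCC (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    return buf.count(INT3) / len(buf)


def visible_islands(page: bytes) -> list:
    """Return (offset, length) of every maximal run of non-0xCC bytes in page.

    In a masked region, each island corresponds to one currently restored
    instruction, so the count approximates the number of threads executing there.
    """
    islands = []
    start = None
    for i, b in enumerate(page):
        if b != INT3:
            if start is None:
                start = i
        elif start is not None:
            islands.append((start, i - start))
            start = None
    if start is not None:
        islands.append((start, len(page) - start))
    return islands


def scan_region(buf: bytes, page_size: int = PAGE_SIZE, threshold: float = 0.90) -> list:
    """Return (page_index, density, island_count) for each page whose INT3 density
    meets the threshold. A hit with a small island count is the strongest signal."""
    hits = []
    for off in range(0, len(buf), page_size):
        page = buf[off:off + page_size]
        d = int3_density(page)
        if d >= threshold:
            hits.append((off // page_size, round(d, 4), len(visible_islands(page))))
    return hits


def build_samples():
    """Construct two 2-page buffers: ordinary code-like bytes and a masked region."""
    rng = random.Random(1)
    # Constructed stand-in for normal code: pseudo-random bytes, ~1/256 of them 0xCC.
    normal = bytes(rng.randrange(256) for _ in range(PAGE_SIZE * 2))
    # Constructed masked region: all INT3 except one 5-byte instruction restored at 0x120
    # (the page's "one visible instruction per thread" state, with a single thread).
    masked = bytearray([INT3]) * (PAGE_SIZE * 2)
    masked[0x120:0x125] = b"\x48\x89\x5c\x24\x08"  # mov [rsp+8], rbx
    return normal, bytes(masked)


SAMPLE_NORMAL, SAMPLE_MASKED = build_samples()

if __name__ == "__main__":
    print("normal :", scan_region(SAMPLE_NORMAL))
    print("masked :", scan_region(SAMPLE_MASKED))
    print("islands:", visible_islands(SAMPLE_MASKED[:PAGE_SIZE]))
```

In a live scanner the same functions would be run over each private executable region read from the process; the density threshold catches the masked pages, and an island count far below the number of bytes in the page separates this pattern from ordinary compiler padding, which produces short 0xCC runs between many large non-INT3 islands.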

IMPORTANT:

Usage:

1.) Dismantle.exe:

.\Dismantle.exe -p "C:\mimikatz.bin" -o "./out.h" -a "privilege::debug"

Where:

2.) Voidmaw.exe: Compile with the above generated header file and run. This program takes no arguments and can be delivered as a standalone executable on the target machine where.


Compilation Dependencies:

NOTE: The compiled libraries are included in the project, however it is recommended that you compile them yourself.


Demo:

Cobaltstrike beacon:

NOTE: This is a bypass for memory scanners and YARA rules and is not a bulletproof technique. Bad OPSEC (such as the default Cobaltstrike profile) will get your beacon flagged!

1.) Payload generation: [image: cobalt-rec]

2.) Payload execution: [image: cobalt-exec]

Mimikatz:

1.) Payload generation: [image: mimi-rec]

2.) Payload execution: [image: mimi-exec]


Disclaimer:

This repository is for academic purposes, the use of this software is your responsibility.


NOTE:

Author - Paul Socatiu