BOAZ Evasion and Antivirus Testing Tool: Multilayered AV/EDR Evasion Framework
BOAZ (Bypass, Obfuscate, Adapt, Zero-trace) evasion was inspired by the concept of multi-layered approach which is the evasive version of defence-in-depth first mentioned in “One packer to rule them all” at BH USA14 (Swinnen & Mesbahi, 2014). BOAZ was developed to provide greater control over combinations of evasion methods, enabling more granular evaluations against antivirus and EDR [39].
BOAZ aims to bypass the before and during execution phases that span signature, heuristic and behavioural-based detection methods. BOAZ supports x64 binary (PE) or raw playload (.bin) as input. It has been tested on separated Window-11 Enterprise, Windows-10 and windows Server 2022 VMs (version: 22H2, 22621.1992) with 14 Desktop AVs and 7 EDRs installed include Windows Defender, Norton, BitDefender, Sophos and ESET. BOAZ’s modular design facilitates user customisation, enabling researchers to integrate their own toolsets or techniques. BOAZ is written in C++ and C and uses Python3 as the main linker to integrate all modules.
For students and researchers in offensive security, no advanced programming or scripting knowledge or skills are required to use BOAZ to generate undetectable polymorphic samples.
This tool has an alternative use: it can function as a packer or obfuscator.
Features
-
Modular Design: Easily extendable with new tactics and techniques by adding scripts.
-
Signature Evasion:
- LLVM IR level Obfuscation: Pluto and Akira LLVM-based obfuscation including string encryption and control flow flattening.
- CodeBase obfuscation:
- Function name and string obfuscated from chars: [0-9a-zA-Z_] by 3 randomly selected algorithms: Mt19937, MinstdRand and ranlux48_base.
- Shikata Ga Nai (SGN) encoding.
- Payload encoding (T1132):
- UUID (Universally Unique Identifier)
- XOR
- MAC
- IP4 format
- base-64
- base-45
- base-58
- Chacha20
- RC4 (SystemFunction32/33)
- AES
- AES with divide and conquer to bypass logical path hijacking
- DES (SystemFunction002)
- Compilation time obfuscation (LLVM, T1140, T1027):
- Pluto:
bcf: Bogus Control Flowfla: Control Flow Flatteninggle: Global Variable Encryptionmba: Mixed-Boolean Arithmetic expressions (MBA)sub: Instruction Substitutionsidc: Indirect Call Promotionhlw: Hide LLVM IR Level Warnings
- Akira:
- Indirect jumps and encrypted jump targets
- Encrypted indirect function calls
- Encrypted indirect global variable references
- String encryption
- Procedure-related control flow flattening
- Pluto:
- Stripped binary (T1027.008)
- Two methods to reduce entropy to below threshold by padding Pokémon names or null bytes
- Signed certificate (T1036.001)
- Metadata copied from window binary (T1036)
-
Heuristic Evasion:
- Anti-Emulation (T1497): checks based on file system operation, process and network information and “offer you have to refuse” [15, 38]. A simple heuristic that if 2 or more checks are failed, execution will stop.
- Junk API instructions (“no-op” calls, or mimicry attack): 5 benign API functions to vary the API call sequences
- API Unhooking:
-
- Read the syscall stub from the original ntdll and rewrite the loaded ntdll’s stub
-
- Custom Peruns’ Fart unhooking
-
- Halo’s gate (TartarusGate)
-
- Sifu Memory Guard
- New memory guard inspired by hardware breakpoints hooking techniques (Loader 48, 49, 51, 52, 57)
- Sleep obfuscation: Custom Ekko (CreateTimerQueueTimer) with arbitrary sleep time invoked at run time
- Stack encryption sleep: Local variables and shellcode were being stored on stack. This part of memory is available for scanning both in emulator pre-execution and post-execution.
- PIC convertor (T1027.009, T1027.002, T1620):
- The donut (The Wover)
- PE2SH (hasherezade)
- RC4 custom encrypted converter
- Amber (by Ege Balcı)
- Shoggoth (by frkngksl)
- Stardust (by 5pider)
-
Behavioral Evasion:
- Various code execution and process injection loaders (T1055, T1106, T1027.007): A variety of loaders for different evasion scenarios
- Two LLVM-obfuscation compilers (T1027)
- Output DLL/CPL (side-loading) (T1574.002, T1218.011/002)
- Event tracing for windows (ETW) patching (hot patch NtTraceEvent with “xor rax, rax; ret”) (T1562.006)
- Patchless ETW bypass:
- The patchless method can avoid detection on patching instructions.
- EtwEventWrite and EtwEventWriteFull are wrappers call NtTraceEvent, which is a syscall. We can set up a Vectored Exception Handler (VEH) and configure a hardware breakpoint (HWBP) using RtlCaptureContext to capture the thread’s context, then use NtContinue to update it. Inside the VEH handler, when NtTraceEvent is called, we can redirect RIP to the Ret instruction after the Syscall instruction, which is six instructions after the function start address. we also set Rax = 0, thereby bypassing the ETW event completely.
- API name spoofing via IAT, using CallObfuscator by d35ha
- Parent PID Spoofing (T1134.004)
- Process code injection and execution mitigation policy (M1038) (e.g. CFG, XFG, module tampering prevention, Structured Exception Handler Overwrite Protection (SEHOP), etc)
- Post-execution self-deletion: output binary can be marked as self-delete upon execution (T1070.004)
- Post-execution anti-forensic techniques: delete execution traces from various locations that do not require an admin privilege. For example:
- Modify arbitrary reg key last write time with NtSetInformationKey.
- Delete AmCache and ShimCache
- Copy $STANDARD_INFORMATION timestamp and zone identifier.
- New memory scanner evasion techniques:
- Conventional VEH memory guard
- PG (page guard) –> VEH (vectored exception handler)
- PG –> VEH –> VCH (vectored continued handler) stealth guard
- Virtual table hooking execution guard
- A new code execution and process injection primitive
- Threadless execution primitive 9S (Manual VEH to VCH execution)
- Threadless execution primitive 2B (Threadless virtual table pointer spoofing)
