VOIDMAW: A New Bypass Technique for Memory Scanners
As malware detection techniques evolve, so do the methods attackers use to evade them. VOIDMAW is an innovative memory scanning bypass technique that can effectively hide problematic code from antivirus software. It supports multithreaded payloads and is compatible with all Command-and-Control (C2) beacons. Additionally, VOIDMAW can run any non-.NET executables, making it a powerful tool in the hands of attackers.
VOIDMAW employs two programs to achieve its goal:
1. Dismantle
This is the first part of the VOIDMAW process. This program reads a payload, such as a Cobalt Strike beacon or an executable converted to shellcode (like Mimikatz), into memory and begins recording its behavior. It records every unique instruction executed and its offset in memory. This data will later be used to generate a header file, which is essential for executing the payload through the Voidmaw program.
The steps in Dismantle are as follows:
- PAGE_GUARD Protection: The program sets PAGE_GUARD protection on the memory page that holds the payload. This protection triggers exceptions whenever an attempt is made to execute code on that page.
- Vectored Exception Handler (VEH): A VEH is installed to handle exceptions raised by the PAGE_GUARD. The VEH has two key responsibilities:
- STATUS_GUARD_PAGE_VIOLATION Handling: This captures the executed instructions, saving them in a map structure while maintaining the PAGE_GUARD protection.
- EXCEPTION_SINGLE_STEP Handling: This restores the PAGE_GUARD after each instruction is recorded, ensuring subsequent instructions trigger new exceptions, allowing for continuous instruction recording.
Once all instructions are recorded, they are encrypted and masked using INT3 instructions (software breakpoints) to hide the executed code. The output of this process is a header file, which includes:
- The masked original payload.
- The XOR encryption key used to decrypt the instructions.
- An unordered map containing the encrypted instructions and their offsets.
- An InitMap function to initialize the map in the second program, Voidmaw.
2. Voidmaw
Once the payload has been processed by Dismantle, it is ready to be executed by Voidmaw. This program uses the header file generated by Dismantle to dynamically decrypt and execute the payload while maintaining a level of invisibility that makes it difficult for memory scanners to detect.
The execution process works as follows:
- InitMap Function: Voidmaw first calls the InitMap function to initialize the map of encrypted instructions.
- Memory Allocation: A memory region is created, and the masked payload is written into this space.
- Vectored Exception Handler (VEH): Voidmaw installs a new VEH to handle EXCEPTION_BREAKPOINT, which is triggered whenever the program hits an INT3 instruction during execution.
When the VEH encounters an INT3, it checks the offset of the exception and looks it up in the unordered map. The encrypted assembly instruction is then decrypted, restored at the instruction pointer, and executed. Once executed, the instruction is masked again with INT3, leaving only one assembly instruction visible at a time. This process repeats for every thread, allowing Voidmaw to handle multithreaded payloads seamlessly.
This technique ensures that only one instruction is ever visible at any given time, making it difficult for memory scanners to catch the entire malicious code sequence.
VOIDMAW is an advanced technique for evading memory scanners, and it marks a new frontier in malware execution. Its ability to mask executed instructions and handle multithreaded payloads makes it a great tool for bypassing traditional antivirus defenses. As VOIDMAW is open-source and available on GitHub, its techniques are accessible to a wide range of users, both for research and malicious purposes.
VOIDMAW represents a significant advancement in evasion techniques. Its ability to bypass traditional memory scanners raises concerns for security professionals. Organizations need to be aware of such advanced techniques and adopt proactive measures like behavioral analysis and anomaly detection to counter these evolving threats.