Golang anti-vm framework for Red Team and Pentesters
Let Chacal hidde your malware in your assalt operation!
Table of Contents
Chacal is an anti-vm framework written in Golang in order to support Red Team and Pentesters in your assalts, in Windows environment!
!!I'm not responsible for your acts!!
Firstly, make sure that your dependencies are satisfied.
Chacal has 3 dependencies:
- wmi
go get github.com/StackExchange/wmi@v0.0.0-20210224194228-fe8f1750fd46 - go-ole
go get github.com/go-ole/go-ole@v1.2.5 - go-ps
go get github.com/mitchellh/go-ps@v1.0.0
In your prompt type
go get github.com/p3tr0v/chacal
Into your program, import the packages used by Chacal
import (
"github.com/p3tr0v/chacal/antidebug"
"github.com/p3tr0v/chacal/antimem"
"github.com/p3tr0v/chacal/antivm"
)
"github.com/p3tr0v/chacal/antidebug"
Antidebug package implement strategies to avoid common programs that are used for debugging.
antidebug.ByProcessWatcher() return boolean
This function look for common programs used for inspect process, like processhacker.exe, procmon.exe, xdbg.exe, etc.
Example:
if antidebug.ByProcessWatcher() { // Whether some debugger program founded, enter here.
// exit or wait
}
antidebug.ByTimmingDiff(time, int) return boolean
Compare whether the difference between initial and end time is bigger than difference allowed (in seconds).
When debugging, some analisys use to take some time into a function.
Grab the time just in the begging of the function and later in the end, before go out, and ask Chacal to compare.
Example:
func myFuncHere(){
initTime := time.Now() // grab the time here
// do your actions here
if antidebug.ByTimmingDiff(timeInit, 2){ // if your function takes 2 seconds or more, your malware must be debugged. You chose your time.
// exit or wait
}
}
"github.com/p3tr0v/chacal/antimem"
Antimem package implement strategies to avoid common programs that are used for inspect memory process.
antimem.ByMemWatcher() return boolean
This function look for common programs used for inspect memory, like rammap.exe, dumpit.exe, etc.
Example:
if antimem.ByMemWatcher() { // Whether some program used for inspect memory founded, enter here.
// exit or wait
}
"github.com/p3tr0v/chacal/antivm"
Antivm package implement strategies to avoid virtualized environment.
antivm.BySizeDisk( int ) return boolean
Check total size disk, in GB.
Example:
if antivm.BySizeDisk(100) { // whether total disk size is less than 100 GB, enter here. You chose the size, always in GB.
// exit or wait
}
antivm.IsVirtualDisk() boolean
Check whether may be on virtual disk.
Example:
if antivm.IsVirtualDisk() { // If Chacal guess you are on virtual disk, enter here.
// exit or wait
}
antivm.ByMacAddress() boolean
Look for known virtualized MAC Address.
Example:
if antivm.ByMacAddress() { If Chacal guess you are on virtual MAC Address, enter here.
// exit or wait
}
Telegram: @p3tr0v
LinkedIn: Test your OSINT skills ;)
- 06-26-2021 : New process and MAC address added.