Chacal
Golang anti-vm framework for Red Team and Pentesters
Let Chacal hidde your malware in your assalt operation!
Table of Contents
About The Project
Chacal is an anti-vm framework written in Golang in order to support Red Team and Pentesters in your assalts, in Windows environment!
!!I'm not responsible for your acts!!
Getting Started
Firstly, make sure that your dependencies are satisfied.
Dependencies
Chacal has 3 dependencies:
- wmi
go get github.com/StackExchange/[email protected]
- go-ole
go get github.com/go-ole/[email protected]
- go-ps
go get github.com/mitchellh/[email protected]
Installation
In your prompt type
go get github.com/p3tr0v/chacal
Usage
Into your program, import the packages used by Chacal
import (
"github.com/p3tr0v/chacal/antidebug"
"github.com/p3tr0v/chacal/antimem"
"github.com/p3tr0v/chacal/antivm"
)
Anti-Debugging
"github.com/p3tr0v/chacal/antidebug"
Antidebug package implement strategies to avoid common programs that are used for debugging.
Process
antidebug.ByProcessWatcher()
return boolean
This function look for common programs used for inspect process, like processhacker.exe, procmon.exe, xdbg.exe, etc.
Example:
if antidebug.ByProcessWatcher() { // Whether some debugger program founded, enter here.
// exit or wait
}
Timming
antidebug.ByTimmingDiff(time, int)
return boolean
Compare whether the difference between initial and end time is bigger than difference allowed (in seconds). When debugging, some analisys use to take some time into a function. Grab the time just in the begging of the function and later in the end, before go out, and ask Chacal to compare.
Example:
func myFuncHere(){
initTime := time.Now() // grab the time here
// do your actions here
if antidebug.ByTimmingDiff(timeInit, 2){ // if your function takes 2 seconds or more, your malware must be debugged. You chose your time.
// exit or wait
}
}
Anti-Memory
"github.com/p3tr0v/chacal/antimem"
Antimem package implement strategies to avoid common programs that are used for inspect memory process.
Memory
antimem.ByMemWatcher()
return boolean
This function look for common programs used for inspect memory, like rammap.exe, dumpit.exe, etc.
Example:
if antimem.ByMemWatcher() { // Whether some program used for inspect memory founded, enter here.
// exit or wait
}
Anti-VM
"github.com/p3tr0v/chacal/antivm"
Antivm package implement strategies to avoid virtualized environment.
Disk size
antivm.BySizeDisk( int )
return boolean
Check total size disk, in GB.
Example:
if antivm.BySizeDisk(100) { // whether total disk size is less than 100 GB, enter here. You chose the size, always in GB.
// exit or wait
}
Virtual disk
antivm.IsVirtualDisk()
boolean
Check whether may be on virtual disk.
Example:
if antivm.IsVirtualDisk() { // If Chacal guess you are on virtual disk, enter here.
// exit or wait
}
Known virtual MAC Address
antivm.ByMacAddress()
boolean
Look for known virtualized MAC Address.
Example:
if antivm.ByMacAddress() { If Chacal guess you are on virtual MAC Address, enter here.
// exit or wait
}
Contact
Telegram: @p3tr0v
LinkedIn: Test your OSINT skills ;)