Chacal

Golang anti-vm framework for Red Team and Pentesters

Let Chacal hidde your malware in your assalt operation!

About The Project

Chacal is an anti-vm framework written in Golang in order to support Red Team and Pentesters in your assalts, in Windows environment!
!!I'm not responsible for your acts!!

Getting Started

Firstly, make sure that your dependencies are satisfied.

Dependencies

Chacal has 3 dependencies:

• wmi

  go get github.com/StackExchange/[email protected]
  

• go-ole

  go get github.com/go-ole/[email protected] 
  

• go-ps

  go get github.com/mitchellh/[email protected] 
  

Installation

In your prompt type

go get github.com/p3tr0v/chacal

Usage

Into your program, import the packages used by Chacal

import (
      "github.com/p3tr0v/chacal/antidebug"
      "github.com/p3tr0v/chacal/antimem"
      "github.com/p3tr0v/chacal/antivm"
    )

Anti-Debugging

"github.com/p3tr0v/chacal/antidebug"
Antidebug package implement strategies to avoid common programs that are used for debugging.

Process

antidebug.ByProcessWatcher() return boolean
This function look for common programs used for inspect process, like processhacker.exe, procmon.exe, xdbg.exe, etc.
Example:

if antidebug.ByProcessWatcher() { // Whether some debugger program founded, enter here.
  // exit or wait
}

Timming

antidebug.ByTimmingDiff(time, int) return boolean
Compare whether the difference between initial and end time is bigger than difference allowed (in seconds). When debugging, some analisys use to take some time into a function. Grab the time just in the begging of the function and later in the end, before go out, and ask Chacal to compare.
Example:

func myFuncHere(){
  initTime := time.Now() // grab the time here
  // do your actions here
  if antidebug.ByTimmingDiff(timeInit, 2){ // if your function takes 2 seconds or more, your malware must be debugged. You chose your time.
    // exit or wait
  }
}

Anti-Memory

"github.com/p3tr0v/chacal/antimem"
Antimem package implement strategies to avoid common programs that are used for inspect memory process.

Memory

antimem.ByMemWatcher() return boolean
This function look for common programs used for inspect memory, like rammap.exe, dumpit.exe, etc.
Example:

if antimem.ByMemWatcher() { // Whether some program used for inspect memory founded, enter here.
  // exit or wait
}

Anti-VM

"github.com/p3tr0v/chacal/antivm"
Antivm package implement strategies to avoid virtualized environment.

Disk size

antivm.BySizeDisk( int ) return boolean
Check total size disk, in GB.
Example:

if antivm.BySizeDisk(100) { // whether total disk size is less than 100 GB, enter here. You chose the size, always in GB.
  // exit or wait
}

Virtual disk

antivm.IsVirtualDisk() boolean
Check whether may be on virtual disk.
Example:

if antivm.IsVirtualDisk() { // If Chacal guess you are on virtual disk, enter here.
  // exit or wait
}

Known virtual MAC Address

antivm.ByMacAddress() boolean
Look for known virtualized MAC Address.
Example:

if antivm.ByMacAddress() { If Chacal guess you are on virtual MAC Address, enter here.
  // exit or wait
}

Contact

Telegram: @p3tr0v
LinkedIn: Test your OSINT skills ;)