void8
Security Analysis Toolkit
A lightweight, self-hosted file analysis platform for making informed allowlist decisions. Drop a file, get a verdict. Open source and built for security teams, MSPs, and homelabs.

What is void8?

void8 is a portable analysis environment that runs on a disposable Windows VM. It combines automated static analysis tools with a browser-based frontend to give you a fast, structured answer to one question: should I trust this file?

Instead of juggling multiple tools and manually cross-referencing results, void8 runs the full analysis pipeline in seconds and presents a scored verdict with supporting evidence. When the automated analysis is inconclusive, the integrated workflow guides you through manual dynamic analysis using registry snapshots, persistence diffing, and live process monitoring.

The entire setup deploys from a single zip file. One double-click installs everything onto a clean Windows LTSC VM, launches the analysis server, and opens the browser interface. Analyze files, revert to a clean snapshot, repeat.

What's in the toolkit

void8 v1 ships as a self-contained PowerShell server with an embedded web frontend. The analysis engine combines native Windows APIs with established security tools.

Frontend: Browser-based drag-and-drop interface at localhost:8080. Drop a file or paste a path, get a scored report with collapsible detail sections. Includes workflow guidance for both static and dynamic analysis.
Signatures: Digital signature verification via PowerShell's native Get-AuthenticodeSignature. Identifies the signer, certificate validity, and publisher without relying on third-party parsers.
VirusTotal: Automated hash lookup via Sigcheck. Submits SHA-256 to VirusTotal and returns the detection ratio from 70+ AV engines without uploading the file itself.
Scoring: Weighted risk scoring across multiple signals: VT detections, signature status, file entropy, extension mismatches, and PE characteristics. Maps to three verdicts: Clean, Suspicious, Dangerous.
Persistence: Autoruns baseline captures every startup entry, service, driver, and scheduled task. Enables before/after comparison to detect persistence mechanisms added by installers.
Sigcheck: Sysinternals. File signatures, entropy, VirusTotal hash lookup.
PeStudio: Static PE analysis. Imports, strings, sections, embedded resources.
Autoruns: Sysinternals. Persistence mechanism enumeration and diffing.
Process Monitor: Sysinternals. Real-time file, registry, and process activity.
System Informer: Live process tree, network connections, DLLs, services.
Regshot: Registry snapshot and diff for pre/post install comparison.
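
As an added example (not void8's own code), the PowerShell below gathers several of the static signals named in the Signatures and Scoring entries above for a single file: SHA-256, Authenticode status and signer, byte entropy, and a header/extension mismatch check. The function name Get-StaticSignals, its output fields and the PE extension list are assumptions; no weights or verdict thresholds are shown because the page does not state them.

```powershell
# Added example: collect static signals for one file without executing it.
# Get-StaticSignals and its output field names are hypothetical, not void8's.
function Get-StaticSignals {
    param([Parameter(Mandatory)][string]$Path)

    $file  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)

    # Shannon entropy in bits per byte (0 = constant data, 8 = uniformly random).
    # Packed or encrypted payloads tend toward the high end of that range.
    $counts = New-Object 'long[]' 256
    foreach ($b in $bytes) { $counts[$b]++ }
    $entropy = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $bytes.Length
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }

    # Extension mismatch: an 'MZ' header on a file not named like a PE,
    # or a PE-style name on a file that lacks the header.
    $peExtensions = '.exe', '.dll', '.sys', '.scr', '.ocx', '.cpl'   # assumed list
    $hasMz   = $bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A
    $namedPe = $peExtensions -contains $file.Extension.ToLowerInvariant()

    # Native Authenticode check; SignerCertificate is $null for unsigned files.
    $sig = Get-AuthenticodeSignature -LiteralPath $file.FullName

    [pscustomobject]@{
        Sha256            = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $sig.SignerCertificate.Subject
        CertNotAfter      = $sig.SignerCertificate.NotAfter
        Entropy           = [Math]::Round($entropy, 2)
        ExtensionMismatch = ($hasMz -ne $namedPe)
    }
}

# Example call against a known Windows binary; substitute the file under review.
Get-StaticSignals -Path "$env:SystemRoot\System32\notepad.exe"
```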

What's coming

AI-Assisted Analysis (Next)
Integration with a local Ollama instance running a lightweight model (7-8B parameters). After the static analysis completes, the structured results are sent to the model for a second opinion. The AI reviews hash patterns, API import combinations, string anomalies, and entropy signatures to catch contextual indicators that rule-based scoring misses. Runs entirely on local hardware with no data leaving your network. Results appear as an additional section in the analysis report.

Automated Dynamic Analysis (Next)
One-click dynamic analysis that launches Process Monitor with pre-configured filters, executes the sample, waits a configurable duration, captures the results, diffs the Autoruns baseline, and appends everything to the static report. Correlates with INetSim network simulation for isolated environments.

macOS and Linux Versions (Planned)
Platform-native analysis environments using equivalent tooling. The macOS version targets Mach-O binary analysis with codesign verification, while the Linux version covers ELF binaries with readelf, strace, and YARA integration. Same browser-based frontend, same scoring model, adapted for each platform's binary formats and signing mechanisms.

Report History and Comparison (Planned)
Persistent report storage with the ability to compare analyses over time. Track how a file's VT detection ratio changes, compare Autoruns baselines across multiple test runs, and maintain an audit trail of allowlist decisions.

Kasm Workspace Integration (Planned)
Pre-built Kasm workspace image with void8 pre-installed. Upload files through Kasm's browser interface, analyze in the isolated workspace, and discard the session. Zero local footprint.