void8
Security Analysis Toolkit
A lightweight, self-hosted file analysis platform for making informed allowlist decisions. Drop a file, get a verdict. Open source and built for security teams, MSPs, and homelabs.

What is void8?

void8 is a portable analysis environment that runs on a disposable Windows VM. It combines automated static analysis tools with a browser-based frontend to give you a fast, structured answer to one question: should I trust this file?

Instead of juggling multiple tools and manually cross-referencing results, void8 runs the full analysis pipeline in seconds and presents a scored verdict with supporting evidence. When the automated analysis is inconclusive, the integrated workflow guides you through manual dynamic analysis using registry snapshots, persistence diffing, and live process monitoring.

The entire setup deploys from a single zip file. One double-click installs everything onto a clean Windows LTSC VM, launches the analysis server, and opens the browser interface. Analyze files, revert to a clean snapshot, repeat.

What's in the toolkit

void8 v1 ships as a self-contained PowerShell server with a separate HTML frontend, designed for a single-zip drop deployment on a disposable Windows VM. The analysis engine combines native Windows APIs with established security tools.

Frontend
Browser-based drag-and-drop interface at localhost:8080. Drop a file or paste a path, get a scored report with collapsible detail sections. Includes workflow guidance for both static and dynamic analysis.
Signatures
Digital signature verification via PowerShell's native Get-AuthenticodeSignature. Identifies the signer, certificate validity, and publisher without relying on third-party parsers.
VirusTotal
Automated hash lookup via Sigcheck. Submits the SHA-256 to VirusTotal and returns the detection ratio from 70+ AV engines without uploading the file itself.
Scoring
Weighted risk scoring across multiple signals: VT detections, signature status, file entropy, extension mismatches, and PE characteristics. Maps to three verdicts: Clean, Suspicious, Dangerous.
Persistence
An Autoruns baseline captures every startup entry, service, driver, and scheduled task on each scan. When the same file is scanned a second time, void8 automatically computes a diff against the previous baseline and surfaces exactly which persistence mechanisms were added, removed, or modified - the core signal for detecting what an installer actually did to the system.
Reports
Every scan and state snapshot is persisted as a structured JSON report on disk, with the full Autoruns CSV embedded for later comparison. The browser interface includes a Reports and History view to browse past scans, reload them, download them as JSON, or capture standalone system state snapshots for use as before/after baselines around manual installs.
AI Analysis
After automated scanning completes, results are sent to a local Ollama instance, running Qwen 2.5 14B by default, for a contextual second opinion. The model receives full void8 environment context and uses verdict-aware prompting to give targeted, actionable guidance: clean files get a brief reassurance summary, suspicious files get specific PeStudio tab recommendations and dynamic analysis steps. The model is a single-line configuration change, so an analyst can swap in any Ollama-supported model that fits their hardware. Everything runs on local hardware with no data leaving your network.
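The Autoruns baseline diff described under Persistence, written out as an added PowerShell example (this is not void8's own code). It assumes each capture was exported with autorunsc -c and carries at least the "Entry Location", "Entry", "Image Path" and "Launch String" columns; the two sample captures below are constructed.

```powershell
# Added example, not void8 project code. Diffs two Autoruns captures by entry
# identity (Entry Location + Entry). Assumes the CSVs carry at least the
# "Entry Location", "Entry", "Image Path" and "Launch String" columns that
# autorunsc -c emits; real exports have more columns, which are ignored here.
function Compare-AutorunsBaseline {
    param(
        [Parameter(Mandatory)][object[]]$Before,   # rows from the clean baseline
        [Parameter(Mandatory)][object[]]$After     # rows from the post-install capture
    )
    $keyOf = { param($row) '{0}|{1}' -f $row.'Entry Location', $row.Entry }
    $beforeMap = @{}; foreach ($r in $Before) { $beforeMap[(& $keyOf $r)] = $r }
    $afterMap  = @{}; foreach ($r in $After)  { $afterMap[(& $keyOf $r)]  = $r }

    $added = @(); $removed = @(); $modified = @()
    foreach ($k in $afterMap.Keys) {
        if (-not $beforeMap.ContainsKey($k)) { $added += $afterMap[$k]; continue }
        $old = $beforeMap[$k]; $new = $afterMap[$k]
        # Same entry name and location, but the binary or command behind it changed:
        # an installer quietly replacing what an existing autostart entry launches.
        if ($old.'Image Path' -ne $new.'Image Path' -or $old.'Launch String' -ne $new.'Launch String') {
            $modified += [pscustomobject]@{ Entry = $k; Before = $old.'Launch String'; After = $new.'Launch String' }
        }
    }
    foreach ($k in $beforeMap.Keys) {
        if (-not $afterMap.ContainsKey($k)) { $removed += $beforeMap[$k] }
    }
    [pscustomobject]@{ Added = $added; Removed = $removed; Modified = $modified }
}

# Constructed sample captures standing in for two autorunsc -c exports.
$baseline = @'
"Entry Location","Entry","Image Path","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe"
"Task Scheduler","\Microsoft\Windows\Defrag\ScheduledDefrag","c:\windows\system32\defrag.exe","%windir%\system32\defrag.exe -c -h -o"
'@ | ConvertFrom-Csv

$postInstall = @'
"Entry Location","Entry","Image Path","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleUpdater","c:\programdata\example\updater.exe","C:\ProgramData\Example\updater.exe /background"
"HKLM\System\CurrentControlSet\Services","ExampleSvc","c:\program files\example\examplesvc.exe","C:\Program Files\Example\examplesvc.exe"
"Task Scheduler","\Microsoft\Windows\Defrag\ScheduledDefrag","c:\windows\system32\defrag.exe","%windir%\system32\defrag.exe -c -h -o"
'@ | ConvertFrom-Csv

$diff = Compare-AutorunsBaseline -Before $baseline -After $postInstall
"Added: {0}, Removed: {1}, Modified: {2}" -f $diff.Added.Count, $diff.Removed.Count, $diff.Modified.Count
$diff.Added | Format-Table 'Entry Location', Entry, 'Image Path' -AutoSize
```

On the constructed data this reports two added entries (a Run key and a service) and nothing removed or modified, which is exactly the "what did the installer do" signal the report surfaces.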
Sigcheck
Sysinternals. File signatures, entropy, VirusTotal hash lookup.
PeStudio
Static PE analysis. Imports, strings, sections, embedded resources.
Autoruns
Sysinternals. Persistence mechanism enumeration and diffing.
Process Monitor
Sysinternals. Real-time file, registry, and process activity.
System Informer
Live process tree, network connections, DLLs, services.
Regshot
Registry snapshot and diff for pre/post install comparison.

What's coming

Next
Installer Unpacking and Recursive Analysis
Auto-detect and unpack the common installer formats (MSI, NSIS, Inno Setup, InstallShield, 7z self-extractors), then recursively run void8's analysis pipeline on every embedded PE. Closes the biggest current blind spot, which is that an installer wrapper's signature and entropy reveal almost nothing about what it actually contains. The verdict on the wrapper becomes a verdict on its payload.
Next
YARA Scanning
Bundle a curated YARA ruleset such as YARA-Forge or the Neo23x0 signature-base and run it against every scanned file plus any unpacked installer contents. Rule hits surface as a new signal class in the scoring engine, with rule names and tags shown in the report. The single biggest static-analysis upgrade short of writing custom detection logic.
Planned
IOC Extraction with Reputation Lookups
Pull printable strings from PE files, regex out URLs, IPs, domains, registry paths, and suspicious API names, then check the network indicators against URLhaus, AbuseIPDB, and OTX. Hits feed both the scoring engine and the AI analysis prompt, giving the model real binary content to reason about instead of just metadata.
Planned
Allowlist Export
After a CLEAN verdict, generate the rule artifact the analyst actually needs: an AppLocker publisher rule scoped to signer plus product plus version range, a Windows Defender Application Control policy fragment, or a Defender ASR exclusion. Closes the loop from "is this safe" to "here's the rule to deploy" and makes void8 useful as the front end of an allowlisting workflow rather than just an analysis bench.
Planned
Local Reputation Database
Promote the existing per-SHA-256 JSON reports into a real lookup. Every scan checks whether this signer, product, or hash has been seen before and how it was scored, so "signed by a publisher you trusted three times this month" becomes a scoring signal in its own right. Pairs with optional MalwareBazaar daily feed import for instant denylist hits without a VirusTotal round-trip.
Planned
Mark-of-the-Web Inspection
Read the Zone.Identifier alternate data stream on scanned files to surface where they came from: the originating URL, the security zone, and the referrer. A binary downloaded from a vendor site is a different risk profile than one extracted from an email attachment, even when everything else looks identical.
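How the Zone.Identifier stream would be read and interpreted, as an added PowerShell example rather than void8 code. It assumes an NTFS volume (alternate data streams do not survive FAT or most archive formats) and parses the ZoneId, HostUrl and ReferrerUrl fields Windows writes; the sample stream at the end is constructed.

```powershell
# Added example, not void8 project code. Reads and parses the Zone.Identifier
# alternate data stream that Windows writes to downloaded files (NTFS only).
function ConvertFrom-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Text)
    # URLZONE values as used by the ZoneId field.
    $zoneNames = @{ 0 = 'LocalMachine'; 1 = 'LocalIntranet'; 2 = 'TrustedSites'; 3 = 'Internet'; 4 = 'RestrictedSites' }
    $fields = @{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Key=Value lines under the [ZoneTransfer] header; the header line does not match.
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    [pscustomobject]@{
        ZoneId      = $zoneId
        Zone        = if ($null -ne $zoneId -and $zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
        HostUrl     = $fields['HostUrl']       # where the bytes were fetched from
        ReferrerUrl = $fields['ReferrerUrl']   # the page that linked to the download
    }
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    # No stream at all means the file was never marked, or the mark was stripped
    # (some archive tools do this), which is itself worth noting in the report.
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }
    ConvertFrom-ZoneIdentifier (Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw)
}

# Constructed sample stream in the format Windows writes; real files go through Get-MarkOfTheWeb.
$sample = @'
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://vendor.example/downloads/
HostUrl=https://cdn.vendor.example/setup.exe
'@
ConvertFrom-ZoneIdentifier $sample
```

A ZoneId of 3 (Internet) with a HostUrl on the vendor's own CDN and a ReferrerUrl on its download page is the profile a vendor download should have; a missing stream on a file the analyst knows was downloaded, or a HostUrl that does not match the claimed publisher, is the kind of mismatch worth feeding into the score.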
Planned
Native PE Introspection
Parse the PE header directly in the analysis pipeline to extract imports, per-section entropy, overlay presence, TLS callbacks, and resource types - the things PeStudio shows, surfaced inline in the void8 report. Suspicious imports like CreateRemoteThread, VirtualAllocEx, and WriteProcessMemory become real scoring signals instead of things only the AI prompt mentions in passing.
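Two of the planned signals, per-section entropy and overlay presence, worked through in an added PowerShell example (not void8 code). It reads the section table straight from the file, which has the same 40-byte layout for 32- and 64-bit PEs; the 7.0 entropy threshold and 4096-byte minimum section size are assumptions chosen for illustration.

```powershell
# Added example, not void8 project code: per-section entropy and overlay size read from the PE section table.
function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0; $n = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $n; $h -= $p * [math]::Log($p, 2) }
    }
    [math]::Round($h, 3)
}
function Get-PeSectionProfile {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "Not an MZ executable: $Path"
    }
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)                       # e_lfanew
    if ($peOff -lt 0 -or $peOff + 24 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOff) -ne 0x4550) {           # "PE\0\0"
        throw "PE signature not found: $Path"
    }
    $numSections = [BitConverter]::ToUInt16($bytes, $peOff + 6)
    $optHdrSize  = [BitConverter]::ToUInt16($bytes, $peOff + 20)
    $secTable    = $peOff + 24 + $optHdrSize                             # first IMAGE_SECTION_HEADER
    $endOfData   = [int64]0
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s       = $secTable + 40 * $i                                   # 40-byte section headers
        $name    = [Text.Encoding]::ASCII.GetString($bytes, $s, 8).TrimEnd([char]0)
        $rawSize = [int64][BitConverter]::ToUInt32($bytes, $s + 16)      # SizeOfRawData
        $rawPtr  = [int64][BitConverter]::ToUInt32($bytes, $s + 20)      # PointerToRawData
        $len     = [math]::Max([int64]0, [math]::Min($rawSize, $bytes.Length - $rawPtr))  # clamp to file
        $data    = [byte[]]::new([int]$len)
        if ($len -gt 0) { [Array]::Copy($bytes, $rawPtr, $data, 0, $len) }
        $endOfData = [math]::Max($endOfData, $rawPtr + $len)
        $entropy = Get-ShannonEntropy $data
        [pscustomobject]@{
            Name = $name; RawSize = $rawSize; Entropy = $entropy
            HighEntropy = ($entropy -gt 7.0 -and $len -gt 4096)          # assumed threshold: packed/encrypted likely
        }
    }
    [pscustomobject]@{
        Sections     = $sections
        OverlayBytes = [math]::Max([int64]0, $bytes.Length - $endOfData)  # data appended after the last section
    }
}
# Get-PeSectionProfile 'C:\samples\sample.exe' | Select-Object -ExpandProperty Sections
```

A large overlay on an executable that otherwise looks like a small stub, or a .text section above 7.0, are the section-level facts that would feed the score directly instead of waiting for a PeStudio tab.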
Planned
Automated Dynamic Analysis
One-click dynamic analysis that launches Process Monitor with pre-configured filters, executes the sample, waits a configurable duration, captures the results, diffs the Autoruns baseline, and appends everything to the static report. Correlates with INetSim network simulation for isolated environments.
Planned
macOS and Linux Versions
Platform-native analysis environments using equivalent tooling. The macOS version targets Mach-O binary analysis with codesign verification, while the Linux version covers ELF binaries with readelf and strace. Same browser-based frontend, same scoring model, same YARA and IOC pipelines, adapted for each platform's binary formats and signing mechanisms. Likely written in Go for cross-platform single-binary distribution.
Planned
Kasm Workspace Integration
Pre-built Kasm workspace image with void8 pre-installed. Upload files through Kasm's browser interface, analyze in the isolated workspace, and discard the session. Zero local footprint.