void8
Security Analysis Toolkit
A lightweight, self-hosted file analysis platform for making informed allowlist decisions. Drop a file, get a verdict. Open source and built for security teams, MSPs, and homelabs.

What is void8?

void8 is a portable analysis environment that runs on a disposable Windows VM. It combines automated static analysis tools with a browser-based frontend to give you a fast, structured answer to one question: should I trust this file?

Instead of juggling multiple tools and manually cross-referencing results, void8 runs the full analysis pipeline in seconds and presents a scored verdict with supporting evidence. When the automated analysis is inconclusive, the integrated workflow guides you through manual dynamic analysis using registry snapshots, persistence diffing, and live process monitoring.

The entire setup deploys from a single zip file. One double-click installs everything onto a clean Windows LTSC VM, launches the analysis server, and opens the browser interface. Analyze files, revert to a clean snapshot, repeat.

What's in the toolkit

void8 v1 ships as a self-contained PowerShell server with a separate HTML frontend, designed for a single-zip drop deployment on a disposable Windows VM. The analysis engine combines native Windows APIs with established security tools.

Frontend
Browser-based drag-and-drop interface at localhost:8080. Drop a file or paste a path, get a scored report with collapsible detail sections. Includes workflow guidance for both static and dynamic analysis.
Signatures
Digital signature verification via PowerShell's native Get-AuthenticodeSignature. Identifies the signer, certificate validity, and publisher without relying on third-party parsers.
VirusTotal
Automated hash lookup via Sigcheck. Submits the SHA-256 to VirusTotal and returns the detection ratio from 70+ AV engines without uploading the file itself.
Provenance
Mark of the Web inspection via the Zone.Identifier alternate data stream. When a scanned file was downloaded through a browser, Outlook, Teams, or most SMB shares, void8 surfaces the originating zone, host URL, and referrer URL - the cheapest possible breadcrumb back to where a file actually came from. A binary downloaded from a vendor site is a different trust proposition than one extracted from an email attachment, even if everything else looks identical.
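As an added illustration (not void8's own code), a Python parser for the Zone.Identifier stream described above; the sample stream content is constructed for this example, and the zone names follow the well-known URLZONE values.

```python
from typing import Optional

# Well-known URLZONE values that Windows writes into the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed sample of what a browser download typically leaves in the stream.
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://www.example.com/downloads/\r\n"
                 "HostUrl=https://cdn.example.com/setup.exe\r\n")


def parse_zone_identifier(text: str) -> Optional[dict]:
    """Parse the INI-style [ZoneTransfer] block of a Zone.Identifier stream."""
    fields = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_block = line.lower() == "[zonetransfer]"
        elif in_block and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    zone_raw = fields.get("ZoneId", "")
    if not zone_raw.isdigit():
        return None  # no usable Mark of the Web in this stream
    zone_id = int(zone_raw)
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, f"Unknown zone {zone_id}"),
        # HostUrl/ReferrerUrl are optional: not every application writes them
        "host_url": fields.get("HostUrl"),
        "referrer_url": fields.get("ReferrerUrl"),
    }


def read_zone_identifier(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier alternate data stream on NTFS.

    The 'file:stream' syntax only resolves on Windows/NTFS; elsewhere, or when
    the file carries no Mark of the Web, this returns None.
    """
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None
```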
Scoring
Weighted risk scoring across multiple signals: VT detections, signature status, file entropy, extension mismatches, PE characteristics, and YARA rule matches. Maps to three verdicts: Clean, Suspicious, Dangerous. A publisher trust cap softens the final verdict from Dangerous to Suspicious when a file is signed by a recognized publisher with low VirusTotal detection, preventing legitimate commercial installers with noisy internals from being blocked on soft signals alone. Malware family YARA matches still force-escalate to Dangerous regardless of signature state.
Reputation
Every persisted scan report becomes a reputation signal for future scans. void8 walks the local Reports directory on each new scan and aggregates history for the exact hash, the signing publisher, and the declared product. A hash with multiple prior CLEAN verdicts and no DANGEROUS history gets a small trust nudge; a publisher with a consistent track record gets another. A hash with any prior DANGEROUS verdict force-escalates the new scan to DANGEROUS as well. Reputation is grounded in what your own environment has actually observed, not on external trust services. A local denylist file at Tools/denylist.txt provides a parallel hard-block path for known-bad hashes - drop in your own list or import a feed like MalwareBazaar's daily CSV.
Persistence
Autoruns baseline captures every startup entry, service, driver, and scheduled task on each scan. When the same file is scanned a second time, void8 automatically computes a diff against the previous baseline and surfaces exactly which persistence mechanisms were added, removed, or modified - the core signal for detecting what an installer actually did to the system.
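An added Python example, not code from void8, of the baseline diff described above: two constructed CSVs in the shape of an Autoruns export (the column set is an assumption, reduced to what the diff needs) are indexed by location and entry name, then compared for added, removed and modified persistence entries.

```python
import csv
import io

# Constructed samples in the shape of an Autoruns CSV export. The column set is
# an assumption for this example; the "after" capture reflects a typical installer
# that updated its own service binary and registered an unsigned updater.
HEADER = "Entry Location,Entry,Enabled,Category,Signer,Image Path,SHA-256"
ROWS_BEFORE = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,aaaa",
    r"HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,Services,(Verified) Example Corp,c:\program files\example\svc.exe,bbbb",
]
ROWS_AFTER = ROWS_BEFORE[:1] + [
    r"HKLM\System\CurrentControlSet\Services,ExampleSvc,enabled,Services,(Verified) Example Corp,c:\program files\example\svc.exe,cccc",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,(Not verified),c:\users\analyst\appdata\roaming\updater\upd.exe,dddd",
    r"Task Scheduler,\ExampleUpdateTask,enabled,Tasks,(Not verified),c:\users\analyst\appdata\roaming\updater\upd.exe,dddd",
]
BEFORE_CSV = "\n".join([HEADER] + ROWS_BEFORE) + "\n"
AFTER_CSV = "\n".join([HEADER] + ROWS_AFTER) + "\n"

KEY = ("Entry Location", "Entry")                    # identity of a persistence entry
TRACKED = ("Enabled", "Signer", "Image Path", "SHA-256")  # fields whose change counts as "modified"


def load_baseline(csv_text: str) -> dict:
    """Index an Autoruns CSV by (location, entry name)."""
    return {tuple(row[k] for k in KEY): row for row in csv.DictReader(io.StringIO(csv_text))}


def diff_baselines(before_text: str, after_text: str) -> dict:
    """Return the entries added, removed and modified between two captures."""
    before, after = load_baseline(before_text), load_baseline(after_text)
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {}
    for k in before.keys() & after.keys():
        changed = {f: (before[k][f], after[k][f]) for f in TRACKED if before[k][f] != after[k][f]}
        if changed:
            modified[k] = changed
    return {"added": added, "removed": removed, "modified": modified}


def unsigned_additions(diff: dict) -> list:
    """New persistence without a verified signer: the rows an analyst reads first."""
    return sorted(k for k, row in diff["added"].items() if not row["Signer"].startswith("(Verified)"))
```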
Unpacking
Automatic installer unpacking via bundled 7-Zip. When a scanned file is a recognized archive or installer format (NSIS, MSI, Inno, SFX, CAB, MSIX, zip), void8 extracts it to a per-SHA-256 working directory and runs a stripped-down signature check on every PE binary found inside. Results are displayed inline as a list of child binaries with signed/unsigned badges and per-row launch buttons, so an analyst can tell at a glance whether an installer is wrapping unsigned payloads or just framework helpers - and jump straight to PeStudio on any child that warrants a closer look.
YARA
Pattern-based detection against the parent file and every PE binary extracted from it. Rules are loaded from a drop-in folder so analysts can add their own, and every rule must declare a category (malware family, suspicious behavior, packer, anti-analysis, info) and severity (high, medium, low, info) via a structured meta block that maps directly to the scoring engine. Child matches feed scoring at half weight with a per-child cap and a global cap to prevent large bundled binaries from dominating the verdict. Ships with a 15-rule starter set covering common malware families, injection techniques, LOLBin abuse, WMI persistence, commercial packers, and anti-debugging patterns.
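The following Python sketch is an added example, not void8's scoring code, that pulls together the Scoring, Reputation and YARA rules described above: severity points per rule, half-weight child matches under a per-child and a global cap, the local-history hard block and trust nudge, the publisher trust cap, and the malware-family override. All point values, thresholds and caps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Point values, thresholds and caps below are assumptions for this example,
# not void8's actual weights.
SEVERITY_POINTS = {"high": 40, "medium": 20, "low": 10, "info": 0}
PER_CHILD_CAP, GLOBAL_CHILD_CAP = 30, 60       # caps on YARA hits inside unpacked children
SUSPICIOUS_AT, DANGEROUS_AT = 30, 70

@dataclass
class YaraMatch:
    rule: str
    category: str   # malware_family | suspicious_behavior | packer | anti_analysis | info
    severity: str   # high | medium | low | info

@dataclass
class Scan:
    sha256: str
    vt_detections: int                        # positives from the VirusTotal hash lookup
    signed_by: Optional[str]                  # verified publisher, or None if unsigned
    parent_matches: List[YaraMatch] = field(default_factory=list)
    child_matches: Dict[str, List[YaraMatch]] = field(default_factory=dict)  # per extracted PE
    hash_history: List[str] = field(default_factory=list)  # prior verdicts for this exact hash
    denylist: Set[str] = field(default_factory=set)        # hashes from Tools/denylist.txt

def yara_points(scan: Scan) -> int:
    parent = sum(SEVERITY_POINTS[m.severity] for m in scan.parent_matches)
    # child matches count at half weight, capped per child and then globally
    children = sum(min(PER_CHILD_CAP, sum(SEVERITY_POINTS[m.severity] // 2 for m in ms))
                   for ms in scan.child_matches.values())
    return parent + min(GLOBAL_CHILD_CAP, children)

def verdict(scan: Scan, trusted_publishers: Set[str]) -> str:
    # hard blocks: local denylist hit or any prior DANGEROUS verdict for this hash
    if scan.sha256 in scan.denylist or "DANGEROUS" in scan.hash_history:
        return "Dangerous"
    score = min(60, 3 * scan.vt_detections) + (0 if scan.signed_by else 15) + yara_points(scan)
    if scan.hash_history and all(v == "CLEAN" for v in scan.hash_history):
        score -= 10                           # small trust nudge from a clean local record
    level = "Dangerous" if score >= DANGEROUS_AT else "Suspicious" if score >= SUSPICIOUS_AT else "Clean"
    # publisher trust cap: a recognised signer with a quiet VT result is softened one step
    if level == "Dangerous" and scan.signed_by in trusted_publishers and scan.vt_detections <= 2:
        level = "Suspicious"
    # a malware-family rule hit overrides the cap regardless of signature state
    all_matches = scan.parent_matches + [m for ms in scan.child_matches.values() for m in ms]
    if any(m.category == "malware_family" for m in all_matches):
        level = "Dangerous"
    return level
```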
Indicators
Fast ASCII and UTF-16LE strings extraction over the first 5 MB of the file via a compiled C# helper, followed by regex extraction of URLs, IPv4 addresses, domains, registry paths, and references to suspicious Windows APIs. Aggressive benign-host filtering removes the certificate-authority and Microsoft schema noise present in every signed PE. Extracted indicators are then checked against URLhaus (free, keyless, always on) and optionally against AbuseIPDB and AlienVault OTX when API keys are configured. Hits feed both the verdict scoring and the AI prompt, so the local model has actual binary content to reason about rather than metadata alone. Lookups are cached to disk so repeated scans of the same dropper do not re-hit the feeds, and a hard global cap prevents one noisy file from burning rate limits.
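As an added example (not void8's compiled helper), the indicator extraction described above in Python: ASCII and UTF-16LE strings from the first 5 MB, regex extraction of URLs, IPv4 addresses, domains, registry paths and selected API names, and benign-host filtering. The API list, the benign suffix list and the sample byte blob are constructed for this example.

```python
import re
from urllib.parse import urlsplit

MIN_LEN, MAX_BYTES = 6, 5 * 1024 * 1024            # void8 scans the first 5 MB
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

URL_RE = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[^\s\"'<>]*)?", re.I)
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|biz|ru|xyz|top)\b", re.I)
REGKEY_RE = re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[\w\\ .-]+", re.I)
# API names commonly flagged in static triage; the list is an assumption for this example
SUSPICIOUS_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "SetWindowsHookExW", "IsDebuggerPresent", "URLDownloadToFileW"}
# hosts present in nearly every signed PE (certificate and schema references); assumed list
BENIGN_HOST_SUFFIXES = ("microsoft.com", "digicert.com", "globalsign.com", "sectigo.com", "w3.org")


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs plus UTF-16LE runs from the first MAX_BYTES of the file."""
    data = data[:MAX_BYTES]
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_strs = [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return ascii_strs + wide_strs


def is_benign_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES)


def extract_indicators(data: bytes) -> dict:
    text = "\n".join(extract_strings(data))
    urls = {u for u in URL_RE.findall(text) if not is_benign_host(urlsplit(u).hostname or "")}
    domains = {d for d in DOMAIN_RE.findall(text) if not is_benign_host(d)}
    apis = set(re.findall(r"\b\w+\b", text)) & SUSPICIOUS_APIS
    return {"urls": sorted(urls), "ipv4": sorted(set(IPV4_RE.findall(text))),
            "domains": sorted(domains), "registry": sorted(set(REGKEY_RE.findall(text))),
            "apis": sorted(apis)}


def sample_blob() -> bytes:
    """Constructed stand-in for the head of a PE: ASCII and UTF-16LE strings between nulls."""
    return (b"MZ\x90\x00\x03\x00" + b"\x00" * 8
            + b"http://cdn.example.com/setup.bin\x00\x00"
            + "http://schemas.microsoft.com/SMI/2005/WindowsSettings".encode("utf-16-le") + b"\x00\x00"
            + b"198.51.100.23\x00CreateRemoteThread\x00"
            + rb"HKCU\Software\Microsoft\Windows\CurrentVersion\Run" + b"\x00")
```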
Reports
Every scan and state snapshot is persisted as a structured JSON report on disk, with the full Autoruns CSV embedded for later comparison. The browser interface includes a Reports and History view to browse past scans, reload them, download them as JSON, or capture standalone system state snapshots for use as before/after baselines around manual installs.
AI Analysis
After automated scanning completes, results are sent to a local Ollama instance for a contextual second opinion. The model receives full void8 environment context including extracted IOCs, local reputation history, and provenance, and uses verdict-aware prompting to give targeted, actionable guidance: clean files get a brief reassurance summary, suspicious files get specific PeStudio tab recommendations and dynamic analysis steps. Runs entirely on local hardware with no data leaving your network. Model choice is configurable - tested with qwen2.5:14b and the Llama 3 family.
Sigcheck
Sysinternals. File signatures, entropy, VirusTotal hash lookup.
PeStudio
Static PE analysis. Imports, strings, sections, embedded resources.
Autoruns
Sysinternals. Persistence mechanism enumeration and diffing.
Process Monitor
Sysinternals. Real-time file, registry, and process activity.
System Informer
Live process tree, network connections, DLLs, services.
Regshot
Registry snapshot and diff for pre/post install comparison.
YARA
Pattern-based detection with a drop-in rule folder and category-weighted scoring.

What's coming

Next
Automated Dynamic Analysis
One-click dynamic analysis that launches Process Monitor with pre-configured filters, executes the sample, waits a configurable duration, captures the results, diffs the Autoruns baseline, and appends everything to the static report. Correlates with INetSim network simulation for isolated environments.
Planned
macOS and Linux Versions
Platform-native analysis environments using equivalent tooling. macOS version targeting Mach-O binary analysis with codesign verification, while the Linux version covers ELF binaries with readelf, strace, and YARA integration. Same browser-based frontend, same scoring model, adapted for each platform's binary formats and signing mechanisms. Likely written in Go for cross-platform single-binary distribution.
Planned
Kasm Workspace Integration
Pre-built Kasm workspace image with void8 pre-installed. Upload files through Kasm's browser interface, analyze in the isolated workspace, and discard the session. Zero local footprint.