Presented at DEF CON 33 (2025), Aug. 8, 2025, 11 a.m. (45 minutes).
BOAZ (Bypass, Obfuscate, Adapt, Zero-Trust) evasion was inspired by the concept of a multi-layered approach, the evasive counterpart of defence-in-depth, first proposed in a presentation at BH USA14. BOAZ was developed to provide greater control over combinations of evasion methods, enabling more granular evaluations against antivirus and EDR. It is designed to bypass pre-execution, runtime, and post-execution detections that span signature, heuristic, and behavioural detection mechanisms. BOAZ accepts either an x86/x64 binary (PE) or a raw payload as input and produces an EXE or DLL as output. It has been tested on separate Windows 11 Enterprise, Windows 10, and Windows Server 2022 VMs with 14 desktop AVs and 7 EDRs installed, including Windows Defender, Norton, BitDefender, Sophos, and ESET. The design of BOAZ evasion is modular, so users can add their own toolset or techniques to the framework. BOAZ is written in C++ and C and uses Python3 as the main linker to integrate all modules. There have been significant improvements implemented since its inception. The new version of the BOAZ evasion tool, set for release at DEF CON 33, will feature three novel threadless process injection primitives, along with newly implemented loaders and behavioural evasion techniques.
Presenters:
- Thomas "XM20" Xuan Meng
Thomas is a cybersecurity researcher, reverse engineer, and developer with a diverse background in policing, academia, and civil service. He holds a PhD in Computational Engineering, an MPhil in Criminological Research, and a BSc in Mathematics, and was awarded a university medal in Cybersecurity from Edinburgh Napier University.