void8
Security Analysis Toolkit
A lightweight, self-hosted file analysis platform for making informed allowlist decisions. Drop a file, get a verdict. Open source and built for security teams, MSPs, and homelabs.

What is void8?

void8 is a portable analysis environment that runs on a disposable Windows VM. It combines automated static analysis tools with a browser-based frontend to give you a fast, structured answer to one question: should I trust this file?

Instead of juggling multiple tools and manually cross-referencing results, void8 runs the full analysis pipeline in seconds and presents a scored verdict with supporting evidence. When the automated analysis is inconclusive, the integrated workflow guides you through manual dynamic analysis using registry snapshots, persistence diffing, and live process monitoring.

The entire setup deploys from a single zip file. One double-click installs everything onto a clean Windows LTSC VM, launches the analysis server, and opens the browser interface. Analyze files, revert to a clean snapshot, repeat.

What's in the toolkit

void8 v1 ships as a self-contained PowerShell server with a separate HTML frontend, designed for a single-zip drop deployment on a disposable Windows VM. The analysis engine combines native Windows APIs with established security tools.

Frontend
Browser-based drag-and-drop interface at localhost:8080. Drop a file or paste a path, get a scored report with collapsible detail sections. Includes workflow guidance for both static and dynamic analysis.
Signatures
Digital signature verification via PowerShell's native Get-AuthenticodeSignature. Identifies the signer, certificate validity, and publisher without relying on third-party parsers.
VirusTotal
Automated hash lookup via Sigcheck. Submits SHA-256 to VirusTotal and returns the detection ratio from 70+ AV engines without uploading the file itself.
Scoring
Weighted risk scoring across multiple signals: VT detections, signature status, file entropy, extension mismatches, and PE characteristics. Maps to three verdicts: Clean, Suspicious, Dangerous.
Persistence
Autoruns baseline captures every startup entry, service, driver, and scheduled task on each scan. When the same file is scanned a second time, void8 automatically computes a diff against the previous baseline and surfaces exactly which persistence mechanisms were added, removed, or modified - the core signal for detecting what an installer actually did to the system.
Reports
Every scan and state snapshot is persisted as a structured JSON report on disk, with the full Autoruns CSV embedded for later comparison. The browser interface includes a Reports and History view to browse past scans, reload them, download them as JSON, or capture standalone system state snapshots for use as before/after baselines around manual installs.
AI Analysis
After automated scanning completes, results are sent to a local Ollama instance running Qwen 2.5 14B by default for a contextual second opinion. The model receives full void8 environment context and uses verdict-aware prompting to give targeted, actionable guidance: clean files get a brief reassurance summary, suspicious files get specific PeStudio tab recommendations and dynamic analysis steps. The model is set by a single-line configuration change, so the analyst can swap in any Ollama-supported model that fits their hardware. Runs entirely on local hardware with no data leaving your network.
Sigcheck
Sysinternals. File signatures, entropy, VirusTotal hash lookup.
PeStudio
Static PE analysis. Imports, strings, sections, embedded resources.
Autoruns
Sysinternals. Persistence mechanism enumeration and diffing.
Process Monitor
Sysinternals. Real-time file, registry, and process activity.
System Informer
Live process tree, network connections, DLLs, services.
Regshot
Registry snapshot and diff for pre/post install comparison.
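
The before/after comparison described under Persistence, as an added PowerShell example that is not void8's own code: it keys each Autoruns row on entry location plus entry name and reports added, removed, and modified entries. The CSV rows are constructed, and the column names (an assumed subset of what autorunsc writes with -c and -h) and the function name Compare-AutorunsBaseline are assumptions.

```powershell
# Added example, not void8 source. Rows are constructed; column names are an
# assumed subset of the CSV that autorunsc writes with -c and -h.
$before = @'
"Entry Location","Entry","Enabled","Image Path","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleTray","enabled","c:\program files\example\tray.exe","CONSTRUCTED-HASH-1"
"HKLM\System\CurrentControlSet\Services","ExampleSvc","enabled","c:\program files\example\svc.exe","CONSTRUCTED-HASH-2"
"Task Scheduler","\ExampleUpdater","enabled","c:\program files\example\update.exe","CONSTRUCTED-HASH-3"
'@ | ConvertFrom-Csv
$after = @'
"Entry Location","Entry","Enabled","Image Path","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ExampleTray","enabled","c:\program files\example\tray.exe","CONSTRUCTED-HASH-1"
"HKLM\System\CurrentControlSet\Services","ExampleSvc","enabled","c:\programdata\example\svc.exe","CONSTRUCTED-HASH-4"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","NewAgent","enabled","c:\users\public\agent.exe","CONSTRUCTED-HASH-5"
'@ | ConvertFrom-Csv

function Compare-AutorunsBaseline {
    param([object[]]$Before, [object[]]$After)
    $fields = 'Enabled', 'Image Path', 'SHA-256'   # state compared per entry
    $index  = @{}                                   # hashtable keys are case-insensitive
    foreach ($row in $Before) { $index["$($row.'Entry Location')|$($row.Entry)"] = $row }
    foreach ($row in $After) {
        $key = "$($row.'Entry Location')|$($row.Entry)"
        if (-not $index.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added'; Entry = $key; Detail = $row.'Image Path' }
            continue
        }
        $old = $index[$key]
        $index.Remove($key)
        # Same entry in both snapshots: list the fields whose values differ.
        $changed = @($fields | Where-Object { $old.$_ -ne $row.$_ })
        if ($changed.Count) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $key; Detail = ($changed -join ', ') }
        }
    }
    # Whatever is still indexed existed in the baseline and is gone now.
    foreach ($key in $index.Keys) {
        [pscustomobject]@{ Change = 'Removed'; Entry = $key; Detail = $index[$key].'Image Path' }
    }
}

Compare-AutorunsBaseline -Before $before -After $after | Format-Table -AutoSize
```

On the sample data this reports NewAgent as Added, ExampleSvc as Modified (Image Path, SHA-256), and \ExampleUpdater as Removed. A service whose image path moves while its name stays the same only shows up because the comparison covers path and hash, not just entry names.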

What's coming

Next
Automated Dynamic Analysis
One-click dynamic analysis that launches Process Monitor with pre-configured filters, executes the sample, waits a configurable duration, captures the results, diffs the Autoruns baseline, and appends everything to the static report. Correlates with INetSim network simulation for isolated environments.
Planned
macOS and Linux Versions
Platform-native analysis environments using equivalent tooling. The macOS version targets Mach-O binary analysis with codesign verification, while the Linux version covers ELF binaries with readelf, strace, and YARA integration. Same browser-based frontend, same scoring model, adapted for each platform's binary formats and signing mechanisms. Likely written in Go for cross-platform single-binary distribution.
Planned
Kasm Workspace Integration
Pre-built Kasm workspace image with void8 pre-installed. Upload files through Kasm's browser interface, analyze in the isolated workspace, and discard the session. Zero local footprint.