A powerful, instrumentable, real-time malware analysis platform
Requires a 64-bit Windows 10 22H2 (or later) virtual machine.
Important
Blackbird performs kernel-level instrumentation and, depending on configuration, may affect system stability.
Always run it inside a controlled virtual machine, never on a system that holds important data.
- Fully fledged analysis interface
- Kernel-backed
- Integrated heuristics & detections
- Detailed overview and inspection of process-activity
- WPA-like event-viewing graph
- Target execution control
- Target API hooking
- API call analyzer & graph
- API call argument observation
- Full symbol resolution
- Thread & Thread-stack analyzers
- Memory analyzer & Disassembler
- Registry activity overview
- File activity overview
- Process-relations & child processes overview
- Handles overview
- Network overview
- ETW overview
- COM overview
- Performance analytics
- Configurable & Importable YARA rules
- Diagnostics suite
- Remote control via host
- No external dependencies or libraries required
Please use this project board to open issues & enhancement requests. The board also loosely tracks live development.
The introduction, installation guide, architecture, security notes & manual are provided here.
Session archives are stored as .bkcap (SQLite + LZ4). Detection reference scenarios are in DetectionExamples.exe.
You need Visual Studio 2022 or later with the Windows Driver Kit (WDK) and the .NET desktop development workload installed.
Clone Blackbird:
git clone https://github.com/8damon/Blackbird
Open Blackbird.slnx, select the Release configuration & build.
- BlackbirdOperator.exe is WIP. The communications channel is currently in development & not supported.
- YARA, MITRE & SIGMA rules + memory scanning for YARA are WIP, currently not supported.
- Some executables, when launched, fail with ERROR_BAD_IMPERSONATION_LEVEL (1346). This is a known bug and the root cause is being identified.
- "Uplink Failed" / "Service Not Found": the installer script Installer.ps1 was not run. It is required to start the service & install the driver.
- The memory page inspector is WIP. File-backings & some visual bugs are present.
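A preflight check for the requirements stated above (a 64-bit Windows 10 22H2 or later guest, inside a VM) and for the "Service Not Found" case, as an added PowerShell example; it is not part of the Blackbird project. Build 19045 is Windows 10 22H2, so later Windows 10 and all Windows 11 builds pass. The -ServiceName parameter is an assumption: the README does not name the service that Installer.ps1 registers, so pass whatever name it creates on your machine if you want that check.

```powershell
# Blackbird preflight check (added example, not part of the Blackbird project).
# Run this in the guest before Installer.ps1 loads the kernel driver.
[CmdletBinding()]
param(
    # Assumed parameter: the README names no service, so the caller supplies it.
    [string]$ServiceName
)

$minBuild = 19045   # Windows 10 22H2; Windows 11 builds are higher and also pass
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$ok = $true

# 1. OS build: Windows 10 22H2 or later.
$build = [int]$os.BuildNumber
if ($build -lt $minBuild) {
    Write-Warning "OS build $build is below $minBuild (Windows 10 22H2)."
    $ok = $false
} else {
    Write-Host "OS build $build OK ($($os.Caption))"
}

# 2. Architecture: 64-bit only.
if (-not [Environment]::Is64BitOperatingSystem) {
    Write-Warning "32-bit Windows detected; Blackbird requires 64-bit."
    $ok = $false
}

# 3. Refuse bare metal: kernel instrumentation may destabilise the system,
#    so the README requires a controlled VM.
if (-not $cs.HypervisorPresent) {
    Write-Warning "No hypervisor detected; run Blackbird inside a VM, not on a physical host."
    $ok = $false
} else {
    Write-Host "Hypervisor present (model: $($cs.Model))"
}

# 4. Optional: confirm the service Installer.ps1 creates exists and is running,
#    which is the cause of the 'Uplink Failed' / 'Service Not Found' errors.
if ($ServiceName) {
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning "Service '$ServiceName' not found; run Installer.ps1 first."
        $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "Service '$ServiceName' is $($svc.Status), not Running."
        $ok = $false
    } else {
        Write-Host "Service '$ServiceName' is running."
    }
}

if ($ok) { Write-Host "Preflight passed." } else { exit 1 }
```

Caveat: Win32_ComputerSystem.HypervisorPresent is also true on a physical host that has Hyper-V, WSL2 or Credential Guard enabled, so it only catches the obvious bare-metal case; if the Model field reports your physical hardware rather than a VM product, treat the machine as a host and do not install the driver there.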
Note
Some instability or unexpected behaviour may occur due to the low-level nature of the platform; this is expected during development.
