
What is Demon?

Demon is Havoc Framework’s primary post-exploitation agent, written in C and assembly. It is designed to be a modern, malleable, and stealthy command and control agent with advanced evasion capabilities.

Key Characteristics

Implementation

  • Language: Written in C and x64/x86 assembly
  • Architecture Support: Full x64 and x86 support
  • Format Options: Windows PE executable (EXE), Dynamic Link Library (DLL), and raw shellcode
  • Reflective Loading: Includes KaynLdr reflective loader for in-memory execution

Design Philosophy

Demon is built with operational security (OPSEC) as a core principle:

Evasion First

Indirect syscalls, return address spoofing, and sleep obfuscation techniques built-in

Modular Architecture

Organized codebase with clear separation between core, injection, crypto, and execution modules

Minimal Footprint

Dynamic API resolution: modules are located by walking the PEB loader lists and exports are matched by hashed name, so the API names the agent uses need not appear in the binary as strings or import-table entries

Flexible Execution

Support for BOF/COFF execution, .NET assemblies, and shellcode injection

Source Code Structure

The Demon agent source is organized into logical directories:
Directory    Description
src/asm      Assembly code for return address stack spoofing and syscall stubs
src/core     Core functionality including transport, Win32 API resolution, and syscalls
src/crypt    AES encryption/decryption for C2 communications
src/inject   Process injection techniques and utilities
src/main     Entry points for PE executable, DLL, and service binaries

Core Capabilities

Evasion Techniques

Demon reads a clean copy of ntdll.dll from disk to recover the system service numbers (SSNs) of the native functions it needs and builds its own syscall stubs from them, so the inline hooks an EDR has placed in the loaded ntdll.dll are never executed. The syscalls are issued indirectly: instead of executing a `syscall` instruction from agent memory, control jumps to a `syscall; ret` inside the legitimate ntdll.dll mapping, so the return address that a process instrumentation callback inspects points into ntdll.dll rather than into the agent.
On x64, Demon spoofs the return address stack so that the real return address into agent memory is hidden during function calls. A scanner that unwinds the thread's call stack then sees frames in legitimate modules rather than a frame pointing at unbacked agent memory.
Multiple sleep obfuscation techniques (Ekko, Zilean, FOLIAGE) encrypt the agent's memory image while it sleeps, so a memory scan that runs during the sleep interval finds only ciphertext. The image must be decrypted while the agent is active, so a scan timed to that window still sees the plaintext agent; the protection grows with the share of its lifetime the agent spends asleep.
Demon can patch AMSI (Antimalware Scan Interface) and ETW (Event Tracing for Windows) in memory, either by overwriting the relevant function bytes or by setting hardware breakpoints that divert execution without modifying code, so that the scripts and .NET assemblies it loads are not scanned and the ETW providers in its process stop emitting telemetry. The hardware-breakpoint variant leaves the function bytes intact, which defeats scanners that compare AmsiScanBuffer or the ETW write routines against their on-disk copies.
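Two of the pieces above can be shown portably: the hash-based export lookup (the Minimal Footprint point under Design Philosophy) and the recovery of an SSN and a `syscall; ret` address from a clean copy of ntdll.dll. The following is an added example, not Demon's own code. It builds two constructed PE32+ images in memory, a clean "on-disk" copy and a "mapped" copy whose ZwAllocateVirtualMemory prologue has been overwritten with an EDR-style jmp, resolves the export by hash, reads the SSN from the clean copy, and locates the `syscall; ret` gadget in the mapped copy. The hash function, export names, RVAs, sample SSN values and stub bytes are all made up for the demonstration; the PEB walk that finds ntdll's base in a live process is Windows-only and is left out, so the image base here is simply the buffer.

```c
/* Added example, not Demon's code: hash-based export lookup plus SSN and
 * `syscall; ret` recovery over two constructed PE32+ images (a clean "on-disk"
 * copy and a "mapped" copy carrying an EDR-style inline hook). Hash function,
 * export names, RVAs, SSN values and stub bytes are all made up. RVAs are used
 * directly as buffer offsets, as for a loaded module; a file read from disk
 * would also need RVA-to-file-offset translation via the section table. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint32_t rva, size; } data_dir_t;
typedef struct {
    uint32_t signature; uint8_t file_hdr[20];
    uint16_t magic;            /* 0x20b = PE32+ */
    uint8_t  opt_rest[110];    /* optional-header fields between Magic and DataDirectory */
    data_dir_t data_dir[16];   /* [0] = export directory */
} nt_hdr64_t;
typedef struct {
    uint32_t characteristics, timestamp; uint16_t major, minor;
    uint32_t name, base, num_funcs, num_names, addr_funcs, addr_names, addr_ordinals;
} export_dir_t;
#pragma pack(pop)

/* Illustrative FNV-1a: the agent embeds precomputed hashes, never API name strings. */
uint32_t hash_name(const char *s) {
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

static const export_dir_t *export_dir(const uint8_t *img) {
    const dos_hdr_t *dos = (const dos_hdr_t *)img;
    if (dos->e_magic != 0x5A4D) return NULL;                              /* "MZ" */
    const nt_hdr64_t *nt = (const nt_hdr64_t *)(img + dos->e_lfanew);
    if (nt->signature != 0x4550 || nt->magic != 0x20b) return NULL;      /* "PE\0\0", PE32+ */
    return nt->data_dir[0].rva ? (const export_dir_t *)(img + nt->data_dir[0].rva) : NULL;
}

/* Walks the export name table; returns the function RVA whose name hashes to `want`, or 0. */
uint32_t find_export_by_hash(const uint8_t *img, uint32_t want) {
    const export_dir_t *ed = export_dir(img);
    if (!ed) return 0;
    const uint32_t *names = (const uint32_t *)(img + ed->addr_names);
    const uint16_t *ords  = (const uint16_t *)(img + ed->addr_ordinals);
    const uint32_t *funcs = (const uint32_t *)(img + ed->addr_funcs);
    for (uint32_t i = 0; i < ed->num_names; i++)
        if (hash_name((const char *)(img + names[i])) == want) return funcs[ords[i]];
    return 0;
}

/* SSN from an intact x64 stub (4C 8B D1 B8 <imm32>); -1 if the prologue was overwritten. */
int ssn_from_stub(const uint8_t *stub) {
    if (stub[0] == 0x4C && stub[1] == 0x8B && stub[2] == 0xD1 && stub[3] == 0xB8)
        return stub[4] | (stub[5] << 8);
    return -1;
}

/* Offset of `syscall; ret` (0F 05 C3) inside a stub, the indirect-syscall jump target; -1 if absent. */
int syscall_ret_offset(const uint8_t *stub, size_t len) {
    for (size_t i = 0; i + 2 < len; i++)
        if (stub[i] == 0x0F && stub[i + 1] == 0x05 && stub[i + 2] == 0xC3) return (int)i;
    return -1;
}

/* Constructed images and export set (sample SSN values; -1 marks a non-syscall export). */
#define IMG_SIZE 0x2000
_Alignas(16) uint8_t g_disk[IMG_SIZE], g_mapped[IMG_SIZE];
static const struct { const char *name; uint32_t rva; int ssn; } k_exports[] = {
    { "ZwClose", 0x1000, 0x0F }, { "ZwAllocateVirtualMemory", 0x1020, 0x18 },
    { "ZwProtectVirtualMemory", 0x1040, 0x50 }, { "RtlInitUnicodeString", 0x1100, -1 },
};

/* Builds headers, export table and Windows-10-shaped x64 stubs; with `hooked`, the
 * ZwAllocateVirtualMemory prologue is replaced by a jmp rel32 as an EDR would do. */
const uint8_t *build_image(uint8_t *img, int hooked) {
    static const uint8_t stub[] = { 0x4C,0x8B,0xD1, 0xB8,0,0,0,0, 0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
                                    0x75,0x03, 0x0F,0x05,0xC3, 0xCD,0x2E,0xC3 };
    memset(img, 0, IMG_SIZE);
    dos_hdr_t *dos = (dos_hdr_t *)img;  dos->e_magic = 0x5A4D;  dos->e_lfanew = 0x40;
    nt_hdr64_t *nt = (nt_hdr64_t *)(img + 0x40);  nt->signature = 0x4550;  nt->magic = 0x20b;
    nt->data_dir[0].rva = 0x200;  nt->data_dir[0].size = sizeof(export_dir_t);
    export_dir_t *ed = (export_dir_t *)(img + 0x200);
    uint32_t n = sizeof k_exports / sizeof k_exports[0], str = 0x400;
    ed->base = 1;  ed->num_funcs = ed->num_names = n;
    ed->addr_funcs = 0x300;  ed->addr_names = 0x340;  ed->addr_ordinals = 0x380;
    for (uint32_t i = 0; i < n; i++) {
        ((uint32_t *)(img + 0x300))[i] = k_exports[i].rva;   /* AddressOfFunctions */
        ((uint32_t *)(img + 0x340))[i] = str;                 /* AddressOfNames */
        ((uint16_t *)(img + 0x380))[i] = (uint16_t)i;         /* AddressOfNameOrdinals */
        strcpy((char *)img + str, k_exports[i].name);
        str += (uint32_t)strlen(k_exports[i].name) + 1;
        if (k_exports[i].ssn < 0) continue;
        memcpy(img + k_exports[i].rva, stub, sizeof stub);
        img[k_exports[i].rva + 4] = (uint8_t)k_exports[i].ssn;
    }
    if (hooked) { img[0x1020] = 0xE9; memset(img + 0x1021, 0x11, 4); }  /* jmp rel32 hook */
    return img;
}

int main(void) {
    const uint8_t *disk = build_image(g_disk, 0), *mapped = build_image(g_mapped, 1);
    uint32_t want = hash_name("ZwAllocateVirtualMemory");  /* a real agent embeds this constant */
    uint32_t rva = find_export_by_hash(mapped, want);      /* identical RVA in both copies */
    printf("rva=%#x mapped ssn=%d disk ssn=%d syscall;ret at +%d\n", rva,
           ssn_from_stub(mapped + rva), ssn_from_stub(disk + rva), syscall_ret_offset(mapped + rva, 32));
    return 0;
}
```

The hooked mapping yields no SSN (the `mov eax, imm32` has been overwritten) while the clean copy yields 0x18, and the `syscall; ret` gadget is still present at offset 18 of the hooked stub, which is exactly the split an indirect-syscall agent relies on: number from disk, gadget from the live ntdll.dll. Against a real ntdll.dll the packed structures correspond to IMAGE_DOS_HEADER, IMAGE_NT_HEADERS64 and IMAGE_EXPORT_DIRECTORY, and a file read from disk needs each RVA translated to a file offset through the section table before any of these reads.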

Execution Methods

  • BOF/COFF Loader: Execute Beacon Object Files (BOFs) and COFF objects in-memory
  • .NET Assembly Execution: Load and execute .NET assemblies via CLR hosting
  • Shellcode Injection: Multiple injection techniques with syscall or Win32 API options
  • Process Hollowing: Spawn sacrificial processes and run jobs inside them (fork-and-run), so a job that crashes or gets detected does not take the agent process down
  • Token Manipulation: Comprehensive token theft, impersonation, and privilege escalation

Communication

  • Transport Protocols: HTTP/HTTPS and SMB named pipes
  • Encryption: AES-256 encryption for all C2 traffic
  • Malleable Profiles: Configurable HTTP headers, URIs, User-Agent strings
  • Proxy Support: Automatic proxy detection and configuration

Configuration Options

Demon’s behavior can be configured both at compile-time and runtime:
  • Sleep mask technique selection
  • Indirect syscalls vs Win32 APIs
  • Stack spoofing enablement
  • Proxy loading method (how library loads are reached indirectly so the call does not originate from agent memory)
  • AMSI/ETW patching technique

Command Structure

Demon implements a comprehensive command dispatcher that handles:
  • Process management and enumeration
  • File system operations
  • Token and privilege management
  • Network and domain enumeration
  • Kerberos ticket operations
  • Job management for long-running tasks
  • Screenshot capture
  • Pivot operations (SMB)
All commands are documented in detail in the Commands reference.

Multi-Threading Support

Demon implements a job management system for handling concurrent operations:
  • Long-running tasks execute in separate threads
  • Jobs can be suspended, resumed, or killed
  • Thread-safe package queue for C2 communications
Sleep obfuscation is suspended while job threads are running: if the agent encrypted its image while a job thread was still executing code or reading data inside it, that thread would fault or read garbage. The trade-off is that the agent stays in plaintext in memory for as long as a job runs.

Next Steps

Generate Payloads

Learn how to generate Demon payloads via the Havoc client

Explore Features

Deep dive into Demon’s evasion and execution capabilities

Command Reference

Complete reference of all Demon commands

Sleep Obfuscation

Configure sleep obfuscation techniques