
Veil – A Payload Generator to Bypass Antivirus

Posted by Christopher Truncer on May 30, 2013 in Featured Category, IT Security | 117 comments

NOTE: Please, be kind, and don’t submit any payloads to ANY online virus scanner!

On nearly every assessment, pen testers have to fight a battle against antivirus solutions. The level of effort that goes into each “battle” depends on the AV solution, its definitions, etc. Researching methods to bypass antivirus solutions has been an interest of mine on and off for the past 6 months. About two months ago I started to take a more serious look at how I could take my recent research and turn it into something that was more usable and useful. I set out with a couple of goals:

- Bypass common AV solutions that I/we routinely encounter in most network environments
- Utilize payloads that are compatible with the Metasploit framework, and expand upon these in future releases
- Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV. Since I wanted to maintain Metasploit compatibility, I chose to use shellcode generated by the Metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, had already begun to develop. From their research, I learned about really interesting ways to inject shellcode into memory through Python. These methods were the foundation of the rest of my research.

Since the majority of our assessments are against predominantly Windows environments, it was important that the tool worked reliably against these systems. Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine. One of the solutions I looked into was using Py2Exe. I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same. I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I stuck with that solution. The final part was for me to develop a tool that automated the payload generation process, and I’m happy to release Veil.

Note: Please be sure to check out https://www.veil-evasion.com, Veil’s website for the latest tutorials, updates, and repo location.

Veil - A Payload Generator to Bypass Antivirus | Christopher Truncer's W... https://www.christophertruncer.com/veil-a-payload-generator-to-bypass-a...

1 of 23 10/30/2013 12:44 AM


Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in meterpreter connections. Veil provides the user with the option of using either Pyinstaller or Py2Exe to convert their Python payload into an executable. With Pyinstaller, Veil users can have their file converted into an executable entirely within Kali, without needing a second VM/machine. When using Py2Exe, Veil will generate the three files required to create the final executable: a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. The executable file can be dropped anywhere, on any Windows system, as all required libraries are stored within the exe file. Once dropped on a system and executed, the payload will result in a meterpreter callback that is undetected by AV.
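The paragraph above describes how a Pyinstaller build bundles the Python payload and every library it needs into a single exe. As an added example (not Veil’s own code), the script below is the defender’s counterpart to that packaging: it recognises a PyInstaller --onefile archive by the trailing archive cookie, parses the cookie’s leading fields, and reports the Python version the binary carries. The magic bytes and cookie layout come from PyInstaller’s CArchive format, not from this post, and the sample input is constructed inline.

```python
"""Triage helper: spot a PyInstaller --onefile archive appended to a Windows EXE.

Added example, not Veil's code. PyInstaller --onefile builds append a CArchive
to the bootloader EXE and terminate it with a "cookie" that begins with the
magic bytes MEI\x0c\x0b\x0a\x0b\x0e, followed by big-endian fields:
    archive length, TOC offset, TOC length, Python version (major*10 + minor).
Later PyInstaller versions append a 64-byte Python DLL name after those
fields; the leading fields are unchanged, so this parser reads only that
common prefix.
"""
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_PREFIX = "!8sIIii"                            # magic, len, TOC pos, TOC len, pyvers
COOKIE_PREFIX_LEN = struct.calcsize(COOKIE_PREFIX)   # 24 bytes


def find_pyinstaller_cookie(data):
    """Return a dict describing the archive if `data` looks like a PyInstaller
    onefile build, else None. Scans from the end, since the cookie trails the
    archive, and sanity-checks the fields so a stray 8-byte match in random
    data is not reported."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_PREFIX_LEN > len(data):
        return None
    magic, archive_len, toc_pos, toc_len, pyvers = struct.unpack_from(
        COOKIE_PREFIX, data, pos)
    if toc_pos + toc_len > archive_len or archive_len > len(data):
        return None
    # 27 == Python 2.7, the interpreter Veil targets; the two-digit encoding
    # covers the Python 2 and early Python 3 era this post is about.
    if not (20 <= pyvers <= 99):
        return None
    return {
        "cookie_offset": pos,
        "archive_len": archive_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": "%d.%d" % divmod(pyvers, 10),
    }


def triage(data):
    """One-line verdict for a sample. A hit means 'PyInstaller-packed', which
    many legitimate Python tools are too, so it is a triage lead to pair with
    other evidence, not a malware verdict on its own."""
    info = find_pyinstaller_cookie(data)
    if info is None:
        return "no PyInstaller onefile archive found"
    return "PyInstaller onefile archive (Python %s, %d-byte archive) at offset %d" % (
        info["python_version"], info["archive_len"], info["cookie_offset"])


def build_sample(python_version=27, payload=b"PYZ" + b"\x00" * 500):
    """Constructed stand-in for a packed EXE: a fake DOS stub (not a real PE),
    an opaque payload blob, an empty table of contents, and a trailing cookie
    laid out the way PyInstaller 2.x writes it."""
    header = b"MZ" + b"\x90" * 126
    toc = b"\x00" * 32
    archive = payload + toc
    archive_len = len(archive) + COOKIE_PREFIX_LEN
    cookie = struct.pack(COOKIE_PREFIX, PYINSTALLER_MAGIC, archive_len,
                         len(payload), len(toc), python_version)
    return header + archive + cookie


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(b"MZ" + b"\x00" * 4096))
```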

I’ve tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and “in the wild,” and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn’t deter an actual adversary.


Setup:

For Kali:

1. Run the setup script (setup.sh) and follow the installation process.
2. Once the setup script has completed, delete the setup script.

For Windows (when using Py2Exe):

1. Install Python 2.7 - (tested with x86 – http://www.python.org/download/releases/2.7/)
2. Install Py2Exe - (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
3. Install PyCrypto - (http://www.voidspace.org.uk/python/modules.shtml)

Instructions for Use:

1. Run Veil from Kali and generate your payload.
2. If using Pyinstaller, your payload will be converted into an executable and is available for immediate use.
3. If using Py2Exe:
   - Move the payload.py along with its two accompanying files onto your Windows machine (that already has Python and the other dependencies from above installed). All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
   - Run the batch script to convert the Python payload into an executable format.
4. Place the payload file on your target machine through any means necessary!

Future Direction:

- Research new methods of encrypting or obfuscating the payload.
- Research other languages with direct access to the Windows API for delivering the payload.

Want to play with Veil? Feel free to do so. Download, clone, do anything you’d like with it. You can download Veil here - https://github.com/veil-evasion/Veil.

I hope that it can help others on their tests just as it has helped me. Please, if anyone has additional functionality they would like to add, I’d love to have input from the community!

To learn how to effectively use Veil on assessments, and other Red Team techniques, check out our class at Blackhat USA 2013! And check out our Pen Testing class as well!

References:

Dave Kennedy - http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf

Debasish Mandal - http://www.debasish.in/2012/04/execute-shellcode-using-python.html

117 Responses to “Veil – A Payload Generator to Bypass Antivirus”

DoesNotMatter says: May 30, 2013 at 9:52 am

I’ve been using this technique in my custom code for quite some time. One recommendation — create template files, rather than creating it with all the Payloadfile.write().

You could replace the strings in the template files real easy. It also allows for others to easily just modify the template. This will also make your code cleaner and maintainable ==== and extensible as others would be happy to add to it

All the best!

CTruncer says: May 30, 2013 at 10:06 pm

Thanks, appreciate the recommendations. We’re definitely looking to do both suggestions shortly. After a lot of testing, we were happy where we are at for an initial release, but do plan on trying to turn this into a usable framework to allow contribution from the community.

Derek Mischler says: May 30, 2013 at 1:13 pm

I think you spelled your name wrong in the “by”, looks like you may have just dropped an r. Excited to give this a shot and dig your use of the Polished theme!

CTruncer says: May 30, 2013 at 3:40 pm

haha, good catch. That was a fail. Just updated. Thanks for letting me know!

Alexandros Iliopoulos says: May 30, 2013 at 5:04 pm

One question. When I choose Pyinstaller, where is the payload saved?

CTruncer says: May 30, 2013 at 10:12 pm

Like @selsroger mentioned below, the payload.exe file will be in the same directory that you launched Veil from.

Vinícius K-Max (@viniciuskmax) says: May 30, 2013 at 5:14 pm

Er… my payload.exe crashes over and over again, no matter my encode choices: http://i.imgur.com/UIXrvTO.png

Windows XP SP 2 x86

Suggestions?

CTruncer says: May 30, 2013 at 10:09 pm

Could you let me know exactly what you installed for py2exe? We’ve done extensive testing and haven’t encountered any issues yet, but if you could let us know exactly what you installed, we could try to re-create the issue and then determine how to fix it.

@SelsRoger says: May 30, 2013 at 7:23 pm

@Alexandros Iliopoulos: in the directory from which you have launched veil. You can see this easily. Launch veil but don’t choose between 1 & 2, pyInstaller or py2Exe, so it just sits there waiting for input. Payload.py will have been built and be sitting in the cwd (just ls).

Actually Chris, on 64-bit kali, wine isn’t installed. Launching the setup script will get a helper wine64 package ask to setup multiarchs and install the 32-bit wine. After doing this, on my system, Python wasn’t installed under wine. So when using Veil, obviously pyInstaller does not succeed in creating the payload. So this never works:

    # Else, used pyinstaller (used by default)
    else:
        print
        os.system('wine /root/.wine/drive_c/Python27/python.exe /root/pyinstaller-2.0/pyinstaller.py --noconsole --onefile payload.py')
        os.system('mv dist/payload.exe .')

…and later the temp payload.py is cleaned up.

@Alexandros Iliopoulos: unzip Veil.py a second time and launch setup.py again and make sure to install Python under wine (if this was your problem). If not, I hope I at least solved someone’s problem

CTruncer says: May 30, 2013 at 10:11 pm

Yeah, you’re absolutely right. We initially tested on and developed for x86 Kali, but supporting x64 Kali is important to us as well. Looks like you helped to save us some time in supporting this, so thanks! We’ll be adding this capability to the tool shortly.

Bhavin says: August 27, 2013 at 5:51 am

Hi Chris,

Thanks for the great tool in advance. But the solution above doesn’t work for me as well. No payload is generated using pyinstaller.py.

I have changed the supportfiles.py by following the post mentioned here: http://www.infosecisland.com/blogview/23359-Sewing-Patches-in-the-Veil-AV-Evasion-Framework.html

But that also does not work. Have checked the location for my pyinstaller.py file which is here: /usr/share/pyinstaller/pyinstaller.py

The payload.py file gets created under the source directory.

Don’t know what I am doing wrong.

I have Kali Linux. If you need more info, I will be glad to help.

Kind Regards,
Bhavin

CTruncer says: August 27, 2013 at 6:29 am

Hi,

We don’t recommend making that change which is in the article as it can break Veil. You need to give us a little more info to help. What version of Kali are you using? Did you run the setup script?

Please reach out to us on twitter and/or Freenode irc channel #veil and we can give live support.

Thanks

Bhavin says: August 27, 2013 at 8:52 am

Hi Chris,

Version of Kali is 1.0. Firstly I installed veil from add/remove softwares and then it downloaded a lot of supported software. Kali did run and had no errors with that at all, except no .exe file was being generated.

Then I downloaded the files from git and ran the setup.sh file. Same results – no .exe file.

Am I missing anything?

Kind Regards,
Bhavin

CTruncer says: August 27, 2013 at 8:57 am

Hey,

We posted that there is currently an issue with installing Veil via apt. The offsec guys (they’re an awesome team) are currently looking into fixing the veil package; unfortunately it happens considering Veil requires a wide variety of dependencies for the payloads that it generates. And unfortunately, if you try installing via apt, it causes issues when installing via git too.

Easiest way would be to go back to a snapshot before you installed veil via apt, and instead install it via git. It’ll work for you then.

Bhavin says: August 27, 2013 at 9:25 am

Hi,

Is there a tutorial somewhere that I can follow? And you mentioned snapshot in Kali, how do I go about doing that?

But the link will be great.

Kind Regards,
Bhavin

CTruncer says: August 27, 2013 at 9:31 am

You would have needed to have taken a snapshot with VMware (or your virtualization software of choice).

There isn’t a tutorial for installing Veil because all you need to do is run the setup script and it handles everything. If you’re having issues, honestly the best bet is to try with a clean system. You are potentially going to have issues when trying to install from git after a failed apt install.

Bhavin says: August 27, 2013 at 9:41 am

hmm…okay, thanks Chris…

I think the best thing to do is to do a clean install…but first I am trying the git way…let’s see…fingers crossed

Kind Regards,
Bhavin

CTruncer says: August 27, 2013 at 10:28 am

Yeah, sorry might not have been what you were looking for, but git, as of right now, is the way to install due to a bug in the veil package.

I’m 100% certain if you have a clean Kali and install/setup veil from git, it will work for you.

@SelsRoger says: May 30, 2013 at 7:33 pm

For completeness’ sake:

    dpkg --add-architecture i386 && apt-get update && apt-get install wine-bin:i386

are what should be executed on kali 64bit before launching the setup.sh script.

MARCELO CARVALHO (@mfcarva) says: May 30, 2013 at 8:00 pm

good job.

CTruncer says: May 30, 2013 at 10:11 pm

Thanks, much appreciated

alex says: May 30, 2013 at 11:47 pm

This is absolutely amazing !!!!

rootless says: May 31, 2013 at 8:00 am

man, this is an awesome work!

James W says: May 31, 2013 at 8:18 am

Thanks for the post. I am able to get a meterpreter connection. However, when I try to run a command, I get “unknown command”. I just type “?” at the meterpreter prompt, nothing is returned. Any suggestions? Thanks

CTruncer says: May 31, 2013 at 9:39 am

What sort of machine are you running it on?

James W says: May 31, 2013 at 9:47 am

I have tried from a windows 7 machine and kali (both with no firewall). The victim machine is a windows 2003 sp2.

CTruncer says: June 1, 2013 at 12:25 am

Which wrapper are you using? py2exe or pyinstaller? Can you try both?

James W says: June 3, 2013 at 7:41 am

I’ve been using py2exe. I will try pyinstaller and let you know what happens

James W says: June 3, 2013 at 9:12 am

Just tried it with pyinstaller and getting the same results. Getting the meterpreter prompt, but nothing is loaded.

CTruncer says: June 3, 2013 at 10:18 am

What’s your environment that you are using it in? Also, might be easier to hit myself (@ChrisTruncer), @themightyshiv, or @the_grayhound up on twitter, and provide us a pastebin of everything you’ve been doing.

James W says: June 3, 2013 at 10:45 am

Just tried this on a winxp machine and everything worked great. Wonder why the win2003 machine is giving me problems. Going to try and get more info about the system.

James W says: June 11, 2013 at 11:22 am

This is the error that I am getting:

Failed to load extension: No response was received to the core_loadlib request.

CTruncer says: June 12, 2013 at 2:00 pm

Can you check, are you using the latest version of Veil?

James W says: June 12, 2013 at 4:24 pm

I am running the latest version. Thanks for your help

CTruncer says: June 12, 2013 at 8:43 pm

You should hit all three of us up on twitter. Give us all the tech specs of what you are running on your systems, and pastebin the entire thing so we can see what you’re doing.

@ChrisTruncer @TheMightyShiv @the_grayhound

Apos says: May 31, 2013 at 11:37 am

I haven’t tried the tool yet, but just out of curiosity, I would like to ask something.

When someone generates a meterpreter based payload with metasploit into an exe template, then metasploit will put there the 1st stage which will then get the rest of the necessary modules upon connection with the evil machine. So, does that tool basically try to hide that 1st stage?

Thanks for your time.

Apos

CTruncer says: June 1, 2013 at 12:26 am

Pretty much. This is kind of a wrapper for meterpreter’s stage 1.

rw says: May 31, 2013 at 11:40 am

well done, it’s working great so far. any plans to offer x64 msf payloads eventually? also, you mention it works on “almost” all AV products – can you disclose which ones caught it?

alex says: May 31, 2013 at 5:44 pm

just ran it thru virustotal and only 2/47 detected it ….it passed with flying colors as no major AV caught it …:)….btw i used this on a windows 7 machine 64bit ….some AV called antiy-AVL and TheHacker caught it …hope i helped …:)

rw says: May 31, 2013 at 8:01 pm

Ugh. Best not to upload stuff like this to VT as AV vendors have been known to use VT’s signatures thus making things easier to detect.

mj says: June 1, 2013 at 12:28 am

Yea… the longer this stays out of VT, longer it’s likely to stay undetected and remain useful.

SuperNova says: June 11, 2013 at 5:22 am

Read the line: Please, be kind, and don’t submit any payloads to VirusTotal

CTruncer says: June 1, 2013 at 12:28 am

We can definitely look into adding x64 meterpreter, that wouldn’t be hard to do. We just wanted to start with the x32 bit versions first. We mentioned “almost” all AV products because we just simply haven’t tested EVERY single AV solution out there. Of the ones we’ve tested, it’s bypassed every one of them. However, just due to not having tested all solutions, we just didn’t think it was fair to say we bypass them all.

Hugo Sanchez says: June 1, 2013 at 12:02 pm

Well done alex !! OMG, it is a common rule and everybody knows NOT to upload samples to VT for checking since there’ll be signatures soon in the AV products for your sample !

xmatt says: June 3, 2013 at 3:21 pm

Chris, firstly congrats, brilliant tool. Could I suggest that perhaps you put an explanation at the top by your comment about not uploading to VT? I think Hugo Sanchez said it quite well so words to that effect.

It would be nice if there was an efficient way to communicate this kind of tool to the community without the risks of the “general masses” getting their hands on it and it shortly being smashed through VT regardless. Maybe there is a need for a reputation-trust based social network type website maintained by the community that is quite well guarded? just a thought

CTruncer says: June 6, 2013 at 11:27 pm

Thanks for the kind words, appreciate it. As for Virus total, I would have thought that that was common sense, but looks like a disclaimer wouldn’t hurt

Epidome says: August 22, 2013 at 5:57 pm

Well isn’t it counter productive not to? I mean are these methods developed for the good or bad?

CTruncer says: August 22, 2013 at 6:02 pm

No, we don’t want to submit them because we would like the payloads to avoid AV.

Epidome says: August 22, 2013 at 7:14 pm

Ah ok. I thought the idea was to have the AV protect from people using this method to do evil.

CTruncer says: August 22, 2013 at 8:55 pm

There’s a lot of legitimate reasons to release a tool like this. While that is one, it isn’t our goal. Primarily we released this to help pen testers and red teamers during their assessments.

Epidome says: August 23, 2013 at 6:52 am

Ok. Well I just think I have a hard time seeing how this industry works.

CTruncer says: August 23, 2013 at 8:00 am

What exactly? We already know that malicious actors can perform the same task quite easily. Shouldn’t we allow the white hats to perform the same capability?

bON says: June 7, 2013 at 4:01 am

Sorry, but I can not download setup/requiredfiles.zip because this file is big!( Can you help me???

CTruncer says: June 8, 2013 at 10:37 pm

Those are all the files required for setup, so it might be useful to have.

bON says: June 7, 2013 at 4:09 am

Dear Chris! Can you create a tutorial video, where you show how to install and exploit Veil! Please!

someinterestedguy says: June 7, 2013 at 10:08 am

can you port Veil to mac (no wine)? thanks.

CTruncer says: June 7, 2013 at 8:37 pm

We do have a goal to make Veil not rely on any underlying OS, but purely on Python, but as of now it is reliant on Linux. It does work best on Kali, and as of now we recommend using it on Kali.

Coldfire says: June 7, 2013 at 3:27 pm

How can I use Veil to create a payload on an external IP???

When I try to create a payload there’s no option to create a payload for an external IP..

Maybe there’s another method I don’t know..

your help is much appreciated..

CTruncer says: June 8, 2013 at 10:37 pm

Could you elaborate on that? You provide the IP address that the callback goes to, so it can be for any IP.

Coldfire says: June 10, 2013 at 7:25 am

When I try to create a payload it says Enter your local IP … That’s what I worried about a little bit

As you said any IP .. can we put our public IP when it says Enter your local IP??

If yes then I will try to test it via an external network, not on my same network, on the Internet I mean??

I forwarded the port also and while generating the payload I will put that port which I forwarded on my modem

After all this can I get a meterpreter shell on an external IP???

Sorry, noob question again

thnx

CTruncer says: June 12, 2013 at 1:59 pm

Yes, you can use your external IP address, or any IP address.

Coldfire says: June 15, 2013 at 3:07 pm

Sir, 1 major problem, please help me ..

I tried Veil on Ubuntu 13

It’s all running ok but when at last I tried to make the binary .exe

it shows an error

=========================================================================
Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
=========================================================================

[Error]: Can’t find python.exe in /root/.wine/drive_c/Python27/.
Make sure the python.exe binary exists before using PyInstaller.

root@nomno:~/Desktop/Veil-master/Veil-master#

I know because Python27 is not there. But when I try to install through wine in Ubuntu it installed in my home/machinename/.wine/drive_c/Python27

How can I change the script to take Python27 from another location???

and which script should I change…

Help !! plzzz

CTruncer says: July 1, 2013 at 12:24 pm

We just pushed out an update where it should allow for use on non-kali linux. That looks to be your problem

anonymous says: June 8, 2013 at 4:30 pm

Hello there Chris,

Just dropping by to say thank you and that you did a brilliant job. I appreciate the effort.

Thank you mate

P.S. I promise never to use it on virustotal lol

James

CTruncer says: June 8, 2013 at 10:36 pm

Haha,

Thanks for both accounts, we all appreciate it.

Ali says: June 8, 2013 at 8:52 pm

maybe a little stupid question? but there are too many files on your github link? how do i get all modules etc ? cause it will take me ages to download all files?. Thanks and sorry for a noob question. By the seem nice. all the best for upcoming updates.

CTruncer says: June 8, 2013 at 10:35 pm

Hey,

No, there aren’t too many. The reason it is semi-large is because we have all the required setup files included within the git repo. We included them because we’ve tested with those specifically and they are known to be working.

iso (@watiso0) says: June 10, 2013 at 12:59 pm

good job

CTruncer says: June 12, 2013 at 1:59 pm

thanks, we appreciate it

dimi says: June 12, 2013 at 11:48 am

Hello Chris, sorry for the bad english!! The payload crashes when I try to run it, the machines are windows xp (italian) x86.

I’ve installed the requirement that you have indicated.

thanks

CTruncer says: June 12, 2013 at 1:58 pm

Hi there, we need a bit more information. Are you running the latest version of Veil on Kali? Have you updated it? How are you generating your payload files?

Might be easy to talk to us on twitter. Look up our accounts: @ChrisTruncer @TheMightyShiv @the_grayhound

dimi says: June 13, 2013 at 2:33 am

yes I’m running the latest version of veil on windows xp, I’ve downloaded veil yesterday from github, so I think I have the latest version.

I’ll create a twitter account soon. Thanks.

CTruncer says: June 13, 2013 at 8:05 am

The readme and this blog post says to run Veil on Kali.

Matt B says: June 16, 2013 at 5:16 am

Hi, it works fine when used on my local network but when others open the .exe from a different wifi connection, nothing happens. Any ideas?

CTruncer says: June 16, 2013 at 4:51 pm

You might need to check into your port forwarding.

Bernie says: June 16, 2013 at 2:06 am

Would be great if you could specify hostname for reverse_https instead of just IP address. Other than that, great job!

CTruncer says: June 16, 2013 at 4:50 pm

Good request. We’re working on the error checking logic to make this happen. Thanks for the feedback

Lolantha Peiris says:June 19, 2013 at 11:11 am

I get this error. Do you have any idea about it? Any help would be much appreciated

[Error]: Can’t find python.exe in /root/.wine/drive_c/Python27/.Make sure the python.exe binary exists before using PyInstaller.

reply

CTruncer says:June 19, 2013 at 12:39 pm


Did you run the setup script? Are you using Kali x86? Do you have python installed within wine?

reply

Phobos69 says:June 20, 2013 at 4:22 pm

Thanks a lot for this tool. It works perfectly. Just a little question: has somebody tried to convert the payload.exe obtained with Veil using exe2vba from Metasploit to obtain a macro for MS Office? I tried, but sometimes it works and sometimes I receive an error when opening Word. Can somebody help me? Thanks in advance!

reply

CTruncer says:June 20, 2013 at 5:15 pm

We haven’t tested the capability of that. So as of right now, we’d have no idea if that worked or not.

reply


Carl Campbell says:June 22, 2013 at 3:31 am

Hi. Just picked up Veil today and been playing with it this afternoon. Excellent job.

I've been having a bit of bad luck with some of the resulting *.EXEs — 3 of them got picked up by Norton (Argh!). However, all of the PowerShell payloads I created work like a charm!!!

Great job, Christopher. Keep up the good work!

reply

CTruncer says:June 22, 2013 at 9:06 am

What version of Norton were you going against? What payloads did you use? What was the message that Norton had detected the exes with?

reply

Carl Campbell says:June 27, 2013 at 11:29 pm

This is how my test went:

1. I used 3 PCs, all of them brand new.
2. They all had a version of "Norton Internet Security" pre-installed.
3. The attacking machine was a remote VM.
4. The payload was created using "python/DESVirtualAlloc" and compiled with pyinstaller.
5. No additional 'msfvenom' parameters were used.

Norton identified the file as "Metasploit" and correctly identified the destination and port.

It was just a test — I didn’t bother to encode the payload.

reply

k says:June 26, 2013 at 3:33 pm

I can't run it on Kali. It gives me this error:

./Veil.py
bash: ./Veil.py: No existe el fichero o el directorio

reply

Carl Campbell says:June 27, 2013 at 11:34 pm

You have to be in the folder where you unpacked Veil. Supposing that you installed on your home folder, type:

# cd ~/Veil-master   (or whatever you called the dir)
# ./Veil.py

reply

k says:June 30, 2013 at 7:28 am

I managed to open it with '/root/Veil/Veil.py'; now it gives me this error:

[?] How would you like to create your payload executable?

1 – Pyinstaller (default)
2 – Py2Exe

[>] Please enter the number of your choice: 1
C:\Python27\python.exe: can't open file '/root/pyinstaller-2.0/pyinstaller.py': [Errno 2] No such file or directory
mv: no se puede efectuar `stat' sobre «dist/payload1.exe»: No existe el fichero o el directorio
rm: no se puede borrar «*.spec»: No existe el fichero o el directorio
rm: no se puede borrar «logdict*.*»: No existe el fichero o el directorio

I think I made a great mess : )

reply

CTruncer says:July 1, 2013 at 12:27 pm

This is because you are running it on Windows. Please use Kali.

reply

[email protected] says:July 3, 2013 at 10:37 am

Dear Chris! When I use Py2Exe, Veil doesn't create a file in output/compiled/! Can you help me, please!

reply

CTruncer says:July 3, 2013 at 10:42 am

Py2Exe requires python and other dependencies installed on Windows. Review the Veil readme file, it details exactly what you need. When using py2exe, you move the files from the source folder into your Windows machine and convert them into an executable there.

reply

[email protected] says:July 3, 2013 at 10:47 am

I was mistaken! When I use Pyinstaller!!


reply

CTruncer says:July 3, 2013 at 10:48 am

If you need support, which it sounds like you might, the best place is to talk to the three of us developers on Twitter, or in #veil on freenode.

reply

[email protected] says:July 3, 2013 at 10:49 am

When I use Pyinstaller!! Veil doesn't create a file in output/compiled/!

reply

CTruncer says:July 3, 2013 at 10:50 am

Please contact us on Twitter, or even better, within #veil on freenode.

We can help you there.

reply

Dimo says:July 17, 2013 at 11:43 pm

I have one question: when I use custom shellcode (all in one line and no quotes) the Veil console flickers up and down for maybe 2 min, and then returns to the beginning…

Is this a bug, or is my shellcode too big?

reply

CTruncer says:July 18, 2013 at 9:15 am

Sounds like it might be a bug. Can you pastebin us everything you are doing, and send it to us via twitter/e-mail/github? Info is on https://www.veil-evasion.com

reply


Anumod says:July 26, 2013 at 5:07 am

I have tried to install on Linux x86 using setup.sh, but in the end I receive the following errors:

./setup.sh: line 55: cd: ../config: No such file or directory
python: can't open file 'update.py': [Errno 2] No such file or directory

reply

CTruncer says:July 26, 2013 at 12:27 pm

Are you using the latest version from github?

reply


Anumod says:July 27, 2013 at 5:34 am

Thank you Christopher.. I got it.

reply

Moises says:July 26, 2013 at 6:55 am

Hello and thank you for the tool. I have tried it a few times, it looks great. I really hope you will continue developing it. I am new to Kali and security in general. Is there an option in Veil to merge the payload.exe generated with another custom executable, let's say ftp.exe? If not, do you know of any tool in Kali which will give me the option to do so? Thank you.

reply


Steve says:July 26, 2013 at 4:37 pm

Thanks for posting this! It looks amazing, but I'm having trouble getting it installed. Google-fu didn't help me, so I'm posting here. Sorry if it's a retarded question, but if the boot fits…

I downloaded the setup.sh to Kali. I attempted to run it and got:

root@kali:~# sh ./setup.sh
./setup.sh: 5: ./setup.sh: Syntax error: newline unexpected

How to do? :\

reply

Steve says:July 26, 2013 at 5:02 pm

Fixed myself- Working great! <3 Thank you so much for posting this.

reply

CTruncer says:July 26, 2013 at 5:03 pm

What was the issue? Did it need a patch?

reply


Robert says:July 30, 2013 at 5:27 am

Is it possible to add msfvenom options such as -x for the template name? At one point it says: Enter extra msfvenom options in OPTION=value syntax. If I want to add a custom template, how do I go about this? Tried a few methods but no luck. I think this one was asked in one of the above posts too.

reply

CTruncer says:August 12, 2013 at 8:59 am

Yeah, you can add extra options exactly in that OPTION=value section of Veil, but the only one that won't work is the -x. That's because you're not cloning an existing template when using Veil, it's making its own template.


reply

Robert says:August 26, 2013 at 6:20 am

Do you consider this as a future addition to Veil? It would be great if we had the option to inject the new Veil exe into, let's say, putty so it runs when you open putty.

reply

CTruncer says:August 26, 2013 at 7:59 am

Veil doesn't work in that way, it makes its own executable (and by extension, its own template). To use another template, you can just use msfvenom.

reply

Bhavin says:August 28, 2013 at 1:01 am

Hey Chris,

I installed Kali again and downloaded the latest Veil version from git… Errors below after I run it as sudo sh ./setup.sh

./setup.sh: 4: [: root: unexpected operator
./setup.sh: 13: [: 1: unexpected operator
[ERROR]: Either run this setup script as root or install sudo.

Is there anything I am doing wrong?

Kind Regards,
Bhavin

reply

Bhavin says:August 28, 2013 at 3:22 am

Hi Chris,

Finally got it working: used bash ./setup.sh instead and that did the trick. Although not the first time. Had the error "Can't find python.exe in /root/.wine/drive_c/Python27/"

So followed the post above by Alexandros Iliopoulos to unzip the package again and start the install process…

Went through the python setup and voila… works like a charm. Thanks for your prompt replies…

Kind Regards,
Bhavin

reply
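A note on the exchange above, as an added example that is not part of the original thread or of Veil's own setup.sh. The "[: root: unexpected operator" lines are what dash, which is /bin/sh on Kali and Debian, prints when a script uses the bash-only "==" inside "[ ]"; the failed test then makes the script believe it is not running as root, which would explain the misleading "run this setup script as root" error and why "bash ./setup.sh" cured it. That reading of the errors is my assumption, not something Bhavin or Chris states. The script below shows the bash-only and POSIX forms of such a check side by side and a small grep-based lint for the common bashisms, run against a constructed sample script.

```shell
#!/bin/sh
# Added example, not Veil's setup.sh. "[: root: unexpected operator" is what
# dash (Kali's /bin/sh) prints when a script uses the bash-only "==" inside
# "[ ]". The test then exits non-zero, so a root check decides the user is
# NOT root, which is how a bogus "run this setup script as root" error can
# appear even though the script was started with sudo.

# Runs a root check written with the bash-only "==" under the shell named
# in $1, pretending the current user is $2. Echoes "root" or "notroot".
# Under dash the operator error goes to stderr and the result is "notroot".
bash_style_check() {
    "$1" -c '[ "$1" == "root" ] && echo root || echo notroot' _ "$2" 2>/dev/null
}

# Same check in POSIX form: a single "=" is understood by sh, dash, bash
# and ksh alike, so the result no longer depends on which shell runs it.
posix_style_check() {
    "$1" -c '[ "$1" = "root" ] && echo root || echo notroot' _ "$2" 2>/dev/null
}

# Lists lines of a script that use the bashisms most likely to break under
# dash: "==" inside "[ ]", "[[ ]]", the "function" keyword and "source".
# Prints "lineno:text" for each hit (grep exit status 1 means none found).
find_bashisms() {
    grep -nE '\[[^]]* == |\[\[|^[[:space:]]*function [A-Za-z_]|(^|[[:space:]])source ' "$1"
}

# Writes a constructed sample script (not Veil's) with one bash-only root
# check and one portable one, so find_bashisms has something to flag.
write_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
if [ "$(whoami)" == "root" ]; then echo "root (bash-only syntax)"; fi
if [ "$(id -u)" = "0" ]; then echo "root (portable syntax)"; fi
EOF
}

# Stand-alone demo: lint the sample, then run both checks under /bin/sh.
demo() {
    tmp=$(mktemp) && write_sample_script "$tmp"
    echo "bashisms in sample script:"; find_bashisms "$tmp" || echo "(none)"
    echo "bash-only check under /bin/sh: $(bash_style_check sh root)"
    echo "POSIX check under /bin/sh:     $(posix_style_check sh root)"
    rm -f "$tmp"
}
demo
```

On a system where /bin/sh is dash the demo prints "notroot" for the bash-only check and "root" for the POSIX one; where /bin/sh is bash both print "root", which is exactly why the bug only shows up under "sh ./setup.sh".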


bukovinai says:September 5, 2013 at 8:50 am

Hi Cristopher,
I created a python style payload (with pyinstaller), but when I run this payload on my machine the program quits after some seconds…. How can I debug what the problem is? (I would like to create a reverse meterpreter shell.)

My environment is win7 x64 + SCEP 2012. The AV didn't alert me….


(I created an encrypted payload with the Hyperion crypter and that works fine for me…) So, I don't know why this doesn't work for me…

reply

CTruncer says:September 5, 2013 at 1:02 pm

Can you send us a message on twitter, and give us a pastebin of everything you’ve run?

Thanks

reply

bukovinaikovinai says:September 6, 2013 at 3:26 am

Sorry… It was my mistake (the handler was aborted somehow…). I restarted the handler and the payload works nicely now. But I have another problem. I have 2 machines. One laptop is at home & another desktop is in my office. In my office everything works fine (python installs in wine, etc. Everything is very nice), but on my laptop python can't install under wine… I don't understand what the problem is (and what the difference between the two machines is). Both computers are running Kali Linux (in VirtualBox).

How can I compare the 2 systems? I don't know what the difference is…

(All software versions are the same: wine, python.msi, veil, etc.)

What should I do? Please help me.

(After I tried to install python 2.7 in wine, python.exe doesn't exist in the .wine/drive_c/Python dir… ? The installation was unsuccessful.)

ps: The Veil is Excellent. Great work man!

reply

CTruncer says:September 6, 2013 at 12:09 pm

For the one with issues, how did you install wine? Did you do it from apt or from cloning the git repo? I just need a little bit more info to be able to help you troubleshoot this.

reply

bukovinaikovinai says:September 6, 2013 at 2:57 pm

Hi!

Problem solved

I installed wine with apt-get install (version of wine is 1.4.1). The solution:

extract python-2.7.5.msi (with uniextractor) on a Windows machine
copy -r all of the python files to .wine/drive_c/Python27
then add to the registry:

pico pyreg.reg:

[HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7]

[HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\InstallPath]
@="C:\\python27"

[HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\PythonPath]
@="C:\\python27;C:\\python27\\Lib\\;C:\\python27\\DLLs\\"

wine regedit pyreg.reg

then install all of the components in wine (pywin32, py2exe, pycrypto)

then everything works (I used the Pyinstaller method in Veil)

This method is a workaround for the "err:msi:ACTION_InstallFiles Failed to extract cabinet: blablabla" error

CTruncer says:September 6, 2013 at 6:45 pm

Awesome, thanks for posting a solution in case anyone else has that same problem!

gizmo1 says:October 20, 2013 at 5:32 am

Hello sir, I have used your program and it is very nice, but when I create the .exe file and send it to the target computer on which Kaspersky Internet Security is installed, it detects the infected .exe file.

Please help me out to hide the file from antivirus and get access to the target computer.

I did AES encrypted.

reply

Christopher Truncer says:October 20, 2013 at 9:34 am

I believe Kaspersky may be catching it sometimes based off of heuristics. Currently, Veil-Evasion is designed to evade disk based detection. One thing you could try is a powershell based payload, or signing the payload. Also, you could try to modify the source code, and re-wrap it into an executable and try to evade it. If you create something that does it, you should certainly let us know or submit a pull request for a new payload, we'd love to see it.

reply
