February 2016 V-Day

This February we have a few updates to Veil-Evasion.  First, we’ve upgraded the version of PyInstaller that’s used by Veil-Evasion from pyinstaller 2 to 3.1.  One extra feature that this allows is the ability to encrypt the bytecode that pyinstaller outputs.  We’re using this feature by generating a random key each time Veil-Evasion runs and supplying that when using PyInstaller to convert the python code into a Windows executable.

The other modification to Veil-Evasion is I’ve added some obfuscation to the python payloads themselves.  I’ve identified some areas where different AVs are trying to flag the python payloads, so this should help with some of the detection issues.  Other possibly signatures have been found as well, but I’m waiting to see how AV companies respond to this new obfuscation.

Thanks, hope that this can help, and good luck!  #avlol

A Perl of Hope – January V-Day 2016

Welcome to 2016!  For the first post/release of the year, I’m happy to push out a new language!  First, I will preface this release by stating my politically correct opinion that Perl, is not fun.  However, that doesn’t mean it isn’t viable for writing shellcode injectors!

This month, I’m pushing out the standard “flat” shellcode injection template for perl, which lets you generate perl shellcode injectors.  However, if you run this module, you’re going to see something different than the other modules Veil-Evasion currently supports, right now there’s no native Windows compilation within Kali.

As of this release, I have not yet been able to get all the required dependencies installed within Wine and working.  There is a workaround, similar to our Python Py2Exe output, you can “compile” this perl script into a self-contained Windows executable by using a Windows VM.  While not the most ideal, I personally am always running a Windows VM in addition to a linux one while on tests, so I would imagine many of you follow a similar setup.

To generate a Windows executable, there’s a couple steps you’ll need to follow:

    1. Generate your perl payload like you would any other Veil-Evasion payload.  Once Veil-Evasion is done, you’re going to receive the source code output (like normal), but no executable.
    2. Move the perl script over to your Windows VM (tested on Windows XP x32 and Windows 7 x64).
    3. Install Perl (x32) on your windows VM (I’ve personally tested this process using the latest x32 Strawberry Perl build).
    4. Once Perl has been installed, open a command prompt and run “cpan PAR::Packer”
      1. This step will take a little while, and will require an internet connection
    5. Navigate to your .pl Veil-Evasion output within a command prompt and type “pp –gui -o <output_name_here.exe> <veil-evasion_perl_output.pl>”

perl compile

You now have your Perl executable!

I realize this isn’t the most ideal setup, but I’d rather we have the ability to generate these payloads vs. hold back on the release.  I’ll continue to look into finding a way to make this work within Wine, but if anyone wants to help figure this out, it would definitely be appreciated :)

Anyways, hope that this helps, and happy new year!

 

November 2015 V-Day

Hello!

This month I’ve added in two different modules for our November 2015 V-Day, and both are in relation to our powershell payloads!

First, I built on top of our download and inject HTTP powershell module and added the ability to download code on the fly from a HTTPS server.  This module will download code from HTTPS protected web servers that are not using a valid cert (read self-signed).

Next, another auxiliary module was added into Veil-Evasion.  We built a module upon khr0x40sh’s blog post where Veil-Evasion’s powershell/shellcode_inject/virtual payload was converted into macro code.  This new auxiliary module simply takes the steps documented in the blog post and automates the process.  It will output a text file containing the code that just needs to be pasted in, and you will then have a valid working macro.  The only option you will need to specify is if you are going to be running the code on a x86 or x64 system.

We hope that this helps, and we still have plenty more module for future releases!  Let me know in #Veil on freenode if you have any questions!

September 2015 V-Day

Hello Everyone!

It’s been a while for a release, I know!  Today, we have two smaller updates.  For a payload release, a Ruby payload which has shellcode base64 encoded inside of it (and is decoded at runtime) has been added into Veil-Evasion (thanks to the guys in #ruby on Freenode for some help).

Additionally, Veil-Ordnance has received an update.  As it was, Veil-Ordnance had its modules hardcoded into the application.  Ordnance now will dynamically pick up new payload and encoder modules that are added to it, making it easier to extend Veil-Ordnance’s functionality!

Finally, th3 payload r3l3as3s hav3 slow3d du3 to work on updating a proj3ct.  Hop3fully w3’ll b3 abl3 to g3t a r3l3as3 soon, but in th3 m3antim3 I’ll do my b3st to 3nsur3 th3 payloads ar3 r3l3as3d on tim3 3ach V-Day.  Hop3 this h3lps, and f33l fr33 to ask any qu3stions in #Veil on Fr33nod3!

June 2015 V-Day!

Hello, and welcome to June’s V-Day!

This month, we received a python payload that was created by Alex Rymdeko-Harvey (@Killswitch_GUI)!  This payload works by having the user specify a URL that the payload should beacon back to, and how often it should beacon back.  The following is a step-by-step description of how the module works:

  1. The module will create a web page containing a fake wordpress login.
  2. The fake page will be md5ed, and the hash will be used to encrypt the shellcode stored inside the executable.
  3. Once the executable has been placed on a machine and run, it will beacon to the URL specified looking for the web page.
  4. Once the web server returns a 200, the executable will md5 the web page, and attempt to use that hash to decrypt the shellcode, and execute it in memory.
  5. If the page doesn’t return a 200, the executable will sleep until it’s time to beacon out again.

The nice part about this module is you can choose when your payloads are allowed to execute.  Since no key is stored within the executable, the only time a payload can inject its shellcode is if the page it is beaconing back to is live.

If you want to read more about this, check out the author’s blog post here: http://cybersyndicates.com/2015/06/veil-evasion-aes-encrypted-httpkey-request-module/

Thanks, and enjoy!

On Your Mark, Get Set, Go! – May V-Day

Hello all!

This month we’re really happy to be introducing a new language into the Veil-Framework for bypassing antivirus.  So far, we have Python, C, C#, Powershell, and Ruby.  As you probably can guess, we are happy to be adding in support for Go!

To use Go payloads, the first thing you will need to do is re-run the setup script that comes bundled with Veil-Evasion.  This will auto download Go and compile from source in a method that allows go to cross-compile and create Windows executables within Linux.

Once installed, you will see there are currently four different Go payloads available in the framework.  One of the payloads is the traditional shellcode injection payload, and the others are pure Go meterpreter stagers.  The Go payloads were submitted to us by @b00stfr3ak44, we definitely appreciate them being sent our way for the community to use!

We’d love to continue to encourage people to create new payloads, in any language that you think would be fun. If you’d be willing to send a payload you’ve created to us to include within Veil-Evasion, we’d be happy to do anything we can to help you along the way.

Thanks!

#avlol

April V-Day – BDF Updates!

Hello All!

For our April V-Day, we’ve been working with our friend Josh (@midnite_runr) to get the latest Backdoor Factory updates added in to Veil-Evasion.  There’s been a number of updates to Backdoor Factory lately that had yet to be added in, but we should have them all included now.  One of the most recent changes includes automatic PE patching when backdooring an executable.  @Midnite_runr has been working on adding that feature in for some time, so it’s awesome that his hard work has paid off!  He’s documented a lot of the updates in this video.

If you have any questions, feel free to ask in #Veil on Freenode, and thanks to @midnite_runr for his awesome work!

March V-Day

Hello All!

For this (late) March V-Day, we’re happy to add in a module that was developed and submitted to us from @byt3bl33d3r!  This is a python based beaconing payload.  The payload was based off of the original POC from @midnite_runr (available here).

If configured to beacon out for data, the payload will continuously call back to a system of the attacker’s choice every X seconds.  Once the beacon receives data (a web server 200 code) from the web server, it will attempt to inject the data into memory and execute it.

To use this payload, you will want to dump the raw shellcode to a file, vs. storing it in a \x1f\xbc… format.

Thanks to @midnite_runr for the original POC and thanks to @byt3bl33d3r for not only writing the module, but working with us to get it ready for release!

February V-Day – Binding Payload

Happy belated Valentine’s Day all!

For February 2015’s V-Day :) we have merged in and accept a payload submitted from m1m1x!  The payload added in through this pull request creates a python based payload that binds to a user-specified port on the machine (versus performing a reverse connection) and waits for the connection from your handler.

Additionally, m1m1x has added in code that will allow you to generate x64 python port-binding payloads.  In order to do this, you will need to have x64 wine with x64 python installed within wine.  As of now, this will have to be manually performed by the user.

If anyone has any questions, feel free to hit us up in #veil on freenode!

January 2015 V-Day!

Welcome to 2015!  For our January 2015 V-Day, we have a small addition to our Ruby shellcode injection payload.  Currently, the payloads are injection shellcode into memory using the VirtualAlloc API call routine, but this was the only method.  We’ve just added in the ability to inject shellcode into memory via HeapCreate and HeapAlloc.

Additionally, the Metasploit Project devs have updated Meterpreter to version 0.0.13.  We’ve just added support for the latest version of Meterpreter in Veil-Evasion.

If anyone has any questions, feel free to reach out to us!

#avlol