Veil-Evasion

Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it’s a part of the Veil super project at https://github.com/Veil-Framework/Veil which we recommend mosts users clone and install. Relevant blog posts are here, and its active developers are listed below. Feel free to contact them with questions, comments, or feedback.

 

Chris Truncer

Twitter: @ChrisTruncer

Website: https://www.christophertruncer.com

E-Mail: Chris [at] veil-framework [dot] com

 

HarmJ0y

Twitter: @HarmJ0y

formerly @the_grayhound

 

Mike Wright

Twitter: @TheMightyShiv

 

60 thoughts on “Veil-Evasion

  1. Pingback: Shmoocon Recap - Veil - Framework

  2. avast does not report the Payload of veil-evasion as malicious, but when I run it while it analyzes the flag as malicious ( sorry for bad english)

    thanks for the excellent work!!

  3. Pingback: The State of the Veil-Framework - Veil - Framework

  4. Very excellent work! I want to advice to scan on this site: http://nodistribute.com/ i think it’s serious and don’t distribute to av companies the payload… (they say you have 4 scan for day, but if you change ip or tor….) :D

  5. Pingback: Use Cobalt Strike’s Beacon with Veil’s Evasion | Strategic Cyber LLC

  6. Pingback: Video: Veil Framework – Create a Undetected Backdoor « blog.sternit.de - Alles rund um die IT-Welt + Security News + Tipps + Tricks

  7. Pingback: Why can’t I psexec with EXE::Custom? | Strategic Cyber LLC

  8. Pingback: Moar Shellz! -

  9. Pingback: Anti Virus Evasion with Veil and Downloadstring

  10. Pingback: Burlando Antivírus com o Veil-Evasion | Xtreme Security

  11. hi there… First of all, I really apreciate your work. It is amazing! But paying attention at the source code, I havent really understood yet why yuo have concealed the variables in the source code using random strings. I’m saying that becouse there is no evidence in the binary of them and doing so the source code looks unintelligible. So why did you do that?
    Thanks!

  12. I have installed Veil on my Kali laptop and a Kali VM following Chris’s Youtube video without any problems. However when trying to install Veil on an instance of Kali in Amazon EC2 I encounter numerous unexpected differences.

    I can get as far as cloning Veil from Github, but when CDing into the Veil folder there is no setup folder, therefore no setup.sh to execute. Instead there is an Install.sh and a Readme file.

    Attemting to execute Install.sh does not lead to Veil being installed. Please help.

  13. Pingback: Another Night, Another Actor | Strategic Cyber LLC

  14. can i change the process name of the ruby reverse_tcp exploit ? i mean i generate a file for a victim and when he runs the file, the name of my file in the task manager is rubyw.exe . Can i somehow change that to whatever i want to ?

  15. python/meterpreter/rev_https caught (check out mcafee’s result, Trojan-Veil.gen.b)
    http://nodistribute.com/result/ywQUpr6tPf73zKo
    and this is the best I can get, other payloads’ results are 14/34-24/34.
    The big “that bypass common antivirus solutions” is just a show-off it’s no better than any of the other bigmouth crypters.

    • unsatisfied_user, they can’t necessarily help it if there’s end users who are submitting samples to virustotal or the like. It’s also a safe assumption to make that AV companies know about this website and framework as well.

  16. hello,

    sorry my English.

    I’m using, veil-evasion in armitage using python / meterpreter / rev_tcp

    eset nod 32, avast are detecting. Some solution or another way to create another payload?

  17. Hello trying to install your tool kali linux I get the following errors aver if you can help me:
    E: Could not find package mingw-w64
    E: The “monodoc-browser” package does not have a candidate for installation
    E: Could not locate the package monodevelop
    E: Could not find package python-pefile

    dont know what else to do, and tried everything,
    I hope your answers, thanks.

  18. Hello, Straight to the point. I get this error when installing Veil. Any advice will be greatly appreciative.
    =========================================================================
    Veil-Evasion | [Version]: 2.17.0
    =========================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    =========================================================================

    Traceback (most recent call last):
    File “./Veil-Evasion.py”, line 283, in
    controller = controller.Controller(oneRun=False)
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 129, in __init__
    self.LoadPayloads()
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 141, in LoadPayloads
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 141, in
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/home/Hack3r/Veil/Veil/Veil-Evasion//modules/payloads/native/backdoor_factory.py”, line 14, in
    from tools.backdoor import pebin
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/tools/backdoor/pebin.py”, line 42, in
    import pefile
    ImportError: No module named pefile
    P.S. Loved your talk at Defcon 22.
    Thanks

  19. =========================================================================
    Veil-Evasion | [Version]: 2.13.4
    =========================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    =========================================================================

    Traceback (most recent call last):
    File “Veil-Evasion.py”, line 283, in
    controller = controller.Controller(oneRun=False)
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 129, in __init__
    self.LoadPayloads()
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 141, in LoadPayloads
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 141, in
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/root/Veil-Evasion//modules/payloads/auxiliary/pyinstaller_wrapper.py”, line 12, in
    from modules.common.pythonpayload import PythonPayload
    ImportError: No module named pythonpayload

  20. Just did a gut pull and ran update.py. Everything working fine except know all files store in /usr/share/veil-output instead of /root/veil-output. Just wondering if this is the new behavior or did I screw up. Running on Kali fully patched. Thanks

  21. ok guys so I have created a plethora of payloads using this but when the time comes they always get detected either it’s avg or avast. so can someone pls point me to the right direction or stuff following which I could finally create a truely undetectable Payload for real?

  22. Pingback: How to Evade Antivirus Detection? » bogner.sh

  23. Pingback: toolsmith: Attack & Detection: Hunting in-memory adversaries with Rekall and WinPmem | infopunk.org

  24. Pingback: An easy way of creating your own Trojan | RootSecurity

  25. do not scan with any antivirus scanner online do it manually by running vmware and a compatible windows os for your test, i use virtualbox with windows 7 install and my test antivirus is avast and avira , and so far nothing detected , but detected on mcafee antivirus . thanks bro

  26. i think every pentester can create a small lab using a virtualization technology(vmware , vurtualbox, hyper-v, e.tc. ) always test on your own before using

  27. Pingback: Advanced Threat Tactics – Course and Notes | Strategic Cyber LLC

  28. Pingback: Privilege Escalation | To Shell And Back: Adventures In Pentesting

  29. Pingback: Common Windows Privilege Escalation Vectors | Smart PC Expert-Service PC Online

  30. Pingback: How Antivirus Software Works • TecPing

  31. Pingback: Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless - IT大道

  32. Pingback: Bypassing Antivirus With Ten Lines Of Code Or (Yet Again) Why Antivirus Is Largely Useless | 神刀安全网

  33. Pingback: How Antivirus Software Works & How to Evade It • HaCoder

  34. Pingback: Bypassing Antivirus With Ten Lines of Code or (Yet Again) Why Antivirus is Largely Useless – vulnerablelife

  35. Pingback: Defeating corporate anti-virus | Pen Test Partners

  36. Pingback: How Antivirus Software Works & How to Evade It | Badshaa

  37. Pingback: Antivirus software -how it works and how to evade it – 00rules

Leave a Reply