Veil-Evasion

Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. Veil-Evasion’s code is located at https://www.github.com/Veil-Framework/Veil-Evasion/ and it’s a part of the Veil super project at https://github.com/Veil-Framework/Veil which we recommend most users clone and install. Relevant blog posts are here, and its active developers are listed below. Feel free to contact them with questions, comments, or feedback.

 

Chris Truncer

Twitter: @ChrisTruncer

Website: https://www.christophertruncer.com

E-Mail: Chris [at] veil-framework [dot] com

 

HarmJ0y

Twitter: @HarmJ0y

formerly @the_grayhound

 

Mike Wright

Twitter: @TheMightyShiv

 

60 thoughts on “Veil-Evasion”

  1. Avast does not report the Veil-Evasion payload as malicious, but when I run it, it analyzes it and flags it as malicious (sorry for bad English)

    thanks for the excellent work!!

  2. Very excellent work! I want to advise scanning on this site: http://nodistribute.com/ I think it’s serious and doesn’t distribute the payload to AV companies… (they say you have 4 scans per day, but if you change IP or Tor….) :D

  3. Pingback: Moar Shellz! -
  4. Hi there… First of all, I really appreciate your work. It is amazing! But paying attention to the source code, I haven’t really understood yet why you have concealed the variables in the source code using random strings. I’m saying that because there is no evidence of them in the binary, and doing so makes the source code look unintelligible. So why did you do that?
    Thanks!

  5. I have installed Veil on my Kali laptop and a Kali VM following Chris’s Youtube video without any problems. However when trying to install Veil on an instance of Kali in Amazon EC2 I encounter numerous unexpected differences.

    I can get as far as cloning Veil from Github, but when CDing into the Veil folder there is no setup folder, therefore no setup.sh to execute. Instead there is an Install.sh and a Readme file.

    Attempting to execute Install.sh does not lead to Veil being installed. Please help.

  6. Can I change the process name of the ruby reverse_tcp exploit? I mean I generate a file for a victim and when he runs the file, the name of my file in the task manager is rubyw.exe. Can I somehow change that to whatever I want?

  7. python/meterpreter/rev_https caught (check out mcafee’s result, Trojan-Veil.gen.b)
    http://nodistribute.com/result/ywQUpr6tPf73zKo
    and this is the best I can get, other payloads’ results are 14/34-24/34.
    The big “that bypass common antivirus solutions” is just a show-off it’s no better than any of the other bigmouth crypters.

    1. unsatisfied_user, they can’t necessarily help it if there are end users who are submitting samples to VirusTotal or the like. It’s also a safe assumption to make that AV companies know about this website and framework as well.

  8. hello,

    Sorry for my English.

    I’m using Veil-Evasion in Armitage with python/meterpreter/rev_tcp

    ESET NOD32 and Avast are detecting it. Is there some solution or another way to create another payload?

  9. Hello, trying to install your tool on Kali Linux I get the following errors; let’s see if you can help me:
    E: Could not find package mingw-w64
    E: The “monodoc-browser” package does not have a candidate for installation
    E: Could not locate the package monodevelop
    E: Could not find package python-pefile

    I don’t know what else to do, and I have tried everything.
    I hope for your answers, thanks.

  10. Hello, straight to the point. I get this error when installing Veil. Any advice will be greatly appreciated.
    =========================================================================
    Veil-Evasion | [Version]: 2.17.0
    =========================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    =========================================================================

    Traceback (most recent call last):
    File “./Veil-Evasion.py”, line 283, in
    controller = controller.Controller(oneRun=False)
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 129, in __init__
    self.LoadPayloads()
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 141, in LoadPayloads
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/modules/common/controller.py”, line 141, in
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/home/Hack3r/Veil/Veil/Veil-Evasion//modules/payloads/native/backdoor_factory.py”, line 14, in
    from tools.backdoor import pebin
    File “/home/Hack3r/Veil/Veil/Veil-Evasion/tools/backdoor/pebin.py”, line 42, in
    import pefile
    ImportError: No module named pefile
    P.S. Loved your talk at Defcon 22.
    Thanks

    1. Hello, I had the same problem and I fixed it by executing ./setup.sh in /root/Veil/Veil-Evasion/setup/
      Afterwards Veil works fine!

  11. =========================================================================
    Veil-Evasion | [Version]: 2.13.4
    =========================================================================
    [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
    =========================================================================

    Traceback (most recent call last):
    File “Veil-Evasion.py”, line 283, in
    controller = controller.Controller(oneRun=False)
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 129, in __init__
    self.LoadPayloads()
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 141, in LoadPayloads
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/usr/share/veil-evasion/modules/common/controller.py”, line 141, in
    d = dict( (path[path.find(“payloads”)+9:-3], imp.load_source( “/”.join(path.split(“/”)[3:])[:-3],path ) ) for path in glob.glob(join(settings.VEIL_EVASION_PATH+”/modules/payloads/” + “*/” * x,'[!_]*.py’)) )
    File “/root/Veil-Evasion//modules/payloads/auxiliary/pyinstaller_wrapper.py”, line 12, in
    from modules.common.pythonpayload import PythonPayload
    ImportError: No module named pythonpayload

  12. Just did a git pull and ran update.py. Everything is working fine except now all files are stored in /usr/share/veil-output instead of /root/veil-output. Just wondering if this is the new behavior or did I screw up. Running on Kali fully patched. Thanks

  13. OK guys, so I have created a plethora of payloads using this, but when the time comes they always get detected, either by AVG or Avast. So can someone pls point me in the right direction or to stuff following which I could finally create a truly undetectable payload for real?

  14. Do not scan with any antivirus scanner online; do it manually by running VMware and a compatible Windows OS for your test. I use VirtualBox with a Windows 7 install, and my test antivirus is Avast and Avira, and so far nothing detected, but detected on McAfee antivirus. Thanks bro

  15. I think every pentester can create a small lab using a virtualization technology (VMware, VirtualBox, Hyper-V, etc.). Always test on your own before using
