How to Safely Check Veil Payloads Against VirusTotal

In hindsight, this post is probably one of the first ones that we should have written, but better late then never.

As many of you know, we heavily state on our website, within Veil, and within the license, that you should not be submitting your payloads to VirusTotal, or any online virus scanner. We still heavily believe in this, and if you want the best chance to not get caught, just don’t do it.

With that said, there’s another option. In case no one has used it before, Rob Fuller (@mubix) created a great tool called VT-Notify. VT-Notify works by sending a SHA1 hash of a binary to VirusTotal through its API. The key thing to note here is that your payload is not uploaded to VirusTotal, simply its SHA1 hash. VirusTotal then uses the SHA1 hash against its AV solutions, and let’s you know if any of the SHA1 hashes have been flagged/detected by any of the antivirus solutions it has available. Again, while we still think it’s best to not submit any information anywhere, this is the best solution for checking to see if your payloads have been flagged.

First, in case you haven’t noticed, Veil is now creating a list within the ~/veil-output/ directory called hashes.txt.

Hashestxt

This file contains the SHA1 hashes of all payloads you’ve created, along with their name. This is what VT-Notify will use when interacting with VirusTotal.

VT-Notify has been added to Veil in two different areas, and can be accessed either way. To use it within Veil’s menu, simply start Veil, and then at the main menu you should see the new option. This is for a quick single check. Simply call the command “checkvt”, and you should see the following output if all your payloads are “clean”.

Checktvclean

Now, if one of your payloads have been flagged, you should see something similar to the following.

Checkvtcaught

This essentially concludes how to use it within Veil’s menu system. You also can use the tool, like normal with all its command line options from the command line. To to this, just simply browse to its location at /path/to/veil/tools/vt-notify/ and call it from within that directory.

Vtnotify

If anyone has any questions, feel free to hit us up in our forums! Thanks!

Veil v2.0 : Towards a True Framework

Repo Location: https://github.com/Veil-Framework/Veil-Evasion

Team Veil is proud to announce the release of Veil v2.0.  This drastically reworked version of the Veil AV-evasion framework incorporates a new structure, a slew of new features, and a variety of new payloads:

New Structure

  • Veil has moved from a single flat file towards a truly modular framework:
    • Payload modules dropped into ./modules/payloads/[language] are loaded into the framework automatically
    • Common reusable functions are stored in various files in ./modules/common/*
    • Source/compiled files are output by default to ./output/source/ and ./output/compiled/
    • ./config/update.py is executed automatically on first run, producing a common configuration file at ./config/veil.py, which can be edited manually
    • External tools used by payloads are stored in ./tools/
    • ./doc/* contains pydoc generated documentation for the framework
  • A tutorial describing how to develop payload modules is forthcoming.

New features

  • Veil’s menus and interface have been redesigned for increased usability.
  • One of the common requests for Veil was the inclusion of additional msfvenom shellcode payloads. To incorporate this, we built in automatic crawling of the metasploit /windows/* payload tree and the extraction of necessary payload parameters. The payloads should tab complete within the shellcode selection menu, in msfvenom windows/PAYLOAD format.
  • Tab completion has also been added in a variety of places around the framework, including most menus, LHOST for IP completion, and LPORT for 4444 completion. Try it out!
  • A new python ‘crypter’ named ‘pyherion’ (inspired by Null Security’s Hyperion) has been introduced, which encapsulates python payload files in an AES/base64 encoded wrapper that dynamically decodes/decrypts the python code in memory and executes it. A standalone version has also been introduced in ./tools/pyherion.py . A short post explaining its implementation details will be forthcoming.
  • Command line switches have been implemented for almost all options. Type ./Veil.py -h for details.

New payloads

  • C payloads – Using both a void pointer reference and direct injection into memory with VirrtualAlloc calls
  • Powershell – VirtualAlloc injection, MSF-psexec formatted resource file generation, and download/execution of a secondary payload.
  • C# payloads – VirtualAlloc and base64 obfuscated payloads have been introduced, along with C# .exe compilation.
  • Native payloads – hyperion and pescrambler