Veil – A Payload Generator to Bypass Antivirus

NOTE: Please, be kind, and don’t submit any payloads to ANY online virus scanner!  Please be sure to check out https://www.veil-framework.com, Veil’s website for the latest tutorials, updates, and repo location.  Any questions on using Veil?  Join us in #veil on Freenode!

On nearly every assessment, pen testers have to fight a battle against antivirus solutions.  The level of effort that goes into each “battle” relies on the AV solution, its definitions, etc.  Researching methods to bypass antivirus solutions has been an interest of mine on and off  for the past 6 months. About two months ago I started to take a more serious look in how I could take my recent research and turn it into something that more usable and useful.  I set out with a couple goals:

  • Bypass common AV solutions that I/we routinely encounter in most network environments
  • Utilize payloads that are compatible with the Metasploit framework, and expand upon these in future releases
  • Attempt to make each payload file as random as possible

With these goals in mind, I continued researching methods of bypassing AV.  Since I wanted to maintain metasploit compatibility, I chose to use shellcode generated by the metasploit framework, specifically msfvenom. To accomplish this, I began looking into other available research, which is where I discovered a number of interesting techniques that a variety of people, such as Dave Kennedy and Debasish Mandal, already began to develop.  From their research, I learned about really interesting ways to inject shellcode into memory through python.  These methods were the foundation of the rest of my research.

Since the majority of our assessment are against predominantly Windows environments, it was important that the tool worked reliably against these systems.  Since I chose to write the tool in Python, I had to figure out how to package the Python output files containing the obfuscated shellcode to execute on Windows without requiring Python to be installed on the target machine.  One of the solutions I looked into was using Py2Exe.  I knew other software used this method to convert their Python-based scripts or tools into an executable that could run on Windows and figured I could do the same.  I began testing Py2Exe with the payload files I developed and was successful running the executables on various versions of Windows, so I stuck with that solution.  The final part was for me to develop a tool that automated the payload generation process, and I’m happy to release Veil.

Veil

Veil is currently capable of using 7 different methods to make 21 different payloads, all of which result in meterpreter connections.  Veil provides the user with the option of using either Pyinstaller or Py2Exe to convert their python payload into an executable.  With Pyinstaller, Veil users and have their file converted into an executable all within Kali and does not require the use of a second VM/Machine.  When using Py2Exe,Veil will generate three files to which are required to create the final executable; a payload file (in Python), a file with runtime instructions for Py2Exe, and a batch script which handles converting the payload file into an executable. To generate the final payload, copy the three output files to a Windows host with Python, Py2Exe, and PyCrypto installed and execute the batch script. This will build the final executable that is uploaded to the target. The executable file can be dropped anywhere, on any Windows system, as all required libraries are stored within the exe file.  Once dropped on a system and executed, the payload will result in a meterpeter callback that is undetected by AV.

Py2Exe

I’ve tested the packaged executable against multiple AV solutions (MSE, Kaspersky, AVG, Symantec, and McAfee), on both test systems and “in the wild,” and have a very high success rate, bypassing detection in almost every circumstance. I hope that, by releasing this tool, I can enable others in the community to provide more effective assessments by allowing them to focus their efforts on security risks and spend less time bypassing ineffective security measures that wouldn’t deter an actual adversary.

Scanned with MSE

Setup:

For Kali:

  1. Run the setup script (setup.sh) and follow the installation process.
  2. Once the setup script has completed, delete the setup script.

For Windows (when using Py2Exe)

  1. Install Python 2.7 – (tested with x86 – http://www.python.org/download/releases/2.7/)
  2. Install Py2Exe – (http://sourceforge.net/projects/py2exe/files/py2exe/0.6.9/)
  3. Install PyCrypto – (http://www.voidspace.org.uk/python/modules.shtml)

Instructions for Use:

  1. Run Veil from Kali and generate your payload.
  2. If using Pyinstaller, your payload will be converted into an executable and is available for immediate use.
  3. If using Py2Exe
    • Move the payload.py along with its two accompanying files onto your Windows machine (that already has python and the other dependencies from above installed).  All three files should be placed in the root of the directory Python was installed to (likely C:\Python27).
    • Run the batch script to convert the Python payload into an executable format.
  4. Place the payload file on your target machine through any means necessary!

Future Direction:

  • Research new methods of encrypting or obfuscating the payload.
  • Research other languages with direct access to the Windows API for delivering the payload.

Want to play with Veil?  Feel free to do so.  Download, clone, do anything you’d like with it.  You can download Veil  here – https://github.com/Veil-Framework/Veil-Evasion.

I hope that it can help others on their tests just as it has helped me.  Please, if anyone has additional functionality they would like to add, I’d love to have input from the community!

References:

Dave Kennedy – http://www.trustedsec.com/files/BSIDESLV_Secret_Pentesting_Techniques.pdf

Debasish Mandal – http://www.debasish.in/2012/04/execute-shellcode-using-python.html

144 thoughts on “Veil – A Payload Generator to Bypass Antivirus

  1. I’ve been using this technique in my custom code for quite sometime. One recommendation — create template files, rather than creating it with all the Payloadfile.write().

    You could replace the strings in the template files real easy. It also allows for others to easily just modify the template. This will also make your code more cleaner and maintainable ==== and extensible as others would be happy to add to it 🙂

    All the best!

    • Thanks, appreciate the recommendations. We’re definitely looking to do both suggestions shortly, after a lot of testing, we were happy where we are at for an initial release, but do plan on trying to turn this into a usable framework to allow contribution from the community.

  2. I think you spelled your name wrong in the “by”, looks like you may have just dropped an r. Excited to give this a shot and dig your use of the Polished theme!

    • Could you let me know exactly what you installed for py2exe? We’ve done extensive testing and haven’t encountered any issues yet, but if you could let us know exactly what you installed, we could try to re-create the issue and then determine how to fix it.

  3. @Alexandros Iliopoulos: in the directory from which you have launched veil. You can see this easily. Launch veil but don’t chose between 1 & 2, pyInstaller or py2Exe so it just sits there waiting for input. Payload.py will have been built and be sitting in the cwd (just ls).

    Actually Chris, on 64-bit kali, wine isn’t installed. Launching the setup script will get a helper wine64 package ask to setup multiarchs and install the 32-bit wine. After doing this, on my system, Python wasn’t installed under wine. So when using Veil, obviously pyInstaller does not succeed in creating the payload.
    So this never works:

    185 # Else, used pyinstaller (used by default)
    186 else:
    187 print
    188 os.system(‘wine /root/.wine/drive_c/Python27/python.exe /root/pyinstaller-2.0/pyinstaller.py –noconsole –onefile payload.py’)
    189 os.system(‘mv dist/payload.exe .’)

    and later the temp payload.py is cleaned up.

    @Alexandros Iliopoulos: unzip Veil.py a second time and launch setup.py again and make sure to install Python under wine (if this was your problem). If not, I hope I at least solved someone’s problem 😉

    • Yeah, you’re absolutely right. We initially tested on and developed for x86 Kali, but supporting x64 Kali is important to us as well. Looks like you helped to save us some time in supporting this, so thanks! We’ll be adding this capability to the tool shortly.

      • Hi Chris,

        Thanks for the great tool in advance. But the solution above doesn’t work for me as well. No payload is generated using pyinstaller.py.

        I have changed the supportfiles.py by following the post mentioned here
        http://www.infosecisland.com/blogview/23359-Sewing-Patches-in-the-Veil-AV-Evasion-Framework.html

        But that also does not work. Have checked the location for my
        pyinstallyer.py file which is here
        /usr/share/pyinstaller/pyinstaller.py

        The payload.py file gets created under the source directory.

        Don’t know what i am doing wrong.

        I have Kali Linux. If you need more info. will be glad to help

        Kind Regards,
        Bhavin

        • Hi,

          We don’t recommend making that change which is in the article as it can break Veil. You need to give us a little more info to help. What version of Kali are you using? Did you run the setup script?

          Please reach out to us on twitter and/or Freenode irc channel #veil and we can give live support.

          Thanks

          • Hi Chris,

            Version of Kali is 1.0
            Firstly i installed veil from add/remove softwares and then it downloaded a lot of supported software
            Kali did run and had no errors with that at all, except no .exe file was being gerated.

            Then i downloaded the files from git and ran the setup.sh file. Same results – no .exe file.

            Am i missing anything?

            Kind Regards,
            Bhavin

          • Hey,

            We posted that there currently an issue with installing Veil via apt. The offsec guys (they’re an awesome team) are currently looking into fixing the veil package, unfortunately it happens considering Veil requires a wide variety of dependencies for the payloads that it generates. And unfortunately, if you try installing via apt, it causes issues when installing via git too.

            Easiest way would be to go back to a snapshot before you installed veil via apt, and instead install it via git. It’ll work for you then.

    • Hi,

      Is there a tutorial somewhere where i can follow it and you mentioned snapshot in Kali, how do i go about doing that?

      But the link will be great.

      Kind Regards,
      Bhavin

      • You would have needed to have taken a snapshot with VMware (or your virtualization software of choice).

        There isn’t a tutorial for installing Veil because all you need to do is run the setup script and it handles everything. If you’re having issues, Honestly the best bet is to try with a clean system. You are potentially going to have issues when trying to install from git after a failed apt install.

    • hmm…okay, thanks Chris…

      I think the best thing to do is to do a clean install…but first i am trying the git way…let’s see…fingers crossed

      Kind Regards,
      Bhavin

      • Yeah, sorry might not have been what you were looking for, but git, as of right now, is the way to install due to a bug in the veil package.

        I’m 100% certain if you have a clean Kali and install/setup veil from git, it will work for you.

  4. For completeness’ sake:
    dpkg –add-architecture i386 && apt-get update && apt-get install wine-bin:i386

    are what should be executed on kali 64bit before launching the setup.sh script.

  5. Thanks for the post. I am able to get a meterpreter connection. However, when I try to run a command, I get “unknown command”. I just type “?” at the meterpreter prompt, nothing is returned. Any suggestions? Thanks

  6. I haven’t tried the tool yet, but just out of curiosity, I would like to ask something.

    When someone generates a meterpreter based payload with metasploit into an exe template, then metasploit will put there the 1st stage which will then get the rest of the necessary modules upon connection with the evil machine.
    So, does that tool basically try to hide that 1st stage?

    Thanks for your time.

    Apos

  7. well done, it’s working great so far. any plans to offer x64 msf payloads eventually? also, you mention it works on “almost” all AV products – can you disclose which ones caught it?

    • just ran it thru virustotal and only 2/47 detected it ….it passed with flying colors as no major AV caught it …:)….btw i used this on a windows 7 machine 64bit :)….some AV called antiy-AVL and TheHacker caught it …hope i helped …:)

    • We can definitely look into adding x64 meterpreter, that wouldn’t be hard to do. We just wanted to start with the x32 bit versions first. We mentioned “almost” all AV products because we just simply haven’t tested EVERY single AV solution out there. Of the ones we’ve tested, it’s bypassed everyone of them. However, just due to not having tested all solutions, we just didn’t think it was fair to say we bypass them all.

  8. Well done alex !! IOMG,it is a common rule and everybody knows NOT to upload samples to VT for checking since there’ll be signatures soon in the AV products for your sample !

  9. Chris, firstly congrats, brilliant tool. Could I suggest that perhaps you put an explanation at the top by your comment about not uploading to VT? I think Hugo Sanchez said it quite well so words to that effect.

    It would be nice if there was an efficient way to communicate this kind of tool to the community without the risks of the “general masses” getting their hands on it and it shortly being smashed through VT regardless. Maybe there is a need for a reputation-trust based social network type website maintained by the community that is quite well guarded? just a thought 🙂

    • We do have a goal to make Veil not rely on any underlying OS, but purely on Python, but as of now it is reliant on Linux. It does work best on Kali, and as of now we recommend using it on Kali.

  10. How can i use Veil to create a payload On external IP ???

    When i try to Create a payload thrs no option to create payload for External IP..

    May b thrs another method i dnt knw..

    your help is much appreciated.. 🙂

      • When i try to create a payload
        It says Enter ur local IP … Dats what i worried lil bit

        as u said anyIp .. can we put our Public IP when it says Enter ur local IP ??

        If yes than i will try to test it via External network
        Not on my same Network On Internet i mean ??

        I forwarded Port also and while generating payload i will put that Port which i forwarded on my Modem

        After all this Can i get a meterpreter Shell
        On External IP ???

        Srry Noob Question Again

        thnx

          • Sir 1 major prob plz help me ..

            i tried Veil on Ubuntu 13

            Its all running ok But when in last i tryied to make Binary .exe

            it show error

            =========================================================================
            Veil | [Version]: 1.1.0 | [Updated]: 06.01.2013
            =========================================================================

            [Error]: Can’t find python.exe in /root/.wine/drive_c/Python27/.
            Make sure the python.exe binary exists before using PyInstaller.

            root@nomno:~/Desktop/Veil-master/Veil-master#

            I knw bcoz Python27 is not thr
            But when i try to install through wine in Ubuntu
            It installed in my home/machinename/.wine/drive_c/Python27

            How can i change the script to Take Python27 frm
            another location???

            and which script shld i change…

            Help !! plzzz 🙁

  11. Hello there Chris,

    Just dropping by to say thank you and that you did a brilliant job. I appreciate the effort.

    Thank you mate 🙂

    P.S. I promise never to use it on virustotal lol

    James

  12. maybe a little stupid question? but there are too many files on your github link? how do i get all modules etc ? cause it will take me ages to download all files?. Thanks and sorry for a noob question. By the seem nice. all the best for upcoming updates.

    • Hey,

      No, there aren’t too many. The reason it is semi-large is because we have all the required setup files included within the git repo. We included them because we’ve tested with those specifically and they are known to be working.

  13. Hello Chris sorry for the bad english!!
    The Payload crash when i try to run it, the machines are windows xp (italian) x86.

    i’ve installed the requirement that you have indicated.

    thanks

    • Hi there, we need a bit more information. Are you running the latest version of Veil on Kali? Have you updated it? How are you generating your payload files?

      Might be easy to talk to us on twitter. Look up our accounts:
      @ChrisTruncer
      @TheMightyShiv
      @the_grayhound

  14. Would be great if you could specify hostname for reverse_https instead of just IP address. Other than that, great job!

  15. I get this error. Do you have any idea about it? Any help would be much appreciated

    [Error]: Can’t find python.exe in /root/.wine/drive_c/Python27/.
    Make sure the python.exe binary exists before using PyInstaller.

  16. Thanks a lot for this tool. It works perfectly. Just a little question, somebody tried to convert the payload.exe, obtained with veil, with exe2vba of metasploit for obtained a macro for MSOffice? I’m tried but sometimes work and sometimes receive an error when open word . Somebody can help me? Thanks in advanced?

  17. Hi. Just picked up Veil today and been playing with it this afternoon. Excellent job.

    I’ve been having a bit of bad luck with some of the resulting *.EXEs — 3 of them got picked up by Norton (Argh!). However, all of the powershell payloads I created, work like a charm!!!

    Great job, Christopher. Keep up the good work!

      • This is how my test went:

        1. I used 3 PCs, all of them brand new.
        2. They all had a version of “Norton Internet Security” pre-installed.
        3. The attacking machine, was a remote VM.
        4. The payload was created using “python/DESVirtualAlloc” and compiles with pyinstaller.
        5. No additional ‘msfvenom’ parameters were used.

        Norton identified the file, as “Metasploit”, correctly identified the destination and port.

        It was just a test — I didn’t bother to encode the payload.

      • i maneged to open it with
        ‘/root/Veil/Veil.py’
        now it give mi thath error
        [?] How would you like to create your payload executable?

        1 – Pyinstaller (default)
        2 – Py2Exe

        [>] Please enter the number of your choice: 1
        C:\Python27\python.exe: can’t open file ‘/root/pyinstaller-2.0/pyinstaller.py’: [Errno 2] No such file or directory
        mv: no se puede efectuar `stat’ sobre «dist/payload1.exe»: No existe el fichero o el directorio
        rm: no se puede borrar «*.spec»: No existe el fichero o el directorio
        rm: no se puede borrar «logdict*.*»: No existe el fichero o el directorio
        i think i made a great mess : )

  18. I have one question, when i use custom shellcode (all in one line and no quotes) the vail console flickers up and down maybe 2 min, and then returns to the beginning…

    Is this a bug, or my shellcode is too big?

  19. I have tried to install on Linux x86 using setup.sh but in the end i receive the following errors:-
    ./setup.sh: line 55: cd: ../config: No such file or directory
    python: can’t open file ‘update.py’: [Errno 2] No such file or directory

  20. Hello and thank you for the tool. I have tried it few times, looks great. I really hope you will continue developing it. I am new to Kali and security in general. Is there an option in Veil to merge the payload.exe generated with another custom executable, lets say an http://ftp.exe? If not do you know of any tool in kali which will give me the option to do so? Thank you.

  21. Thanks for posting this! It looks amazing, but I’m having trouble getting it installed. Google-fu didn’t help me, so I’m posting here. Sorry if it’s a retarded question, but if the boot fits…

    I downloaded the setup.sh to kali. I attempted to run it and got:

    root@kali:~# sh ./setup.sh
    ./setup.sh: 5: ./setup.sh: Syntax error: newline unexpected

    How to do? :\

  22. Is it possible to add msfvenom options such as -x for template name? At one point it says: Enter extra msfvenom options in OPTION=value syntax,. If I want to add a custom template how do I go with this one? Tried few methods but no luck. I think this one was asked in one of the above posts too.

    • Yeah, you can add extra options exactly in that OPTION=value section of veil, but the only one that won’t work is the -x. That’s because you’re not cloning an existing template when using Veil, it’s making its own template.

      • Do you consider this as a future additional to Veil? It will be great if we had the option to inject the new Veil exe into let’s say putty so it runs when you open putty.

  23. Hey Chris,

    I installed Kali again and downloaded the latest Veil version from git…Errors below after i run as sudo sh ./setup.sh

    ./setup.sh: 4: [: root: unexpected operator
    ./setup.sh: 13: [: 1: unexpected operator
    [ERROR]: Either run this setup script as root or install sudo.

    Is there anything wrong i am doing?

    Kind Regards,
    Bhavin

    • Hi Chris,

      Finally got it working: used bash ./setup.sh instead and that did the trick. Although not the first time. Had the error
      Can’t find python.exe in /root/.wine/drive_c/Python27/

      So followed the post above by Alexandros Iliopoulos to unzip the package again and start the install process…

      Went through the python setup and voila…works like a charm.
      Thanks for your prompt replies…

      Kind Regards,
      Bhavin

  24. Hi Cristopher,
    I created a python style payload (with pyinstaller) but when I run this payload on my machine the program is quit after some seconds…. How can I debug what is the problem?
    (I would like to create a reverse meterpreter shell)

    My environment win7 x64 + SCEP 2012. the AV didn’t alert me….

    (I created a crypted payload with hyperion crypter and that is works fine for me…)
    So, I don’t known why this isn’t work for me…

      • Sorry… It was my mistake (the handler was aborted somehow…)
        I restarted the handler and the payload works nice now.
        But I have another problem.
        I have 2 machine. One laptop is at home & another desktop is in my office.
        In my office everything works fine. (python install in wine, etc. Everything is very nice.
        but in my laptop the python can’t install under wine…
        I don’t understand what is the problem. (and what is the difference between the two machines)
        both computers are running Linux kali.(in Virtualbox)

        how can I compare the 2 system? I don’t known what is the different…

        (all software versions of the same: wine, python.msi, veil, etc)

        what I should to do ? please help me.

        (after I tryed install python 2.7 in wine the python.exe doesn’t exist in the .wine/drive_c/Python dir … ?the installation was unsuccessfull.)

        ps: The Veil is Excellent. Great work man!

        • For the one with issues, how did you install wine? Did you do it from apt or from cloning the git repo? I just need a little bit more info to be able to help you troubleshoot this?

          • Hi!

            Problem solved 🙂

            I installed wine with apt-get install.
            (version of wine is 1.4.1)
            The solution:
            extract python-2.7.5.msi (with uniextractor) in a windows
            copy -r all of python files to .wine/drive_c/Python27
            then add to registry:

            pico pyreg.reg:
            [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7]

            [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\InstallPath]
            @=”C:\\python27″

            [HKEY_CURRENT_USER\Software\Python\Pythoncore\2.7\PythonPath]
            @=”C:\\python27;C:\\python27\\Lib\\;C:\\python27\\DLLs\\”
            wine regedit pyreg.reg

            then install all of components in wine (pywin32, py2exe, pycrypto)

            then everything works :)(I used the Pyinstaller method in Veil)

            This method a work around for the “err:msi:ACTION_InstallFiles Failed to extract cabinet: blablabla” error

  25. hello sir i have used your program and it is very nice but when i create the .exe file and send it to the target computer on which kaspersky internet security is installed it detects the infected .exe file

    please help me out to hide the file from antivirus and get access to the target commputer

    i did AES encrypted

    • I believe Kaspersky may be catching it sometimes based off of heuristics. Currently, Veil-Evasion is designed to evade disk based detection. One thing you could try is a powershell based payload, or signing the payload. Also, you could try to modify the source code, and re-wrap it into an executable and try to evade it. If you create something that does it, you should certainly let us know or submit a pull request for a new payload, we’d love to see it.

  26. hi ! I have Created a Payload by Veil, it really gr8, just have 1 problem that i am not much happy with its file size, its about 3MB 0r 3.1 MB. is there any solution to reduce the file size of payload ??

    I will be very gr8full to you.

  27. Hello guys,

    Every time I want to build my backdoor, I have these errors :

    http://pastebin.com/YMGUiDVc ( don’t want to past all the errors, I don’t know if the rules allow us to past code lines. )

    I didn’t take care of these errors, because at the end i have these result :

    [*] Your payload files have been generated, don’t get caught!
    [!] And don’t submit samples to any online scanner! 😉

    So I told myself, no matter, now, let’s try to corrupt my second computer wich is connected to an another network and … nope, it’s not working. It’s loading a few seconds, than nothing, I launched the handler, with the same LHOST, LPORT, and it’s still not working …

    Requesting help, thank you in advance, and sorry for my bad english. :l

  28. Hi Chris, first of all let me thank you and congratulate you for such an amazing tool. I just have one question, is there a way to use veil to encode other metasploit modules, such as bypassuac? Best Regards

  29. Does each payload come out different meaning if I or someone did upload to virus total and discovers trojan does that make that single executable tainted or does it ruin future generated payloads?

  30. I have installed veil on kali linux. when i try to use it I face this error in its working process:

    [!] ERROR: Can’t find python.exe in /root/.wine/drive_c/Python27/ [!] ERROR: Make sure the python.exe binary exists before using PyInstaller.

    Please resolve it

Leave a Reply to Lolantha Peiris Cancel reply