Articles

Shellter vs Veil

Updated: 01d/12m/2017

Since I have been asked already to provide an overview of Shellter versus Veil I decided to make one. Before you get mad at me, I want to make clear that in reality there is no attempt to bring anything or anyone against each other.
Also keep in mind that the comparison is only taking in consideration usage of executable files.

So, if you are a Veil developer and/or just an enthusiastic user of it and you think that I have missed something, or some information provided here is not accurate, then please contact me and it will be fixed as soon as possible.

Shellter v7.1 has been released recently and for once more it totally changes the game regarding shellcode injectors.
Shellter currently provides the lowest detections rates if used appropriately, that is by using encoded payloads, and/or by using Shellter’s encoder as a single and/or as an extra encoding layer.

Veil has been out there for long time now and many people already use it.

My intention is to bring another weapon into your arsenal by having fun and innovating the way PE infectors used to work until today.

Shellter, is indeed  the first dynamic PE infector ever created, and it is here to prove that this technique is not just possible or innovative, but also powerful.

Shellter

Pros

Main Features

  • Compatible with  Windows x86/x64 (XP SP3 and above)  & Wine/CrossOver for Linux/Mac.
  • Portable – No setup is required.
  • Doesn’t require extra dependencies (python, .net, etc…).
  • No static PE templates, framework wrappers etc…
  • Supports any 32-bit payload (generated either by metasploit or custom ones by the user).
  • Compatible with all types of encoding by metasploit.
  • Compatible with custom encoding created by the user.
  • Stealth Mode – Preserves Original Functionality.
  • Multi-Payload PE Infection.
  • Proprietary Encoding + User Defined Encoding Sequence.
  • Dynamic Thread Context Keys.
  • Supports Reflective DLL loaders.
  • Embedded Metasploit Payloads.
  • Junk code Polymorphic engine.
  • Thread context aware Polymorphic engine.
  • User can use custom Polymorphic code of his own.
  • Takes advantage of Dynamic Thread Context information for anti-static analysis.
  • Detects self-modifying code.
  • Traces single and multi-thread applications.
  • Fully dynamic injection locations based on the execution flow.
  • Disassembles and shows to the user available injection points.
  • User chooses what to inject, when, and where.
  • Command Line support.
  • Free

Cons

  • Doesn’t (currently) support 64-bit PE files, payloads.
  • Free, but not open source.

GO PRO!

Veil

Pros

  • Supports 32 and 64-bit payloads generated by metasploit.
  • Supports custom shellcode (payload).
  • Free and Open Source.
  • More than one people contribute to its development.
  • Supports different methods of hiding the payload (Base64, AES etc..).

Cons

  • Requires installation.
  • Requires extra dependencies.
  • Mostly compatible with specific Distros of Linux.
  • Generated executable can be over 3 MBytes.
  • Final output executables look alike because of the framework wrappers used.
  • Makes more easy creating veil targeted AV signatures (McAfee already has a dedicated one).

Enjoy,
kyREcon