Arrbat/Veil-Forge

Veil-Forge

TL;DR

Research-oriented PE packer written in C, implementing ChaCha20-Poly1305, HKDF, and SHA-256, combined with anti-debugging techniques and process hollowing. The project explores evasion and anti-analysis techniques commonly used in protected or malicious software, with a focus on implementation details and reverse engineering implications.

Disclaimer

THIS PROJECT WAS NOT CREATED FOR MALWARE DEVELOPMENT. It is intended solely for legal and educational purposes. The author does not condone or support any illegal usage, including but not limited to the creation, distribution, or execution of malicious software. Use this tool responsibly and only in environments where you have explicit permission to do so.

This project is also not guaranteed to be cryptographically secure, or secure in any other respect. It was created as a demonstration of programming and reverse engineering skills. However, if this tool can help someone without violating the laws of their country, that would be appreciated.

Overview

Veil-Forge encrypts a given x64 PE executable and embeds it into a precompiled unpacking stub.

At runtime, the stub:

  • derives keys using HKDF
  • decrypts the payload
  • executes it via process hollowing

This design prevents straightforward static inspection of the original binary and introduces additional complexity for dynamic analysis.

Building

You will need the x86_64-w64-mingw32-gcc cross-compiler installed.

❌ There is no support for 32-bit systems or non-Windows operating systems.

To build automatically, run:

./build.bat

Usage

Usage:

./packer.exe your.exe KEY64_IN_HEX NONCE24_IN_HEX

Example with test file:

./packer.exe hello_world.exe  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef

A key and a nonce must be provided by the user; without both, the final application will not run. Use a secure method (such as a cryptographic key generator, which can also be found as a web service) to generate a 64-byte key and a 24-byte nonce in hexadecimal format.
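As an added illustration (not Veil-Forge's own code), the following Python validates the two hex arguments and shows the HKDF-SHA256 derivation step the stub performs on them. Note that the sample key in the usage example above is 64 hex characters, i.e. 32 bytes (ChaCha20's key size), and the sample nonce is 48 hex characters, i.e. 24 bytes; the salt/info layout in `derive_payload_key` is an assumption, since the page does not document the stub's actual HKDF inputs.

```python
import hashlib
import hmac

# Lengths taken from the usage example on this page: the key is 64 hex characters
# (32 bytes, ChaCha20's key size) and the nonce is 48 hex characters (24 bytes).
KEY_HEX_LEN = 64
NONCE_HEX_LEN = 48
EXAMPLE_KEY_HEX = "0123456789abcdef" * 4    # the README's sample key
EXAMPLE_NONCE_HEX = "0123456789abcdef" * 3  # the README's sample nonce


def parse_hex_material(key_hex: str, nonce_hex: str) -> tuple[bytes, bytes]:
    """Validate the two hex arguments the packer expects and decode them."""
    for name, value, want in (("key", key_hex, KEY_HEX_LEN), ("nonce", nonce_hex, NONCE_HEX_LEN)):
        if len(value) != want:
            raise ValueError(f"{name} must be {want} hex characters, got {len(value)}")
    try:
        return bytes.fromhex(key_hex), bytes.fromhex(nonce_hex)
    except ValueError as exc:  # non-hex characters
        raise ValueError("key and nonce must be hexadecimal") from exc


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-SHA256(salt, IKM); an empty salt means 32 zero bytes."""
    return hmac.new(salt or bytes(hashlib.sha256().digest_size), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-SHA256(PRK, T(i-1) || info || i), concatenated to `length`."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def derive_payload_key(user_key: bytes, nonce: bytes) -> bytes:
    """Constructed example of the stub's key step: the user key is the HKDF input keying
    material, the nonce doubles as salt, and the info string binds the purpose.
    This salt/info layout is an assumption, not Veil-Forge's actual scheme."""
    return hkdf_sha256(salt=nonce, ikm=user_key, info=b"veil-forge payload key (example)", length=32)
```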

Technical Details

The project uses the following algorithms:

- AEAD ChaCha20-Poly1305

- SHA-256

- HKDF (HMAC-based key derivation)

- Process Hollowing

- Anti-debug techniques

Limitations:

- No support for 32-bit systems

- No Linux/macOS support

- No anti-VM or sandbox detection

- Stub does not use any obfuscation

- AV software (like Windows Defender) will almost certainly detect the final exe as a trojan

⚠️ Antivirus software may flag or delete the generated executable.
For example, Windows Defender sometimes flags the final executable as suspicious at the very least, classifies it as a trojan, and tries to delete it.


Testing

The project was compiled, tested and run on Windows 11 (v.23H2, x64).

Unit tests were also written for the packer and unpacker functions. Run the compiled tests.exe to test the application automatically.

If everything is okay, you should see the following (example with hello_world.exe):

./build.bat

Note that building requires x86_64-w64-mingw32-gcc compiler and supports only Windows 64-bit.

tests.exe will be builded with all unit tests included, so that you can check if app works as expected by running ./tests.exe .

Building with default warning settings.  ./build.bat WARN_ALL  for more information of building.

UNPACKER BUILDING SUCCESS

PACKER BUILDING SUCCESS

TESTS_PACKER BUILD SUCCESS

TESTS_UNPACKER BUILD SUCCESS

./packer.exe hello_world.exe  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef 0123456789abcdef0123456789abcdef0123456789abcdef

Checking input arguments...

Arguments are valid.

Reading input file...

Read file successfully.

Validate input file as x64 PE...

File is valid x64 PE.

Encrypting data...

Encryption ended successfully.

Copying stub template...

Copying stub template ended successfully.

HKDF: reset=0 input=0 result=0. HKDF ended as expected.

Adding encrypted resource to final.exe...

Added encrypted resources.

Packing completed successfully! Output file: final.exe.
./final.exe



Detection and Analysis Notes

The resulting packed binaries:

  • obscure original code and strings during static analysis
  • shift visibility to runtime behavior
  • rely on process injection (process hollowing), which is a detectable behavioral pattern

Potential detection approaches include:

  • behavioral monitoring of process creation and memory modification
  • identification of hollowing patterns
  • heuristic or rule-based detection of unpacking stubs

Another approach is to manually dump the unpacked sample from memory at runtime; the anti-analysis techniques were implemented to make this more difficult.
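The hollowing pattern the notes above call detectable can be prototyped as a simple correlation over process telemetry. This added example (not part of the project) runs over constructed API-trace lines and flags a source/target PID pair only when the ordered core sequence appears; the event format and the sample PIDs are assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry (not Veil-Forge output): one API-trace event per line,
# "<seq> <source_pid> <api> <target_pid>", as an EDR or sandbox trace might record it.
SAMPLE_TRACE = """\
1 4100 CreateProcess:CREATE_SUSPENDED 5200
2 4100 NtUnmapViewOfSection 5200
3 4100 VirtualAllocEx 5200
4 4100 WriteProcessMemory 5200
5 4100 SetThreadContext 5200
6 4100 ResumeThread 5200
7 7000 CreateProcess 7001
8 7000 WriteProcessMemory 7001
9 7000 ResumeThread 7001
"""

# Ordered core of the hollowing pattern (MITRE ATT&CK T1055.012): a child is created
# suspended, its memory is overwritten, its thread context is changed, then it is resumed.
# Unmap and allocation steps vary between implementations, so they are not required.
HOLLOWING_CORE = ("CreateProcess:CREATE_SUSPENDED", "WriteProcessMemory",
                  "SetThreadContext", "ResumeThread")


def parse_trace(text: str) -> list[tuple[int, int, str, int]]:
    """Parse the constructed trace format into (seq, source_pid, api, target_pid) tuples."""
    events = []
    for line in text.splitlines():
        seq, src, api, dst = line.split()
        events.append((int(seq), int(src), api, int(dst)))
    return sorted(events)  # order by sequence number


def find_hollowing(events) -> list[dict]:
    """Return one finding per (source, target) pair whose calls contain HOLLOWING_CORE in order."""
    by_pair = defaultdict(list)
    for seq, src, api, dst in events:
        by_pair[(src, dst)].append((seq, api))
    findings = []
    for (src, dst), calls in by_pair.items():
        matched, step = [], 0
        for seq, api in calls:  # subsequence match: unrelated calls in between are allowed
            if step < len(HOLLOWING_CORE) and api == HOLLOWING_CORE[step]:
                matched.append(seq)
                step += 1
        if step == len(HOLLOWING_CORE):
            findings.append({"source_pid": src, "target_pid": dst, "events": matched})
    return findings
```

A pair that merely creates a child and resumes it (7000 to 7001 in the sample) is not reported, which keeps ordinary process launches out of the findings.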


This project is not intended to provide production-grade protection or cryptographic guarantees. It is a technical demonstration of packer design, reverse engineering awareness, and low-level implementation.

Stars are very much appreciated

@Arrbat
