Combine an EXE File with the Payload (Second Method)

The second method for combining an EXE file with a payload in the Veil Framework involves using the “shellcode_inject” modules. Unlike the first method, which attempts to bind two files, this technique focuses on creating a specialized loader that performs inline injection, allowing the shellcode to run within the memory space of a legitimate process. This is often more effective at bypassing modern heuristic-based antivirus because it avoids the structural anomalies common in traditionally “bound” or “joined” files. To begin, launch the framework by typing veil and navigate to the Evasion menu by entering use 1. From the list of available modules, look for those categorized under shellcode_inject, such as the powershell/shellcode_inject/virtual or c/shellcode_inject/flat options.

Once you have selected your injection module, the configuration process requires more than just network details. You must set your LHOST and LPORT as usual, but you also need to specify the “injection method.” In many of these modules, you can use the set INJECT_METHOD command to choose between techniques like VirtualAlloc or HeapAlloc, which dictate how the payload is carved into the system’s memory. To combine this with an existing EXE, some modules offer a CUSTOM_EXE option similar to the first method, but here it acts as a template for the loader’s behavior rather than a simple carrier. If the specific module does not have a CUSTOM_EXE field, you can generate the injection script and then manually use a third-party tool like “IExpress” (built into Windows) or “SharPyShell” to bundle the generated script with your legitimate executable.

After you have configured the internal settings and any environmental checks, such as setting MINRAM or PROCESSORS to ensure the file is not running in a virtualized sandbox, type generate. Veil will compile a loader that, when executed, will look for a specific process or launch a new one to host the shellcode. Provide a base name for your file and note the output directory. To catch the session, open msfconsole in a new terminal and use the multi/handler. Ensure your payload type matches the one used in Veil, typically windows/meterpreter/reverse_tcp. Set the matching IP and port, then type exploit. When the target opens the resulting file, the injection module will silently map the shellcode into memory, establishing a stable connection to Metasploit while the user remains unaware of the background activity.
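The two behaviours described above, the environment probe (the MINRAM and PROCESSORS checks) followed by a VirtualAlloc or HeapAlloc allocation into which shellcode is written and then executed, are what a defender can look for. The following is an added detection example written for this page; it is not part of the Veil Framework or Metasploit. It assumes a simplified, constructed API-call trace in the form "pid|api|details" (real sandbox or EDR exports are richer, and the function names, field layout and sample lines here are invented for illustration), and it flags any process that shows an allocate, write, execute chain, noting when the allocation was requested as RWX memory and whether system-resource queries preceded it.

```python
"""Added defender-side example (not Veil or Metasploit code).

Flags the inline shellcode-injection pattern described in the text:
optional environment probing, then allocate -> write -> execute in one
process. Trace format "pid|api|details" is an assumption for this example.
"""
from collections import defaultdict

# Constructed sample trace; not output from any real sandbox or EDR.
SAMPLE_TRACE = """\
4120|GlobalMemoryStatusEx|total_mb=2048
4120|GetSystemInfo|processors=1
4120|VirtualAlloc|size=0x1000 protect=PAGE_EXECUTE_READWRITE
4120|RtlMoveMemory|dst=0x1d0000 size=0x200
4120|CreateThread|start=0x1d0000
5016|VirtualAlloc|size=0x10000 protect=PAGE_READWRITE
5016|CreateThread|start=0x401000
"""

# API families used by the detection logic (Win32 names; grouping is ours).
RECON_APIS = {"GlobalMemoryStatusEx", "GetSystemInfo", "GetDiskFreeSpaceExW"}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx", "HeapAlloc"}
WRITE_APIS = {"RtlMoveMemory", "WriteProcessMemory", "memcpy"}
EXEC_APIS = {"CreateThread", "CreateRemoteThread", "QueueUserAPC"}


def parse_trace(text):
    """Group trace lines by pid, preserving call order."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, api, details = line.split("|", 2)
        events[int(pid)].append((api, details))
    return events


def score_process(calls):
    """Return a list of findings for one process's ordered API calls."""
    findings = []
    stage = 0          # 0 = nothing, 1 = allocated, 2 = written, 3 = executed
    rwx = False
    recon_before_alloc = []
    for api, details in calls:
        if stage == 0 and api in RECON_APIS:
            recon_before_alloc.append(api)
        elif stage == 0 and api in ALLOC_APIS:
            stage = 1
            rwx = "PAGE_EXECUTE_READWRITE" in details
        elif stage == 1 and api in WRITE_APIS:
            stage = 2
        elif stage == 2 and api in EXEC_APIS:
            stage = 3
    if recon_before_alloc:
        findings.append("system-resource probing before allocation: "
                        + ", ".join(recon_before_alloc))
    if stage == 3:
        findings.append("allocate->write->execute chain"
                        + (" in RWX memory" if rwx else ""))
    return findings


def analyze(text):
    """Map pid -> findings for every process that triggered at least one."""
    result = {}
    for pid, calls in parse_trace(text).items():
        findings = score_process(calls)
        if findings:
            result[pid] = findings
    return result


if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_TRACE).items():
        print(pid, findings)
```

In the constructed trace, pid 4120 is reported for both the resource probe and the RWX allocate, write, execute chain, while pid 5016 is not, because it allocates ordinary read/write memory and never writes into it before starting a thread. The probe finding is worth keeping separate from the chain: a loader that checks RAM and CPU count and then exits quietly still leaves that first trace in a sandbox, which is also why analysis VMs should be provisioned with realistic memory and processor counts rather than minimal ones.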
