This past Saturday the Veil team presented our talk “AV Evasion With the Veil Framework” at Shmoocon 2014. It was an awesome experience, and we greatly appreciate all the feedback and support we received. The slides from the talk have been posted on slideshare. We also gave the same talk at ShmooconEpilogue, hosted by NOVAHackers, and our presentation was recorded. To see the video, just click here.
With the release of Veil-Catapult and our move towards expanding the Veil framework beyond just Veil-Evasion, we wanted to brief everyone again on the new github project structure. The original tool formerly known just as “Veil” now resides at https://github.com/veil-framework/Veil-Evasion while Veil-Catapult resides in its own repo at https://github.com/Veil-Framework/Veil-Catapult. We will maintain a superproject at https://github.com/Veil-Framework/Veil that will always pull down and set up stable branches of each tool in the Veil-Framework. We recommend that most users clone the superproject and use its update script to take care of everything.
Based on feedback from Shmoo, we implemented the ability to auto-spawn a handler for session catching when using Veil-Evasion in Veil-Catapult. If you set SPAWN_CATAPULT_HANDLER="true" in /etc/veil/settings.py and then use Veil-Evasion to generate a payload to deliver in Veil-Catapult, a window will open that automatically fills in the options for msfconsole. For now, this is disabled by default.
We also wanted to go over a lesser-known shellcode injection technique that we spoke about during our presentation, specifically how we inject into memory via the process's heap. We found that using the process's heap to store and then execute our shellcode was possible while researching methods to allocate memory and modify the permissions (read, write, execute) of the memory that has been allocated. After finally getting heap-based injection working, we also found that it had already been documented elsewhere.
Heap-based injection is very similar to injecting into memory with VirtualAlloc. First, we create a private heap object via HeapCreate. This allows the calling process to use the heap object. Once the object has been created, we allocate a block of memory from the heap object to store our shellcode with HeapAlloc. These two calls are the only difference between injecting into memory via the heap and using a VirtualAlloc call. Once the space has been allocated (as read/write/executable), we move our shellcode into memory with RtlMoveMemory, spawn a thread that executes the shellcode via CreateThread, and then simply wait for our spawned thread (containing our Meterpreter session) to finish its execution, via WaitForSingleObject, before exiting the entire process.
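Because the heap block is allocated read/write/execute, the injected code lives in a committed, private, RWX region, which is the same footprint VirtualAlloc-based injection leaves behind (heap memory is carved from pages the heap manager obtains with VirtualAlloc, so VirtualQueryEx reports it as MEM_PRIVATE). That footprint is what a defender can look for. The following is an added example, not code from the Veil project: it walks a process's address space with VirtualQueryEx (Windows only) and flags committed, private, RWX regions. The classifier is plain Python so it can be exercised anywhere, and it is run here on a constructed region list; `Region`, `SAMPLE_REGIONS`, and the function names are this example's own.

```python
"""Flag private, committed, RWX memory regions in a Windows process (added
example, not Veil's code). Memory allocated read/write/execute through
HeapCreate+HeapAlloc, like VirtualAlloc, shows up as a MEM_PRIVATE region
whose protection is PAGE_EXECUTE_READWRITE, which is what this looks for."""
import ctypes
import sys
from collections import namedtuple

# Windows memory constants (documented values from winnt.h).
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
PAGE_GUARD = 0x100
PAGE_NOCACHE = 0x200
PAGE_WRITECOMBINE = 0x400
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010

# Platform-neutral view of one region (this example's own type), so the
# classifier can be tested without a Windows box.
Region = namedtuple("Region", "base size state type protect")


class MEMORY_BASIC_INFORMATION(ctypes.Structure):
    # Layout matches winnt.h on x86 and x64 (ctypes inserts the x64 padding).
    _fields_ = [
        ("BaseAddress", ctypes.c_void_p),
        ("AllocationBase", ctypes.c_void_p),
        ("AllocationProtect", ctypes.c_ulong),
        ("RegionSize", ctypes.c_size_t),
        ("State", ctypes.c_ulong),
        ("Protect", ctypes.c_ulong),
        ("Type", ctypes.c_ulong),
    ]


def is_suspicious(region):
    """Committed, private (not image- or file-backed), writable and executable."""
    if region.state != MEM_COMMIT or region.type != MEM_PRIVATE:
        return False
    # Strip modifier bits so PAGE_EXECUTE_READWRITE | PAGE_GUARD is still caught.
    prot = region.protect & ~(PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE)
    return prot in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)


def flag_regions(regions):
    return [r for r in regions if is_suspicious(r)]


def enumerate_regions(pid):
    """Walk a live process with VirtualQueryEx. Windows only."""
    if sys.platform != "win32":
        raise OSError("VirtualQueryEx is only available on Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.VirtualQueryEx.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                   ctypes.POINTER(MEMORY_BASIC_INFORMATION),
                                   ctypes.c_size_t]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    regions, mbi, addr = [], MEMORY_BASIC_INFORMATION(), 0
    try:
        # VirtualQueryEx returns 0 once addr passes the top of user space.
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base = mbi.BaseAddress or 0
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Type, mbi.Protect))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


# Constructed sample: what a VirtualQueryEx walk might return for a process
# holding one RWX heap block next to ordinary image, heap and mapped regions.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, MEM_COMMIT, MEM_IMAGE, PAGE_EXECUTE_READ),         # .text
    Region(0x00600000, 0x4000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE),          # normal heap
    Region(0x00700000, 0x1000, MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE),  # executable heap block
    Region(0x00800000, 0x2000, MEM_RESERVE, MEM_PRIVATE, 0),                      # reserved only
    Region(0x7ff00000, 0x1000, MEM_COMMIT, MEM_MAPPED, PAGE_READWRITE),           # file mapping
]

if __name__ == "__main__":
    regions = enumerate_regions(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REGIONS
    for r in flag_regions(regions):
        print(f"RWX private region at {r.base:#x} ({r.size:#x} bytes)")
```

Run without arguments it classifies the constructed sample; with a PID on Windows it walks the live process. Treat a hit as a triage signal rather than a verdict: JIT engines (.NET, browser script engines) legitimately create private RWX regions too, so the next step is to check which thread has its start address inside the flagged region, which is where the CreateThread call in the sequence above becomes visible.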
If anyone has any additional feedback, questions, or ideas, please hit us up on freenode on the #veil channel, email us or reach out to any of us on twitter (info on our contact page), or submit issues on our github. Thanks for all the support, and we hope to keep making something we love that also helps our community.
Your link for RtlMoveMemory should go to “http://msdn.microsoft.com/en-us/library/windows/desktop/aa366788(v=vs.85).aspx”. The other RtlMoveMemory you linked to is part of the WDK and you call it from kernel mode (usually from inside a driver). Or do you now build kernel mode payloads in Veil, too? :)
Ha, yup, you’re absolutely correct. It’s been updated in the post, thanks for pointing this out to us!
And we always love pull requests with some cool stuff, such as kernel mode payloads.. :)