Tutorial – Payload Development

A big part of our effort with Veil is to provide a framework for the community to integrate their own AV-evasion methods, public or private. With that said, we wanted to provide a tutorial on the general payload development process for Veil.

We’ve provided a payload template at ./modules/payloads/template.py :

payload_template

The top of each module contains a comment string detailing the workings of the module, any references/prior work the module uses or was based on, and the author who wrote the module.

Imports of common Veil modules are up next using the form from modules.common import MODULE syntax, where MODULE is any of the python files contained in ./modules/common/*. These methods are then called with module.method() syntax. The following is a breakdown of some of the common modules/methods payloads can take advantage of:

  • common.helpers : various string/variable randomization methods, display helpers, etc.
  • common.encryption : encryption related methods (AES, letter substitution, etc.) and language-specific crypters/obfuscators (currently just Pyherion)
  • common.shellcode : the most commonly used module, allows for modularized shellcode generation: call shellcode.generate() to utilize built in menus and return the raw shellcode selected
  • settings : Veil’s configuration file, options referenced with syntax of  settings.CONFIG_SETTING. Check out /etc/veil/settings.py for all available options.

Under __init__(), a few options are required:

  • self.description : a 1-2 sentence description of the payload
  • self.language : the language to group the payload under (currently python/cs/powershell/c#/native)
  • self.extension : the extension to write the payload file out to

Other options can used as needed:

  • self.shellcode = shellcode.Shellcode() : instantiated if shellcode generation is needed
  • self.notes : additional notes (i.e. manual compilation instructions) to display to the user on generation
  • self.required_options : payload options that require a value, of the format {option_name : ["default_value", "description"], … } . A commonly used instance of this is the “compile_to_exe” option to instruct Veil to automatically compile the payload. Note: if no default value is supplied, Veil will automatically require a user to input a value before payload generation.

The generate() method is “where the magic happens”. Shellcode can be generated by Veil’s internal functionality be calling the internal shellcode object with the syntax Shellcode = self.shellcode.generate() like on line 42. Line 48 shows how to use a method in helpers to get a randomized string. Lines 51 and 52 demonstrate how to take advantage of appropriate source code encrypters. Finally, the resulting source code is returned so it can be processed by Veil.

Once you write your own payload module, drop it into the appropriate location in the ./modules/payloads/* folder and it will automatically load into the Veil framework. The general structure is [language]/[method]/[payload]. ‘Method’ at this point consists of “meterpreter” for Meterpreter stagers, and “shellcode_inject” for the various shellcode injection methods.

If you have any questions, feel free to get in touch with in #veil on freenode or checkout our forums at https://www.veil-framework.com/forums/ .

Leave a Reply