Bypass Anti-Virus with ShellCode Injection (Part II)

April 11, 2017


Welcome back!

Continuing from the previous article, here we will generate shellcode with Metasploit and inject it into a Win32 application with the PE infector Shellter.

For those who have not read part I, you can read it here.

There are several ways to do this, but keep one thing in mind: “There is no silver bullet for anti-virus evasion; it’s a cat and mouse game.”

Let’s start by selecting an application for shellcode injection. For this demonstration I am using WinRAR (wrar540).

bypass-antivirus-1

Before proceeding further, we need to create a payload. There are several options for payload generation, e.g. Veil or Metasploit; here I am using Metasploit.

bypass-antivirus-2

The shellcode has been created; now it is time to inject it into the wrar540 Win32 application via Shellter.

If you run into problems during configuration, refer to part I of this article.

Run Shellter as root and select operation mode ‘M’ for manual; you will see:

bypass-antivirus-3

You will be asked for the PE target; here we select ‘wrar540.exe’.

PE elimination stage

bypass-antivirus-4

First-stage filtering process

bypass-antivirus-5

IAT Handler stage

bypass-antivirus-6

IAT Handler Obfuscation

bypass-antivirus-7

Injection Stage

bypass-antivirus-8

Verification Stage

bypass-antivirus-9

Finally, we have injected our shellcode into the PE, as you can see:

bypass-antivirus-10

Before sending it to the victim, it is better to test the infected file against the latest McAfee. Here it is:

bypass-antivirus-11

Now scan it with the anti-virus for any infection; here it is:

bypass-antivirus-12

Everything is ready for execution, so let’s run it and see the result.

bypass-antivirus-13

As you can see, the Win32 application is working fine and we have a Meterpreter shell too.
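A signature scan like the one above only tells you whether a product recognises the file; a defender triaging a suspect installer also wants to know whether the PE layout itself looks tampered with. The following is an added example, not part of the original article or of Shellter: it parses the section table and entry point of a PE image and flags layouts a normal build would not produce (entry point outside every section, in writable or non-executable memory, or any section mapped writable and executable). The sample images are constructed by a helper and contain headers only; all names and values are mine.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_* flags


def build_pe(entry_rva, sections):
    # Constructed headers-only PE32 image for testing; sections = [(name, rva, size, flags), ...]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva) + b"\0" * 204
    hdrs = b"".join(struct.pack(SECTION_FMT, n, sz, rva, sz, 0, 0, 0, 0, 0, f)
                    for n, rva, sz, f in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


def parse_headers(pe):
    # Return (AddressOfEntryPoint, [(name, rva, virtual_size, characteristics), ...])
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]                 # AddressOfEntryPoint
    first = coff + 20 + opt_size
    raw = [struct.unpack_from(SECTION_FMT, pe, first + 40 * i) for i in range(nsect)]
    return entry, [(s[0].rstrip(b"\0").decode(), s[2], s[1], s[9]) for s in raw]


def triage(pe):
    # Layout findings worth escalating; an empty list means these checks saw nothing unusual
    entry, secs = parse_headers(pe)
    findings = [f"section {n!r} is writable and executable" for n, _, _, f in secs
                if f & SCN_MEM_WRITE and f & SCN_MEM_EXECUTE]
    home = next((s for s in secs if s[1] <= entry < s[1] + max(s[2], 1)), None)
    if home is None:
        findings.append(f"entry point 0x{entry:x} lies outside every section")
    elif not home[3] & SCN_MEM_EXECUTE:
        findings.append(f"entry point is in non-executable section {home[0]!r}")
    elif home[3] & SCN_MEM_WRITE:
        findings.append(f"entry point is in writable section {home[0]!r}")
    return findings


# Constructed samples: a conventional layout, and one whose entry point was redirected into an added RWX section
CODE, DATA = 0x20 | SCN_MEM_EXECUTE | SCN_MEM_READ, 0x40 | SCN_MEM_READ | SCN_MEM_WRITE
CLEAN = build_pe(0x1200, [(b".text", 0x1000, 0x4000, CODE), (b".data", 0x5000, 0x1000, DATA)])
SUSPECT = build_pe(0x6010, [(b".text", 0x1000, 0x4000, CODE), (b".data", 0x5000, 0x1000, DATA),
                            (b".stub", 0x6000, 0x200, CODE | SCN_MEM_WRITE)])
```

A clean result is not proof of integrity; compare the file's hash and Authenticode signature against the vendor's release as well.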

That’s all for part II. In the next article, I will cover how viruses work.


For the latest attacks and proof of concept, please subscribe and follow me at:

Website:
https://www.fishyseclab.com
https://s3curityedge.wordpress.com
https://www.cybrary.it/members/sconnect/

Facebook:
https://www.facebook.com/alitabishofficial
https://www.facebook.com/FishySecLab/
https://www.facebook.com/s3curityedge/
