Bypass Anti-Virus with ShellCode Injection (Part II)

April 11, 2017


Welcome back!

To continue from the previous article, here we will create shellcode with Metasploit and inject it into a Win32 application with the PE infector Shellter.

For those who have not read part I, you can read it here.

We have several ways to do that but keep this in your mind: “There is no silver bullet for Anti-Virus Evasion, it’s like a cat and mouse game.”

Let’s start by selecting an application for the shellcode injection. Here I am using WinRAR (wrar540) for the demonstration.


Before proceeding further, we need to create a payload. There are several tools for payload creation, e.g. Veil or Metasploit; here I am using Metasploit.


The shellcode has been created; now it is time to inject it into the wrar540 Win32 application via Shellter.

If you run into problems during configuration, refer to part I of this article.

Run Shellter as root and select operation mode ‘M’ (manual); you will see:


You will be asked for the PE target; here we select ‘wrar540.exe’.

For PE Elimination


For first stage filtering process


IAT Handler stage


IAT Handler Obfuscation


Injection Stage

Verification Stage

Finally, we have injected our shellcode into the PE, as you can see:


Before sending the file to the victim, it is better to test the infected binary against the latest McAfee. Here it is:


Now scan it with the anti-virus for any infection; here is the result:


Everything is ready, so let’s execute it and look at the result.


As you can see, the Win32 application is working fine and we have a Meterpreter shell too.
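From the defender’s side, the lesson of the walkthrough above is that the trojanised file is still a copy of a well-known application, just one that no longer matches the publisher’s release. The following is an added example, not code from the article or from Shellter: it compares a binary against a known-good SHA-256, checks whether an Authenticode certificate table is present at all, and reports gross section-table anomalies (writable-and-executable sections, an entry point outside any code section). The hash comparison is the reliable part; the header heuristics will not by themselves reveal code injected into an existing code section, which is exactly why scanners struggle with it. The two PE images and the "known-good" hash are constructed inline for the demonstration and are not real WinRAR data.

```python
import hashlib
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # certificate table (Authenticode)


def parse_pe(data):
    """Return (entry_rva, has_cert_table, sections) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    # Data directories begin at +96 (PE32) or +112 (PE32+); each entry is 8 bytes.
    dd_base = opt + (96 if magic == 0x10B else 112)
    _cert_off, cert_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, _ptr, _r, _l, _nr, _nl, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "flags": flags})
    return entry_rva, cert_size != 0, sections


def review(data, expected_sha256=None):
    """Return a list of findings; an empty list means nothing stood out."""
    findings = []
    if expected_sha256 and hashlib.sha256(data).hexdigest() != expected_sha256.lower():
        findings.append("hash mismatch: file differs from the publisher's release")
    entry_rva, has_cert, sections = parse_pe(data)
    if not has_cert:
        findings.append("no Authenticode certificate table present")
    entry_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"]):
            entry_section = s
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s['name']} is writable and executable")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif not (entry_section["flags"] & IMAGE_SCN_CNT_CODE):
        findings.append(f"entry point in non-code section {entry_section['name']}")
    return findings


def build_sample_pe(sections, entry_rva, cert_size=0):
    """Constructed header-only PE32 image for the demonstration (not a real binary)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, cert_size)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, vsize, 0x400, 0, 0, 0, 0, flags)
                    for name, va, vsize, flags in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + hdrs


READ = 0x40000000
INIT_DATA = 0x00000040
# Constructed "release" image: signed, read-only code section.
CLEAN = build_sample_pe(
    [(b".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | READ),
     (b".data", 0x4000, 0x1000, INIT_DATA | READ | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x1200, cert_size=0x800)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN).hexdigest()  # stands in for the publisher's hash
# Constructed modified copy: code section made writable, certificate table gone.
TAMPERED = build_sample_pe(
    [(b".text", 0x1000, 0x3000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | READ),
     (b".data", 0x4000, 0x1000, INIT_DATA | READ | IMAGE_SCN_MEM_WRITE)],
    entry_rva=0x1200, cert_size=0)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, review(image, KNOWN_GOOD_SHA256) or ["no findings"])
```

On a real host the same decision is made by comparing `Get-FileHash` output with the vendor’s published value and by checking `Get-AuthenticodeSignature`; the parser here only makes explicit what those tools look at. Treat a hash mismatch or a missing signature on a copy of a signed application as the signal, regardless of what the scanner says.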

That’s all for part II. In the next article, I will cover how viruses work.

For the latest attacks and proof of concept, please subscribe and follow me at:


