Ready to Start Your Career?

Bypass Anti-Virus with Shell Code Injection (Part 1)

S-Connect 's profile image

By: S-Connect

April 6, 2017


List of crafted instructions, executed once the code is injected into the application specifically running applications are called Shell Code. This is possibly done with the popular way via a Stack Buffer overflow & Heap-based Buffer overflow. It’s about referring to start command shell through the customized written code.

Shell Code is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shell code" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shell code.  ~ Wikipedia

Types of Shell Code

ü  Local Shell Code: Commonly used for privileged escalation, attacker has limited access to machines but can easily exploit the vulnerability of higher privileged process on that particular machine.

ü  Remote: Commonly used in a scenario when attackers target a vulnerable process running on another machine. These shell codes used TCP/IP socket connections to get access to the target machine. Here we have two categories based on connection set-up.

a.     Reverse Shell or Connect-back

b.     Bind Shell

c.     Socket-Reuse Shell Code

ü Download and Execute: Basically it’s been download and execute some form of a malicious program on the target system. It basically instructs the victim machine to download the malicious program from blacklisted servers, save it to disk and execute it. Commonly used in drive-by download attack.

üStaged: It’s work in a situation when we have limited memory to execute useful shell code, then it may be possible to execute in stages. The first stage will deliver a small piece of shell code for execution. Stage 1 payload or shell code will download a larger piece of shell code into the process’s memory for execution.

ü  Egg-hunt: Another form of staged shell code, normally used when we have a situation to inject large shell code into the process but unable to determine the location where it will end up. Intruder injects small egg-hunted shell code at a predictable location in the process, to search the process’ address space for larger shell code for execution.

üOmelet: Just like egg-hunt but looks for numerous small blocks of data and recombines them into on larger block that is subsequently executed.

So firewall evasion we have multiple techniques, tools or framework for. Here we will use “SHELLTER.” It’s a dynamic shell code injector and the first ever PE (Portable Executable) infecter rather than EPO (Entry-Point Obscuring) infecter. We can inject our custom shell code into native Windows applications. Currently ‘Shellter’ do have 32-bit applications support only.

Advantages of Shellter

Detection process occurs when AV finds the modification i.e. changes in memory permission at the legitimate program once it has been fabricated via your shell code. Shellter does have an ability to maintain the original structure of the PE file and does not apply any modification & adding extra sections with RWE access.

Setup at Kali Linux

root@Iphone6s:~# apt-get update

root@Iphone6s:~# apt-get install shellter

Installation successful. Now execute an application like:

root@Iphone6s:~# shellter

Note: If you are getting an error during execution like “wine32 is missing” then type the below-mentioned command.

root@Iphone6s:~# dpkg --add-architecture i386

root@Iphone6s:~# apt-get update

root@Iphone6s:~# apt-get install wine32

Now that shellter is up and running, we'll move onto the next article which will cover “Shell code creation for Anti-Virus Evasion”

For latest attacks and proof of concept, please subscribe and follow us at:






Schedule Demo