Home 0P3N Blog Bypass Anti-Virus with ShellCode Injection (Part II)
Ready to Start Your Career?
Create Free Account
By: S-Connect
April 11, 2017

Bypass Anti-Virus with ShellCode Injection (Part II)

By: S-Connect
April 11, 2017
By: S-Connect
April 11, 2017

shell-code

Welcome back!

To continue with the previous article, here we will learn to create a shell code with Metasploit and PE infector via Shellter into a Win32 application.

For those who have not read part I, you can read it here.

We have several ways to do that but keep this in your mind: “There is no silver bullet for Anti-Virus Evasion, it's like a cat and mouse game.”

Let's start with the selection of an application for shell code injection. Here, I am selecting WinRAR as a demonstration (wrar540).

bypass-antivirus-1

Before proceeding further, need to create a payload. We have multiple options for payload creation i.e. Veil, Metasploit, etc. Here I am using Metasploit.

bypass-antivirus-2

Shellcode has been created; now time to inject this shell code into wrar540 win32 application via Shellter.

**If you are getting a problem during configuration, you can refer to part-I of this article.

Run ‘Shellter’ as root & select operation mode ‘M’ for manual, you will see

bypass-antivirus-3

You will asked to put PE Target , here we will select ‘wrar540.exe’

For PE Elimination

bypass-antivirus-4

For first stage filtering process

bypass-antivirus-5

IAT Handler stage

bypass-antivirus-6

IAT Handler Obfuscation

bypass-antivirus-7

Injection Stage

bypass-antivirus-8Verification Stage

bypass-antivirus-9Finally, we have injected our shellcode into PE. As you can see

bypass-antivirus-10

Before sending to the victim, it is better to test the infection on latest McAfee. Here it is

bypass-antivirus-11

Now scan with anti-virus for any infection, here it is

bypass-antivirus-12

Things are ready for execution, so let’s execute for the result.

bypass-antivirus-13

As you can see, the Win32 application is working fine and we have a Meterpreter shell too.

That’s all for part-II. In the next article, I will cover the working criteria for viruses.


For the latest attacks and proof of concept, please subscribe and follow me at:

Website:https://www.fishyseclab.comhttps://s3curityedge.wordpress.comhttps://www.cybrary.it/members/sconnect/

Facebook:https://www.facebook.com/alitabishofficialhttps://www.facebook.com/FishySecLab/https://www.facebook.com/s3curityedge/

Request Demo

Build your Cybersecurity or IT Career

Accelerate in your role, earn new certifications, and develop cutting-edge skills using the fastest growing catalog in the industry