
Bypass Anti-Virus with ShellCode Injection (Part II)


By: S-Connect

April 11, 2017


Welcome back!

Continuing from the previous article, here we will generate shellcode with Metasploit and inject it into a Win32 application (a PE file) using Shellter.

For those who have not read part I, you can read it here.

There are several ways to do this, but keep one thing in mind: "There is no silver bullet for anti-virus evasion; it is a cat-and-mouse game."

Let's start by choosing a host application for the shellcode injection. For this demonstration I am using WinRAR (wrar540.exe).

[Image: bypass-antivirus-1]

Before proceeding further, we need to create a payload. There are multiple options for payload creation, e.g. Veil or Metasploit. Here I am using Metasploit.

[Image: bypass-antivirus-2]

The shellcode has been created; now it is time to inject it into the wrar540 Win32 application with Shellter.

If you run into problems during configuration, refer to Part I of this article.

Run Shellter as root and select operation mode 'M' for manual. You will see:

[Image: bypass-antivirus-3]

You will be asked for the PE target; here we select 'wrar540.exe'.

PE elimination:

[Image: bypass-antivirus-4]

First-stage filtering:

[Image: bypass-antivirus-5]

IAT handler stage:

[Image: bypass-antivirus-6]

IAT handler obfuscation:

[Image: bypass-antivirus-7]

Injection stage:

[Image: bypass-antivirus-8]

Verification stage:

[Image: bypass-antivirus-9]

Finally, our shellcode has been injected into the PE, as you can see:

[Image: bypass-antivirus-10]
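Shellter's verification stage reports that the injection succeeded, but it is worth checking for yourself what actually changed in the PE before the anti-virus test: a newly added section, a moved entry point or a section that is both writable and executable are exactly the heuristics an AV engine keys on, whereas patching into an existing code section and leaving the headers alone is what an injector like Shellter aims for. The script below is an added example written for this edit; it is not part of the original article and not Shellter or Metasploit code. It parses the PE32 headers, hashes every section and diffs an original binary against a modified copy. The two files it compares are minimal constructed PE images built inside the script (wrar540.exe is not included), the "stub" bytes are a constructed stand-in rather than real shellcode, and the in-place case is a simplified model of an injection into an existing code section.

```python
"""Added example (not from the original article): diff an original PE32 against a
modified copy and report the header/section changes a verification step should
inspect.  The PEs below are constructed minimal images, not WinRAR."""
import hashlib
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
# IMAGE_SCN_* section characteristics (subset)
SCN_CODE, SCN_IDATA = 0x20, 0x40
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def parse_pe(data: bytes) -> dict:
    """Extract entry point, SizeOfImage and per-section metadata plus a SHA-256 of each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (not PE32+)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]          # AddressOfEntryPoint
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]  # SizeOfImage
    sections = {}
    for i in range(nsec):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections[name.rstrip(b"\0").decode()] = {
            "va": va, "vsize": vsize, "chars": chars,
            "sha256": hashlib.sha256(raw).hexdigest()}
    return {"entry": entry, "size_of_image": size_of_image, "sections": sections}


def diff_pe(original: bytes, modified: bytes) -> dict:
    """Report the changes between the original PE and the injected copy."""
    a, b = parse_pe(original), parse_pe(modified)
    added = sorted(set(b["sections"]) - set(a["sections"]))
    changed = sorted(n for n in a["sections"] if n in b["sections"]
                     and a["sections"][n]["sha256"] != b["sections"][n]["sha256"])
    rwx = sorted(n for n, s in b["sections"].items()
                 if s["chars"] & SCN_EXEC and s["chars"] & SCN_WRITE)
    return {"entry_changed": a["entry"] != b["entry"],
            "size_of_image_changed": a["size_of_image"] != b["size_of_image"],
            "sections_added": added, "sections_modified": changed,
            "rwx_sections": rwx}


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 for the demo: headers in the first 0x200 bytes, sections follow.
    sections is a list of (name, raw bytes, characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    hdrs, raw, va, raw_ptr = b"", b"", SECT_ALIGN, FILE_ALIGN
    for name, body, chars in sections:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN        # round up to file alignment
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body),
                            va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        raw += body.ljust(raw_size, b"\0")
        va += -(-len(body) // SECT_ALIGN) * SECT_ALIGN
        raw_ptr += raw_size
    opt = bytearray(224)
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", entry_rva), (28, "<I", 0x400000),
                          (32, "<I", SECT_ALIGN), (36, "<I", FILE_ALIGN), (56, "<I", va),
                          (60, "<I", FILE_ALIGN), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    assert len(headers) <= FILE_ALIGN
    return headers.ljust(FILE_ALIGN, b"\0") + raw


def demo() -> tuple:
    """Two constructed cases: a quiet in-place patch of .text versus a noisy new RWX section."""
    code = bytes([0x55, 0x8B, 0xEC]) + b"\x90" * 0x2FD            # push ebp; mov ebp,esp; nops
    data = b"A" * 0x100
    text_chars, data_chars = SCN_CODE | SCN_EXEC | SCN_READ, SCN_IDATA | SCN_READ | SCN_WRITE
    original = build_pe([(".text", code, text_chars), (".data", data, data_chars)], 0x1000)
    stub = b"\xE8\x00\x00\x00\x00" + b"\xCC" * 0x20               # constructed stand-in, not shellcode
    # Case 1: stub written into a code cave in .text, no new section, entry point kept.
    patched = code[:0x100] + stub + code[0x100 + len(stub):]
    inplace = build_pe([(".text", patched, text_chars), (".data", data, data_chars)], 0x1000)
    # Case 2: stub appended as a new RWX section and the entry point redirected to it.
    noisy = build_pe([(".text", code, text_chars), (".data", data, data_chars),
                      (".inj", stub, text_chars | SCN_WRITE)], 0x3000)
    return diff_pe(original, inplace), diff_pe(original, noisy)


if __name__ == "__main__":
    for label, report in zip(("in-place patch", "new RWX section"), demo()):
        print(label, report)
```

Against a real pair, call `diff_pe(open("wrar540.exe", "rb").read(), open("wrar540_infected.exe", "rb").read())`; the quiet case should show only the hash of the code section changing, with no added sections, no RWX section and an unchanged SizeOfImage. The parser handles PE32 only; a 64-bit target has a PE32+ optional header with different offsets.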

Before sending it to the victim, it is better to test the infected binary against the latest McAfee. Here it is:

[Image: bypass-antivirus-11]

Now scan it with the anti-virus to see whether the infection is detected. Here it is:

[Image: bypass-antivirus-12]

Everything is ready, so let's execute the binary and look at the result.

[Image: bypass-antivirus-13]

As you can see, the Win32 application is working fine and we have a Meterpreter shell too.

That's all for Part II. In the next article, I will cover how viruses work.


For the latest attacks and proof of concept, please subscribe and follow me at:

Website: https://www.fishyseclab.com
https://s3curityedge.wordpress.com
https://www.cybrary.it/members/sconnect/

Facebook: https://www.facebook.com/alitabishofficial
https://www.facebook.com/FishySecLab/
https://www.facebook.com/s3curityedge/
