
Bypass Anti-Virus with ShellCode Injection (Part II)


By: S-Connect

April 11, 2017


Welcome back!

To continue from the previous article, here we will learn to create shellcode with Metasploit and inject it into a Win32 application with the PE infector Shellter.

For those who have not read part I, you can read it here.

We have several ways to do that, but keep this in mind: “There is no silver bullet for anti-virus evasion; it's a cat-and-mouse game.”

Let's start with the selection of an application for shell code injection. Here, I am selecting WinRAR as a demonstration (wrar540).


Before proceeding further, we need to create a payload. There are several options for payload creation, e.g. Veil or Metasploit. Here I am using Metasploit.


The shellcode has been created; now it is time to inject it into the wrar540 Win32 application via Shellter.

If you run into problems during configuration, refer to part I of this article.

Run Shellter as root and select operation mode ‘M’ for manual; you will see:


You will be asked for the PE target; here we select ‘wrar540.exe’.

For PE Elimination


For first stage filtering process


IAT Handler stage


IAT Handler Obfuscation


Injection Stage

Verification Stage

Finally, we have injected our shellcode into the PE, as you can see:


Before sending the file to the victim, it is better to test the infected binary against the latest McAfee. Here it is:


Now scan it with the anti-virus for any infection; here it is:


Everything is ready, so let's execute it and see the result.


As you can see, the Win32 application is working fine and we have a Meterpreter shell too.
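The point for a defender is that a single anti-virus scan passing says little: the infected WinRAR still runs and looks normal. What does reliably change when a PE is patched is its integrity. The block below is an added example, not part of the article, of Shellter or of Metasploit: a small PE32 header parser that compares a file's SHA-256 against a known-good (vendor-published) digest and reports structural oddities such as a section that is both writable and executable or an entry point outside an executable section. The PE image it parses is a constructed, non-runnable stand-in built in `build_sample_pe()`, so the demo runs offline; the "known-good" digest is simply taken from the clean sample. Note that an injector which overwrites bytes inside an existing code section, as Shellter does, need not produce any section-flag anomaly, so the hash (and, for a signed installer, the Authenticode signature) comparison is the check to rely on; the structural heuristics are secondary signals.

```python
"""Added example: integrity and structural checks on a Win32 PE file.

Constructed for this article's discussion; not part of Shellter or Metasploit.
The PE image built here is a synthetic stand-in for an installer such as
wrar540.exe so that the demo runs offline.
"""
import hashlib
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def _section_header(name, vaddr, rawptr, flags):
    # IMAGE_SECTION_HEADER; VirtualSize and SizeOfRawData are fixed at 0x200 here
    return struct.pack("<8sIIIIIIHHI", name, 0x200, vaddr, 0x200, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe(entry_rva=0x1000, data_flags=0xC0000040):
    """Build a constructed, minimal PE32 image (headers + .text + .data).

    Defaults describe a clean file: entry point in .text, .data read/write only.
    """
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)           # IMAGE_DOS_HEADER
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)    # IMAGE_FILE_HEADER, 2 sections
    opt = struct.pack("<HBBIIIIIIIII", 0x10B, 14, 0, 0x200, 0x200, 0,  # PE32 optional header
                      entry_rva, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)
    opt += struct.pack("<HHHHHHIIIIHHIIIIII", 6, 0, 0, 0, 6, 0, 0, 0x3000, 0x200, 0,
                       2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                 # 16 empty data directories
    headers = (dos + b"PE\0\0" + coff + opt
               + _section_header(b".text", 0x1000, 0x200, 0x60000020)  # CODE|EXECUTE|READ
               + _section_header(b".data", 0x2000, 0x400, data_flags))
    text = b"\xC3".ljust(0x200, b"\xCC")                               # a lone RET, INT3 padding
    data = b"constructed sample data".ljust(0x200, b"\0")
    return headers.ljust(0x200, b"\0") + text + data


def parse_pe(data):
    """Return the entry-point RVA and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]
    opt_off = coff_off + 20
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt_off + size_opt + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({
            "name": data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_ptr": rawptr,
            "characteristics": struct.unpack_from("<I", data, off + 36)[0],
        })
    return {"entry_rva": entry_rva, "sections": sections}


def assess(data, known_good_sha256):
    """List integrity and structural findings for a PE image; empty means nothing seen."""
    findings = []
    if hashlib.sha256(data).hexdigest() != known_good_sha256:
        findings.append("sha256 mismatch against vendor-published hash")
    pe = parse_pe(data)
    entry_section = None
    for s in pe["sections"]:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= pe["entry_rva"] < s["virtual_address"] + size:
            entry_section = s
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is both writable and executable")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif not entry_section["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {entry_section['name']}")
    return findings


def demo():
    """Assess a clean sample and a tampered copy against the clean sample's digest."""
    clean = build_sample_pe()
    baseline = hashlib.sha256(clean).hexdigest()   # stands in for the vendor-published hash
    # Tampered copy: entry point redirected into .data, which is also marked executable
    tampered = build_sample_pe(entry_rva=0x2010, data_flags=0xE0000040)
    return assess(clean, baseline), assess(tampered, baseline)


if __name__ == "__main__":
    for label, findings in zip(("clean", "tampered"), demo()):
        print(f"{label}: {findings or ['no findings']}")
```

To apply this to a real download, replace `build_sample_pe()` with the file's bytes and `baseline` with the digest the vendor publishes; a mismatch is decisive on its own, while the section checks only add context.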

That’s all for part II. In the next article, I will cover how viruses work.

For the latest attacks and proof of concept, please subscribe and follow me at:


