April 11, 2017
Bypass Anti-Virus with ShellCode Injection (Part II)
Continuing from the previous article, here we will create shellcode with Metasploit and inject it into a Win32 application with the PE infector Shellter.
If you have not read Part I, you can read it here.
We have several ways to do this, but keep this in mind: "There is no silver bullet for anti-virus evasion; it's like a cat and mouse game."
Let's start by selecting an application for shellcode injection. Here I am using WinRAR (wrar540) as the demonstration target.
Before proceeding further, we need to create a payload. There are multiple options for payload creation, e.g. Veil, Metasploit, etc. Here I am using Metasploit.
The shellcode has been created; now it is time to inject it into the wrar540 Win32 application via Shellter.
Note: if you run into problems during configuration, refer to Part I of this article.
Run Shellter as root and select operation mode 'M' for manual. You will see:
You will be asked for the PE target; here we select 'wrar540.exe':
PE elimination:
First-stage filtering process:
IAT handler stage:
IAT handler obfuscation:
Finally, the shellcode has been injected into the PE, as you can see:
Before sending it to the victim, it is better to test the infected file against the latest McAfee. Here it is:
Now scan with the anti-virus for any infection; here it is:
Everything is ready for execution, so let's execute it and see the result.
As you can see, the Win32 application works fine and we have a Meterpreter shell too.
That's all for Part II. In the next article, I will cover how viruses work.
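A signature scan is only one check. As an added example that is not part of the original post, here is a Python script a defender can run on a suspect binary: it parses the PE headers with only the standard library and reports structural red flags (a writable and executable section, or an entry point outside every section, in a non-code section, or in an appended last section). `build_pe` only constructs header-only test images; both function names are my own.

```python
import struct
# Section Characteristics bits from the PE/COFF specification.
SCN_CNT_CODE = 0x00000020
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000

def inspect_pe(data: bytes) -> list:
    """Return structural red flags for a PE image (empty list means none found)."""
    flags = []
    if data[:2] != b"MZ":
        return ["missing MZ header"]
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return ["missing PE signature"]
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]  # AddressOfEntryPoint
    entry_section = None
    for i in range(num_sections):
        hdr = opt_off + opt_size + 40 * i                        # section table entry
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, hdr + 8)
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            flags.append(f"section {name} is writable and executable")
        if vaddr <= entry_rva < vaddr + vsize:
            entry_section = (i, name, chars)
    if entry_section is None:
        flags.append("entry point lies outside every section")
    else:
        i, name, chars = entry_section
        if not chars & SCN_CNT_CODE:
            flags.append(f"entry point in non-code section {name}")
        if num_sections > 1 and i == num_sections - 1:
            flags.append(f"entry point in last section {name}")
    return flags

def build_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed test data: a header-only PE32 image, not a runnable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                  # e_lfanew
    opt = bytearray(96)                                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return bytes(dos) + coff + bytes(opt) + table
```

An injector that reuses space inside an existing code section will not trip these heuristics on its own, so pair them with comparing the file hash against the vendor's published value.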
For the latest attacks and proof of concept, please subscribe and follow me at: