Metasploit framework except of the scanners and the exploits that it has also provides the penetration testers the ability to create executables files from the payloads that it contains.In this article we will examine how we can create executable payloads that it can be used as backdoors and the effectiveness of writing our own backdoors that will be undetectable from antivirus.

Lets say that we want to convert a payload to an executable file.The first step of course is to decide which payload we are going to use.In this tutorial we will use the windows/meterpreter/reverse_tcp payload.The -S option will give us a summary of the payload and the available options that requires.

Summary of payload options


As you can see the only option that it requires is to configure the LHOST address.So In order to make this payload an .exe file we will use the command that you will see in the image below.

Creating an executable payload


In the LHOST obviously we will put our local IP address,the X parameter will make this payload an .exe file and then we need to specify a name for the executable which in this case we have given the name pentestlab.exe.Now we need to open metasploit framework and to use the module exploit/multi/handler.

Configuring the multi/handler module


When our file pentestlab.exe will executed on the target machine it will connect back to us.

Returning a meterpreter session


This method will only work on systems that are not running any antivirus software.Most popular antivirus will identify this as a backdoor/Trojan/virus so you have to find a way to bypass them.The best way of course is to create your own backdoor.

We have created a new file with the name pentestlab.bin which will encoded with the shikata_ga_nai 1 time and it will avoid the characters \x00\x0a\x0d.

Creating the .bin file


We are opening the file with a hex editor in order to check if this file doesn’t contain the characters that we have instruct it before to avoid.

pentestlab.bin file opened with a hex editor


The image below is a sample of the code that we have used for our backdoor which it has the name pentestlab.exe

Sample of the Backdoor code


Lets say that we have deliver the pentestlab.exe to our target and the victim has executed the malicious file.

Execution of pentestlab.exe


The execution of the backdoor it will generate HTTP request to the malicious web server where the pentestlab.bin is located.

Malicious Web Server


A meterpreter session it will return to us.

Meterpreter Session Opened after the execution of the backdoor


But what about the antivirus?This backdoor doesn’t contain any known signatures and have been encoded with the shikata_ga_nai which is a polymorphic encoder so it will bypass most of the well-known antivirus.

Detection ratio


As you can see and from the image below antivirus such as Kaspersky,McAfee,NOD32,Panda Sophos,Symantec and Microsoft did not detect the backdoor so any machine can be compromised easily.

Well known antivirus did not detect the backdoor



In the first method that we had created an executable from the existing metasploit payloads without any encoding the detection ratio was bigger and most of the antivirus had identify the malicious payload.From our observation we have seen that shikata_ga_nai is not so effective in executables that haven been created by existing metasploit payloads.So it doesn’t matter how well you will use that encoder or any other packer because most of the antivirus have already in their signatures database the signatures of these payloads.

From the other hand when we used as a backdoor something that we have created the detection ratio was very low.So the only effective way to bypass antivirus is to know how to modify the signature of the payload or to write your own shellcode and to play with different packers and encoders until you have an executable which will be undetectable.


  1. Great blog and post! Can you make available the steps on how to build the fud and the html code? Thanks!

  2. @laerciomotta Unfortunately I cannot do that because the purpose of this blog is not to distribute any backdoors.You have to create your own code depending on your needs if you are penetration tester.

    @re8el In this article there isn’t any html code.This backdoor is written in c++ and I cannot distribute it for ethical reasons.However I am planning to focus in future articles on the techniques that you can accomplish antivirus evasion.

    1. @netbiosX ok but to get the correct idea, the c++ code creates the exe that will download -bin from the site, is this correct?

      1. The c++ code creates the .exe.If the user runs that .exe then an HTTP request will be produced to the web server where the .bin is located.The .bin file is stored on a web server (which is our machine) and not on the victim’s computer.The only file that it is necessary to be executed by the victim is the .exe file.Nothing else.

  3. how u edited pentestlab.exe for adding pentestlab.bin path can u elaborate on it “””” BUT the techniques is ossom bro “””””

  4. Hi all,
    It isn’t possible to run binary code through Internet Explorer or any browser, So
    this Idea is not correct and dosen’t work !!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s