Forum Thread: Metasploit Encoders

I know what encoders are and why they are there, but how do they work? What I know is that they change the signature of what they are used on. How do they do so? Do they add random code and comments to change their hash? Or does it change how compiled exploits are compiled?

7 Responses

Think of it like this...

You're like a thief. AV is the police. AV is shooting at you. Now encoders are your Kevlar, your shield. The better your shield, the better your chance of survival.

The encoder masks your exploit under itself, probably code.
And no, it doesn't change how exploits are compiled.

So it covers the exploit as another program/protocol or whatever? How though?

Jeremiah:

AV software is looking for a signature of the malware. If we re-write the code with the same functionality or encrypt the code, sometimes it can get past the AV.

Ok thank you for the explanation. If the payload is encrypted what decrypts it? Does the exploit decrypt it or does it send a smaller payload to decrypt it?

In the simplest cases, the payload is XORed.

Ah, ok, so this is one way an advanced AV could still detect the payload?

Of course. Nowadays AVs use templates and encoder templates, so you will have to do some more magic in order to get past it.
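To make the XOR point concrete, here is an added example that is not from this thread or from Metasploit. It XORs a constructed byte blob with a one-byte key, shows that a plain byte-pattern signature no longer matches the result, and then shows the scanner-side countermeasure the last reply hints at: a detector that undoes a single-byte XOR by trying all 256 keys. The marker bytes and the blob are constructed sample data, not real payload bytes.

```python
# Added example: how single-byte XOR "encoding" defeats a naive byte signature,
# and how a XOR-aware scanner recovers the match anyway.

# Constructed sample data: stands in for any byte sequence a signature matches on.
SIGNATURE = b"SAMPLE-MARKER-BYTES"
SAMPLE_BLOB = b"header..." + SIGNATURE + b"...trailer"


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key. XOR is its own inverse, so the
    decoder stub that runs before the payload performs this same operation."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)


def naive_signature_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Plain byte-pattern scan, like the simplest AV signature check.
    Once the bytes are XORed, this no longer fires."""
    return signature in data


def xor_aware_match(data: bytes, signature: bytes = SIGNATURE):
    """Scanner-side countermeasure: try every single-byte key and return the
    key that exposes the signature (0 means the data was not encoded), or
    None if no single-byte XOR reveals it. Only 256 candidates, so it is cheap."""
    for key in range(256):
        if signature in xor_encode(data, key):
            return key
    return None


if __name__ == "__main__":
    encoded = xor_encode(SAMPLE_BLOB, 0x5A)
    print("naive match on plain blob:  ", naive_signature_match(SAMPLE_BLOB))
    print("naive match on XORed blob:  ", naive_signature_match(encoded))
    print("XOR-aware scan finds key:   ", hex(xor_aware_match(encoded)))
```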
