Forum Thread: [Problem] Meterpreter, Migrate and Antivirus

Hello everyone !

First of all, I apoligize for my English :)

I made a meterpreter payload for Windows, and it woks really well so big thanks to all of the people who learned me how to do that !

My payload isn't recognized by Windows Defender and that's really cool :)
But a lot of people have Avast, and my payload is not detected by it neither :3

So, what's the problem ?

As the title points out, it happens when I try to migrate (to explorer.exe). Avast stops everything and detects it as "idp.generic".

I don't have the knowledge to know what it is and how to bypass it (I learned everything here), that's why I'm asking for your help :)

Thank you !

If you want any details that I forgot, please tell me :3

3 Responses

It may be detecting the payload through behavioural patterns of the migrate command for meterpreter payloads. If that is the case, then there isn't much you can do, other than make your own backdoor. I would recommend python and then compiling it using pyinstaller. If you can't do that, or the problem is that is simply that avast has a signature for your payload, then i would recommend using a program like shellter if you haven't used it already.

Thank you for your answer :)

If I make my own backdoor in python and then compile it with pyinstaller, Avast (and other AV) won't recognize it at all ?

And also, does shellter do the same thing as this bit of code ? (I don't know how to put code here, I tried code and /code but that didn't work)

int main(int argc, char * argv)
unsigned char shellcode =
"x14\x03\x50\x14\x83\xe8..." //Shellcode
int (*ret)() = (int(*)())shellcode;
return 0;

EDIT : In fact, I installed my payload as a service which stats at system boot. But I can't interact with the desktop because the user is NT AUTHORITY and not admin or user. That's why I migrate to explorer.exe to become admin. Is there a way to open a new instance of my program as admin throught python under NT AUTHORITY ?

I still don't know how to be admin or user instead of NT AUTHORITY when I am a service :(

Share Your Thoughts

  • Hot
  • Active