Metasploit Loader x64

Bypassing AV through Metasploit Loader x64:

First, we edit the 32-bit Metasploit Loader to make it work as a 64-bit build. The change is to use the RDI register, whose `mov` instruction takes 10 bytes on 64-bit, in place of the EDI register, whose `mov` took 5 bytes in the 32-bit version.

Note: the hex opcode bytes for `mov rdi` are 48 BF.

Let's build the executable with the Dev-C++ tool from SourceForge.


It should ship with both 32-bit and 64-bit GCC.


Create a new project named Loaderx64 and save the file as Loader64.



Set the project type to C Project and the application type to Console Application, so that it can be run from the Command Prompt, then save the file.



Replace the default code with the raw `main.c` file from Metasploit Loader:



Make the following changes in Loaderx64.c, since the 64-bit build needs more bytes for the register-load stub:

- Line 107: replace `size + 5` with `size + 10`
- Line 114: add `buffer[0] = 0x48;` (mov in hex is 48)
- Line 115: add `buffer[1] = 0xBF;` (rdi in hex is BF)
- Line 118: replace `1` with `2` and `4` with `8`
- Line 121: replace `5` with `10`


Also, include winsock2.h above windows.h; the original code has them in the wrong order. Refer to the previous post.


Make sure Compile Options includes `-lws2_32` (the Winsock library the loader links against).


Now compile and run the code.


Start the Reverse TCP Handler.


It requires the host and port values. Check the handler: a session has been created.


After running loaderx64.exe, we get a fully working Meterpreter session:


A session has been created by the 64-bit Metasploit Loader.



Scan the loader on antiscan to check whether any antivirus engine detects it.



Note: Never upload the backdoors created to VirusTotal. Also, switch off the automatic sample submission setting of Windows Defender.

Update 2021:


