1) Does the execution flow return to normal after executing the payload?

Shellter V (v5.0) introduces the Stealth Mode feature which preserves the original functionality of the application while it keeps all the benefits of dynamic PE infection.

As mentioned also below, when you use the Stealth Mode feature you need to set the payload exit function to ‘Thread’, when you prepare the multi-handler listener in metasploit, otherwise the process will be terminated when you kill the session.

For more information on how to use Stealth Mode effectively, please read the readme.txt document.

 2) Does the process die after the payload is executed?

This actually depends on how the payload behaves.

If you use the Stealth Mode feature, then you must always set the exit function for the payload to ‘Thread’ so that it won’t kill the process when it returns. In this case the process will still run.

If you don’t use the Stealth Mode feature, then if the exit function is
set to ‘Process’, the payload will kill the process, otherwise the program will most probably crash.
Keep in mind that this will happen after the execution of the payload, or after killing the reverse connection, so in any case this doesn’t affect the effectiveness of the injected code.

For more information on how to use Stealth Mode effectively, please read the readme.txt document.

3) How long does it take to execute the payload?

Normally, this happens instantly, unless you have injected into a point in the execution flow that requires user interaction with the application in order to be reached.

Furthermore, when junk polymorphic code is used then this delays the execution of the payload. In Stealth Mode the delay is not significant.
However, when Stealth Mode is not used the execution of the effective payload can be delayed by several seconds.

This delay is good in order to bypass AV emulation engines and sandboxes that normally only monitor the process for a limited time. You don’t have to use this feature if you don’t want to. However, it can significantly contribute towards AV evasion.


Refining AV Evasion