I generally prefer to write my articles in Turkish, and I support them with proof-of-concept code, videos and small tools. In my previous article I created a small tool called antimeter, which scans memory to detect and kill Metasploit’s meterpreter. I did not expect that much interest from the community, so I did not implement core features like logging and auto-kill, but antimeter unexpectedly got nice feedback, so I have decided to implement these features and more for the community. I will release the second version of antimeter in two days, stay tuned…

Here is antimeter version 2.0, as I promised to the community; click here to download it.

USAGE
——-

Usage: antimeter.exe [arguments]

Optional arguments:
-t [time interval] Scans memory at every specified time interval, in minutes (the default interval is one minute)
-a Automatically kills the meterpreter process after detection (disabled by default)
-d Only detects the meterpreter process, without killing it (disabled by default)
-e Adds processes to the exclusion list (comma-separated)

EXAMPLES
———-

Scans memory every 5 minutes, kills the meterpreter process automatically, with verbose mode enabled: antimeter.exe -t 5 -a -v

Scans memory every minute and only detects the meterpreter process: antimeter.exe -n

Scans memory every minute; the explorer and winlogon processes are excluded from scanning: antimeter.exe -e explorer.exe,winlogon.exe

CHANGELOG (v2.0)
——————

Added logging feature. (The log file is antimeter.txt.)
Added auto-kill feature. (Kills the meterpreter process automatically after detection, with no user interaction.)
Added “detection only” mode. (Does not kill the meterpreter process, detection only.)
Added exclusion support. (Does not scan the specified processes. Separate multiple processes with a comma.)

VIDEO
——–

20 Responses to “Antimeter Tool”

  1. very useful tool, have you also published a document which explains the concepts used? does the application source code have a license?
    Best Regards
    Gianmarco

  2. Thank you. I am sorry, but there is not any document; the concept is simple: attach to the process and search for the meterpreter string. It is not open source yet.

  3. hi, you search for the meterpreter string? you search for the meterpreter sha1, for example? only one info: how can I calculate the sha1 of meterpreter? I hope you can give me a short response,
    Best Regards
    Gianmarco

  4. Just one of the strings.

  5. hi, for this I think you have the meterpreter source code, you have compiled it and you have got the sha image of the entire meterpreter or of a part of it, is it ok in this way?

    Regards and Thank You in advance for a short response
    Gianmarco
    P.S. sorry for my improvable English :-)

  6. No md5 or sha, just searching for a string in the meterpreter binary.

  7. Ok, you search for an “arbitrary” string of N chars of meterpreter in the process? ok, probably I’m starting to understand some elements…, Thank You

  8. if the concept is this it is “simple”, but if a hacker does a custom meterpreter (entire code reparse), probably it is not visible to antimeter, or not? sorry, if you can, can you post a source code link of meterpreter? my curiosity for security increases with interesting arguments like this, really thanks and sorry if my question is not very interesting

  9. You can do it for any process running in memory, so nothing special for meterpreter, ciao

  10. If the hacker replaces all the strings in the meterpreter source code with custom ones and then compiles meterpreter, antimeter will not be able to detect it. The concept is simple, but some hackers are too lazy and ignorant to modify the source code and compile and bla bla :)
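As an added example in Python (not antimeter’s own code, whose source the author says is lost), here is the detection idea from comment 2 and the limitation from comment 10 put together: a chunked memory scanner that searches for a marker string in both ASCII and UTF-16LE form, honours an exclusion list in the `-e explorer.exe,winlogon.exe` style, and shows that the same image with the marker renamed is no longer flagged. The marker `meterpreter` is a stand-in, since the tool’s actual signature string is not given on the page, and the Linux `/proc` reader stands in for the Windows OpenProcess/ReadProcessMemory path a tool like this would use.

```python
"""Toy memory-string scanner built around the antimeter concept (added example, not antimeter's
own code): a chunked reader, an '-e'-style exclusion list, and a search for a marker string."""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Optional, Tuple

# Hypothetical marker list: antimeter's real signature string is not disclosed on the page,
# so "meterpreter" stands in for it.  Each marker is searched as ASCII and as UTF-16LE,
# because many strings inside Windows binaries are stored in the wide form.
DEFAULT_MARKERS = [b"meterpreter"]


@dataclass(frozen=True)
class Hit:
    address: int    # virtual address where the marker starts
    marker: bytes   # marker that matched (ASCII form)
    encoding: str   # "ascii" or "utf-16-le"


def parse_exclusions(arg: str) -> set:
    """Parse a comma-separated process list as passed to -e (case-insensitive)."""
    return {name.strip().lower() for name in arg.split(",") if name.strip()}


def is_excluded(process_name: str, exclusions: Iterable[str]) -> bool:
    return process_name.lower() in {e.lower() for e in exclusions}


def _patterns(markers: Iterable[bytes]) -> List[Tuple[bytes, bytes, str]]:
    pats = []  # (needle, marker, encoding) for the ASCII and UTF-16LE spelling of each marker
    for m in markers:
        pats.append((m, m, "ascii"))
        pats.append((m.decode("ascii").encode("utf-16-le"), m, "utf-16-le"))
    return pats


def scan_chunks(base: int, chunks: Iterable[bytes], markers=DEFAULT_MARKERS) -> List[Hit]:
    """Scan consecutive reads of one region starting at virtual address `base`.
    Memory is read in fixed-size chunks, so a marker may straddle two reads: the last
    (longest needle - 1) bytes of each chunk are carried into the next scan, and a match
    is reported only when it ends inside the new chunk, so nothing is counted twice."""
    pats = _patterns(markers)
    carry = max(len(n) for n, _, _ in pats) - 1
    hits: List[Hit] = []
    tail, tail_addr = b"", base          # tail_addr is the address of tail[0]
    for chunk in chunks:
        buf = tail + chunk
        for needle, marker, enc in pats:
            for m in re.finditer(re.escape(needle), buf):
                if m.end() > len(tail):  # ends in the new chunk -> not seen before
                    hits.append(Hit(tail_addr + m.start(), marker, enc))
        tail = buf[-carry:] if carry > 0 else b""
        tail_addr += len(buf) - len(tail)
    return hits


def scan_process(name: str, regions: Iterable[Tuple[int, Iterable[bytes]]],
                 exclusions: Iterable[str] = (), markers=DEFAULT_MARKERS) -> Optional[List[Hit]]:
    """Scan one process snapshot; None means the process was skipped as excluded."""
    if is_excluded(name, exclusions):
        return None
    hits: List[Hit] = []
    for base, chunks in regions:
        hits.extend(scan_chunks(base, chunks, markers))
    return hits


def iter_proc_regions(pid: int, chunk_size: int = 64 * 1024) -> Iterator[Tuple[int, Iterator[bytes]]]:
    """Linux stand-in for OpenProcess/ReadProcessMemory: (base, chunks) for each readable
    mapping of `pid` via /proc (needs ptrace rights over the target; consume lazily)."""
    with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for line in maps:
            fields = line.split()
            start, end = (int(x, 16) for x in fields[0].split("-"))
            if "r" not in fields[1] or fields[-1] in ("[vvar]", "[vsyscall]"):
                continue                 # not readable through /proc/<pid>/mem
            def chunks(pos=start, stop=end):
                while pos < stop:
                    try:
                        mem.seek(pos)
                        data = mem.read(min(chunk_size, stop - pos))
                    except (OSError, OverflowError):
                        return           # mapping vanished or is not readable
                    if not data:
                        return
                    pos += len(data)
                    yield data
            yield start, chunks()


def demo() -> Tuple[int, int]:
    """Constructed image: a wide marker straddling two 16-byte reads is found once; the
    same image with the marker renamed (the comment 10 case) yields nothing."""
    wide = "meterpreter".encode("utf-16-le")
    image = b"A" * 10 + wide + b"B" * 6
    reads = [image[i:i + 16] for i in range(0, len(image), 16)]
    found = scan_chunks(0x400000, reads)
    renamed = image.replace(wide, "notthatname".encode("utf-16-le"))   # also 11 chars
    missed = scan_chunks(0x400000, [renamed])
    return len(found), len(missed)
```

`demo()` returns `(1, 0)`: the straddling wide string is reported exactly once, and the renamed image is not reported at all. The scan is what a `-t` timer would run against every non-excluded process; the `-a`/`-d` decision and the logging to antimeter.txt sit on top of the returned hits. A string-only signature is cheap but, as the author says, brittle, so a practitioner would treat it as one indicator among several rather than the whole detection.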

  11. I think that you are right, in any case thanks for this freeware

  12. Thank You M.S

  13. You’re welcome :)

  14. Thank you! This is a great tool.

  15. Enjoy it :)

  16. hasina says:

    I am unable to download Antimeter, don’t know what the reason is, can you send it to my email address?
    And one thing more: can you tell me if we also have meterpreter traces in the registry? If yes, how can we analyse the registry?

  17. Hello Hasina,

    Please visit http://www.packetstormsecurity.org, search for antimeter2 and try to download it.

    It leaves traces in memory, not in the registry or file system, so you should take a memory dump of the target system and analyze it.

    Regards,

    Note: I am able to download antimeter from my site, verified, fyi…

  18. komunista says:

    Hi, please, when will you publish the source of antimeter, or when will the tool become open source?

  19. I am sorry but I lost the source code months ago :(

  20. Hi, first, I do not want to blame you. But I asked because my antivirus software detects a highly dangerous threat in your executable antimeter2.exe. That scares me off; when I create a similar program which finds suspicious code in memory, I do not receive any warning from the antivirus. Your program looks suspicious until you release the source code.

    Thanks for understanding and wish to you
    best regards.
