Antimeter Tool

Generally I prefer writing my articles in Turkish and I support my articles with proof of concept codes, videos and small tools. In my previous article, I created a small tool called antimeter which scans memory for detecting and also killing Metasploit’s meterpreter. I did not expect that much interest from the community therefore I did not implement core features like logging and autokill but suddenly antimeter got nice feedbacks so I have decided to implement these features and more for the community. I will release the second version of antimeter in two days, stay tuned…

Here is the antimeter version 2.0 as I promised to the community, click here to download it.

USAGE
——-

Usage: antimeter.exe [arguments]

Optional arguments:
-t [time interval] Scans memory in every specified time interval (Default time interval is one minute)
-a Automatically kills the meterpreter process (Disabled by default)
-d Only detects the meterpreter process (Disabled by default)
-e Adds process to the exclusion list

EXAMPLES
———-

Scans memory in every 5 minutes, kills the meterpreter process automatically, verbose mode is enabled: antimeter.exe -t 5 -a -v

Scans memory in every minute and only detects the meterpreter process: antimeter.exe -n

Scans memory in every minute, explorer and winlogon processes are excluded from scanning: antimeter.exe -e explorer.exe,winlogon.exe

CHANGELOG (v2.0)
——————

Added logging feature. (log file is antimeter.txt)
Added auto kill feature. (Kills the meterpreter process automatically after detection, no user interaction)
Added “detection mode only” feature. (Does not kill the meterpreter process, detection only)
Added exclusion support. (Do not scan specified processes. Seperate multiple processes with , (comma))

VIDEO
——–

image_pdfShow this post in PDF formatimage_printPrint this page
28 comments
    1. Thank you, I am sorry but there is not any document but the concept is simple, attach process, search for meterpreter string. It is not open source yet.

  1. hi,you search for meterpretrer string ? you search for meterpreter sha1 for sample? only one info ,how to can calculate sha1 of meterpreter?,I hope you can give me a short response,
    Best Regards
    Gianmarco

  2. hi ,for this i think you have meterpreter source code ,you have compiled it and you have getted sha image of entire meterpreter or of a part of this, is iit ok in this way?

    Regards and Thank You in advance for a short response
    Gianmarco
    P.S. sorry for my improvable english :-)

  3. Ok ,you search for an “arbitrary” string len N chars of meterpreter in process? ok,probably I’m starting to understand some element….,Thank You

    1. You can do it for any process running in the memory so nothing special for meterpreter, ciao

  4. if concept is this it is “simple” but if an hacker will do a custom (entire code reparse) meterpreter probably is not visible from antimeter or not? sorry if you can you can post source code link of meterpreter my curiosity for security increase with interesting arguments like this, really thanks and sorry if my question is not very interesting

    1. If the hacker replaces all the strings in the meterpreter source code with custom ones and then compile the meterpreter, antimeter will not able to detect it. Concept is simple but some hackers are too lazy and ignorance to modify the source code and compile and bla bla :)

  5. I am unable to download Antimeter, dont know whats the reason, can you send me on my email address,
    and one thing more can you tell me if we have meterpreter traces also in registry if Yes how we can analyse registry.

    1. Hello Hasina,

      Please visit http://www.packetstormsecurity.org, search for antimeter2 and try to download it.

      It leaves traces on memory not registry or file system so you should take memory dump of the target system and analyze it.

      Regards,

      Note: I can able to download antimeter from my site, verified, fyi…

  6. Hi, first I do not want to blame you. But I asked because my antivirus software detect a high dangerous threat in your executable antimeter2.exe. That’s scare me off, when i create a similar program whose find suspicious code in memory then I not recive any warning by antivirus. Your program looks suspicious until u not release a source code.

    Thanks for understanding and wish to you
    best regards.

  7. Hello!

    My knowledge for how this works is completely terrible, so sorry if I can’t explain this well.

    I tried out your tool, and it detected pokerstars.exe as meterpreter. I killed it and it killed the legit pokerstars software.

    I also tried using another tool called anti-pwny. There were detections for things like Chrome.exe (atleast 3 differnt Chrome procceses are detected) and and gameutil1.exe, which is a pokerstars process (like 3 different chrome processes)

    I guess my question is, how am I to know if these are false positives? Can meterpreter hide as these things? I took a mem dump of each process, will that tell me if they truly are meterpreter? I feel like the coincidence that both software detected the pokerstars thing might be too big to ignore.

    Thanks!

  8. I tried a couple of times, but redline does not appear to work with Windows 10. Is there anything similar to redline that works with windows 10 that can detect injections as well?

  9. antimeter2 Windows 10’da çalışıyor mu? Çok fazla crack oyun indirdiğim için bilgisayarımda %75 ihtimalle meterpreter gibi zararlı yazılımlar olacağından şüphe ediyorum. Bide bloglarını okuduktan sonra antimeter zip dosyasını açmaya korkuyorum rahatlıkla açabilir miyim?

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like
Read More

WhatsApp Scammers

Introduction I recently received my share of calls and messages from foreign cell phone numbers, disturbing almost everyone, especially in Turkey, who has used the WhatsApp application in recent days. Of course, as in my articles on other scams (Exposing Pig Butchering Scam, LinkedIn Scammers, Instagram Scammers), I rolled up…
Read More
Read More

Cryptokiller Aracı

Geçtiğimiz haftalarda, kullanıcıların ve kurumların oldukça başını ağrıtan Cryptolocker zararlı yazılımı üzerinde çalışırken, işletim sistemine Cryptolocker zararlı yazılımının bulaştığını tespit edip, işlemi (process) durduran Cryptokiller adında bir araç hazırladım. Windows 7 Enterprise SP1 (x86)’de test ettiğim bu aracı 5 farklı Cryptolocker zararlı yazılımı üzerinde test ettikten sonra yeni bir salgın…
Read More