Generally I prefer writing my articles in Turkish, and I support them with proof-of-concept code, videos and small tools. In my previous article I created a small tool called antimeter, which scans memory to detect, and also kill, Metasploit’s meterpreter. I did not expect that much interest from the community, so I did not implement core features like logging and autokill, but antimeter suddenly got nice feedback, so I have decided to implement these features and more for the community.
I will release the second version of antimeter in two days, stay tuned…
Here is the antimeter version 2.0 as I promised to the community, click here to download it.
Usage: antimeter.exe [arguments]
-t [time interval] Scans memory every specified time interval (default time interval is one minute)
-a Automatically kills the meterpreter process (disabled by default)
-d Only detects the meterpreter process (disabled by default)
-e Adds processes to the exclusion list
Scans memory every 5 minutes, kills the meterpreter process automatically, verbose mode enabled: antimeter.exe -t 5 -a -v
Scans memory every minute and only detects the meterpreter process: antimeter.exe -n
Scans memory every minute; the explorer and winlogon processes are excluded from scanning: antimeter.exe -e explorer.exe,winlogon.exe
Added logging feature (log file is antimeter.txt).
Added auto kill feature (kills the meterpreter process automatically after detection, no user interaction).
Added “detection mode only” feature (does not kill the meterpreter process, detection only).
Added exclusion support (does not scan the specified processes; separate multiple processes with a comma).
Very useful tool. Have you also published a document which explains the concepts used? Does the application source code have a license?
Thank you. I am sorry, but there is not any document; the concept is simple: attach to the process, search for the meterpreter string. It is not open source yet.
Hi, you search for the meterpreter string? Do you search for the meterpreter SHA1, for example? Only one piece of info: how can I calculate the SHA1 of meterpreter? I hope you can give me a short response.
Just one of the strings.
Hi, for this I think you have the meterpreter source code, you have compiled it and you have got the SHA image of the entire meterpreter or of a part of it, is it ok in this way?
Regards and thank you in advance for a short response.
P.S. Sorry for my improvable English :-)
No MD5 or SHA, just searching for a string in the meterpreter binary.
Ok, you search for an “arbitrary” string of N chars of meterpreter in the process? Ok, probably I’m starting to understand some elements… Thank you.
You can do it for any process running in memory, so nothing special for meterpreter, ciao.
If the concept is this, it is “simple”, but if a hacker does a custom (entire code reparse) meterpreter, probably it is not visible from antimeter, or not? Sorry, if you can, can you post the source code link of meterpreter? My curiosity for security increases with interesting arguments like this, really thanks and sorry if my question is not very interesting.
If the hacker replaces all the strings in the meterpreter source code with custom ones and then compiles meterpreter, antimeter will not be able to detect it. The concept is simple, but some hackers are too lazy and ignorant to modify the source code and compile and bla bla :)
I think that you are right; in any case thanks for this freeware.
Thank You M.S
You’re welcome :)
Thank you! This is a great tool.
Enjoy it :)
I am unable to download antimeter, don’t know what the reason is; can you send it to my email address?
And one thing more: can you tell me if we have meterpreter traces in the registry too? If yes, how can we analyse the registry?
Please visit http://www.packetstormsecurity.org, search for antimeter2 and try to download it.
It leaves traces in memory, not in the registry or file system, so you should take a memory dump of the target system and analyze it.
Note: I am able to download antimeter from my site, verified, fyi…
Hi, please, when will you publish the source of antimeter, or when will the tool come open source?
I am sorry but I lost the source code months ago :(
Hi, first, I do not want to blame you. But I asked because my antivirus software detects a high-danger threat in your executable antimeter2.exe. That scares me off; when I create a similar program which finds suspicious code in memory, I do not receive any warning from the antivirus. Your program looks suspicious until you release the source code.
Thanks for understanding and best wishes to you
Does this work on Wine in Ubuntu?
No idea. Feel free to try and let us know. ;)
My knowledge of how this works is completely terrible, so sorry if I can’t explain this well.
I tried out your tool, and it detected pokerstars.exe as meterpreter. I killed it and it killed the legit pokerstars software.
I also tried using another tool called anti-pwny. There were detections for things like chrome.exe (at least 3 different Chrome processes are detected) and gameutil1.exe, which is a pokerstars process (like 3 different chrome processes).
I guess my question is, how am I to know if these are false positives? Can meterpreter hide as these things? I took a mem dump of each process, will that tell me if they truly are meterpreter? I feel like the coincidence that both software detected the pokerstars thing might be too big to ignore.
Take a memory dump and analyse it. (Example: https://www.youtube.com/watch?v=6QRFvdimckM)
I tried a couple of times, but Redline does not appear to work with Windows 10. Is there anything similar to Redline that works with Windows 10 and can detect injections as well?
Use Volatility for memory analysis. Yes, it is able to detect injection as well.