rvazarkar / antipwny Goto Github PK
View Code? Open in Web Editor NEWA host based IDS written in C# Targetted at Metasploit
License: GNU General Public License v2.0
A host based IDS written in C# Targetted at Metasploit
License: GNU General Public License v2.0
The Antipwny-master reporting google chrome and Mozilla Firefox as meterpreter it's again and again i even uninstalled and reinstalled it .is it a false warning?
it would be useful if this could be invoked on the command line, do a one time scan, and output the results to a file.
Hello,
I am trying to learn more about the specific signature that you're using to detect Meterpreter sessions in memory. I am seeing a lot of false positives and I would like to see if there's a way to make AntiPwny provide more information into it's detections.
In "AnalysisEngine/Utilities.cs" the Meterpreter signature is defined as a byte array containing.....
0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D, 0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B
In Hex format this translates to.....
8c 8b 9b 9e 8f 96 a0 8c 86 8c a0 8f 8d 90 9c 9a 8c 8c a0 98 9a 8b 8f 96 9b
So I fired up HeapMemView and tried to manually go looking for partial signatures in the false positives I was seeing. I cannot find sequences of bytes from the array that match in the processes where AntiPwny claims to have found a Meterpreter.
I am wondering where you found the data contained in your byte array? Did you just inject a target PC and then run HeapMemView on the target to copy/paste a sample of a Meterpreter infection? Is the data inside that byte array mostly static during Meterpreter infection? Does the byte array's data have any specific significance? If I knew how you obtained that sample of bytes I could create my own byte arrays and experiment. I'm thinking that we need a larger signature to avoid these false positives due to entropy in other programs being picked up as a match to the Meterpreter signature.
I'm not an expert with C# either (getting better and better though) so please correct me if wrong. But after looking at the following code.....
` long Result = IndexOf(buff, metxor);
if (Result > 0)
{
buff = null;
GC.Collect();
return true;
}
Result = IndexOf(buff, javameter);
if (Result > 0)
{
buff = null;
GC.Collect();
return true;
}
buff = null;`
It kinda looks like if the meterpreter signature begins at buff[0] it will slip right by undetected; because IndexOf starts counting at 0. This might be impossible depending on where the signature byte array sample came from in the original processes memory but I can't say that for sure because there's not much describing the signature itself.
I'm really excited about this application. I really appreciate you making it and posting it on Github.
Thank you!
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.