
antipwny's People

Contributors

rvazarkar


antipwny's Issues

antipwny-master showing meterpreter

Antipwny-master keeps reporting Google Chrome and Mozilla Firefox as Meterpreter again and again; I even uninstalled and reinstalled it. Is it a false warning?

Signature Information

Hello,

I am trying to learn more about the specific signature that you're using to detect Meterpreter sessions in memory. I am seeing a lot of false positives and I would like to see if there's a way to make AntiPwny provide more information about its detections.

In "AnalysisEngine/Utilities.cs" the Meterpreter signature is defined as a byte array containing:

0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D, 0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B

In hex format this translates to:

8c 8b 9b 9e 8f 96 a0 8c 86 8c a0 8f 8d 90 9c 9a 8c 8c a0 98 9a 8b 8f 96 9b

So I fired up HeapMemView and tried to manually go looking for partial signatures in the false positives I was seeing. I cannot find sequences of bytes from the array that match in the processes where AntiPwny claims to have found a Meterpreter.

I am wondering where you found the data contained in your byte array? Did you just inject a target PC and then run HeapMemView on the target to copy/paste a sample of a Meterpreter infection? Is the data inside that byte array mostly static during Meterpreter infection? Does the byte array's data have any specific significance? If I knew how you obtained that sample of bytes I could create my own byte arrays and experiment. I'm thinking that we need a larger signature to avoid these false positives due to entropy in other programs being picked up as a match to the Meterpreter signature.

I'm not an expert with C# either (getting better and better though), so please correct me if I'm wrong. But after looking at the following code:

```csharp
long Result = IndexOf(buff, metxor);
if (Result > 0)
{
    buff = null;
    GC.Collect();
    return true;
}

Result = IndexOf(buff, javameter);
if (Result > 0)
{
    buff = null;
    GC.Collect();
    return true;
}
buff = null;
```

It kinda looks like if the Meterpreter signature begins at buff[0] it will slip right by undetected, because IndexOf starts counting at 0. This might be impossible depending on where the signature byte array sample came from in the original process's memory, but I can't say that for sure because there's not much describing the signature itself.

I'm really excited about this application. I really appreciate you making it and posting it on Github.

Thank you!
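The two points raised in this issue, what the signature bytes mean and whether a match at offset 0 is reported, can be checked directly. The following is an added example written for this page; it is not AntiPwny's code and does not reuse anything from AnalysisEngine/Utilities.cs beyond the 25 bytes quoted above. XORing each of those bytes with 0xFF yields the ASCII string `stdapi_sys_process_getpid`; treating 0xFF as the key is an inference from the variable name `metxor`, not something the project documents. The `index_of`, `detected_as_posted`, `detected_fixed` and `scan_report` functions and the three sample buffers are all constructed for the example; the buffers are not real process dumps.

```python
"""Added example (not AntiPwny's code): scan a buffer for the Meterpreter
byte signature quoted in the issue, show the offset-0 edge case of the
`Result > 0` check, and return enough detail to triage a hit."""
from typing import Optional

# The 25-byte signature exactly as quoted from AnalysisEngine/Utilities.cs.
METXOR = bytes([
    0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D,
    0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B,
])


def decode_signature(sig: bytes = METXOR, key: int = 0xFF) -> str:
    """XOR every byte with `key`. 0xFF is an assumption suggested by the name
    'metxor'; with it the array decodes to printable ASCII."""
    return bytes(b ^ key for b in sig).decode("ascii")


def index_of(buff: bytes, needle: bytes) -> int:
    """Same contract as the C# IndexOf helper in the issue: offset of the
    first match, or -1 when absent. bytes.find() has exactly that contract."""
    return buff.find(needle)


def detected_as_posted(buff: bytes) -> bool:
    """Mirrors the quoted C# condition `if (Result > 0)`. A match that begins
    at buff[0] returns 0, which is not > 0, so the buffer is reported clean."""
    return index_of(buff, METXOR) > 0


def detected_fixed(buff: bytes) -> bool:
    """Corrected condition: any non-negative offset is a hit."""
    return index_of(buff, METXOR) != -1


def scan_report(buff: bytes, context: int = 8) -> Optional[dict]:
    """Describe a hit (offset, matched bytes, surrounding bytes, decoded form)
    so an analyst can judge true vs. false positive; None when absent."""
    off = index_of(buff, METXOR)
    if off == -1:
        return None
    end = off + len(METXOR)
    return {
        "offset": off,
        "match_hex": buff[off:end].hex(),
        "decoded": decode_signature(buff[off:end]),
        "context_hex": buff[max(0, off - context):end + context].hex(),
    }


# Constructed sample buffers (not real process memory).
SAMPLE_MID = b"\x00" * 16 + METXOR + b"\x90" * 8   # signature at offset 16
SAMPLE_START = METXOR + b"\x00" * 24               # signature at offset 0
SAMPLE_CLEAN = bytes(range(256)) * 2                # no signature present

if __name__ == "__main__":
    print("decoded signature:", decode_signature())
    for name, buf in (("mid", SAMPLE_MID), ("start", SAMPLE_START),
                      ("clean", SAMPLE_CLEAN)):
        print(f"{name:5} posted={detected_as_posted(buf)} "
              f"fixed={detected_fixed(buf)}")
    print(scan_report(SAMPLE_MID))
```

Running the block prints the decoded string, then shows that the `> 0` form misses `SAMPLE_START` while the `!= -1` form catches it; `scan_report` is the kind of output the issue asks for, since the offset and surrounding bytes let a reviewer confirm whether a flagged process actually holds the encoded string.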
