Added self-detection routines. Added version numbers to the executable

rvazarkar · Nov 18, 2013 · ee25ce1 · ee25ce1
1 parent 03c7b93
commit ee25ce1
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 11 deletions.
diff --git a/AnalysisEngine.sln b/AnalysisEngine.sln
@@ -19,8 +19,8 @@ Global
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU
-		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|x64.ActiveCfg = Debug|Any CPU
-		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|x64.Build.0 = Debug|Any CPU
+		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|x64.ActiveCfg = Debug|x64
+		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Debug|x64.Build.0 = Debug|x64
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Release|Any CPU.Build.0 = Release|Any CPU
 		{70E8F229-FE8C-4CEE-B336-DC5F2EBA12DB}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU

diff --git a/AnalysisEngine/Program.cs b/AnalysisEngine/Program.cs
@@ -482,7 +482,7 @@ private void procListUpdater_DoWork(object sender, System.ComponentModel.DoWorkE
                     if (!p.HasExited)
                     {
                         //Filter out ourselves as well as the Windows Defender module. Windows Defender will almost always have the signature we're looking for provided AntiPwny is running
-                        if (!p.MainModule.FileName.Contains(Path.GetFileName(System.Reflection.Assembly.GetEntryAssembly().Location)) && !p.MainModule.FileName.ToLower().Contains("msmpeng"))
+                        if (!p.MainModule.FileName.ToLower().Contains("msmpeng"))
                         {
                             //Use a different scan for Java. We still need to look for meterpreter in java as well, because it can be migrated. This will look specifically for Java Meterpreter
                             if (p.ProcessName == "java")

diff --git a/AnalysisEngine/Properties/AssemblyInfo.cs b/AnalysisEngine/Properties/AssemblyInfo.cs
@@ -5,11 +5,11 @@
 // General Information about an assembly is controlled through the following 
 // set of attributes. Change these attribute values to modify the information
 // associated with an assembly.
-[assembly: AssemblyTitle("AnalysisEngine")]
-[assembly: AssemblyDescription("")]
+[assembly: AssemblyTitle("AntiPwny")]
+[assembly: AssemblyDescription("An IDS/IPS Solution")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("")]
-[assembly: AssemblyProduct("AnalysisEngine")]
+[assembly: AssemblyProduct("AntiPwny")]
 [assembly: AssemblyCopyright("Copyright ©  2013")]
 [assembly: AssemblyTrademark("")]
 [assembly: AssemblyCulture("")]
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/AnalysisEngine/Utilities.cs b/AnalysisEngine/Utilities.cs
@@ -29,8 +29,8 @@ public static string GetCmdArguments(Process p)
             catch (Exception) { return ""; }
         }
         #region Memory Scanner
-        static byte[] meterpreter = new byte[] { 0x73, 0x74, 0x64, 0x61, 0x70, 0x69, 0x5F, 0x73, 0x79, 0x73, 0x5F, 0x70, 0x72, 0x6F, 0x63, 0x65, 0x73, 0x73, 0x5F, 0x67, 0x65, 0x74, 0x70, 0x69, 0x64 };
-        static byte[] javameter = new byte[] { 0x6d, 0x65, 0x74, 0x61, 0x73, 0x70, 0x6c, 0x6f, 0x69, 0x74 };
+        static byte[] metxor = new byte[] { 0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D, 0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B };
+        static byte[] javameter = new byte[] { 0x92, 0x9a, 0x8B, 0x9E, 0x8C, 0x8F, 0x93, 0x90, 0x96, 0x8B };
 
         [StructLayout(LayoutKind.Sequential)]
         public struct ParentProcessUtilities
@@ -109,7 +109,12 @@ public static bool scanProcess(Process p)
                 byte[] buff = new byte[MemReg[i].RegionSize.ToInt32()];
                 ReadProcessMemory(p.Handle, MemReg[i].BaseAddress, buff, MemReg[i].RegionSize.ToInt32(), IntPtr.Zero);
 
-                long Result = IndexOf(buff, meterpreter);
+                for (int j = 0; j < buff.Length; j++)
+                {
+                    buff[j] = (byte)(buff[j] ^ 0xFF);
+                }
+
+                long Result = IndexOf(buff, metxor);
                 if (Result > 0)
                 {
                     buff = null;