Hello,
I am trying to learn more about the specific signature that you're using to detect Meterpreter sessions in memory. I am seeing a lot of false positives and I would like to see if there's a way to make AntiPwny provide more information into its detections.
In "AnalysisEngine/Utilities.cs" the Meterpreter signature is defined as a byte array containing.....
0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D, 0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B
In Hex format this translates to.....
8c 8b 9b 9e 8f 96 a0 8c 86 8c a0 8f 8d 90 9c 9a 8c 8c a0 98 9a 8b 8f 96 9b
So I fired up HeapMemView and tried to manually go looking for partial signatures in the false positives I was seeing. I cannot find sequences of bytes from the array that match in the processes where AntiPwny claims to have found a Meterpreter.
I am wondering where you found the data contained in your byte array? Did you just inject a target PC and then run HeapMemView on the target to copy/paste a sample of a Meterpreter infection? Is the data inside that byte array mostly static during Meterpreter infection? Does the byte array's data have any specific significance? If I knew how you obtained that sample of bytes I could create my own byte arrays and experiment. I'm thinking that we need a larger signature to avoid these false positives due to entropy in other programs being picked up as a match to the Meterpreter signature.
I'm not an expert with C# either (getting better and better though) so please correct me if wrong. But after looking at the following code.....

```csharp
long Result = IndexOf(buff, metxor);
if (Result > 0)
{
    buff = null;
    GC.Collect();
    return true;
}
Result = IndexOf(buff, javameter);
if (Result > 0)
{
    buff = null;
    GC.Collect();
    return true;
}
buff = null;
```

It kinda looks like if the meterpreter signature begins at buff[0] it will slip right by undetected, because IndexOf starts counting at 0. This might be impossible depending on where the signature byte array sample came from in the original process's memory, but I can't say that for sure because there's not much describing the signature itself.
I'm really excited about this application. I really appreciate you making it and posting it on GitHub.
Thank you!
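The two things the post asks about, what the 25 signature bytes are and whether a match at `buff[0]` is missed, as an added Python example that is not part of the issue or of AntiPwny's own code. The bytes are copied from the post; the XOR key `0xFF` is an assumption prompted by the field name `metxor`, and the decode producing readable ASCII is the check that the guess is right; every buffer is constructed for the demonstration. The `> 0` versus `!= -1` decision is language-independent, so Python stands in for the C# quoted above.

```python
"""Added example (not AntiPwny's code): decode the 25-byte signature quoted
in the issue and reproduce the offset-0 miss the reporter suspects.
All buffers below are constructed for the demonstration."""

# The byte array quoted from AnalysisEngine/Utilities.cs in the issue.
METXOR = bytes([
    0x8C, 0x8B, 0x9B, 0x9E, 0x8F, 0x96, 0xA0, 0x8C, 0x86, 0x8C, 0xA0, 0x8F, 0x8D,
    0x90, 0x9C, 0x9A, 0x8C, 0x8C, 0xA0, 0x98, 0x9A, 0x8B, 0x8F, 0x96, 0x9B,
])


def xor_decode(sig: bytes, key: int = 0xFF) -> str:
    """XOR every byte with a one-byte key and return the result as text.
    The 0xFF key is an assumption prompted by the field name 'metxor';
    getting printable ASCII out is the check that the guess was right."""
    return bytes(b ^ key for b in sig).decode("ascii", errors="replace")


def is_printable_ascii(text: str) -> bool:
    """True when every character is a printable 7-bit ASCII character."""
    return bool(text) and all(0x20 <= ord(c) < 0x7F for c in text)


def matches_as_quoted(buff: bytes, sig: bytes) -> bool:
    """Same decision as the C# quoted in the issue: a match at offset 0
    makes IndexOf return 0, and '> 0' then reports no match."""
    return buff.find(sig) > 0


def matches_fixed(buff: bytes, sig: bytes) -> bool:
    """Corrected decision: any offset other than -1 (not found) is a hit."""
    return buff.find(sig) != -1


def scan_buffer(buff: bytes, signatures: dict[str, bytes]) -> list[tuple[str, int]]:
    """Report every (signature name, offset) hit instead of a bare True/False,
    which is the extra detail the reporter asks for when triaging false positives."""
    hits = []
    for name, sig in signatures.items():
        start = 0
        while (pos := buff.find(sig, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


# Constructed buffers: signature at offset 0, in the middle, and absent.
AT_START = METXOR + b"\x00" * 16
IN_MIDDLE = b"\x90" * 8 + METXOR + b"\x00" * 8
ABSENT = bytes(range(256))

if __name__ == "__main__":
    print("decoded:", xor_decode(METXOR))
    for label, buf in (("at_start", AT_START), ("in_middle", IN_MIDDLE), ("absent", ABSENT)):
        print(label, "quoted:", matches_as_quoted(buf, METXOR), "fixed:", matches_fixed(buf, METXOR))
    print(scan_buffer(IN_MIDDLE + AT_START, {"metxor": METXOR}))
```

Run as a script, the decode prints `stdapi_sys_process_getpid`, i.e. the array is that ASCII string with every byte XORed by `0xFF`, which is the concrete description of the signature the post says is missing. The `at_start` line shows the quoted `> 0` check returning False while the corrected check returns True, and `scan_buffer` returns offsets rather than a boolean, so a reported detection can be checked against the actual bytes at that location.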