Metasploit mailing list archives

Re: Fun with antimeter

From: Chao Mu <chao.mu () minorcrash com>
Date: Sun, 17 Apr 2011 12:05:53 -0400

I truly laughed out loud when I read your email. Great job Nikhil, truly
creative work!

I recommend creating an account on the Metasploit issue tracker (
https://dev.metasploit.com/redmine/account/register ) and then submitting
the patch as a "feature" (
https://dev.metasploit.com/redmine/projects/framework/issues/new ). While
the official Metasploit team gives the thumbs up on mailing list submissions
(someone correct me if I'm wrong), I find it fun to have an account.

However, before you do, I noticed that you accidentally mixed tabs and
spaces for indentation. Metasploit is tab-pure (as in, only use tabs for
indentation) code base. Take another look at the file called HACKING in your
metasploit director, if you haven't already.

Also, we are transitioning from Meterpreter scripts to the brand new Post
Modules, so you might want to take advantage of some of the awesomeness and
convert it into a module. Take a look at
modules/post/windows/gather/resolve_sid.rb if you want a simple reference.
It's fairly trivial.

Again, great work, keep it up :-)

Let me know if you need any help.
chao-mu.

On Sat, Apr 16, 2011 at 11:43 AM, Nikhil Mittal
<nikhil_uitrgpv () yahoo co in>wrote:

Hi List,

Today I was playing with antimeter (A program from hack4career.com to
detect and kill meterpreter in memory). It indeed detects and kills
meterpreter. One thing I noticed is that antimeter do not checks its own
memory for meterpreter.

So I wrote this very small script which can be used to either kill
antimeter or to migrate into it to avoid detection. I name it antiantimeter.
hehe

meterpreter > run antiantimeter -k
[*] Searching for antimeter...
[*] Found antimeter process 5116...Killing

--------------------------------------------------------------------------------------------------------------------------------
meterpreter > run antiantimeter -m
[*] Searching for antimeter...
[*] Found antimeter process 2488...Migrating in it
[*] Migrated into antimeter.exe -  2488


P.S. I have borrowed code from some existing scripts. Its just a script for
fun do not expect anything useful ;)

Nikhil Mittal
@nikhil_mitt

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework

Current thread:

Fun with antimeter Nikhil Mittal (Apr 16)
- Re: Fun with antimeter Chao Mu (Apr 17)