Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/windows/gather/checkvm.rb
19535 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Post

7
  include Msf::Post::Windows::Process

8
  include Msf::Post::Windows::Registry

9
  include Msf::Auxiliary::Report

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Windows Gather Virtual Environment Detection',

16
        'Description' => %q{

17
          This module attempts to determine whether the system is running

18
          inside of a virtual environment and if so, which one. This

19
          module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU,

20
          and Parallels.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'Carlos Perez <carlos_perez[at]darkoperator.com>',

25
          'Aaron Soto <aaron_soto[at]rapid7.com>'

26
        ],

27
        'Platform' => [ 'win' ],

28
        'SessionTypes' => %w[meterpreter powershell shell],

29
        'References' => [

30
          ['URL', 'https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf'],

31
          ['URL', 'https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf'],

32
          ['URL', 'https://evasions.checkpoint.com/techniques/registry.html']

33
        ],

34
        'Notes' => {

35
          'Stability' => [CRASH_SAFE],

36
          'Reliability' => [],

37
          'SideEffects' => []

38
        }

39
      )

40
    )

41
  end

42


43
  # enumerates through a list of VM signature processes and compares them to

44
  # the processes running, returns true upon a match.

45
  def processes_exist?(vm_processes)

46
    vm_processes.each do |x|

47
      @processes.each do |p|

48
        return true if p['name'].casecmp?(x)

49
      end

50
    end

51
    false

52
  end

53


54
  # loops over a list of services that are known to be signatures of vm's and

55
  # compares them to the list of running services.

56
  def services_exist?(vm_services)

57
    vm_services.each do |srvc|

58
      return true if service_exists?(srvc)

59
    end

60
    false

61
  end

62


63
  def service_exists?(service)

64
    @services.include?(service)

65
  end

66


67
  # registers relevant keys and stores them in a hash

68
  def register_keys(key_list)

69
    @keys = {}

70
    key_list.each do |k|

71
      srvals = get_srval(k)

72
      srvals = [] if srvals.nil?

73
      @keys.store(k, srvals)

74
    end

75
    @keys

76
  end

77


78
  # checks the values of the keys and compares them to vm_k

79
  def key_present?(vm_k)

80
    @keys.each_value do |v|

81
      return true if v.include?(vm_k)

82
    end

83
    false

84
  end

85


86
  def get_srval(key)

87
    srvals = registry_enumkeys(key)

88
    srvals = [] if srvals.nil?

89
    srvals

90
  end

91


92
  # returns true if regval matches a regex

93
  def regval_match?(key, val, rgx)

94
    return true if get_regval_str(key, val) =~ rgx

95


96
    false

97
  end

98


99
  # returns true if regval is eql to a string

100
  def regval_eql?(key, val, str)

101
    get_regval_str(key, val) == str

102
  end

103


104
  def get_regval_str(key, valname)

105
    ret = registry_getvaldata(key, valname)

106
    if ret.is_a?(Array)

107
      ret = ret.join

108
    end

109
    ret

110
  end

111


112
  def parallels?

113
    @system_bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion')

114


115
    @video_bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion')

116


117
    if @system_bios_version =~ /parallels/i || @video_bios_version =~ /parallels/i

118
      return true

119
    end

120


121
    false

122
  end

123


124
  def hyperv?

125
    physical_host = get_regval_str('HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters', 'PhysicalHostNameFullyQualified')

126


127
    if physical_host

128
      report_note(

129
        host: session,

130
        type: 'host.physicalHost',

131
        data: { physicalHost: physical_host },

132
        update: :unique_data

133
      )

134


135
      print_good("This is a Hyper-V Virtual Machine running on physical host #{physical_host}")

136
      return true

137
    end

138


139
    sfmsvals = registry_enumkeys('HKLM\\SOFTWARE\\Microsoft')

140
    if sfmsvals

141
      %w[Hyper-V VirtualMachine].each do |vm|

142
        return true if sfmsvals.include?(vm)

143
      end

144
    end

145


146
    if @system_bios_version =~ /vrtual/i || @system_bios_version == 'Hyper-V'

147
      return true

148
    end

149


150
    keys = %w[HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT HKLM\\HARDWARE\\ACPI\\DSDT]

151


152
    register_keys(keys)

153


154
    return true if key_present?('VRTUAL')

155


156
    hyperv_services = %w[vmicexchange]

157


158
    return true if services_exist?(hyperv_services)

159


160
    false

161
  end

162


163
  def vmware?

164
    vmware_services = %w[

165
      vmdebug vmmouse VMTools VMMEMCTL tpautoconnsvc

166
      tpvcgateway vmware wmci vmx86

167
    ]

168


169
    return true if services_exist?(vmware_services)

170


171
    @system_manufacturer = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS',

172
                                          'SystemManufacturer')

173


174
    return true if @system_manufacturer =~ /vmware/i

175


176
    @scsi_port_1 = get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0',

177
                                  'Identifier')

178


179
    return true if @scsi_port_1 =~ /vmware/i

180


181
    return true if regval_match?(

182
      'HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000',

183
      'DriverDesc',

184
      /cl_vmx_svga|VMWare/i

185
    )

186


187
    vmwareprocs = [

188
      'vmtoolsd.exe',

189
      'vmwareservice.exe',

190
      'vmwaretray.exe',

191
      'vmwareuser.exe'

192
    ]

193


194
    return true if processes_exist?(vmwareprocs)

195


196
    false

197
  end

198


199
  def virtualbox?

200
    vboxprocs = [

201
      'vboxservice.exe',

202
      'vboxtray.exe'

203
    ]

204


205
    vbox_srvcs = %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo]

206


207
    if services_exist?(vbox_srvcs) || processes_exist?(vboxprocs)

208
      return true

209
    end

210


211
    return true if key_present?('VBOX__')

212


213
    for i in 0..2 do

214
      return true if regval_match?(

215
        "HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target

216
         Id 0\\Logical Unit Id 0",

217
        'Identifier',

218
        /vbox/i

219
      )

220
    end

221


222
    return true if @system_bios_version =~ /vbox/i || @video_bios_version =~ /virtualbox/i

223


224
    @system_product_name = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName')

225


226
    return true if @system_product_name =~ /virtualbox/i

227


228
    false

229
  end

230


231
  def xen?

232
    xenprocs = [

233
      'xenservice.exe'

234
    ]

235


236
    xen_srvcs = %w[xenevtchn xennet xennet6 xensvc xenvdb]

237


238
    if processes_exist?(xenprocs) || services_exist?(xen_srvcs)

239
      return true

240
    end

241


242
    return true if key_present?('Xen')

243


244
    return true if @system_product_name =~ /xen/i

245


246
    false

247
  end

248


249
  def qemu?

250
    if @system_bios_version =~ /qemu/i || @video_bios_version =~ /qemu/i

251
      return true

252
    end

253


254
    if @scsi_port_0 =~ /qemu|virtio/i || @system_manufacturer =~ /qemu/i

255
      return true

256
    end

257


258
    return true if regval_match?(

259
      'HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0',

260
      'ProcessorNameString',

261
      /qemu/i

262
    )

263


264
    return true if key_present?('BOCHS_')

265


266
    false

267
  end

268


269
  def report_vm(hypervisor)

270
    print_good("This is a #{hypervisor} Virtual Machine")

271
    report_note(

272
      host: session,

273
      type: 'host.hypervisor',

274
      data: { hypervisor: hypervisor },

275
      update: :unique_data

276
    )

277
    report_virtualization(hypervisor)

278
  end

279


280
  def run

281
    print_status('Checking if the target is a Virtual Machine ...')

282
    @processes = get_processes

283
    @processes = [] if @processes.nil?

284


285
    @services = registry_enumkeys('HKLM\\SYSTEM\\ControlSet001\\Services')

286
    @services = [] if @services.nil?

287


288
    if parallels?

289
      report_vm('Parallels')

290
    elsif hyperv?

291
      report_vm('Hyper-V')

292
    elsif vmware?

293
      report_vm('VMware')

294
    elsif virtualbox?

295
      report_vm('VirtualBox')

296
    elsif xen?

297
      report_vm('Xen')

298
    elsif qemu?

299
      report_vm('Qemu/KVM')

300
    else

301
      print_status('The target appears to be a Physical Machine')

302
    end

303
  end

304
end

305


306