Monday, January 14, 2013

(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.

This is how it looks like when ran inside a Windows 7 on VMWare.

I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.


  1. This correctly identifies a Hyper-V VM running under Windows 8.

  2. That's cute. Makes me wonder if a non-VM machine, with suitable reg keys or drivers loaded, could fool malware into thinking it's in a sandbox and aborting.

    1. That would be possible in this case. This script depends entirely on Registry keys and names of processes to detect VM.

  3. Hi Successfully detected a windows 2012 server running on vkvm/Qemu.
    It also detect as a HyperV machine, perhaps cause Windows 2012 host hyperv...

  4. Navigation on a touch screen is very tedious, it keeps taking me to next/prev page when I scroll or zoom, plz fix as I am quite enjoying your research good sir.


Note: Only a member of this blog may post a comment.