I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of a virtual environment. I found this post module in msf by Carlos Perez, which is easy to understand, and quickly ported the script to PowerShell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)
The script checks a number of indicators, such as registry keys and running services, for Hyper-V, VMware, Virtual PC, VirtualBox, Xen and QEMU.
A code snippet showing the logic for detection of Hyper-V:
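The following is an added illustration of the registry-key-plus-service approach described above; it is not the Nishang script itself or Carlos Perez's msf module. The registry paths and the `vmic*` service names are well-known artifacts of the Hyper-V integration services, but the exact list is an assumption here, and the function name `Test-HyperVGuest` is made up for this example.

```powershell
# Added example (not the original Nishang script): report the Hyper-V
# indicators found on the local machine. Returns an object with a boolean
# verdict and the list of matched indicators, so the caller can see *why*
# the machine was classified as a guest.
function Test-HyperVGuest {
    $indicators = @()

    # 1. Guest integration components register a parameters key (assumed path)
    $guestKey = 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters'
    if (Test-Path -Path $guestKey) {
        $indicators += "Registry key present: $guestKey"
    }

    # 2. The virtual BIOS advertises itself in the system description
    $sys = Get-ItemProperty -Path 'HKLM:\HARDWARE\DESCRIPTION\System' -ErrorAction SilentlyContinue
    if ($sys) {
        # SystemBiosVersion is REG_MULTI_SZ, so join the lines before matching
        $biosVersion = ($sys.SystemBiosVersion -join ' ')
        if ($biosVersion -match 'VRTUAL|Hyper-V') {
            $indicators += "SystemBiosVersion: $biosVersion"
        }
    }

    # 3. Integration services installed in the guest (assumed service names)
    $vmicServices = 'vmicheartbeat', 'vmicvss', 'vmicshutdown',
                    'vmicexchange', 'vmickvpexchange', 'vmictimesync'
    foreach ($name in $vmicServices) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            $indicators += "Service present: $name"
        }
    }

    [PSCustomObject]@{
        IsHyperVGuest = ($indicators.Count -gt 0)
        Indicators    = $indicators
    }
}

# Usage: print the verdict and the evidence behind it
$result = Test-HyperVGuest
$result | Format-List
```

Because every check is a string lookup in the registry or the service list, the result is only as trustworthy as those artifacts: a physical host with the same keys and service names present will be classified as a guest, and a guest with the integration services removed will not be. That is why the output carries the matched indicators rather than just a yes/no, so a reviewer can judge the evidence.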
This is how it looks when run inside Windows 7 on VMware.
I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)
UPDATE: Thomas has confirmed that the script detected a Hyper-V machine.
The script has been added to the Nishang repo; please update your copy of the repo to get the script.
Hope this would be useful. Comments and suggestions are welcome.
This correctly identifies a Hyper-V VM running under Windows 8.
Thanks Thomas, I have updated the post.
That's cute. Makes me wonder if a non-VM machine, with suitable reg keys or drivers loaded, could fool malware into thinking it's in a sandbox and aborting.
That would be possible in this case. This script depends entirely on registry keys and names of processes to detect a VM.
Hi. Successfully detected a Windows 2012 server running on vkvm/Qemu.
It also detects as a Hyper-V machine, perhaps because Windows 2012 hosts Hyper-V...
Navigation on a touch screen is very tedious; it keeps taking me to the next/prev page when I scroll or zoom. Please fix, as I am quite enjoying your research, good sir.