Monday, January 14, 2013

(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.



This is how it looks like when ran inside a Windows 7 on VMWare.


I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.

6 comments:

  1. This correctly identifies a Hyper-V VM running under Windows 8.

    ReplyDelete
  2. That's cute. Makes me wonder if a non-VM machine, with suitable reg keys or drivers loaded, could fool malware into thinking it's in a sandbox and aborting.

    ReplyDelete
    Replies
    1. That would be possible in this case. This script depends entirely on Registry keys and names of processes to detect VM.

      Delete
  3. Hi Successfully detected a windows 2012 server running on vkvm/Qemu.
    It also detect as a HyperV machine, perhaps cause Windows 2012 host hyperv...

    ReplyDelete
  4. Navigation on a touch screen is very tedious, it keeps taking me to next/prev page when I scroll or zoom, plz fix as I am quite enjoying your research good sir.

    ReplyDelete

Note: Only a member of this blog may post a comment.