-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcheckvm.rb
352 lines (340 loc) · 8.77 KB
/
checkvm.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
# Meterpreter script for detecting if target host is a Virtual Machine
# Provided by Carlos Perez at carlos_perez[at]darkoperator.com
# Version: 0.2.0
session = client
@@exec_opts = Rex::Parser::Arguments.new(
"-h" => [ false,"Help menu." ]
)
@@exec_opts.parse(args) { |opt, idx, val|
case opt
when "-h"
print_line("CheckVM -- Check various attributes on the target for evidence that it is a virtual machine")
print_line("USAGE: run checkvm")
print_line(@@exec_opts.usage)
raise Rex::Script::Completed
end
}
# Function for detecting if it is a Hyper-V VM
def hypervchk(session)
begin
vm = false
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft', KEY_READ)
sfmsvals = key.enum_key
if sfmsvals.include?("Hyper-V")
print_status("This is a Hyper-V Virtual Machine")
vm = true
elsif sfmsvals.include?("VirtualMachine")
print_status("This is a Hyper-V Virtual Machine")
vm = true
end
key.close
rescue
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("vmicheartbeat")
print_status("This is a Hyper-V Virtual Machine")
vm = true
elsif srvvals.include?("vmicvss")
print_status("This is a Hyper-V Virtual Machine")
vm = true
elsif srvvals.include?("vmicshutdown")
print_status("This is a Hyper-V Virtual Machine")
vm = true
elsif srvvals.include?("vmicexchange")
print_status("This is a Hyper-V Virtual Machine")
vm = true
end
rescue
end
end
return vm
end
# Function for checking if it is a VMware VM
def vmwarechk(session)
vm = false
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("vmdebug")
print_status("This is a VMware Virtual Machine")
vm = true
elsif srvvals.include?("vmmouse")
print_status("This is a VMware Virtual Machine")
vm = true
elsif srvvals.include?("VMTools")
print_status("This is a VMware Virtual Machine")
vm = true
elsif srvvals.include?("VMMEMCTL")
print_status("This is a VMware Virtual Machine")
vm = true
end
key.close
rescue
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
if key.query_value('Identifier').data.downcase =~ /vmware/
print_status("This is a VMware Virtual Machine")
vm = true
end
rescue
end
end
if not vm
vmwareprocs = [
"vmwareuser.exe",
"vmwaretray.exe"
]
vmwareprocs.each do |p|
session.sys.process.get_processes().each do |x|
if p == (x['name'].downcase)
print_status("This is a VMware Virtual Machine") if not vm
vm = true
end
end
end
end
key.close
return vm
end
# Function for checking if it is a Virtual PC VM
def checkvrtlpc(session)
vm = false
vpcprocs = [
"vmusrvc.exe",
"vmsrvc.exe"
]
vpcprocs.each do |p|
session.sys.process.get_processes().each do |x|
if p == (x['name'].downcase)
print_status("This is a VirtualPC Virtual Machine") if not vm
vm = true
end
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("vpcbus")
print_status("This is a VirtualPC Virtual Machine")
vm = true
elsif srvvals.include?("vpc-s3")
print_status("This is a VirtualPC Virtual Machine")
vm = true
elsif srvvals.include?("vpcuhub")
print_status("This is a VirtualPC Virtual Machine")
vm = true
elsif srvvals.include?("msvmmouf")
print_status("This is a VirtualPC Virtual Machine")
vm = true
end
key.close
rescue
end
end
return vm
end
def vboxchk(session)
vm = false
vboxprocs = [
"vboxservice.exe",
"vboxtray.exe"
]
vboxprocs.each do |p|
session.sys.process.get_processes().each do |x|
if p == (x['name'].downcase)
print_status("This is a Sun VirtualBox Virtual Machine") if not vm
vm = true
end
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("VBOX__")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("VBOX__")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("VBOX__")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
if key.query_value('Identifier').data.downcase =~ /vbox/
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System')
if key.query_value('SystemBiosVersion').data.downcase =~ /vbox/
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("VBoxMouse")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
elsif srvvals.include?("VBoxGuest")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
elsif srvvals.include?("VBoxService")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
elsif srvvals.include?("VBoxSF")
print_status("This is a Sun VirtualBox Virtual Machine")
vm = true
end
key.close
rescue
end
end
return vm
end
def xenchk(session)
vm = false
xenprocs = [
"xenservice.exe"
]
xenprocs.each do |p|
session.sys.process.get_processes().each do |x|
if p == (x['name'].downcase)
print_status("This is a Xen Virtual Machine") if not vm
vm = true
end
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\DSDT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("Xen")
print_status("This is a Xen Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\FADT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("Xen")
print_status("This is a Xen Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\ACPI\RSDT', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("Xen")
print_status("This is a Xen Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SYSTEM\ControlSet001\Services', KEY_READ)
srvvals = key.enum_key
if srvvals.include?("xenevtchn")
print_status("This is a Xen Virtual Machine")
vm = true
elsif srvvals.include?("xennet")
print_status("This is a Xen Virtual Machine")
vm = true
elsif srvvals.include?("xennet6")
print_status("This is a Xen Virtual Machine")
vm = true
elsif srvvals.include?("xensvc")
print_status("This is a Xen Virtual Machine")
vm = true
elsif srvvals.include?("xenvdb")
print_status("This is a Xen Virtual Machine")
vm = true
end
key.close
rescue
end
end
return vm
end
def qemuchk(session)
vm = false
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0')
if key.query_value('Identifier').data.downcase =~ /qemu/
print_status("This is a QEMU/KVM Virtual Machine")
vm = true
end
rescue
end
end
if not vm
begin
key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'HARDWARE\DESCRIPTION\System\CentralProcessor\0')
if key.query_value('ProcessorNameString').data.downcase =~ /qemu/
print_status("This is a QEMU/KVM Virtual Machine")
vm = true
end
rescue
end
end
return vm
end
if client.platform =~ /win32|win64/
print_status("Checking if target is a Virtual Machine .....")
found = hypervchk(session)
found = vmwarechk(session) if not found
found = checkvrtlpc(session) if not found
found = vboxchk(session) if not found
found = xenchk(session) if not found
found = qemuchk(session) if not found
print_status("It appears to be physical host.") if not found
else
print_error("This version of Meterpreter is not supported with this Script!")
raise Rex::Script::Completed
end