From dec237ce0a44945921016d785d39a579d65869be Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 20:58:22 +0200 Subject: [PATCH 01/14] Add Parallels detection --- modules/post/windows/gather/checkvm.rb | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index f7340fbee567..503bcf30fbab 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -188,6 +188,13 @@ def qemu? false end + def parallels? + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /parallels/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /parallels/i + + false + end + def report_vm(hypervisor) print_good("This is a #{hypervisor} Virtual Machine") report_note( @@ -214,6 +221,8 @@ def run report_vm('Xen') elsif qemu? report_vm('Qemu/KVM') + elsif parallels? + report_vm('Parallels') else print_status('The target appears to be a Physical Machine') end From 04da17fc7b86391e8497779ab71baadf5625a536 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:00:37 +0200 Subject: [PATCH 02/14] Add detection for JoeSandbox --- modules/post/windows/gather/checkvm.rb | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 503bcf30fbab..5c184e3368ef 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb 
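Review bot: The two `registry_getvaldata` calls in the new `parallels?` read `SystemBiosVersion` and `VideoBiosVersion` from `HKLM\HARDWARE\DESCRIPTION\System`, the same values `hyperv?`, `virtualbox?` and `qemu?` read, so one `run` pays a registry round trip per detector for the same two strings. The file already memoizes `get_services` with `@services ||=`, and the same pattern fits here, e.g. `def system_bios_version; @system_bios_version ||= registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion'); end`, with the detectors calling the helper. That also gives one place to normalise the value before it is matched with `=~`.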
@@ -195,6 +195,25 @@ def parallels? false end + def joesandbox? + vpcprocs = [ + 'joeboxcontrol.exe', + 'joeboxserver.exe' + ] + get_processes.each do |x| + vpcprocs.each do |p| + return true if p == x['name'].downcase + end + end + + key_path = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion' + return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' + key_path = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' + + false + end + def report_vm(hypervisor) print_good("This is a #{hypervisor} Virtual Machine") report_note( @@ -223,6 +242,8 @@ def run report_vm('Qemu/KVM') elsif parallels? report_vm('Parallels') + elsif joesandbox? + report_vm('JoeSandbox') else print_status('The target appears to be a Physical Machine') end From fdd212625feb2c90b9bb2e5795c4386a53e6540c Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:02:36 +0200 Subject: [PATCH 03/14] Improve VMWare detection --- modules/post/windows/gather/checkvm.rb | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 5c184e3368ef..1730cdc9c93b 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb 
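Review bot: The process list in `joesandbox?` is named `vpcprocs`, copied from `virtualpc?`, which reads as if it were the Virtual PC list; `sandbox_procs` says what it holds. The nested `each` loops collapse to `return true if get_processes.any? { |proc| sandbox_procs.include?(proc['name'].downcase) }`. `x['name'].downcase` raises if a process entry has no name, and whether `get_processes` guarantees one is not visible here, so `proc['name'].to_s.downcase` is the safe form.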
@@ -85,16 +85,20 @@ def hyperv? end def vmware? - %w[vmdebug vmmouse VMTools VMMEMCTL].each do |service| + %w[vmdebug vmmouse VMTools VMMEMCTL tpautoconnsvc tpvcgateway vmware wmci vmx86].each do |service| return true if service_exists?(service) end return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemManufacturer') =~ /vmware/i return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if registry_getvaldata('HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i vmwareprocs = [ - 'vmwareuser.exe', - 'vmwaretray.exe' + 'vmtoolsd.exe', + 'vmwareservice.exe', + 'vmwaretray.exe', + 'vmwareuser.exe' ] get_processes.each do |x| vmwareprocs.each do |p| From 29d9908f2286e92ec13f0aaf1c5c5fb4aa184eb9 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:03:10 +0200 Subject: [PATCH 04/14] Improve virtualpc detection --- modules/post/windows/gather/checkvm.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 1730cdc9c93b..7dd5ca1641c1 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -115,6 +115,7 @@ def virtualpc? end vpcprocs = [ + 'vpcmap.exe', 'vmusrvc.exe', 'vmsrvc.exe' ] From 9bed3da364f51666a2053af79821ce9fcc2218c1 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:06:14 +0200 Subject: [PATCH 05/14] Improve VirtualBox detection --- modules/post/windows/gather/checkvm.rb | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 7dd5ca1641c1..37fd8a89d1f4 100644 
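Review bot: The new service names `tpautoconnsvc`, `tpvcgateway`, `vmware`, `wmci` and `vmx86` go through `service_exists?`, which the later get_regval_str hunk shows as `get_services.include?(service)` — a case-sensitive Array lookup against registry key names that Windows treats case-insensitively, so a key enumerated as `VMware` will not match the lowercase entry. A case-insensitive comparison, `get_services.any? { |name| name.casecmp?(service) }`, would make every service list in this file robust to whatever casing the target reports. `wmci` also looks like a typo for the VMware `vmci` driver service — worth confirming on a VMware guest. `vmware?`'s body continues outside the hunk.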
--- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -144,12 +144,15 @@ def virtualbox? return true if srvvals && srvvals.include?('VBOX__') end - key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' - return true if registry_getvaldata(key_path, 'Identifier') =~ /vbox/i + for i in 0..2 do + return true if registry_getvaldata("HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port #{i}0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", 'Identifier') =~ /vbox/i + end return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /vbox/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /virtualbox/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemProductName') =~ /virtual/i - %w[VBoxMouse VBoxGuest VBoxService VBoxSF].each do |service| + %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo].each do |service| return true if service_exists?(service) end From fd45073d36a1b37fe76a310021615b8607b559d5 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:07:03 +0200 Subject: [PATCH 06/14] Improve Xen detection --- modules/post/windows/gather/checkvm.rb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 37fd8a89d1f4..bab82ded7942 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -178,6 +178,8 @@ def xen? return true if service_exists?(service) end + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemProductName') =~ /xen/i + false end From c3b77844cc5f6b28bea72503f15cca08cf9498e7 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:08:19 +0200 Subject: [PATCH 07/14] Improve Qemu detection --- modules/post/windows/gather/checkvm.rb | 4 ++++ 1 file changed, 4 insertions(+) 
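Review bot: The interpolated key in the new `virtualbox?` loop is `Scsi Port #{i}0`, which expands to `Scsi Port 00`, `Scsi Port 10` and `Scsi Port 20` rather than ports 0 to 2, so the loop no longer reads the port-0 identifier the removed `key_path` line checked; the trailing `0` should go: `"…\\Scsi\\Scsi Port #{i}\\Scsi Bus 0\\…"`. The same `#{i}0` survives in the later rewrites of this line in the backslash-escaping commit and the get_regval_str commit. `for i in 0..2 do` also leaks `i` into the method scope; `(0..2).each do |port|` is the idiomatic form.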
diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index bab82ded7942..2b4e0f4de0f3 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -190,6 +190,10 @@ def qemu? key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0' return true if registry_getvaldata(key_path, 'ProcessorNameString') =~ /qemu/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /qemu/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /qemu/i + return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemManufacturer') =~ /qemu/i + %w[HKLM\HARDWARE\ACPI\DSDT HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| srvvals = registry_enumkeys(key) return true if srvvals && srvvals.include?('BOCHS_') From f439ca4fb7ca424fa03619e1d151e1410511fe1e Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:10:56 +0200 Subject: [PATCH 08/14] Fix Multi String value issues Spotted by @cdelafuente-r7 --- modules/post/windows/gather/checkvm.rb | 56 +++++++++++++------------- 1 file changed, 28 insertions(+), 28 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 2b4e0f4de0f3..623cbe90811d 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -36,7 +36,7 @@ module supports detection of Hyper-V, VMWare, Virtual PC, end def get_services - @services ||= registry_enumkeys('HKLM\SYSTEM\ControlSet001\Services') + @services ||= registry_enumkeys('HKLM\\SYSTEM\\ControlSet001\\Services') @services end 
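Review bot: This commit, titled "Fix Multi String value issues", only doubles backslashes inside single-quoted strings and `%w[]` literals, where `'\H'` and `'\\H'` are the same string, so the `get_services`, `hyperv?`, `vmware?`, `xen?`, `qemu?`, `parallels?` and `joesandbox?` hunks change nothing at runtime and nothing in it handles REG_MULTI_SZ array values. The one behavioural change is the double-quoted `virtualbox?` key, where Ruby's escape processing was dropping the backslash from `\H`, `\D`, `\S`, `\T` and `\L` and garbling the registry path. The message should say that, e.g. `Fix backslash escaping in the interpolated VirtualBox SCSI key`, so a later reader does not look here for array handling.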
@@ -45,7 +45,7 @@ def service_exists?(service) end def hyperv? - physical_host = registry_getvaldata('HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters', 'PhysicalHostNameFullyQualified') + physical_host = registry_getvaldata('HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters', 'PhysicalHostNameFullyQualified') if physical_host report_note( host: session, @@ -57,15 +57,15 @@ def hyperv? return true end - sfmsvals = registry_enumkeys('HKLM\SOFTWARE\Microsoft') + sfmsvals = registry_enumkeys('HKLM\\SOFTWARE\\Microsoft') if sfmsvals return true if sfmsvals.include?('Hyper-V') return true if sfmsvals.include?('VirtualMachine') end - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /vrtual/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vrtual/i - %w[HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| + %w[HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) return true if srvvals && srvvals.include?('VRTUAL') end @@ -74,11 +74,11 @@ def hyperv? return true if service_exists?(service) end - key_path = 'HKLM\HARDWARE\DESCRIPTION\System' + key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System' system_bios_version = registry_getvaldata(key_path, 'SystemBiosVersion') return true if system_bios_version && system_bios_version.include?('Hyper-V') - key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' + key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0' return true if registry_getvaldata(key_path, 'Identifier') =~ /Msft Virtual Disk 1.0/i false 
@@ -89,10 +89,10 @@ def vmware? return true if service_exists?(service) end - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemManufacturer') =~ /vmware/i - return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i - return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i - return true if registry_getvaldata('HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /vmware/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if registry_getvaldata('HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i vmwareprocs = [ 'vmtoolsd.exe', 
@@ -139,18 +139,18 @@ def virtualbox? end end - %w[HKLM\HARDWARE\ACPI\DSDT HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| + %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) return true if srvvals && srvvals.include?('VBOX__') end for i in 0..2 do - return true if registry_getvaldata("HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port #{i}0\Scsi Bus 0\Target Id 0\Logical Unit Id 0", 'Identifier') =~ /vbox/i + return true if registry_getvaldata("HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 'Identifier') =~ /vbox/i end - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /vbox/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /virtualbox/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemProductName') =~ /virtual/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vbox/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /virtualbox/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtual/i %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo].each do |service| return true if service_exists?(service) @@ -169,7 +169,7 @@ def xen? end end - %w[HKLM\HARDWARE\ACPI\DSDT HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| + %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) return true if srvvals && srvvals.include?('Xen') end 
@@ -178,23 +178,23 @@ def xen? return true if service_exists?(service) end - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemProductName') =~ /xen/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /xen/i false end def qemu? - key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0' + key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0' return true if registry_getvaldata(key_path, 'Identifier') =~ /qemu|virtio/i - key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0' + key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0' return true if registry_getvaldata(key_path, 'ProcessorNameString') =~ /qemu/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /qemu/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /qemu/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemManufacturer') =~ /qemu/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /qemu/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /qemu/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /qemu/i - %w[HKLM\HARDWARE\ACPI\DSDT HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| + %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) return true if srvvals && srvvals.include?('BOCHS_') end 
@@ -203,8 +203,8 @@ def qemu? end def parallels? - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /parallels/i - return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'VideoBiosVersion') =~ /parallels/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /parallels/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /parallels/i false end @@ -220,9 +220,9 @@ def joesandbox? end end - key_path = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion' + key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion' return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' - key_path = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' false From 89dd8ce9306d08d16a50f5f69394d7989a6e246b Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:12:50 +0200 Subject: [PATCH 09/14] Add some references --- modules/post/windows/gather/checkvm.rb | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 623cbe90811d..70dea7396196 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -26,6 +26,11 @@ module supports detection of Hyper-V, VMWare, Virtual PC, ], 'Platform' => [ 'win' ], 'SessionTypes' => %w[meterpreter powershell shell], + 'References' => [ + ['URL', 'https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf'], + ['URL', 'https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf'], + ['URL', 'https://evasions.checkpoint.com/techniques/registry.html'] + ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [], 
From 1188256260dbe32360aa5ce974a81b72a7634d2f Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 11 Jul 2023 21:13:21 +0200 Subject: [PATCH 10/14] Update the Description to add newly detected VM --- modules/post/windows/gather/checkvm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 70dea7396196..8542d8e2247b 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -17,7 +17,7 @@ def initialize(info = {}) This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This module supports detection of Hyper-V, VMWare, Virtual PC, - VirtualBox, Xen, and QEMU. + VirtualBox, Xen, QEMU, Parallels and JoeSandbox. }, 'License' => MSF_LICENSE, 'Author' => [ From 075a7e9a145f82cf5e64e80b4698ccd92203584d Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 18 Jul 2023 19:28:45 +0200 Subject: [PATCH 11/14] Narrow a virtualbox check --- modules/post/windows/gather/checkvm.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 8542d8e2247b..520fea74f973 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -155,7 +155,7 @@ def virtualbox? return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vbox/i return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /virtualbox/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtual/i + return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtualbox/i %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo].each do |service| return true if service_exists?(service) 
From 9b87a9d4f1491e54133db172893380c1ccc3a7e6 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 18 Jul 2023 19:29:02 +0200 Subject: [PATCH 12/14] Run HyperV check after Parallels As suggested in https://github.com/rapid7/metasploit-framework/pull/18179#discussion_r1265637311 --- modules/post/windows/gather/checkvm.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index 520fea74f973..f0dac96fd0a8 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb @@ -247,7 +247,9 @@ def report_vm(hypervisor) def run print_status('Checking if the target is a Virtual Machine ...') - if hyperv? + if parallels? + report_vm('Parallels') + elsif hyperv? report_vm('Hyper-V') elsif vmware? report_vm('VMware') @@ -259,8 +261,6 @@ def run report_vm('Xen') elsif qemu? report_vm('Qemu/KVM') - elsif parallels? - report_vm('Parallels') elsif joesandbox? report_vm('JoeSandbox') else From 88a5a52c1ab2e1ec7b2771ec3eeb410edb0b6f03 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Tue, 18 Jul 2023 19:31:42 +0200 Subject: [PATCH 13/14] Stringy arrays before checking anything As suggested in https://github.com/rapid7/metasploit-framework/pull/18179#pullrequestreview-1533226875 --- modules/post/windows/gather/checkvm.rb | 57 ++++++++++++++++---------- 1 file changed, 35 insertions(+), 22 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index f0dac96fd0a8..fb1f2ed4cc14 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb 
@@ -49,8 +49,17 @@ def service_exists?(service) get_services && get_services.include?(service) end + def get_regval_str(key, valname) + ret = registry_getvaldata(key, valname) + if ret.kind_of(Array) + ret = ret.join + end + ret + end + + def hyperv? - physical_host = registry_getvaldata('HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters', 'PhysicalHostNameFullyQualified') + physical_host = get_regval_str('HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters', 'PhysicalHostNameFullyQualified') if physical_host report_note( host: session, @@ -68,7 +77,7 @@ def hyperv? return true if sfmsvals.include?('VirtualMachine') end - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vrtual/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vrtual/i %w[HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) @@ -80,11 +89,11 @@ def hyperv? end key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System' - system_bios_version = registry_getvaldata(key_path, 'SystemBiosVersion') + system_bios_version = get_regval_str(key_path, 'SystemBiosVersion') return true if system_bios_version && system_bios_version.include?('Hyper-V') key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0' - return true if registry_getvaldata(key_path, 'Identifier') =~ /Msft Virtual Disk 1.0/i + return true if get_regval_str(key_path, 'Identifier') =~ /Msft Virtual Disk 1.0/i false end 
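Review bot: `ret.kind_of(Array)` in the new `get_regval_str` calls a method that does not exist — the predicate is `kind_of?` / `is_a?` — so every detector now raises `NoMethodError` on its first registry read, including when `registry_getvaldata` returns nil. The helper reduces to `ret.is_a?(Array) ? ret.join : ret`. A bare `join` concatenates the multi-string entries with nothing between them, so a pattern could match across an entry boundary; `ret.join(' ')` keeps entries apart. The doubled blank line before `def hyperv?` will also be flagged by RuboCop.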
@@ -94,10 +103,10 @@ def vmware? return true if service_exists?(service) end - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /vmware/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i - return true if registry_getvaldata('HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /vmware/i + return true if get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if get_regval_str('HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0', 'Identifier') =~ /vmware/i + return true if get_regval_str('HKLM\\SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000', 'DriverDesc') =~ /cl_vmx_svga|VMWare/i vmwareprocs = [ 'vmtoolsd.exe', 
@@ -150,12 +159,12 @@ def virtualbox? end for i in 0..2 do - return true if registry_getvaldata("HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 'Identifier') =~ /vbox/i + return true if get_regval_str("HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port #{i}0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0", 'Identifier') =~ /vbox/i end - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vbox/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /virtualbox/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtualbox/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /vbox/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /virtualbox/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /virtualbox/i %w[VBoxMouse VBoxGuest VBoxService VBoxSF VBoxVideo].each do |service| return true if service_exists?(service) 
@@ -183,21 +192,21 @@ def xen? return true if service_exists?(service) end - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /xen/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemProductName') =~ /xen/i false end def qemu? key_path = 'HKLM\\HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0' - return true if registry_getvaldata(key_path, 'Identifier') =~ /qemu|virtio/i + return true if get_regval_str(key_path, 'Identifier') =~ /qemu|virtio/i key_path = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0' - return true if registry_getvaldata(key_path, 'ProcessorNameString') =~ /qemu/i + return true if get_regval_str(key_path, 'ProcessorNameString') =~ /qemu/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /qemu/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /qemu/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /qemu/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /qemu/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /qemu/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS', 'SystemManufacturer') =~ /qemu/i %w[HKLM\\HARDWARE\\ACPI\\DSDT HKLM\\HARDWARE\\ACPI\\FADT HKLM\\HARDWARE\\ACPI\\RSDT].each do |key| srvvals = registry_enumkeys(key) 
@@ -208,8 +217,12 @@ def qemu? end def parallels? - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /parallels/i - return true if registry_getvaldata('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /parallels/i + bios_version = get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') + if bios_version.kind_of?(Array) + bios_version = bios_version.join + end + return true if bios_version =~ /parallels/i + return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'VideoBiosVersion') =~ /parallels/i false end @@ -226,9 +239,9 @@ def joesandbox? end key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion' - return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' + return true if get_regval_str(key_path, 'ProductId') == '55274-640-2673064-23950' key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' - return true if registry_getvaldata(key_path, 'ProductId') == '55274-640-2673064-23950' + return true if get_regval_str(key_path, 'ProductId') == '55274-640-2673064-23950' false end From 86c868084ca0b0644621d10453d79a1decf6e922 Mon Sep 17 00:00:00 2001 From: jvoisin Date: Fri, 11 Aug 2023 14:42:51 +0200 Subject: [PATCH 14/14] Remove joesandbox and virtualpc --- modules/post/windows/gather/checkvm.rb | 46 ++------------------------ 1 file changed, 2 insertions(+), 44 deletions(-) diff --git a/modules/post/windows/gather/checkvm.rb b/modules/post/windows/gather/checkvm.rb index fb1f2ed4cc14..457acbfef085 100644 --- a/modules/post/windows/gather/checkvm.rb +++ b/modules/post/windows/gather/checkvm.rb 
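Review bot: `parallels?` re-checks `bios_version.kind_of?(Array)` and joins it after `get_regval_str` has already done exactly that, so the three added lines are dead code. A single `return true if get_regval_str('HKLM\\HARDWARE\\DESCRIPTION\\System', 'SystemBiosVersion') =~ /parallels/i` matches the `VideoBiosVersion` line directly below it and keeps the array handling in one place.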
@@ -16,8 +16,8 @@ def initialize(info = {}) 'Description' => %q{ This module attempts to determine whether the system is running inside of a virtual environment and if so, which one. This - module supports detection of Hyper-V, VMWare, Virtual PC, - VirtualBox, Xen, QEMU, Parallels and JoeSandbox. + module supports detection of Hyper-V, VMWare, VirtualBox, Xen, QEMU, + and Parallels. }, 'License' => MSF_LICENSE, 'Author' => [ @@ -123,25 +123,6 @@ def vmware? false end - def virtualpc? - %w[vpc-s3 vpcbus vpcuhub msvmmouf].each do |service| - return true if service_exists?(service) - end - - vpcprocs = [ - 'vpcmap.exe', - 'vmusrvc.exe', - 'vmsrvc.exe' - ] - get_processes.each do |x| - vpcprocs.each do |p| - return true if p == x['name'].downcase - end - end - - false - end - def virtualbox? vboxprocs = [ 'vboxservice.exe', @@ -227,25 +208,6 @@ def parallels? false end - def joesandbox? - vpcprocs = [ - 'joeboxcontrol.exe', - 'joeboxserver.exe' - ] - get_processes.each do |x| - vpcprocs.each do |p| - return true if p == x['name'].downcase - end - end - - key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion' - return true if get_regval_str(key_path, 'ProductId') == '55274-640-2673064-23950' - key_path = 'HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion' - return true if get_regval_str(key_path, 'ProductId') == '55274-640-2673064-23950' - - false - end - def report_vm(hypervisor) print_good("This is a #{hypervisor} Virtual Machine") report_note( @@ -266,16 +228,12 @@ def run report_vm('Hyper-V') elsif vmware? report_vm('VMware') - elsif virtualpc? - report_vm('VirtualPC') elsif virtualbox? report_vm('VirtualBox') elsif xen? report_vm('Xen') elsif qemu? report_vm('Qemu/KVM') - elsif joesandbox? - report_vm('JoeSandbox') else print_status('The target appears to be a Physical Machine') end