@@ -19,71 +19,56 @@ class Metasploit3 < Msf::Post
1919
2020 def initialize ( info = { } )
2121 super ( update_info ( info ,
22- 'Name' => 'Windows Gather Virtual Environment Detection' ,
23- 'Description' => %q{
24- This module attempts to determine whether the system is running
25- inside of a virtual environment and if so, which one. This
26- module supports detectoin of Hyper-V, VMWare, Virtual PC,
27- VirtualBox, Xen, and QEMU.
28- } ,
29- 'License' => MSF_LICENSE ,
30- 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ] ,
31- 'Platform' => [ 'win' ] ,
32- 'SessionTypes' => [ 'meterpreter' ]
33- ) )
22+ 'Name' => 'Windows Gather Virtual Environment Detection' ,
23+ 'Description' => %q{
24+ This module attempts to determine whether the system is running
25+ inside of a virtual environment and if so, which one. This
26+ module supports detectoin of Hyper-V, VMWare, Virtual PC,
27+ VirtualBox, Xen, and QEMU.
28+ } ,
29+ 'License' => MSF_LICENSE ,
30+ 'Author' => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ] ,
31+ 'Platform' => [ 'win' ] ,
32+ 'SessionTypes' => [ 'meterpreter' ]
33+ ) )
3434 end
3535
3636 # Method for detecting if it is a Hyper-V VM
3737 def hypervchk ( session )
38- begin
39- vm = false
40- sfmsvals = registry_enumkeys ( 'HKLM\SOFTWARE\Microsoft' )
41- if sfmsvals . include? ( "Hyper-V" )
42- vm = true
43- elsif sfmsvals . include? ( "VirtualMachine" )
44- vm = true
45- end
46- rescue
38+ vm = false
39+ sfmsvals = registry_enumkeys ( 'HKLM\SOFTWARE\Microsoft' )
40+ if sfmsvals and sfmsvals . include? ( "Hyper-V" )
41+ vm = true
42+ elsif sfmsvals and sfmsvals . include? ( "VirtualMachine" )
43+ vm = true
4744 end
4845 if not vm
49- begin
50- if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System' , 'SystemBiosVersion' ) . data . downcase =~ /vrtual/
51- vm = true
52- end
53- rescue
46+ if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System' , 'SystemBiosVersion' ) =~ /vrtual/i
47+ vm = true
5448 end
5549 end
5650 if not vm
57- begin
58- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\FADT' )
59- if srvvals . include? ( "VRTUAL" )
60- vm = true
61- end
62- rescue
51+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\FADT' )
52+ if srvvals and srvvals . include? ( "VRTUAL" )
53+ vm = true
6354 end
6455 end
6556 if not vm
66- begin
67- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
68- if srvvals . include? ( "VRTUAL" )
69- vm = true
70- end
71- rescue
57+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
58+ if srvvals and srvvals . include? ( "VRTUAL" )
59+ vm = true
7260 end
7361 end
7462 if not vm
75- begin
76- srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
77- if srvvals . include? ( "vmicheartbeat" )
78- vm = true
79- elsif srvvals . include? ( "vmicvss" )
80- vm = true
81- elsif srvvals . include? ( "vmicshutdown" )
82- vm = true
83- elsif srvvals . include? ( "vmicexchange" )
84- vm = true
85- end
86- rescue
63+ srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
64+ if srvvals and srvvals . include? ( "vmicheartbeat" )
65+ vm = true
66+ elsif srvvals and srvvals . include? ( "vmicvss" )
67+ vm = true
68+ elsif srvvals and srvvals . include? ( "vmicshutdown" )
69+ vm = true
70+ elsif srvvals and srvvals . include? ( "vmicexchange" )
71+ vm = true
8772 end
8873 end
8974 if vm
@@ -101,34 +86,25 @@ def hypervchk(session)
10186 # Method for checking if it is a VMware VM
10287 def vmwarechk ( session )
10388 vm = false
104- begin
105- srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
106- if srvvals . include? ( "vmdebug" )
107- vm = true
108- elsif srvvals . include? ( "vmmouse" )
109- vm = true
110- elsif srvvals . include? ( "VMTools" )
111- vm = true
112- elsif srvvals . include? ( "VMMEMCTL" )
113- vm = true
114- end
115- rescue
89+ srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
90+ if srvvals and srvvals . include? ( "vmdebug" )
91+ vm = true
92+ elsif srvvals and srvvals . include? ( "vmmouse" )
93+ vm = true
94+ elsif srvvals and srvvals . include? ( "VMTools" )
95+ vm = true
96+ elsif srvvals and srvvals . include? ( "VMMEMCTL" )
97+ vm = true
11698 end
11799 if not vm
118- begin
119- if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System\BIOS' , 'SystemManufacturer' ) . data . downcase =~ /vmware/
120- vm = true
121- end
122- rescue
100+ if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System\BIOS' , 'SystemManufacturer' ) =~ /vmware/i
101+ vm = true
123102 end
124103 end
125104 if not vm
126- begin
127- key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
128- if registry_getvaldata ( key_path , 'Identifier' ) . data . downcase =~ /vmware/
129- vm = true
130- end
131- rescue
105+ key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
106+ if registry_getvaldata ( key_path , 'Identifier' ) =~ /vmware/i
107+ vm = true
132108 end
133109 end
134110 if not vm
@@ -172,16 +148,13 @@ def checkvrtlpc(session)
172148 end
173149 end
174150 if not vm
175- begin
176- srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
177- if srvvals . include? ( "vpc-s3" )
178- vm = true
179- elsif srvvals . include? ( "vpcuhub" )
180- vm = true
181- elsif srvvals . include? ( "msvmmouf" )
182- vm = true
183- end
184- rescue
151+ srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
152+ if srvvals and srvvals . include? ( "vpc-s3" )
153+ vm = true
154+ elsif srvvals and srvvals . include? ( "vpcuhub" )
155+ vm = true
156+ elsif srvvals and srvvals . include? ( "msvmmouf" )
157+ vm = true
185158 end
186159 end
187160 if vm
@@ -211,62 +184,44 @@ def vboxchk(session)
211184 end
212185 end
213186 if not vm
214- begin
215- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\DSDT' )
216- if srvvals . include? ( "VBOX__" )
217- vm = true
218- end
219- rescue
187+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\DSDT' )
188+ if srvvals and srvvals . include? ( "VBOX__" )
189+ vm = true
220190 end
221191 end
222192 if not vm
223- begin
224- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\FADT' )
225- if srvvals . include? ( "VBOX__" )
226- vm = true
227- end
228- rescue
193+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\FADT' )
194+ if srvvals and srvvals . include? ( "VBOX__" )
195+ vm = true
229196 end
230197 end
231198 if not vm
232- begin
233- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
234- if srvvals . include? ( "VBOX__" )
235- vm = true
236- end
237- rescue
199+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
200+ if srvvals and srvvals . include? ( "VBOX__" )
201+ vm = true
238202 end
239203 end
240204 if not vm
241- begin
242- key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
243- if registry_getvaldata ( key_path , 'Identifier' ) . data . downcase =~ /vbox/
244- vm = true
245- end
246- rescue
205+ key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
206+ if registry_getvaldata ( key_path , 'Identifier' ) =~ /vbox/i
207+ vm = true
247208 end
248209 end
249210 if not vm
250- begin
251- if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System' , 'SystemBiosVersion' ) . data . downcase =~ /vbox/
252- vm = true
253- end
254- rescue
211+ if registry_getvaldata ( 'HKLM\HARDWARE\DESCRIPTION\System' , 'SystemBiosVersion' ) =~ /vbox/i
212+ vm = true
255213 end
256214 end
257215 if not vm
258- begin
259- srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
260- if srvvals . include? ( "VBoxMouse" )
261- vm = true
262- elsif srvvals . include? ( "VBoxGuest" )
263- vm = true
264- elsif srvvals . include? ( "VBoxService" )
265- vm = true
266- elsif srvvals . include? ( "VBoxSF" )
267- vm = true
268- end
269- rescue
216+ srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
217+ if srvvals and srvvals . include? ( "VBoxMouse" )
218+ vm = true
219+ elsif srvvals and srvvals . include? ( "VBoxGuest" )
220+ vm = true
221+ elsif srvvals and srvvals . include? ( "VBoxService" )
222+ vm = true
223+ elsif srvvals and srvvals . include? ( "VBoxSF" )
224+ vm = true
270225 end
271226 end
272227 if vm
@@ -295,47 +250,35 @@ def xenchk(session)
295250 end
296251 end
297252 if not vm
298- begin
299- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\DSDT' )
300- if srvvals . include? ( "Xen" )
301- vm = true
302- end
303- rescue
253+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\DSDT' )
254+ if srvvals and srvvals . include? ( "Xen" )
255+ vm = true
304256 end
305257 end
306258 if not vm
307- begin
308- srvvals = registry_enumkeys ( 'HARDWARE\ACPI\FADT' )
309- if srvvals . include? ( "Xen" )
310- vm = true
311- end
312- rescue
259+ srvvals = registry_enumkeys ( 'HARDWARE\ACPI\FADT' )
260+ if srvvals and srvvals . include? ( "Xen" )
261+ vm = true
313262 end
314263 end
315264 if not vm
316- begin
317- srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
318- if srvvals . include? ( "Xen" )
319- vm = true
320- end
321- rescue
265+ srvvals = registry_enumkeys ( 'HKLM\HARDWARE\ACPI\RSDT' )
266+ if srvvals and srvvals . include? ( "Xen" )
267+ vm = true
322268 end
323269 end
324270 if not vm
325- begin
326- srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
327- if srvvals . include? ( "xenevtchn" )
328- vm = true
329- elsif srvvals . include? ( "xennet" )
330- vm = true
331- elsif srvvals . include? ( "xennet6" )
332- vm = true
333- elsif srvvals . include? ( "xensvc" )
334- vm = true
335- elsif srvvals . include? ( "xenvdb" )
336- vm = true
337- end
338- rescue
271+ srvvals = registry_enumkeys ( 'HKLM\SYSTEM\ControlSet001\Services' )
272+ if srvvals and srvvals . include? ( "xenevtchn" )
273+ vm = true
274+ elsif srvvals and srvvals . include? ( "xennet" )
275+ vm = true
276+ elsif srvvals and srvvals . include? ( "xennet6" )
277+ vm = true
278+ elsif srvvals and srvvals . include? ( "xensvc" )
279+ vm = true
280+ elsif srvvals and srvvals . include? ( "xenvdb" )
281+ vm = true
339282 end
340283 end
341284 if vm
@@ -353,23 +296,17 @@ def xenchk(session)
353296 def qemuchk ( session )
354297 vm = false
355298 if not vm
356- begin
357- key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
358- if registry_getvaldata ( key_path , 'Identifier' ) . data . downcase =~ /qemu/
359- print_status ( "This is a QEMU/KVM Virtual Machine" )
360- vm = true
361- end
362- rescue
299+ key_path = 'HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0'
300+ if registry_getvaldata ( key_path , 'Identifier' ) =~ /qemu/i
301+ print_status ( "This is a QEMU/KVM Virtual Machine" )
302+ vm = true
363303 end
364304 end
365305 if not vm
366- begin
367- key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
368- if registry_getvaldata ( key_path , 'ProcessorNameString' ) . data . downcase =~ /qemu/
369- print_status ( "This is a QEMU/KVM Virtual Machine" )
370- vm = true
371- end
372- rescue
306+ key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0'
307+ if registry_getvaldata ( key_path , 'ProcessorNameString' ) =~ /qemu/i
308+ print_status ( "This is a QEMU/KVM Virtual Machine" )
309+ vm = true
373310 end
374311 end
375312
0 commit comments