Skip to content

Commit fff1c16

Browse files
asoto-r7asoto-r7
committed
Created checkvm documentation
1 parent 10cf327 commit fff1c16

File tree

1 file changed

+47
-0
lines changed
  • documentation/modules/post/windows/gather

1 file changed

+47
-0
lines changed

documentation/modules/post/windows/gather/checkvm.md

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
This is a post-exploitation module that checks several known registry keys and process names, as a simple way to determine if your target is running inside of a virtual machine. While many of these are easy to change, triggering a false negative, this script services as a simple pre-check.
2+
3+
The script has been tested on a variety of Windows 10 targets, but changes to hypervisors and VM-related drivers are common. If you identify misleading output from this tool, please [file an issue](https://github.com/rapid7/metasploit-framework/issues/new) or, even better, [submit a pull request](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md#contributing-to-metasploit).
4+
5+
The script can be run from within a Meterpreter session or from the Metasploit shell:
6+
7+
### Within Meterpreter
8+
```
9+
meterpreter > run post/windows/gather/checkvm
10+
```
11+
12+
### From the Metasploit console
13+
```
14+
msf > use post/windows/gather/checkvm
15+
msf post(windows/gather/checkvm) > set SESSION 1
16+
SESSION => 1
17+
msf post(windows/gather/checkvm) > run
18+
19+
[*] Checking if DESKTOP-Q05UKIU is a Virtual Machine .....
20+
[+] This is a VMware Virtual Machine
21+
[*] Post module execution completed
22+
```
23+
24+
# Example Output
25+
26+
### On a Windows 10 x64 physical machine
27+
```
28+
[*] Checking if DESKTOP-Q05UKIU is a Virtual Machine .....
29+
[*] DESKTOP-Q05UKIU appears to be a Physical Machine
30+
```
31+
32+
### On a Windows 10 x64 VMware VM
33+
```
34+
[*] Checking if DESKTOP-Q05UKIU is a Virtual Machine .....
35+
[+] This is a VMware Virtual Machine
36+
```
37+
38+
### On a Windows 10 x64 Hyper-V VM
39+
```
40+
[*] Checking if DESKTOP-Q05UKIU is a Virtual Machine .....
41+
[+] This is a Hyper-V Virtual Machine running on physical host ASOTO-HYPERV-SERVER
42+
43+
msf > notes
44+
45+
[*] Time: 2018-01-17 18:31:24 UTC Note: host=192.168.77.2 type=host.hypervisor data={:hypervisor=>"MS Hyper-V"}
46+
[*] Time: 2018-01-17 18:31:24 UTC Note: host=192.168.77.2 type=host.physicalHost data={:hypervisor=>"ASOTO-HYPERV-SERVER"}
47+
```

0 commit comments

Comments
 (0)