(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.

#Hyper-V<br>$hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft<br>if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))<br>    {<br>        $hypervm = $true<br>    }<br><br>if (!$hypervm)<br>    {<br>        $hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion<br>        if ($hyperv -match "vrtual")<br>            {<br>                $hypervm = $true<br>            }<br>    }<br><br>if (!$hypervm)<br>    {<br>        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT<br>        if ($hyperv -match "vrtual")<br>            {<br>                $hypervm = $true<br>            }<br>    }<br><br>if (!$hypervm)<br>    {<br>        $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT<br>        if ($hyperv -match "vrtual")<br>            {<br>                $hypervm = $true<br>            }<br>    }<br><br>if (!$hypervm)<br>    {<br>        $hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services<br>        if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))<br>            {<br>                $hypervm = $true<br>            }<br>    }<br><br>if ($hypervm)<br>    {<br><br>        "This is a Hyper-V machine."<br><br>    }<br>

This is how it looks like when ran inside a Windows 7 on VMWare.


I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.