Massively improve windows' vm fingerprinting module #18140
jvoisin wants to merge 8 commits into rapid7:master from jvoisin:improve_vm_detection
Conversation
cdelafuente-r7 left a comment
Thanks @jvoisin for improving this module. I left some comments and suggestions for you to review when you get a chance.
| return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System\BIOS', 'SystemManufacturer') =~ /vmware/i | ||
| return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i | ||
| return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i | ||
| return true if registry_getvaldata('HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000', 'DriverDesc') =~ /cl_vmx_svga/i |
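Review bot: the last line hardcodes `HKLM\SYSTEM\ControlSet001`, which is not necessarily the control set the system booted from; read `HKLM\SYSTEM\CurrentControlSet\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000` instead so a machine running on another control set is not missed. The two `Scsi Port 0` / `Scsi Port 1` lines only cover the first two ports; enumerating the sub-keys of `HKLM\HARDWARE\DEVICEMAP\Scsi` and checking each `Identifier` catches a disk attached on a higher port. Given the reviewer's observation that the display driver can also report `VMware SVGA 3D`, matching `DriverDesc` against `/vmware/i` rather than `/cl_vmx_svga/i` covers both values.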
I checked this with Windows 11 on VMware Fusion 12.2.5 and the value of this registry key is VMware SVGA 3D. Should this value also be checked?
| return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i | ||
| return true if registry_getvaldata('HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0', 'Identifier') =~ /vmware/i | ||
| return true if registry_getvaldata('HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000', 'DriverDesc') =~ /cl_vmx_svga/i | ||
| return true if registry_getvaldata('HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall', 'DisplayName') =~ /vmware tools/i |
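Review bot: the last line reads `DisplayName` directly on `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall`, where no such value exists; each installed product has its own sub-key (often a GUID) holding its `DisplayName`, so the check needs `registry_enumkeys` on the Uninstall key followed by `registry_getvaldata(subkey, 'DisplayName')` for each sub-key. On 64-bit Windows the `WOW6432Node` mirror of the Uninstall key holds 32-bit products and should be walked the same way.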
This registry key looks weird to me. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall usually includes sub-keys for each installed software. VMware Tools seems to be in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1FF5D624-5515-4343-837A-E54C101573E6} in my environment.
| module supports detection of JoeSandbox, Hyper-V, VMWare, Virtual PC, | ||
| VirtualBox, Xen, MicrosoftSandbox, Parallels, Bochs and QEMU. | ||
| }, | ||
| 'License' => MSF_LICENSE, |
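Review bot: the description on the first two lines spells the vendor `VMWare`; the product name is `VMware`, and it is also the spelling the regexes in this module match on, so the two should agree.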
It would be interesting to also add a References key with the links you mentioned in this PR's description:
https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
https://www.heise.de/security/downloads/07/1/1/8/3/5/5/9/vmde.pdf
https://evasions.checkpoint.com/
In particular https://evasions.checkpoint.com/techniques/registry.html
|
|
||
| %w[HKLM\HARDWARE\ACPI\DSDT HKLM\HARDWARE\ACPI\FADT HKLM\HARDWARE\ACPI\RSDT].each do |key| | ||
| srvvals = registry_enumkeys(key) | ||
| return true if srvvals && srvvals.include?('BOCHS_') |
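Review bot: `srvvals.include?('BOCHS_')` on the last line requires an exact sub-key name; a case-insensitive prefix match such as `srvvals.any? { |k| k =~ /^BOCHS/i }` tolerates differences in how the OEM ID is rendered. Since QEMU ships Bochs-derived BIOS tables (as the review below points out), this ACPI check should also contribute to the QEMU result rather than being reported as Bochs only.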
If I understand it correctly, this check is now exclusively for bochs emulation software. It has been removed from qemu detection logic. Is there a specific reason for this?
According to the documentation, qemu also uses some bochs components.
QEMU uses the PC BIOS from the Seabios project and the Plex86/Bochs LGPL VGA BIOS.
| include Msf::Post::Windows::Process | ||
| include Msf::Post::Windows::Registry | ||
| include Msf::Post::Windows::UserProfiles | ||
| include Msf::Post::Windows::WMIC |
This mixin brings the SMB* options to authenticate. Since it is a local connection, they should not be used. I would recommend deregistering these options:
deregister_options('SMBUser', 'SMBPass', 'SMBDomain')
| key_path = 'HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0' | ||
| return true if registry_getvaldata(key_path, 'ProcessorNameString') =~ /qemu/i | ||
|
|
||
| return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /qemu/i |
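Review bot: the `ProcessorNameString` check on the second line only catches QEMU's own CPU models, which expose a QEMU-branded name string; a guest started with `-cpu host` sees the host CPU's brand string, so this test alone yields a false negative on such setups and should only be one signal alongside the `SystemBiosVersion` and ACPI checks. Note also that `SystemBiosVersion` is a REG_MULTI_SZ, so the last line needs the value joined into a string before the regex is applied.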
HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion is a Multi String value and this call returns an array of characters:
[4] pry(#<Msf::Modules::Post__Windows__Gather__Checkvm::MetasploitModule>)> registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion')
=> ["I",
"N",
"T",
"E",
"L",
" ",
" ",
"-",
...
So, this regex won't work. Maybe this would be enough to fix it (not tested):
| return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion') =~ /qemu/i | |
| return true if registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion').join =~ /qemu/i |
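Review bot: `.join` on the second line raises NoMethodError when the value is absent and the call returns nil; `Array(registry_getvaldata('HKLM\HARDWARE\DESCRIPTION\System', 'SystemBiosVersion')).join =~ /qemu/i` handles nil, a single String and an Array alike, and the same wrapper can be applied wherever this pattern recurs in the file.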
I also noticed this issue many times in this file, and those should also be fixed.
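An added helper, written for this discussion and not code from the PR or from Metasploit, that handles both issues raised in the review above: a REG_MULTI_SZ value coming back as an Array of characters (so a bare `=~` never matches), and a product name that lives under a sub-key of Uninstall rather than as a value on the key itself. The `reg` Hash stands in for the module's registry_enumkeys / registry_getvaldata mixin calls, and the sample registry data is constructed; the GUID sub-key name is the one quoted in the review, everything else is illustrative.

```ruby
# Added example (not code from the PR or Metasploit). In the module,
# registry_getvaldata returns nil for a missing value, a String for REG_SZ and,
# as the review shows for SystemBiosVersion, an Array for REG_MULTI_SZ, so a
# bare `=~` only works for the String case.

# Collapse nil / String / Array (of strings or of single characters) into one
# String a regex can be applied to. Assumption: an Array of one-character
# strings is a single value that was split up, so it is joined without a
# separator; longer elements are distinct strings and are joined with a newline
# so a pattern cannot match across the boundary of two of them.
def registry_value_to_s(value)
  case value
  when nil then ''
  when String then value
  when Array
    if value.all? { |e| e.is_a?(String) && e.length <= 1 }
      value.join
    else
      value.map(&:to_s).join("\n")
    end
  else
    value.to_s
  end
end

# True when the registry value, in any of the shapes above, matches pattern.
def registry_value_match?(value, pattern)
  registry_value_to_s(value).match?(pattern)
end

# The Uninstall key holds one sub-key per installed product, each with its own
# DisplayName; the product name is never a value on the parent key itself.
# `reg` is a stand-in for registry_enumkeys / registry_getvaldata: a Hash of
# key path => { value name => value data }. Returns true when any sub-key's
# DisplayName matches pattern.
UNINSTALL_KEY = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'.freeze

def uninstall_entry_match?(reg, pattern, root = UNINSTALL_KEY)
  prefix = root + '\\'
  subkeys = reg.keys.select { |k| k.start_with?(prefix) }
  subkeys.any? do |k|
    registry_value_match?(reg.fetch(k, {})['DisplayName'], pattern)
  end
end

# Constructed sample registry, shaped like the review's observations: a
# REG_MULTI_SZ coming back as single characters, and VMware Tools living under
# a GUID sub-key of Uninstall (the GUID is the one quoted in the review).
SAMPLE_REGISTRY = {
  'HKLM\HARDWARE\DESCRIPTION\System' => {
    'SystemBiosVersion' => %w[Q E M U] + [' ', '-', ' ', '1']
  },
  'HKLM\HARDWARE\DESCRIPTION\System\BIOS' => {
    'SystemManufacturer' => 'VMware, Inc.'
  },
  UNINSTALL_KEY => {},
  UNINSTALL_KEY + '\{1FF5D624-5515-4343-837A-E54C101573E6}' => {
    'DisplayName' => 'VMware Tools'
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  bios = SAMPLE_REGISTRY['HKLM\HARDWARE\DESCRIPTION\System']['SystemBiosVersion']
  puts "SystemBiosVersion raw:       #{bios.inspect}"
  puts "SystemBiosVersion joined:    #{registry_value_to_s(bios).inspect}"
  puts "matches /qemu/i after join:  #{registry_value_match?(bios, /qemu/i)}"
  parent = SAMPLE_REGISTRY[UNINSTALL_KEY]['DisplayName']
  puts "DisplayName on parent key:   #{registry_value_match?(parent, /vmware tools/i)}"
  puts "DisplayName in any sub-key:  #{uninstall_entry_match?(SAMPLE_REGISTRY, /vmware tools/i)}"
end
```

The newline separator in `registry_value_to_s` is a deliberate choice: joining distinct REG_MULTI_SZ strings with nothing in between would let a pattern match across two unrelated entries.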
Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
| def get_computer_model | ||
| wmic_query('computersystem get model') | ||
| end |
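Review bot: `wmic_query` on the second line shells out to wmic.exe, which Microsoft has deprecated and which recent Windows 11 builds no longer install by default, so this method returns nothing on such hosts. A registry fallback, for example `SystemProductName` under `HKLM\HARDWARE\DESCRIPTION\System\BIOS` (the key this module already reads for `SystemManufacturer`), keeps the model check working without the tool, and the same applies to the other wmic-backed helpers below.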
| def get_computer_model | |
| wmic_query('computersystem get model') | |
| end | |
| def get_computer_model | |
| @get_computer_model ||= wmic_query('computersystem get model') | |
| end |
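Review bot: `@get_computer_model ||= wmic_query(...)` on the second suggested line only caches a truthy result; when the query fails and returns nil, the command is re-executed on every call. If a failed lookup should be remembered too, test `instance_variable_defined?(:@get_computer_model)` before running the query instead of relying on `||=`.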
This prevents us from executing the command multiple times. Same for the other data retrieval methods below.
I'll re-open a smaller PR.
Superseded by #18179
The following resources were used: