Improve post/windows/gather/checkvm #18179

Merged
jheysel-r7 merged 14 commits into rapid7:master from jvoisin:improve_vm
Sep 6, 2023

Conversation

@jvoisin
Contributor

@jvoisin jvoisin commented Jul 11, 2023

I tried to split this PR into meaningful commits.

Verification

List the steps needed to make sure this thing works

  • Test Parallels detection
  • Test VirtualBox detection
  • Test VMware detection
  • Test Qemu detection
  • Test Hyper-V detection
  • Test Xen detection

@jvoisin jvoisin mentioned this pull request Jul 16, 2023
@jheysel-r7 jheysel-r7 self-assigned this Jul 17, 2023
@jvoisin jvoisin requested a review from jheysel-r7 July 18, 2023 17:32
@jheysel-r7
Contributor

Testing Windows 7 running in Qemu

msf6 post(windows/gather/checkvm) > sessions -i -1
[*] Starting interaction with 2...
meterpreter > getuid
Server username: msfuser-PC\msfuser
meterpreter > sysinfo
Computer        : MSFUSER-PC
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > run
[*] Checking if the target is a Virtual Machine ...
[+] This is a Qemu/KVM Virtual Machine
[*] Post module execution completed

Testing Windows 7 running in VirtualBox

msf6 post(windows/gather/checkvm) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: WINDOW7\msfuser
meterpreter > sysinfo
Computer        : WINDOW7
OS              : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > rexploit
[*] Reloading module...
[*] Checking if the target is a Virtual Machine ...
[+] This is a VirtualBox Virtual Machine
[*] Post module execution completed

Testing Windows 11 running in VMware (with Hyper-V enabled)

msf6 exploit(multi/handler) > sessions -i -1
[*] Starting interaction with 3...
meterpreter > getuid
Server username: msfdevice\msfuser
meterpreter > sysinfo
Computer        : MSFDEVICE
OS              : Windows 10 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 3...
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > rexploit
[*] Reloading module...
[*] Checking if the target is a Virtual Machine ...
[+] This is a VMware Virtual Machine
[*] Post module execution completed

Testing Windows 11 running in Parallels

msf6 exploit(multi/handler) > sessions -i -1
[*] Starting interaction with 4...
meterpreter > getuid
Server username: JACKHEYSELAAD5\jheysel
meterpreter > sysinfo
Computer        : JACKHEYSELAAD5
OS              : Windows 10 (10.0 Build 22621).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > bg
[*] Backgrounding session 4...
msf6 exploit(multi/handler) > use multi/handler
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > use post/windows/gather/checkvm
msf6 post(windows/gather/checkvm) > set session -1
session => -1
msf6 post(windows/gather/checkvm) > run
[*] Checking if the target is a Virtual Machine ...
[+] This is a Parallels Virtual Machine
[*] Post module execution completed

@gardnerapp
Contributor

I have attempted to DRY up this module's code and avoid redundant queries to the registry, processes and services. You can find my code here and a deeper explanation of the improvements in my comments at #18149. Is it OK to request a pull?

@jvoisin
Contributor Author

jvoisin commented Jul 24, 2023

Absolutely :)

@jheysel-r7
Contributor

Hey @jvoisin, after speaking with the team we think the Virtual PC (due to its age) and JoeSandbox (due to it being a cloud-based malware analysis tool and not a hypervisor) detections should probably be removed from this PR.

Xen testing is still blocking this PR and the post/linux/gather/checkvm changes.

@jvoisin
Contributor Author

jvoisin commented Aug 11, 2023

Sure, done :)

@jheysel-r7 jheysel-r7 added the blocked Blocked by one or more additional tasks label Aug 16, 2023
Contributor

@jheysel-r7 jheysel-r7 left a comment


After reviewing the two untested detections Hyper-V and Xen I think this should be good to be landed.

The only change to Hyper-V detection was changing all the registry_getvaldata calls to get_regval_str, which we know helps prevent an array being returned instead of a string.

As for the Xen detection, looking in the reg value HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName for the string xen is backed by this blog titled "Determine if a machine is virtual".
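
As an added illustration (not code from the PR, the checkvm module, or Rapid7) of the two points in the review above: normalising a registry read that may come back as an Array rather than a String before matching on it, and recognising Xen from the string "xen" in the SystemProductName value. The `regval_to_str` and `detect_hypervisor` names, the plain Hash standing in for the session's registry API, the non-Xen signatures and every sample value are assumptions made for this example.

```ruby
# Added example, not the module's own code. It mirrors the two review points:
# (1) a registry read may return an Array rather than a String, so normalise
# before matching; (2) Xen is recognised by the string "xen" in
# HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName.

BIOS_PRODUCT_PATH = 'HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName'

# Coerce any registry read result into a single String: Arrays are joined,
# nil becomes "" so callers can match without nil checks.
def regval_to_str(val)
  case val
  when nil   then ''
  when Array then val.map(&:to_s).join(' ')
  else            val.to_s
  end
end

# Case-insensitive signatures checked against SystemProductName. Only the Xen
# entry comes from the review; the others are assumed values for illustration.
PRODUCT_SIGNATURES = {
  'Xen'        => /xen/i,
  'VirtualBox' => /virtualbox/i,
  'VMware'     => /vmware/i,
  'Parallels'  => /parallels/i,
  'Hyper-V'    => /\Avirtual machine\z/i
}.freeze

# `registry` is a Hash of full value path => value, a stand-in for the
# session's registry API. Returns the matched hypervisor name or nil.
def detect_hypervisor(registry)
  product = regval_to_str(registry[BIOS_PRODUCT_PATH]).strip
  return nil if product.empty?
  PRODUCT_SIGNATURES.each { |name, re| return name if product.match?(re) }
  nil
end

# Constructed sample snapshots, not captured from real hosts. :xen_array holds
# the value as a one-element Array, the shape the review says tripped the old code.
SAMPLE_SNAPSHOTS = {
  xen_string:   { BIOS_PRODUCT_PATH => 'Xen HVM domU' },
  xen_array:    { BIOS_PRODUCT_PATH => ['Xen HVM domU'] },
  physical_box: { BIOS_PRODUCT_PATH => 'Example Workstation 123' },
  missing_key:  {}
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_SNAPSHOTS.each { |label, snap| puts "#{label}: #{detect_hypervisor(snap).inspect}" }
end
```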

@jheysel-r7 jheysel-r7 added enhancement and removed blocked Blocked by one or more additional tasks labels Sep 6, 2023
@jheysel-r7 jheysel-r7 merged commit 1317438 into rapid7:master Sep 6, 2023
@jheysel-r7 jheysel-r7 added the rn-enhancement release notes enhancement label Sep 6, 2023
@jheysel-r7
Contributor

Release Notes

This PR improves the windows checkvm post module by adding new techniques to identify the hypervisor in which the session is running.

@jvoisin jvoisin deleted the improve_vm branch September 6, 2023 18:33
zgoldman-r7 pushed a commit to zgoldman-r7/metasploit-framework that referenced this pull request Sep 11, 2023