diff --git a/VM-Detection-Report/VM-Detection-Report.txt b/VM-Detection-Report/VM-Detection-Report.txt new file mode 100644 index 0000000..74ca4d3 --- /dev/null +++ b/VM-Detection-Report/VM-Detection-Report.txt @@ -0,0 +1,15 @@ +REM Title: VM-Detection-Report +REM Author: @beigeworm +REM Description: Uses various methods to determine if the machine is a VM or if debugging or system monitoring software is running. +REM Description: Will generate a console readout and verbose text file +REM Target: Windows 10 + +REM some setup for dukie script +DEFAULT_DELAY 100 + +REM open powershell (remove "-W H" to show the window) +DELAY 1000 +GUI r +DELAY 750 +STRING powershell -NoP -Ep Bypass -W H -C irm https://raw.githubusercontent.com/beigeworm/BadUSB-Files-For-FlipperZero/main/VM-Detection-Report/main.ps1 | iex +ENTER diff --git a/VM-Detection-Report/main.ps1 b/VM-Detection-Report/main.ps1 new file mode 100644 index 0000000..117e664 --- /dev/null +++ b/VM-Detection-Report/main.ps1 @@ -0,0 +1,516 @@ +<# ============================ VIRTUAL MACHINE + DEBUGGING AND MONITORING DETECTION REPORT =============================== + +SYNOPSIS +Uses various methods to determine if the machine is a VM or if debugging or system monitoring software is running. +Will generate a console readout and verbose text file + +USAGE +1. Run the script to generate a report. +2. View more detailed logs in the generated text file. + +#> + +$Host.UI.RawUI.BackgroundColor = "Black" +Clear-Host +[Console]::SetWindowSize(75, 40) +[Console]::Title = "VM and Anti-Analysis Detection" + +$log = "$env:temp\VMdetect.log" +$isVMHost = $false +$isVM = $false + +Add-Type -AssemblyName System.Windows.Forms +[System.Windows.Forms.Application]::EnableVisualStyles() + +Write-Host "VM and Anti-Analysis software Detection by @beigeworm" -ForegroundColor White -BackgroundColor Green +"VM and Anti-Analysis software Detection by @beigeworm `n" | Out-File -FilePath $log + +function Test-VMHostNetwork { + Write-Host "=== Virtual Machine Host ===" -ForegroundColor Gray + + # Check VMWARE network adapter (HOST) + Write-Host "VMware Network Adapters.. " -NoNewline + $isVMwareHost = $false + + $networkAdapters = Get-WmiObject Win32_NetworkAdapter -Filter "AdapterTypeId=0" + foreach ($adapter in $networkAdapters) { + if ($adapter.ServiceName -match 'vmxnet') { + $isVMwareHost = $true + $script:isVMHost = $true + "Detected VMware host network adapter: $adapter.ServiceName" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($isVMwareHost) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # Check VIRTUALBOX network adapter (HOST) + Write-Host "VirtualBox Network Adapters.. " -NoNewline + $isVirtualBoxHost = $false + + $networkAdapters = Get-WmiObject Win32_NetworkAdapter -Filter "AdapterTypeId=0" + foreach ($adapter in $networkAdapters) { + if ($adapter.ServiceName -match 'VBoxNet') { + $isVirtualBoxHost = $true + $script:isVMHost = $true + "Detected VirtualBox host network adapter: $adapter.ServiceName" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($isVirtualBoxHost) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # VirtualBox host reg checks + $isVirtualBoxHostreg = $false + Write-Host "VirtualBox Host Registry Keys.. " -NoNewline + $vboxhostChecks = @{ + "VBoxServices" = "HKLM:\SYSTEM\CurrentControlSet\Services\VBox*"; + "VBoxDrivers" = "C:\WINDOWS\system32\drivers\VBox*"; + } + + foreach ($check in $vboxhostChecks.GetEnumerator()) { + if (Test-Path $check.Value) { + $isVirtualBoxHostreg = $true + $script:isVMHost = $true + "Detected VirtualBox host indicator: $($check.Key)" | Out-File -FilePath $log -Append + + $vboxChecks = @{ + "VBoxDSDT" = "HKLM:\HARDWARE\ACPI\DSDT\VBOX__"; + "VBoxFADT" = "HKLM:\HARDWARE\ACPI\FADT\VBOX__"; + "VBoxRSDT" = "HKLM:\HARDWARE\ACPI\RSDT\VBOX__"; + } + foreach ($check in $vboxChecks.GetEnumerator()) { + if (Test-Path $check.Value) {$script:isVMHost = $false;$isVirtualBoxHostreg = $false} + } + } + } + + if ($isVirtualBoxHostreg) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + + # Additional MAC address checks + Write-Host "VMware Host MAC addresses.. " -NoNewline + + $networkAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -ne $null } + foreach ($adapter in $networkAdapters) { + $macAddress = $adapter.MACAddress -replace ":", "" + if ($macAddress.StartsWith("005056")) { + $isVMwaremachost = $true + $script:isVMHost = $true + "Detected VMware Host MAC address: $($adapter.MACAddress)" | Out-File -FilePath $log -Append + } + } + + if ($isVMwaremachost) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + +} + +function Test-VirtualMachine { + + $VMservicename = $false + $VMmanufact = $false + $VMModelname = $false + $VMbiosname = $false + + Write-Host "`n=== Virtual Machine ===" -ForegroundColor Gray + + # VMware registry checks + Write-Host "--- Registry Keys ---" -ForegroundColor Gray + $isVMwarebox = $false + Write-Host "VMware Registry Keys.. " -NoNewline + $vmwareChecks = @{ + "VMwareTools" = "HKLM:\SOFTWARE\VMware, Inc.\VMware Tools"; + "VMwareMouseDriver" = "C:\WINDOWS\system32\drivers\vmmouse.sys"; + "VMwareSharedFoldersDriver" = "C:\WINDOWS\system32\drivers\vmhgfs.sys"; + } + + foreach ($check in $vmwareChecks.GetEnumerator()) { + if (Test-Path $check.Value) { + $isVMwarebox = $true + $script:isVM = $true + "Detected VMware indicator: $($check.Key)" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($isVMwarebox) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # VirtualBox registry checks + $isVirtualBoxreg = $false + Write-Host "VirtualBox Registry Keys.. " -NoNewline + $vboxChecks = @{ + "SystemBiosVersion" = "HKLM:\HARDWARE\Description\System\SystemBiosVersion"; + "VBoxGuestAdditions" = "HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions"; + "VideoBiosVersion" = "HKLM:\HARDWARE\Description\System\VideoBiosVersion"; + "VBoxDSDT" = "HKLM:\HARDWARE\ACPI\DSDT\VBOX__"; + "VBoxFADT" = "HKLM:\HARDWARE\ACPI\FADT\VBOX__"; + "VBoxRSDT" = "HKLM:\HARDWARE\ACPI\RSDT\VBOX__"; + "SystemBiosDate" = "HKLM:\HARDWARE\Description\System\SystemBiosDate"; + } + + foreach ($check in $vboxChecks.GetEnumerator()) { + if (Test-Path $check.Value) { + $isVirtualBoxreg = $true + $script:isVM = $true + $script:isVMHost = $false + "Detected VirtualBox indicator: $($check.Key)" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($isVirtualBoxreg) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # Additional MAC address checks + Write-Host "Network MAC addresses.. " -NoNewline + + $networkAdapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress -ne $null } + foreach ($adapter in $networkAdapters) { + $macAddress = $adapter.MACAddress -replace ":", "" + if ($macAddress.StartsWith("080027")) { + $isVirtualBoxmac = $true + "Detected VirtualBox MAC address: $($adapter.MACAddress)" | Out-File -FilePath $log -Append + } elseif ($macAddress.StartsWith("000569") -or $macAddress.StartsWith("000C29") -or $macAddress.StartsWith("001C14")) { + $isVMwaremac = $true + "Detected VMware MAC address: $($adapter.MACAddress)" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($isVirtualBoxmac -or $isVMwaremac) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + + Write-Host "`n--- Virtual Machine Environment ---" -ForegroundColor Gray + + # Check common VM services + Write-Host "Virtual Machine Services.. " -NoNewline + $services = Get-Service + $vmServices = @('vmtools', 'vmmouse', 'vmhgfs', 'vmci', 'VBoxService', 'VBoxSF') + foreach ($service in $vmServices) { + if ($services -match $service) { + $VMservicename = $true + $script:isVM = $true + "Detected VM service: $service" | Out-File -FilePath $log -Append + } + } + + Sleep -m 200 + if ($VMservicename) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + + # Check hardware + Write-Host "Virtual Machine Manufacturers.. " -NoNewline + $manufacturer = (Get-WmiObject Win32_ComputerSystem).Manufacturer + $vmManufacturers = @('Microsoft Corporation', 'VMware, Inc.', 'Xen', 'innotek GmbH', 'QEMU') + + if ($vmManufacturers -contains $manufacturer) { + $VMmanufact = $true + $script:isVM = $true + "Detected VM manufacturer: $manufacturer" | Out-File -FilePath $log -Append + } + + Sleep -m 200 + if ($VMmanufact) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # Check models + Write-Host "Virtual Machine Models.. " -NoNewline + $model = (Get-WmiObject Win32_ComputerSystem).Model + $vmModels = @('Virtual Machine', 'VirtualBox', 'KVM', 'Bochs') + + if ($vmModels -contains $model) { + $VMModelname = $true + $script:isVM = $true + "Detected VM model: $model" | Out-File -FilePath $log -Append + } + + Sleep -m 200 + if ($VMModelname) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # Check bios + Write-Host "Virtual Machine Bios.. " -NoNewline + $bios = (Get-WmiObject Win32_BIOS).Manufacturer + $vmBios = @('Phoenix Technologies LTD', 'innotek GmbH', 'Xen', 'SeaBIOS') + + if ($vmBios -contains $bios) { + $VMbiosname = $true + $script:isVM = $true + "Detected VM BIOS: $bios" | Out-File -FilePath $log -Append + } + + Sleep -m 200 + if ($VMbiosname) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + +} + +function Test-Screensize { + + Write-Host "Current Screen Size.. " -NoNewline + Add-Type -AssemblyName System.Windows.Forms + $screen = [System.Windows.Forms.Screen]::PrimaryScreen + $Width = $screen.Bounds.Width + $Height = $screen.Bounds.Height + + "Screen Size: $Width x $Height" | Out-File -FilePath $log -Append + + # List of common screen resolutions + $commonResolutions = @( + "1280x720", + "1280x800", + "1280x1024", + "1366x768", + "1440x900", + "1600x900", + "1680x1050", + "1920x1080", + "1920x1200", + "2560x1440", + "3840x2160" + ) + + # Current resolution as a string + $currentResolution = "$Width`x$Height" + + if ($commonResolutions -contains $currentResolution) { + Write-Host "OK" -ForegroundColor Green + } else { + $script:isVM = $true + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + +} + +function Test-Debugger { + + # check if a debugger is present + Write-Host "`n=== Debugging + Monitoring ===" -ForegroundColor Gray + Write-Host "Debugging Software.. " -NoNewline + Add-Type @" + using System; + using System.Runtime.InteropServices; + + public class DebuggerCheck { + [DllImport("kernel32.dll")] + public static extern bool IsDebuggerPresent(); + + [DllImport("kernel32.dll", SetLastError=true)] + public static extern bool CheckRemoteDebuggerPresent(IntPtr hProcess, ref bool isDebuggerPresent); + } +"@ + + $isDebuggerPresent = [DebuggerCheck]::IsDebuggerPresent() + $isRemoteDebuggerPresent = $false + [DebuggerCheck]::CheckRemoteDebuggerPresent([System.Diagnostics.Process]::GetCurrentProcess().Handle, [ref]$isRemoteDebuggerPresent) | Out-Null + + if ($isDebuggerPresent -or $isRemoteDebuggerPresent) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + } + else { + Write-Host "OK" -ForegroundColor Green + } + + # check if a Monitoring is present + Write-Host "Monitoring Software.. " -NoNewline + $taskManagers = @( + "taskmgr", + "procmon", + "procmon64", + "procexp", + "procexp64", + "perfmon", + "perfmon64", + "resmon", + "resmon64", + "ProcessHacker" + ) + $runningTaskManagers = @() + foreach ($taskManager in $taskManagers) { + if (Get-Process -Name $taskManager -ErrorAction SilentlyContinue) { + $runningTaskManagers += $taskManager + } + } + + if ($runningTaskManagers.Count -gt 0) { + Write-Host "Detected!" -ForegroundColor White -BackgroundColor Red + $runningTaskManagers | ForEach-Object { "Monitoring software found: $_" | Out-File -FilePath $log -Append } + } else { + Write-Host "OK" -ForegroundColor Green + } +} + +function Verdict{ + Write-Host "`n=== Result ===" -ForegroundColor Gray + + + if ($isVMHost) { + Write-Host "The environment appears to HOST virtual machines." -ForegroundColor Cyan + } + else{ + if ($isVM) { + Write-Host "The environment appears to be a VIRTUAL MACHINE." -ForegroundColor Red + } + else { + Write-Host "The environment does NOT appear to be a virtual machine." -ForegroundColor Green + } + } + +} + +function Test-Hardware{ + + Write-Host "`n=== System Hardware + Input ===" -ForegroundColor Gray + + # Check operating system uptime + Write-Host "Operating System Uptime.. " -NoNewline + $lastBootUpTime = (Get-WmiObject Win32_OperatingSystem).LastBootUpTime + $uptime = (Get-Date) - ([System.Management.ManagementDateTimeConverter]::ToDateTime($lastBootUpTime)) + $uptimeCheck = $uptime.TotalHours -gt 1 + $uptimeHours = [math]::Floor($uptime.TotalHours) + + if ($uptimeCheck) { + Write-Host "$uptimeHours Hrs" -ForegroundColor Green + "Operating System Uptime: $uptimeHours Hrs" | Out-File -FilePath $log -Append + } else { + Write-Host "$uptimeHours Hrs" -ForegroundColor White -BackgroundColor Red + "Operating System Uptime: $uptimeHours Hrs" | Out-File -FilePath $log -Append + } + + # Check if disk size is <= 60GB using WMI + Write-Host "Hard Disk Size.. " -NoNewline + $diskSize = (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").Size / 1GB + $roundedDiskSize = [math]::Floor($diskSize) + $diskSizeCheck = $diskSize -gt 64 + + if ($diskSizeCheck) { + Write-Host "$roundedDiskSize GB" -ForegroundColor Green + "HDD Size: $roundedDiskSize GB" | Out-File -FilePath $log -Append + } else { + Write-Host "$roundedDiskSize GB" -ForegroundColor White -BackgroundColor Red + "HDD Size: $roundedDiskSize GB" | Out-File -FilePath $log -Append + } + + # Check physical memory size + Write-Host "Total Physical Memory.. " -NoNewline + $memory = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB + $roundedMemory = [math]::Floor($memory) + $memoryCheck = $memory -gt 1 + + if ($memoryCheck) { + Write-Host "$roundedMemory GB" -ForegroundColor Green + "Total Physical Memory: $roundedMemory GB" | Out-File -FilePath $log -Append + } else { + Write-Host "$roundedMemory GB" -ForegroundColor White -BackgroundColor Red + "Total Physical Memory: $roundedMemory GB" | Out-File -FilePath $log -Append + } + + # Check core count + Write-Host "CPU Core Count.. " -NoNewline + $coreCount = (Get-WmiObject Win32_Processor).NumberOfCores + $coreCheck = $coreCount -gt 2 + + if ($coreCheck) { + Write-Host "$coreCount" -ForegroundColor Green + "Number Of Cores: $coreCount" | Out-File -FilePath $log -Append + } else { + Write-Host "$coreCount" -ForegroundColor White -BackgroundColor Red + "Number Of Cores: $coreCount" | Out-File -FilePath $log -Append + } + + # Check if mouse is present + Write-Host "Mouse Presence.. " -NoNewline + $mousePresent = [System.Windows.Forms.SystemInformation]::MousePresent + + if ($mousePresent) { + Write-Host "OK" -ForegroundColor Green + "Mouse Input Detected" | Out-File -FilePath $log -Append + } else { + Write-Host "Not Detected!" -ForegroundColor White -BackgroundColor Red + "Mouse Input Not Detected!" | Out-File -FilePath $log -Append + } + + # Check if Wscript is allowed + try{ + Write-Host "Wscript + Dialog Boxes.. " -NoNewline + $testbox = (New-Object -ComObject Wscript.Shell).Popup("Confirm You Are Not A Robot",3,"Captcha",0x0) + if ($testbox -eq 1){ + Write-Host "OK" -ForegroundColor Green -NoNewline + Write-Host " (Clicked)" -ForegroundColor DarkGray + "Dialog Box Clicked" | Out-File -FilePath $log -Append + } + else{ + Write-Host "OK" -ForegroundColor Yellow -NoNewline + Write-Host " (Not Clicked)" -ForegroundColor DarkGray + "Dialog Box Not Clicked!" | Out-File -FilePath $log -Append + } + } + catch{ + Write-Host "Not Allowed!" -ForegroundColor White -BackgroundColor Red + "Dialog Box Not Allowed!" | Out-File -FilePath $log -Append + } +} + +# ------------ RUN ALL THE FUNCTIONS ------------- +Write-Host "`n" +Test-VMHostNetwork +Test-VirtualMachine +Test-Screensize +Verdict +Test-Debugger +Test-Hardware +# -------------------------------------------------- + +pause