RedPill: Am I a VM?

  • 1.  RedPill: Am I a VM?

    Posted Apr 11, 2009 02:05 AM

    Is there any quick way to test if the machine running the posh script is a VM?



  • 2.  RE: RedPill: Am I a VM?
    Best Answer

    Posted Apr 11, 2009 02:14 AM

    It's not perfect, but you could easily use Get-Service to check for presence of the tools service.




    [vExpert|http://www.vmware.com/communities/vexpert/], PowerShell MVP, VI Toolkit forum moderator

    Author of the book: Managing VMware Infrastructure with PowerShell

    Co-Host, PowerScripting Podcast (http://powerscripting.net)

    Need general, non-VMware-related PowerShell Help? Try the forums at PowerShellCommunity.org



  • 3.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 03:17 AM

    That will do, Hal.

    function myIsLocalhostVM()
    {
        # -EA 0 (ErrorAction SilentlyContinue) suppresses the error raised when the service is absent
        $VMTools = Get-Service VMTools -EA 0
        if ( -not $VMTools )
            { return $false }
        else
            { return $true }
    }
    



  • 4.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 03:27 AM

    Or,

    function myIsLocalhostVM { if ( Get-Service VMTools -EA 0 ) { return $true } }

    :)









  • 5.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 04:43 PM

    If you can't run the VMware Tools service, for whatever reason, on your Windows guest, you could use the BIOS SerialNumber.

    function myIslocalhostVM{
      if ((Get-WmiObject Win32_BIOS).SerialNumber -match "VMware"){return $true}
    }
    



  • 6.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 05:01 PM

    Nice one, Luc.

    --

    Hal Rottenberg / hal@halr9000.com / http://halr9000.com

    Microsoft MVP (PowerShell) / VMware vExpert

    Co-Host, PowerScripting Podcast / Director, PowerShellCommunity.org

    "Managing VMware Infrastructure with PowerShell: TFM", due in April!

    Follow me on Twitter: http://twitter.com/halr9000



  • 7.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 05:49 PM

    Good find.



  • 8.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 06:03 PM

    If I know LucD he did not just find it :D he most likely knew it already LOL

    If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

    Tom Howarth VCP / vExpert

    VMware Communities User Moderator

    Blog: www.planetvm.net

    Contributing author for the upcoming book "VMware Virtual Infrastructure Security: Securing ESX and the Virtual Environment".



  • 9.  RE: RedPill: Am I a VM?

    Posted Jul 21, 2009 08:17 AM

    I think checking for the existence of the VMware Tools service might raise a false positive in at least one situation:

    converting a VM to a real computer when the service isn't uninstalled.

    OTOH, I had just tried to install VMware Tools (using the ISO image provided by Workstation 6.5.2) on a real PC and I noticed that the setup.exe refused to go on, saying that the computer isn't virtual. So that means there's an official way to detect if one's inside a VMware VM. The question is: is VMware going to release an official tool to check if one is within a VM?



  • 10.  RE: RedPill: Am I a VM?

    Posted Jul 21, 2009 12:08 PM

    Did you have a chance to test this theory against a *nix client as well?



  • 11.  RE: RedPill: Am I a VM?

    Posted Jul 22, 2009 10:55 AM

    What theory? What do you mean by client? Guest Linux?



  • 12.  RE: RedPill: Am I a VM?

    Posted Jul 22, 2009 02:07 PM

    I meant if you tried to install the VMware Tools on a physical *nix client (Linux guest indeed).

    Did it also say that it wasn't a virtual client?



  • 13.  RE: RedPill: Am I a VM?

    Posted Jul 22, 2009 03:11 PM

    Oh, that, my friend, I'm afraid I can't fulfill your wish, as I don't have any real, spare PC running Linux. All my Linux systems are within VMs.

    Hope somebody else could do this test and tell you the answer.



  • 14.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 06:09 PM

    You could also try by MAC address so long as the guest hasn't been manually set with a MAC address.

    ESX server VMs begin with 00:0C:29

    VirtualCenter created ESX Server VMs begin with 00:50:56

    If you ping the server in question and then run arp -a from your workstation, you should be able to look at the MAC address and know if it is a VMware VM.

    -MattG
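
The checks suggested in this thread (tools service, BIOS serial, MAC prefix) combined into one result, as an added example that is not code from any post above. The function names and the two sample inputs are hypothetical; the verdict rule (the service never decides alone, because it can survive a conversion to physical hardware) is this example's own assumption.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
$VMwareOuis = '00:0C:29', '00:50:56'   # prefixes quoted in MattG's post

function Test-VMwareSignals {
    param(
        [bool]$ToolsServicePresent,
        [string]$BiosSerial,
        [string[]]$MacAddresses
    )
    # Normalise 00-0c-29-... and 00:0C:29:... to one form before comparing.
    $macHit = $false
    foreach ($mac in $MacAddresses) {
        if (-not $mac) { continue }
        $norm = $mac.ToUpper().Replace('-', ':')
        foreach ($oui in $VMwareOuis) {
            if ($norm.StartsWith($oui)) { $macHit = $true }
        }
    }
    $biosHit = $BiosSerial -match 'VMware'
    New-Object PSObject -Property @{
        ToolsService  = $ToolsServicePresent
        BiosSerial    = $biosHit
        MacPrefix     = $macHit
        # The service can outlive a conversion to physical hardware, so it
        # never decides the verdict alone; BIOS or MAC must agree.
        IsVMwareGuest = ($biosHit -or $macHit)
        # Tools installed but the hardware does not look virtual.
        LeftoverTools = ($ToolsServicePresent -and -not ($biosHit -or $macHit))
    }
}

function Get-LocalVMwareSignals {
    # Collects the three signals from the machine running the script.
    $svc  = Get-Service VMTools -ErrorAction SilentlyContinue
    $bios = (Get-WmiObject Win32_BIOS).SerialNumber
    $macs = Get-WmiObject Win32_NetworkAdapterConfiguration |
            Where-Object { $_.MACAddress } |
            ForEach-Object { $_.MACAddress }
    Test-VMwareSignals -ToolsServicePresent ([bool]$svc) -BiosSerial $bios -MacAddresses $macs
}

# Constructed sample: a physical box that still carries the tools service.
Test-VMwareSignals -ToolsServicePresent $true -BiosSerial 'CZC1234ABC' -MacAddresses '00-1A-2B-3C-4D-5E'
# Constructed sample: a guest without tools, with a VMware BIOS serial and MAC.
Test-VMwareSignals -ToolsServicePresent $false -BiosSerial 'VMware-56 4d 00 00' -MacAddresses '00:0c:29:aa:bb:cc'
```

Returning each signal separately lets an inventory or audit script flag disagreement between them, such as a manually assigned MAC address or a tools service left on converted hardware.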



  • 15.  RE: RedPill: Am I a VM?



  • 16.  RE: RedPill: Am I a VM?

    Posted Apr 11, 2009 11:34 PM

    Chris, you are asking to re-write the Red Pill exploit in PS.

    That is in fact not a big problem since one can easily use any .Net language with the CompileAssemblyFromSource method.

    But is there really a point in doing this?

    I can only see the Red Pill being used in honeypots, not in 'regular' guests. For me there is no real value in accepting your challenge (albeit an interesting exercise).



  • 17.  RE: RedPill: Am I a VM?

    Posted Apr 12, 2009 05:05 AM

    I might need the exercise in ps pinvoke...