# --- Author: zetod1ce (github.com/ztd38f) --- #
# --- DISCLAIMER: Provided as-is, without warranties. For educational and testing use only in controlled environments. Use at your own risk. --- #

# PS.VMDetect: environment-fingerprinting routine (PowerShell).
#
# Probes for guest-side artifacts of Parallels, Hyper-V, VMware, VirtualBox,
# Xen and QEMU/Bochs: process names, service names, registry keys, and
# BIOS / SCSI / CPU identifier strings. It calls `exit` when the final
# condition is true and returns $false otherwise. The function is invoked
# immediately after its definition (last line).
#
# Analyst notes:
#   - This is the "system checks" form of virtualization/sandbox detection
#     (MITRE ATT&CK T1497.001).
#   - Every probe is a read: Get-Process, Get-Service, Test-Path,
#     Get-ItemProperty and Get-ChildItem. Nothing is written.
#   - The registry paths and name lists are literal strings in the script
#     text, so they can be matched in PowerShell script block logging
#     (Event ID 4104) or other script-content inspection.
#   - The same lists double as a hardening checklist for analysis images:
#     guest-tools services/processes, ACPI DSDT key names, and BIOS/SCSI
#     identifier strings are what this routine keys on.
#   - Aliases used: gps = Get-Process, gsv = Get-Service,
#     gp = Get-ItemProperty, gci = Get-ChildItem.
#     -ea 0 = ErrorAction SilentlyContinue, -ea 1 = ErrorAction Stop.
function PS.VMDetect {
    # Returns $true as soon as Get-Process finds any of the given process
    # names; lookup errors are silenced. Returns $false if none is running.
    function Check-ProcessPresence([string[]]$processes){foreach($proc in $processes){if (gps $proc -ea 0){return $true}}$false}

    # Returns $true as soon as Get-Service finds any of the given service
    # names (regardless of service state); $false if none is found.
    function Check-ServicePresence([string[]]$services){foreach($svc in $services){if (gsv $svc -ea 0){return $true}}$false}

    # Returns $true if any of the given registry key paths exists.
    # Paths are given without a provider prefix; "Registry::" is prepended here.
    function Check-RegistryKeyPresence([string[]]$keys){foreach($key in $keys){if (Test-Path "Registry::$key"){return $true}}$false}

    # Reads registry value $value under $key and tests it against $pattern
    # with -match (regex, case-insensitive by default). -ea 1 turns a missing
    # key or value into a terminating error, which the catch maps to $false.
    function Check-RegistryValuePattern([string]$key,[string]$value,[string]$pattern){try {(gp "Registry::$key" $value -ea 1).$value -match $pattern} catch{$false}}

    # Reads registry value $value under $key and returns it as stored (no
    # string conversion is applied, despite the name); $null if the key or
    # value cannot be read.
    # NOTE(review): if a value is multi-string, callers' -match acts as a
    # filter over its elements rather than a single boolean test; confirm the
    # value types on the target system.
    function Get-RegistryValueText([string]$key,[string]$value){try {(gp "Registry::$key" $value -ea 1).$value} catch{$null}}

    # Parallels: "parallels" in the system or video BIOS version strings.
    function Detect-Parallels {
        $biosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "SystemBiosVersion"
        $videoBiosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "VideoBiosVersion"
        if ($biosVersion -match "parallels" -or $videoBiosVersion -match "parallels"){return $true}
        $false
    }

    # Hyper-V: guest parameter value, subkey names under
    # HKLM\SOFTWARE\Microsoft, BIOS version string, and the vmicexchange service.
    function Detect-HyperV {
        # Any non-empty host name value under Guest\Parameters counts as a hit.
        if (Get-RegistryValueText "HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters" "PhysicalHostNameFullyQualified"){return $true}
        # -name returns the child key names only; -contains is an exact
        # element comparison, not a substring match. This gci call has no
        # -ea, so enumeration errors are not silenced here.
        $microsoftKeys = gci "Registry::HKLM\SOFTWARE\Microsoft" -name
        if ($microsoftKeys -contains "Hyper-V" -or $microsoftKeys -contains "VirtualMachine"){return $true}
        $biosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "SystemBiosVersion"
        if ($biosVersion -match "virtual" -or $biosVersion -eq "Hyper-V"){return $true}
        # NOTE(review): $keys is not assigned in this function or anywhere in
        # the visible enclosing scope, so this call appears to receive an
        # empty list and never match. Confirm no outer $keys exists at runtime.
        if (Check-RegistryKeyPresence $keys){return $true}
        if (Check-ServicePresence @("vmicexchange")){return $true}
        $false
    }

    # VMware: guest service names, BIOS manufacturer, SCSI identifier on
    # port 1, display-class driver description, and guest-tools processes.
    function Detect-VMware {
        $vmwareServices = @("vmdebug","vmmouse","VMTools","VMMEMCTL","tpautoconnsvc","tpvcgateway","vmware","wmci","vmx86")
        if (Check-ServicePresence $vmwareServices){return $true}
        $systemMaker = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System\BIOS" "SystemManufacturer"
        if ($systemMaker -match "vmware"){return $true}
        $scsiPort = Get-RegistryValueText "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0" "Identifier"
        if ($scsiPort -match "vmware"){return $true}
        # {4D36E968-...} is the display-adapter device class; instance 0000
        # under ControlSet001 is inspected for a VMware SVGA driver description.
        if (Check-RegistryValuePattern "HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000" "DriverDesc" "cl_vmx_svga|VMWare"){return $true}
        $vmwareProcesses = @("vmtoolsd","vmwareservice","vmwaretray","vmwareuser")
        if (Check-ProcessPresence $vmwareProcesses){return $true}
        $false
    }

    # VirtualBox: guest-additions services/processes, ACPI DSDT key, SCSI
    # identifiers on ports 0-2, BIOS version strings, and system product name.
    function Detect-VirtualBox {
        $vboxProcesses = @("vboxservice","vboxtray")
        $vboxServices = @("VBoxMouse","VBoxGuest","VBoxService","VBoxSF","VBoxVideo")
        # NOTE(review): Check-ServicePresence is invoked as a command here, so
        # the rest of the condition ("-or Check-ProcessPresence $vboxProcesses")
        # is handed to it as arguments rather than evaluated as a second call.
        # As written, only the service list is actually tested on this line.
        if (Check-ServicePresence $vboxServices -or Check-ProcessPresence $vboxProcesses){return $true}
        $vboxKeys = @("HKLM\HARDWARE\ACPI\DSDT\VBOX__")
        if (Check-RegistryKeyPresence $vboxKeys){return $true}
        # Iterates Scsi Port 0, 1 and 2.
        for ($i=0; $i-le2; $i++){if (Check-RegistryValuePattern "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port $i\Scsi Bus 0\Target Id 0\Logical Unit Id 0" "Identifier" "vbox"){return $true}}
        $biosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "SystemBiosVersion"
        $videoBiosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "VideoBiosVersion"
        if ($biosVersion -match "vbox" -or $videoBiosVersion -match "virtualbox"){return $true}
        $systemProductName = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System\BIOS" "SystemProductName"
        if ($systemProductName -match "virtualbox"){return $true}
        $false
    }

    # Xen: guest process/service names, ACPI DSDT key, and system product name.
    function Detect-Xen {
        $xenProcesses = @("xenservice")
        $xenServices = @("xenevtchn","xennet","xennet6","xensvc","xenvdb")
        # NOTE(review): same command-argument parsing as in Detect-VirtualBox;
        # as written only Check-ProcessPresence runs, and the service list is
        # passed to it as extra arguments instead of being checked.
        if (Check-ProcessPresence $xenProcesses -or Check-ServicePresence $xenServices){return $true}
        $xenKeys = @("HKLM\HARDWARE\ACPI\DSDT\Xen")
        if (Check-RegistryKeyPresence $xenKeys){return $true}
        $systemProductName = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System\BIOS" "SystemProductName"
        if ($systemProductName -match "xen"){return $true}
        $false
    }

    # QEMU/Bochs: BIOS version strings, SCSI identifier on port 0, BIOS
    # manufacturer, CPU name string, and the BOCHS_ ACPI DSDT key.
    function Detect-QEMU {
        $biosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "SystemBiosVersion"
        $videoBiosVersion = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System" "VideoBiosVersion"
        if ($biosVersion -match "qemu" -or $videoBiosVersion -match "qemu"){return $true}
        $scsiPort = Get-RegistryValueText "HKLM\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0" "Identifier"
        $systemMaker = Get-RegistryValueText "HKLM\HARDWARE\DESCRIPTION\System\BIOS" "SystemManufacturer"
        if ($scsiPort -match "qemu|virtio" -or $systemMaker -match "qemu"){return $true}
        if (Check-RegistryValuePattern "HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0" "ProcessorNameString" "qemu"){return $true}
        $qemuKeys = @("HKLM\HARDWARE\ACPI\DSDT\BOCHS_")
        if (Check-RegistryKeyPresence $qemuKeys){return $true}
        $false
    }

    # Final decision: `exit` ends the current script / host session on a hit;
    # otherwise the function returns $false.
    # NOTE(review): Detect-Parallels is invoked as a command, so the remaining
    # "-or Detect-..." tokens are passed to it as arguments and the other five
    # detectors are not called from this line. When triaging, treat the
    # effective trigger as the Parallels BIOS-string check only; confirm by
    # tracing execution.
    if (Detect-Parallels -or Detect-HyperV -or Detect-VMware -or Detect-VirtualBox -or Detect-Xen -or Detect-QEMU){exit} else {return $false}
}; PS.VMDetect