
Releases: kernelwernel/VMAware

v2.6.0 🎉

25 Jan 01:04


Important

🎉 1,000 Stars Milestone

We are proud to announce that VMAware has reached 1000 stars!

This milestone marks the evolution of this project from a simple experiment into one of the gold standards for open-source virtual machine detection. What started as just a hobby side project 3 years ago has brought us here: running on tens of thousands of machines, collaborating with anti-cheats and security-related projects, appearing in scientific papers, and further advancing the field of VM detection.

Thank you to all our contributors and users for supporting the project ❤️

- @kernelwernel and @NotRequiem

Main Changes (Detections)

Added

  • VM::SMBIOS_INTEGRITY: Specifically targeting Oracle hypervisors.
  • VM::EDID: This technique aims to detect non-standard EDID values used by patches.
  • VM::CPU_HEURISTIC: This technique aims to detect spoofed CPUs commonly used in public hardened setups, such as Nika-Read-Only.
    • Detection of hidden instruction capabilities (AES, YMM state, RDRAND).
    • Detection of spoofed CPU vendors (AMD CPU spoofed as Intel, or vice versa).
    • Detection of spoofed motherboards (AMD motherboard having an Intel CPU, and vice versa).
  • VM::CLOCK: Detection of "must-have" bare-metal system timers:
    • PIT/AT timer (PC-class System Timer).
    • HPET (PNP0103, checked in VM::FIRMWARE).

Improved

  • VM::BOCHS_CPU
  • VM::TIMER:
    • New latency thresholds based on more than 100,000 tests over 10,000 different machines.
    • New mathematical algorithm based on gap-based clustering, able to detect contaminated results due to kernel noise.
    • New tamper-proof algorithm to retrieve CPU base speed.
    • Improved unconditional vmexits.
    • Improved vCPU pinning and thread affinity.
    • Improved checks based on comparing TSC scale with clock frequency.
    • New check capable of detecting every RDTSC/RDTSCP patch by cross-referencing kernel interrupt timers vs. TSC scaling.
  • VM::DMI_SCAN
  • VM::FIRMWARE
  • VM::PCI_DEVICES
  • VM::HW_MODEL
  • VM::MAC_SIP
  • VM::WINE
  • VM::POWER_CAPABILITIES
  • VM::GAMARUE
  • VM::SGDT
  • VM::SLDT
  • VM::MUTEX
  • VM::CUCKOO_DIR
  • VM::CUCKOO_PIPE
  • VM::DISPLAY
  • VM::DRIVERS
  • VM::DISK_SERIAL
  • VM::IVSHMEM
  • VM::DEVICE_HANDLES
  • VM::VIRTUAL_REGISTRY
  • VM::AUDIO
  • VM::ACPI_SIGNATURE
  • VM::TRAP
  • VM::UD
  • VM::DBVM
  • VM::OBJECTS
  • VM::NVRAM:
    • Detection of missing EFI vars found in every bare-metal system.
    • Detection of illegitimate injected Secure Boot certificates.
    • Detection of mismatched EFI var relationships.
    • Detection of OVMF firmware patterns.
  • util::is_proc_running: Updated to read /proc/[pid]/cmdline binary data more accurately to handle embedded nulls.
  • util::hyper_x(): Updated detection logic for Hyper-V artifact types (Root partition vs. Guest vs. Enlightenment).
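The /proc/[pid]/cmdline change above is about a byte-exact parse: arguments are NUL-separated, so reading the file as a C string silently drops everything after argv[0]. The following is an added illustration, not VMAware's own util::is_proc_running; the sample buffer is constructed and the helper names are assumptions.

```cpp
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// Split the raw bytes of /proc/[pid]/cmdline into argv. Each argument is
// NUL-terminated, so the split must walk the bytes rather than treat the
// buffer as a C string (which would stop at the first NUL).
std::vector<std::string> split_cmdline(const std::string& raw) {
    std::vector<std::string> argv;
    std::string cur;
    for (char ch : raw) {
        if (ch == '\0') {
            argv.push_back(cur);   // keeps empty arguments ("prog\0\0x\0")
            cur.clear();
        } else {
            cur.push_back(ch);
        }
    }
    if (!cur.empty()) argv.push_back(cur);   // tolerate a missing trailing NUL
    return argv;
}

// Basename of argv[0], so "/usr/bin/vmaware" and "vmaware" compare equal.
std::string basename_of(const std::string& path) {
    const auto pos = path.find_last_of('/');
    return pos == std::string::npos ? path : path.substr(pos + 1);
}

// Does this cmdline buffer belong to a process whose executable name matches?
// An empty buffer (zombie or kernel thread) never matches.
bool cmdline_matches(const std::string& raw, const std::string& name) {
    const auto argv = split_cmdline(raw);
    return !argv.empty() && basename_of(argv[0]) == name;
}

// Read the whole file as bytes; istreambuf_iterator preserves embedded NULs.
// (Helper name is an assumption; it is what one would call on /proc/<pid>/cmdline.)
std::string read_cmdline(const std::string& path) {
    std::ifstream f(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(f),
                       std::istreambuf_iterator<char>());
}

// Constructed sample of what the kernel returns for "/usr/bin/vmaware --verbose --json".
// The explicit length is required: a string literal would stop at the first NUL.
const std::string SAMPLE_CMDLINE("/usr/bin/vmaware\0--verbose\0--json\0", 34);
```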

Fixed

  • std::source_location usage for Apple systems.
  • Compilation for crc32 function targets on ARM.
  • Linux cooling detections.
  • Linux SIGSEGV exception on some (exotic) machines without PCI device storage.
  • Support for the new MSVC v145 compiler, with enum underlying type canonicalization.
  • Crashes in VM::TRAP when compiled with Clang using the MSVC toolset with all stack optimizations enabled and frame pointers omitted, which caused a non-volatile register (specifically RBX) to be corrupted. This happened because cpuid clobbers RBX, and although we added push/pop rbx, the use of EXCEPTION_EXECUTE_HANDLER makes the OS unwind the stack without executing the pop rbx instruction.
  • Every false flag known to date and/or reported in v2.5.0.
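The VM::TRAP fix above comes down to one rule: a manual push/pop around cpuid is not balanced when an exception unwinds past it, so RBX must be declared to the compiler instead, which then saves and restores it in the function prologue/epilogue that the unwinder honours. This added example (not VMAware's code) shows the GCC/Clang extended-asm form of that rule and a check that RBX, callee-saved under the SysV x86-64 ABI, survives a call into the wrapper; on non-x86 builds it falls back to reporting "unsupported", which is an assumption of this snippet.

```cpp
#include <cstdint>
#include <string>

// Result of CPUID leaf 0: highest basic leaf and the 12-byte vendor string.
struct Leaf0 {
    bool supported = false;   // false on non-x86 builds (fallback assumed here)
    uint32_t max_leaf = 0;
    std::string vendor;
};

#if defined(__x86_64__)
// Correct pattern: RBX is named as an output operand ("=b"), so the compiler
// owns the register and preserves it around the asm block. There is no manual
// push/pop that an exception unwinder could skip.
static inline void cpuid_raw(uint32_t leaf, uint32_t sub,
                             uint32_t& a, uint32_t& b, uint32_t& c, uint32_t& d) {
    __asm__ __volatile__("cpuid"
                         : "=a"(a), "=b"(b), "=c"(c), "=d"(d)
                         : "a"(leaf), "c"(sub));
}
#endif

Leaf0 cpuid_leaf0() {
    Leaf0 r;
#if defined(__x86_64__)
    uint32_t a, b, c, d;
    cpuid_raw(0, 0, a, b, c, d);
    r.supported = true;
    r.max_leaf = a;
    // The vendor string is laid out in EBX, EDX, ECX order.
    uint32_t regs[3] = {b, d, c};
    r.vendor.assign(reinterpret_cast<const char*>(regs), 12);
#endif
    return r;
}

// Kept out of line so the call below really crosses a function boundary.
__attribute__((noinline)) static uint32_t cpuid_max_leaf_noinline() {
    return cpuid_leaf0().max_leaf;
}

// Sanity check for the property the fix relies on: RBX is callee-saved, so it
// must hold the same value before and after calling into code that ran CPUID.
// The "memory" clobbers pin the two reads on either side of the call.
bool rbx_survives_cpuid() {
#if defined(__x86_64__)
    uint64_t before, after;
    __asm__ __volatile__("mov %%rbx, %0" : "=r"(before) : : "memory");
    (void)cpuid_max_leaf_noinline();
    __asm__ __volatile__("mov %%rbx, %0" : "=r"(after) : : "memory");
    return before == after;
#else
    return true;   // nothing to check on non-x86 builds
#endif
}
```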

Removed

  • VM::TPM
  • VM::REGISTRY_VALUES
  • VM::REGISTRY_KEYS
  • VM::HYPERV_QUERY (Renamed to VM::HYPERVISOR_QUERY)
  • VM::BOOT_MANAGER
  • VM::SMBIOS_PASSTHROUGH (Renamed to VM::SMBIOS_INTEGRITY)
  • VM::GENERAL_HOSTNAME
  • VM::VBOX_DEFAULT
  • VM::INTEL_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)
  • VM::AMD_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)
  • VM::XEON_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)

Evaluated Detections

These are detections that were tested in previous versions of VMAware but not added to production because they were not reliable enough.

  • MSR ranges not injecting #GP correctly, specifically KVM's 0x4b564d08-0x4b564dff ASCII tag; normally, VEH redirection happens on most hypervisors.
  • Last Branch Record (LastBranchFromIp) virtualization checks using ICEBP (INT 01 kernel handler) with debug bits and trap flags.
  • EDK II (TianoCore) EFI checks.
  • BIOS POST timing checks.
  • Kernel-Power log queries to detect nominal CPU frequency and timing status.
  • ACPI divergence tests with SSDT and DSDT device scopes.

Secondary Changes

Additions

  • cpu::get_model() and cpu::stepping_struct: To parse CPU brand strings and family/model/stepping data more accurately.
  • util::get_ntdll(): Manually walks the PEB to find the base address of ntdll.dll.
  • util::get_function_address(): Manually parses the Export Address Table (EAT) of a module to find function pointers by name.
  • util::get_manufacturer_model(): Retrieves BIOS information via Registry (Windows).
  • cpu::is_leaf_supported(): Caches supported CPUID leaves.
  • French, Korean, and Chinese translations of our library.

Improvements

  • Prevented any RWX memory allocation, and prevented heap memory from being allocated in any part of the core.
  • Rewrote every check using the Windows NT API. We decided not to implement a direct/indirect syscall core due to incompatibilities with anti-cheat systems and other security products that currently use VMAware.
  • Hardware-accelerated precomputed hashing + O(1) lookup for CPU DB fetches.
  • Improved automatic hardened environment guesses.
  • Removed redundant utility functions.
  • More conclusive hypervisor detection reports.
  • constexpr-ization.
  • Memo caching for various elements.
  • CPU fetching utility function performance.
  • CPU database performance for the thread database technique.
  • Code clarity in all core and technique functions.
  • Windows module handling.
  • Core technique management.
  • Technique argument handler.
  • Brand fetching mechanism.
  • Renamed macros to prevent conflicts with other user-defined preprocessor directives.
  • Updated VMAware performance benchmarks.
  • Direct retrieval of Windows pseudo-handles without calling APIs.
  • Support for all Intel Core Ultra processors in our DB.

Next Plans under consideration

  • Removal of the dev branch.
  • Instruction tests in compatibility mode (a jmp similar to the Heaven's Gate technique). For example, instructions intercepted by hypervisors such as popf have the exact same encoding in compatibility mode and 64-bit mode but behave differently depending on which mode the CPU is running in, which makes them the most likely to have been overlooked by kernel developers.
  • Abusing faulty RFLAGS/DR6/DR7 injections when forcing an exception to detect hypervisors like DBVM.
  • Addition of side-channel cache attacks and TLB flushes to our timing set.
  • VM::STEALTH mode (disabled by default), which will detect IAT, EAT, VMT, VEH and other kinds of basic inline hooks via in-memory vs. on-disk module comparisons and digital signature checks, to determine whether VMAware routines are being intercepted, while minimizing conflicts with other anti-debugging/anti-cheat projects that run our library.
  • Addition of vmexit latency detection patterns made by BiLSTM RNN models.
  • Open-source kernel-level checks without exposing a digitally signed driver.
  • Other surprises.

VirusTotal Results and Executables

https://www.virustotal.com/gui/file/fdcb107e4831679f6d97e212fef7041040b018670b25f929a5c3efdc58e3ab96?nocache=1

The Windows binaries were generated in the CI/CD purely from the source code here, excluding the debug binary, which was compiled manually to avoid people having runtime issues with the binary.

The Linux binaries, on the other hand, were generated through the cmake file present in the root directory of the repository.

Note

This update is focused on detecting both private and public hardened setups, primarily via CPU instruction abuse, non-volatile RAM checks and timing attacks. Our strongest and most documented technique (VM::TIMER) now has a score of 100% and will conclude a VM if triggered. We're ready to release a patch version (2.6.1) if this decision turns out to be too risky. Report any possible issues you may find so we can fine-tune our algorithms.

Contact

For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com.

2.5.0 Release 🎉

09 Sep 01:21
0c916f1


2.5.0 Release

  • Added UTM (macOS VM) brand

  • Removed Hypervisor-Phantom brand (detected with generic checks)

  • Added:

    • VM::BOOT_LOGO (Check the boot logo for known VM images)
    • VM::BOOT (Check to identify boot managers used in virtual machines)
    • VM::NVRAM (Check to counter firmware passthrough, specifically SSDT and SMBIOS)
    • VM::OBJECTS (Check to counter VM::TRAP bypasses by using KVM + Hyper-V)
    • VM::MAC_SYS (Check for VM-strings in system profiler commands for MacOS)
    • VM::ACPI_SIGNATURE (Check for exposed device location paths in the DSDT, for QEMU and Hyper-V)
    • VM::SMBIOS_PASSTHROUGH (Check for malformed/corrupted SMBIOS)
  • Fixed:

    • Fixed ARM compilation issues
    • Fixed possible false flag when probing VMware's Virtual Machine Communication Interface
    • Fixed possible false flag when attempting to detect Hyper-V's VMBUS
    • Fixed detection for QEMU's Hyper-V enlightenments
  • Improved:

    • VM::INTEL_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::XEON_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::AMD_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::TIMER:
      • New threshold ratios adjusted empirically with runs in more than 10,000 machines
      • New split-lock detection
      • New QPC algorithm that evicts hypervisors by avoiding a userland-triggered context switch
      • New checks for nested virtualization
      • New checks for detecting the current CPU speed
      • New check capable of beating most public RDTSC patches
    • VM::VBOX_DEFAULT - Updated to cover all VirtualBox defaults in all architectures
    • VM::SIDT - Code safety improvements
    • VM::HYPERV_HOSTNAME - Updated to detect latest Azure's Hyper-V change
    • VM::FIRMWARE:
      • Fixed DSDT, RSMB and FIRM fetching
      • Compile-time byte-swap computation
      • Faster raw binary search
      • Improved KVM ACPI Device() signature check and moved it to VM::ACPI_SIGNATURE
      • Removed power/adapter object checks due to false flags
      • Removed SSDT revision checks due to false flags
      • Removed _OSI parameter checks due to false flags on latest Surface Pro devices
      • Removed DSDT revision checks (pre-experimental) due to false flags on Lenovo and Acer devices like 82GN and SP111-34N and 100+ others
      • Removed thermal zones and PTS checks (pre-experimental) due to false flags on devices Toshiba Satellite Pro R40-C and 100+ others
      • Removed FACP revision checks
      • Added FACP integrity checks
      • Added HPET presence checks when not running under ARM devices with virtual CPUs
      • Added C2 and C3 latency checks
    • VM::PCI_DEVICES - Improved performance, improved detections on Hyper-V, debug output will now be in hexadecimal
    • VM::REGISTRY_KEYS - Improved performance, improved detections for VirtualBox and Hyper-V, fixed false flags on Wine
    • VM::POWER_CAPABILITIES - Better checks to detect commonly unsupported states on VMs
    • VM::REGISTRY_VALUES - Improved performance
    • VM::SGDT - Code safety improvements
    • VM::SLDT - Code safety improvements
    • VM::DISPLAY - Added display path, BPP and DPI checks
    • VM::DISK_SERIAL - Added generic checks for non physical drives, improved performance
    • VM::IVSHMEM - Dramatically improved performance
    • VM::VIRTUAL_PROCESSORS - Improved code simplicity and performance
    • VM::VIRTUAL_REGISTRY - Improved performance
    • VM::TPM - Made it compatible with ARM devices with TPMs manufactured by Microsoft
    • VM::DBVM - Reduced memory fragmentation. Fixed an issue where an exception would be handled as an EXCEPTION_ACCESS_VIOLATION_READ rather than an EXCEPTION_ILLEGAL_INSTRUCTION
    • VM::DMESG - Code safety improvements
    • VM::NSJAIL_PID - Improved error handling and made process id fetching safer
    • VM::THREAD_COUNT - Cached thread count number to improve performance
    • VM::MAC_IOKIT - Additional keyboard checks
    • VM::MAC_SIP - New generic checks for hypervisor presence, focused on detecting UTM and kern.hv_vmm_present

    Other improvements:

    • New checks to detect whether the environment is hardened against VM detection techniques or not
    • New --json and --output commands in the CLI
    • New custom GetProcAddress implementation for better performance and stealthiness
    • New execution speed info when running with --verbose
    • Now the CLI console will not be closed automatically upon program termination
    • Improved binary translation checks on ARM
    • Improved conclusion messages and CLI output
    • Improved library core, overall performance and memory safety
    • Improved Windows version detection
    • Improved disk size and RAM size retrieval, using different APIs
    • Improved CPU fetching for AMD A series
    • Lowered detection scores of registry, GPU and power-capabilities techniques, increased VM::TIMER score
    • Deprecated --no-memo argument in the CLI
    • Type changes to WSL and Intel HAXM
    • Made hyper-x debug messages clearer
    • Better checks and reporting when the program is not running with enough privileges to run some techniques
    • On Windows, disk size checks will detect the drive where the OS is installed rather than fetching C:
  • Removed:

    • VM::DISK_SIZE - Not a reliable proof of virtualization
    • VM::LOGICAL_PROCESSORS - Now handled by our thread databases
    • VM::PHYSICAL_PROCESSORS - Now handled by our thread databases
    • VM::ODD_THREADS - Now handled by our thread databases
    • VM::QEMU_PASSTHROUGH - Improved and renamed to VM::ACPI_SIGNATURE
    • VM::VBOX_NETWORK - Merged into VM::REGISTRY_KEYS

VirusTotal results and executables

https://www.virustotal.com/gui/file/48c30fd4dfd05b48512364e21104ccf34ab558a0838b956bc284690999b9d722

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

Extra

For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com

2.4.1 Release 🎉

05 Jun 19:21
9c88f65


  • added DBVM (Dark Byte's VM) brand
  • added:
    • VM::DBVM
    • VM::UD
    • VM::BLOCKSTEP
  • fixed:
    • VM::SGDT (0xD0 signature detected false flagging when Hyper-V was not running)
    • VM::SIDT (top-most byte signature false flagging when Hyper-V was not running)
    • VM::FIRMWARE (false flagging on Acer Aspire Notebooks while attempting to detect Xen virtual machines)
    • VM::TRAP (false flagging on AMD CPUs)
  • improved:
    • VM::FIRMWARE (detections for ACPI KVM's signatures)

VirusTotal results and executables

https://www.virustotal.com/gui/file/8a8db0d2bec2bfa899a79ecd44a92d45fdea008365d3dced9fbcacc2204a0eb9?nocache=1

The Windows binaries were generated in the CI/CD purely from the source code here, except for the vmaware_debug binary, which was generated using MSVC with the __VMAWARE_DEBUG__ macro.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

Extra

For any inquiries, contact us on discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com

2.4.0 Release 🎉

01 Jun 04:48
6f86fac


  • removed:

    • VM::ACPI_TEMPERATURE
    • VM::BAD_POOLS
    • VM::COMPUTER_NAME
    • VM::DEVICE_TREE
    • VM::DRIVER_NAMES
    • VM::GPU_VM_STRINGS
    • VM::HKLM_REGISTRIES
    • VM::HOSTNAME
    • VM::KVM_BITMASK
    • VM::KVM_DIRS
    • VM::LSHW_QEMU
    • VM::MSSMBIOS
    • VM::NATIVE_VHD
    • VM::NETTITUDE_VM_MEMORY
    • VM::NUMBER_OF_CORES
    • VM::OSXSAVE
    • VM::PCI_VM
    • VM::PORT_CONNECTORS
    • VM::PROCESSOR_NUMBER
    • VM::QEMU_DIR
    • VM::REGISTRY
    • VM::SCREEN_RESOLUTION
    • VM::SETUPAPI_DISK
    • VM::THREADCOUNT
    • VM::UNKNOWN_MANUFACTURER
    • VM::VM_DEVICES
    • VM::VM_FILES
    • VM::VM_PROCESSES
    • VM::VM_PROCS
    • VM::VMWARE_PORT_MEM
    • VM::WINE_CHECK
    • VM::PROCESSES (Windows section)
    • VM::TEMPERATURE (Windows section)
  • undisabled:

    • VM::TEMPERATURE
  • added:

    • VM::DEVICE_HANDLES
    • VM::DISPLAY
    • VM::DRIVERS
    • VM::LOGICAL_PROCESSORS
    • VM::PCI_DEVICES
    • VM::PHYSICAL_PROCESSORS
    • VM::PROCESSES
    • VM::QEMU_PASSTHROUGH (world's first ever device passthrough detection)
    • VM::REGISTRY_KEYS
    • VM::REGISTRY_VALUES
    • VM::THREAD_COUNT
    • VM::TRAP
  • added compile-time filters for unsupported techniques based on platforms

  • added compatibility for Windows 7 and above

  • made the library fully MIT

  • improved every vm detection technique, focusing on:

    • Timing attacks
    • Firmware analysis
    • Device passthrough detection
    • PCIe scanning
    • GPU capabilities

VirusTotal results

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

https://www.virustotal.com/gui/file/47bb5c20629b8b4173eea2076e123777b80ceee25243c2c41e5b41e2068f3608?nocache=1

Credits

@NotRequiem
@kernelwernel

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.3.0 Release 🎉

24 Apr 01:27
017a6b4


RELEASE NOTES:

  • added Hypervisor-Phantom brand
  • added:
    • VM::TPM
    • VM::QEMU_FW_CFG
    • VM::IVSHMEM
  • added better macro handling for Windows
  • added clang compatibility fixes
  • fixed memory leak in the CLI
  • improved execution speed of Windows techniques
  • improved debugs for:
    • VM::AMD_THREAD_MISMATCH
    • VM::INTEL_THREAD_MISMATCH
    • VM::XEON_THREAD_MISMATCH
    • VM::VIRTUAL_PROCESSORS
  • improved cpuid handling
  • improved process utilities
  • improved:
    • VM::REGISTRY
    • VM::VBOX_NETWORK
    • VM::VM_PROCESSES
    • VM::SIDT
    • VM::SGDT
    • VM::SLDT
    • VM::GPU_VM_STRINGS
    • VM::GPU_CAPABILITIES
    • VM::TIMER
    • VM::FIRMWARE
    • VM::AUDIO
    • VM::OSXSAVE
    • VM::SYS_QEMU_DIR
  • merged:
    • VM::OFFSEC_SIDT and VM::VPC_SIDT into VM::SIDT
    • VM::OFFSEC_SGDT into VM::SGDT
    • VM::OFFSEC_SLDT into VM::SLDT
    • VM::QEMU_GA into VM::VM_PROCESSES
  • renamed VM::HDD_SERIAL to VM::DISK_SERIAL
  • disabled by default:
    • VM::PORT_CONNECTORS
    • VM::ACPI_TEMPERATURE
    • VM::LSHW_QEMU
    • VM::PCI_VM
  • removed:
    • VM::SIDT5
    • IDT_GDT_SCAN
    • PROCESSOR_ID

VirusTotal results

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

https://www.virustotal.com/gui/file/47bb5c20629b8b4173eea2076e123777b80ceee25243c2c41e5b41e2068f3608?nocache=1

Credits

@NotRequiem
@pemessier
@dmfrpro

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.2.0 Release 🎉

06 Apr 01:54
8cb2491


  • improved VM::TIMER
  • improved VM::FIRMWARE
  • fixed false positives from 2.1.1
  • fixed macro redefinitions
  • fixed Hyper-X mechanism bug in 2.1.1
  • fixed Hyper-V conflict with "Unknown" brand anomaly
  • fixed some grammatical errors in VM descriptions

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.

https://www.virustotal.com/gui/file/d5c72c618a276731134e205bc274298f7be29ea9e207f1abab7425674751b2ca?nocache=1

https://any.run/report/d5c72c618a276731134e205bc274298f7be29ea9e207f1abab7425674751b2ca/bb535daa-7b93-4b8e-bab4-84935be1c731


Credits

@NotRequiem
@pemessier
@dmfrpro


Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.1.1 Release 🎉

25 Mar 23:13
bb2fbcc


  • added improvements for QEMU detection (extra SCSI ports)
  • added performance optimisations
  • added compilation support for operating systems below Windows 8 on VM::NATIVE_VHD
  • fixed --no-ansi problem
  • fixed compilation warnings for MSVC
  • fixed critical false positives for:
    • VM::VIRTUAL_PROCESSORS
    • VM::POWER_CAPABILITIES (Removed WakeAlarm checks)
    • VM::ACPI_TEMPERATURE
    • VM::IDT_GDT_SCAN
    • VM::VM_SIDT
  • replaced Hyper-V artifact brand type from "Hypervisor (type 1)" to "Unknown"
  • renamed VM::IDT_GDT_MISMATCH to VM::IDT_GDT_SCAN
  • removed VM::CPUID_BITSET technique

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.

https://www.virustotal.com/gui/file/198e529e9423feda3b1718a33feaea88dc2f4bd5bcebb944e643cf44da23a9e1?nocache=1


Credits

@NotRequiem


Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.1 Release 🎉

19 Mar 03:30
034961b


  • added new function VM::detected_enums()
  • added new brands:
    • Intel TDX
    • LKVM
    • AMD SEV
    • AMD SEV-ES
    • AMD SEV-SNP
    • Neko Project II
    • NoirVisor
    • Qihoo 360 Sandbox
    • nsjail
  • added new techniques:
    • VM::TIMER
    • VM::GPU
    • VM::VM_DEVICES
    • VM::ACPI_TEMPERATURE
    • VM::VIRTUAL_PROCESSORS
    • VM::HYPERV_QUERY
    • VM::BAD_POOLS
    • VM::AMD_SEV
    • VM::AMD_THREAD_MISMATCH
    • VM::NATIVE_VHD
    • VM::VIRTUAL_REGISTRY
    • VM::FIRMWARE
    • VM::FILE_ACCESS_HISTORY
    • VM::AUDIO
    • VM::UNKNOWN_MANUFACTURER
    • VM::OSXSAVE
    • VM::NSJAIL_PID
    • VM::PCI_VM
  • added new features to the CLI:
    • added brand descriptions
    • added --mit and --enums options
    • renamed --no-color option with --no-ansi
  • fixed MacOS techniques
  • fixed Hyper-X mechanism
  • fixed C++ standards compatibility issues
  • fixed argument handler issues
  • improved cpu module
  • improved Windows stuff
  • various fixes, improvements, and optimisations to many techniques
  • merged tons of techniques into one
  • modified the scores for many techniques
  • removed WMI module with a more efficient replacement
  • removed brands:
    • Microsoft x86-to-ARM
    • Apple Rosetta 2
  • removed techniques:
    • VM::RDTSC
    • VM::VMWARE_REG
    • VM::VBOX_REG
    • VM::USER
    • VM::VBOX_WINDOW_CLASS
    • VM::LOADED_DLLS
    • VM::KVM_REG
    • VM::KVM_DRIVERS
    • VM::AUDIO
    • VM::VMID_0X4
    • VM::PARALLELS_VM
    • VM::QEMU_BRAND
    • VM::VPC_BOARD
    • VM::HYPERV_WMI
    • VM::HYPERV_REG
    • VM::BIOS_SERIAL
    • VM::VALID_MSR
    • VM::QEMU_PROC
    • VM::VPC_PROC
    • VM::HYPERV_BOARD
    • VM::VM_FILES_EXTRA
    • VM::UPTIME
    • VM::HYPERV_BITMASK
    • VM::VMWARE_DMI
    • VM::HYPERV_EVENT_LOGS
    • VM::VMWARE_EVENT_LOGS
    • VM::GPU_CHIPTYPE
    • VM::VM_HDD
    • VM::ACPI_DETECT
    • VM::GPU_NAME
    • VM::VMWARE_DEVICES
    • VM::VMWARE_MEMORY
    • VM::WMI_MODEL
    • VM::WMI_MANUFACTURER
    • VM::WMI_TEMPERATURE
    • VM::CPU_FANS
    • VM::VMWARE_HARDENER
    • VM::WMI_QUERIES

VirusTotal (3/73, as of 21 March 2025)

https://www.virustotal.com/gui/file/2c0ca8096eb59851738f793427326b64961d56f75e5b3f41ce78360020374a2d?nocache=1

The Windows binaries were generated here purely from the source code.

Credits

@NotRequiem, this release wouldn't have been possible without him
@Scrut1ny, for useful feedback

2.0 Release 🎉

02 Jan 08:24
f101aef


  • added optional VM::vmaware structure
  • added new functions:
    • VM::type()
    • VM::conclusion()
    • VM::detected_count()
  • added improvements to Hyper-X (version 5) [diagram: Hyper-X version 5]
  • added argument support of VM::NO_MEMO to VM::check()
  • added 24 new techniques:
    • VM::GPU_CHIPTYPE by @koughing
    • VM::DRIVER_NAMES
    • VM::VBOX_IDT
    • VM::HDD_SERIAL
    • VM::PORT_CONNECTORS
    • VM::VM_HDD
    • VM::ACPI_HYPERV
    • VM::GPU_NAME
    • VM::VMWARE_DEVICES
    • VM::VMWARE_MEMORY
    • VM::IDT_GDT_MISMATCH
    • VM::PROCESSOR_NUMBER
    • VM::NUMBER_OF_CORES
    • VM::WMI_MODEL
    • VM::WMI_MANUFACTURER
    • VM::WMI_TEMPERATURE
    • VM::PROCESSOR_ID
    • VM::CPU_FANS
    • VM::POWER_CAPABILITIES
    • VM::SETUPAPI_DISK
    • VM::VMWARE_HARDENER
    • VM::WMI_QUERIES
    • VM::SYS_QEMU
    • VM::LSHW_QEMU
  • added 5 option flags to the CLI:
    • --no-color
    • --high-threshold
    • --dynamic
    • --verbose
    • --compact
  • added improvements and fixes to VM::add_custom()
  • added 3 new brands:
  • added new WMI structure module and overall WMI improvements
  • updated the scores of most techniques (see the scoring system)
  • updated:
    • VM::HKLM_REGISTRIES
    • VM::DRIVER_NAMES
    • VM::REGISTRY
  • optimized VM::INTEL_THREAD_MISMATCH
  • fixed MacOS bugs [link]
  • disabled VM::VMWARE_DMESG by default
  • removed VM::SPOOFABLE and --spoofable
  • removed:
    • VM::MOUSE_DEVICE
    • VM::VBOX_FOLDERS
    • VM::CURSOR
    • VM::HYPERV_WMI
    • VM::HYPERV_REG
    • VM::ANYRUN_DRIVER (still present in the CLI)
    • VM::ANYRUN_DIRECTORY (same)
    • VM::CWSANDBOX_VM
    • VM::MEMORY
      (these were removed either due to unreliability, unpredictability, overall low quality, ethical reasons, or a combination of them)

Credits to

VirusTotal results (17/72)

https://www.virustotal.com/gui/file/57d5b8047f183825409fcb7ce7807be138720f83561becfb028ee7462cb002ea/summary

I'm fully aware this looks really suspicious, but the binaries were generated through the CI/CD here purely from the source code. The score might fluctuate as it did previously, so if it doesn't match, please notify me with an issue.

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

1.9 Release

11 Sep 22:01
ed184ea


  • renamed Virtual Apple to Apple Rosetta 2
  • fixed oversight for AMD CPU detection
  • fixed bug for VM::BOCHS_CPU
  • fixed VM::ALL thanks to @D00Movenok
  • fixed MSVC compiler warnings thanks to @NotRequiem
  • disabled VM::CURSOR, VM::RDTSC, and VM::RDTSC_EXIT by default
  • added --all to the CLI, which will enable all techniques including the above ones
  • added ANY.RUN VM brand
  • added VM::ANYRUN_DRIVER and VM::ANYRUN_DIRECTORY techniques

NOTE: It's been exactly a year since I've started and continuously maintained this project since September 2023, and I'm taking a break for a while. Not sure when the next release will be, but I'll try to come back to this project after I've recharged my energy while I'm focusing on some side projects I've been working on occasionally :)

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com