├── CONTRIBUTING.md
├── CODE-OF-CONDUCT.md
├── LICENSE
└── README.md

/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contribution Guidelines

Please note that this project is released with a [Contributor Code of Conduct](CODE-OF-CONDUCT.md). By participating in this project you agree to abide by its terms.

---

Ensure your pull request adheres to the following guidelines:

- One commit per suggestion is preferred
- Commit messages should follow this format: *Add [section]: [slugified name or description]*; examples:

  - *Add literature: Creating Modern Blue Pills and Red Pills*
  - *Add tool: al-khaser*

- Multiple commits can be included in a single pull request
- Each section's entries are sorted alphabetically; please keep that order
- Use the following format: *[Item Name](homepage link) [description]*
- Do not duplicate tools; put each one where it makes the most sense
- By submitting a pull request, you agree to release your submission under the LICENSE

Thank you for your suggestions!

## Updating your PR

Making a PR adhere to the standards above can sometimes be difficult. If the maintainers notice anything that we'd like changed, we'll ask you to edit your PR before we merge it. There's no need to open a new PR, just edit the existing one. If you're not sure how to do that, [here is a guide](https://github.com/RichardLitt/knowledge/blob/master/github/amending-a-commit-guide.md) on the different ways you can update your PR so that we can merge it.
--------------------------------------------------------------------------------
/CODE-OF-CONDUCT.md:
--------------------------------------------------------------------------------
# Contributor Covenant Code of Conduct

## Our Pledge

In the interest of fostering an open and welcoming environment, we as contributors and maintainers pledge to making participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, gender identity and expression, level of experience, nationality, personal appearance, race, religion, or sexual identity and orientation.

## Our Standards

Examples of behavior that contributes to creating a positive environment include:

* Using welcoming and inclusive language
* Being respectful of differing viewpoints and experiences
* Gracefully accepting constructive criticism
* Focusing on what is best for the community
* Showing empathy towards other community members

Examples of unacceptable behavior by participants include:

* The use of sexualized language or imagery and unwelcome sexual attention or advances
* Trolling, insulting/derogatory comments, and personal or political attacks
* Public or private harassment
* Publishing others' private information, such as a physical or electronic address, without explicit permission
* Other conduct which could reasonably be considered inappropriate in a professional setting

## Our Responsibilities

Project maintainers are responsible for clarifying the standards of acceptable behavior and are expected to take appropriate and fair corrective action in response to any instances of unacceptable behavior.

Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, or to ban temporarily or permanently any contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful.

## Scope

This Code of Conduct applies both within project spaces and in public spaces when an individual is representing the project or its community. Examples of representing a project or community include using an official project e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event. Representation of a project may be further defined and clarified by project maintainers.

## Enforcement

Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the project team at <67806187+standard3@users.noreply.github.com>. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. The project team is obligated to maintain confidentiality with regard to the reporter of an incident. Further details of specific enforcement policies may be posted separately.

Project maintainers who do not follow or enforce the Code of Conduct in good faith may face temporary or permanent repercussions as determined by other members of the project's leadership.
## Attribution

This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4, available at [http://contributor-covenant.org/version/1/4][version]

[homepage]: http://contributor-covenant.org
[version]: http://contributor-covenant.org/version/1/4/
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
Creative Commons Legal Code

CC0 1.0 Universal

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
  ii. moral rights retained by the original author(s) and/or performer(s);
  iii. publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
  iv. rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data in a Work;
  vi. database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
  vii. other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

  a. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
  b. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
  c. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
  d. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Awesome Anti-Virtualization [![Awesome](https://awesome.re/badge.svg)](https://awesome.re)

> A curated list of resources related to anti-virtualization techniques containing references to books, papers, blog posts, and other written resources.

Anti-virtualization techniques are used to detect and evade virtualized environments. They are used by malware authors, anti-cheats and proprietary software, among others, to avoid detection by security researchers and analysts.

We generally divide anti-virtualization techniques (also called anti-VM or redpills) into 4 categories:

- **Timing-based**: These techniques rely on the fact that virtualized environments have different timing characteristics than physical machines.
- **Behavior-based**: These techniques rely on the fact that virtualized environments behave differently than physical machines.
- **Signature-based**: These techniques rely on the fact that virtualized environments carry different signatures than physical machines.
- **Based on a trusted third party**: These techniques rely on a trusted third party that can attest to whether the environment is virtualized.
These techniques are called redpills after the red pill in the movie "The Matrix", which wakes the protagonist from the virtual world: a redpill likewise reveals that the environment it runs in is virtual.

> The red pill is a special case of the related "trusted computing" and the attestation concept (Zaidenberg et al. 2015d). In Trusted computing attestation a remote 3rd party or even local software tries to ensure the integrity of the local machine in terms of software (mainly) and hardware (sometimes).
>
> - [Creating Modern Blue Pills and Red Pills, July 2019](https://www.researchgate.net/publication/334988761_Creating_Modern_Blue_Pills_and_Red_Pills)

## Contents

- [:books: Literature](#books-literature): everything written about anti-virtualization techniques
  - [Documentation](#documentation) (blogs, manuals, specifications, etc.)
  - [Scientific Research](#scientific-research)
  - [Media](#media) (videos, podcasts, etc.)
- [:wrench: Tools](#wrench-tools): tools to detect and evade virtualized environments
- [:jigsaw: Techniques](#jigsaw-techniques): a list of anti-virtualization techniques

## :books: Literature

### Documentation

- [About evasion techniques - Check Point Research](https://evasions.checkpoint.com/about/): A collection of evasion techniques used by malware to avoid detection.
- [Detecting Hypervisor-assisted Hooking - Maurice Heumann](https://momo5502.com/posts/2022-05-02-detecting-hypervisor-assisted-hooking/), see also the [EPT Hook Detection GitHub project](https://github.com/momo5502/ept-hook-detection/tree/main)
- [Evading ACPI checks in commercial virtualization platforms - Nick Peterson](https://revers.engineering/evading-trivial-acpi-checks/)
- [How anti-cheats detect system emulation - secret.club](https://secret.club/2020/04/13/how-anti-cheats-detect-system-emulation.html)
- [Detecting Hypervisor Presence on Windows 10 - Nick Peterson](https://revers.engineering/detecting-hypervisor-presence-on-windows-10/)
- [7 Ways to Detect Virtualization from your VM \[Xen,VirtualBox,KVM,OpenStack with KVM\] - techglimpse.com](https://techglimpse.com/xen-kvm-virtualbox-vm-detection-command/)
- [Playing with GuLoader Anti-VM techniques - outpost24.com](https://outpost24.com/blog/playing-with-guloader-anti-vm-techniques-malware/)
- [Detecting VMware by reading an invalid MSR - drew](https://howtohypervise.blogspot.com/2018/09/detecting-vmware-by-reading-invalid-msr.html)
- [Defeating malware's Anti-VM techniques (CPUID-Based Instructions) - Sina Karvandi](https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/)
- [Deploy Hidden Virtual Machine For VMProtections Evasion And Dynamic Analysis - r0ttenbeef](https://r0ttenbeef.github.io/Deploy-Hidden-Virtual-Machine-For-VMProtections-Evasion-And-Dynamic-Analysis/)



### Scientific Research

The following papers are sorted by publication date (newest first):

- [ARAP: Demystifying Anti Runtime Analysis Code in Android Apps](https://arxiv.org/pdf/2408.11080) (August 2024)
- [Unraveling Shadows: Exploring the Realm of Elite Cyber Spies](https://www.semanticscholar.org/reader/2c82e90c5a66786b42721fefc9315625448dc90d) (July 2024)
- [The Reversing Machine: Reconstructing Memory Assumptions](https://www.semanticscholar.org/reader/e5ac22ec06391e95b234cb85b0f7006f09f51045) (May 2024)
- [CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments](https://dl.acm.org/doi/pdf/10.1145/3590777.3590793) (June 2023)
- [From Text to MITRE Techniques: Exploring the Malicious Use of Large Language Models for Generating Cyber Attack Payloads](https://www.semanticscholar.org/reader/1b49a819c01df5a4b7868335daab509b0fbdc5d1) (May 2023)
- [HyperDbg: Reinventing Hardware-Assisted Debugging](https://www.semanticscholar.org/reader/4a0c2fc36d08bea1f7bd8fe29b250dcd6190fae0) (May 2022)
- [On the Effectiveness of Binary Emulation in Malware Classification](https://www.semanticscholar.org/reader/39fa31b1caaa5d2813cffdbf8c6e0c0791da5e56) (April 2022)
- [An automated framework for runtime analysis of malicious executables on Linux](https://scindeks-clanci.ceon.rs/data/pdf/1821-3251/2021/1821-32512102087V.pdf) (2021)
- [Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools](https://ieeexplore.ieee.org/ielx7/6287639/9312710/09312198.pdf) (2021)
- [A Review on Android Malware: Attacks, Countermeasures and Challenges Ahead](https://journals.riverpublishers.com/index.php/JCSANDM/article/download/5237/5553) (2021)
- [Longitudinal Study of the Prevalence of Malware Evasive Techniques](https://www.semanticscholar.org/reader/f01419298066d6089942d2c4aca71fc2018b5d4a) (December 2021)
- [POW-HOW: An enduring timing side-channel to evade online malware sandboxes](https://www.semanticscholar.org/reader/310f96c9072e08709331400810ad27f303dae3c8) (September 2021)
- [Detection of Virtual Machines Based on Thread Scheduling](https://github.com/kernelwernel/VMAware/blob/d7fa59e1fa7e7a155c24c374a73a51889562e840/papers/Detection%20of%20Virtual%20Machines%20Based%20on%20Thread%20Scheduling.pdf) (July 2021)
- [Hypervisor-assisted dynamic malware analysis](https://cybersecurity.springeropen.com/articles/10.1186/s42400-021-00083-9#Sec11) (June 2021)
- [Sandbox Detection Using Hardware Side Channels](https://ieeexplore.ieee.org/document/9424260) (April 2021)
- [Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks](http://eprints.bournemouth.ac.uk/34823/1/Anti_forensics.pdf) (March 2021)
- [DBI, debuggers, VM: gotta catch them all: How to escape or fool debuggers with internal architecture CPU flaws?](https://www.researchgate.net/publication/349062549_DBI_debuggers_VM_gotta_catch_them_all_How_to_escape_or_fool_debuggers_with_internal_architecture_CPU_flaws) (June 2021)
- [Reducing Malware Analysis Overhead With Coverings](https://www.semanticscholar.org/reader/7f0c1afbd8dfc8e0036e23756485361b1e0e1716) (January 2021)
- [Creating Modern Blue Pills and Red Pills](https://www.researchgate.net/publication/334988761_Creating_Modern_Blue_Pills_and_Red_Pills) (July 2019)
- [Rethinking anti-emulation techniques for large-scale software deployment](https://daehee87.github.io/data/qemu.pdf) (June 2019)
- [Malware Dynamic Analysis Evasion Techniques](https://www.semanticscholar.org/reader/e0217797dcaf8f4c2548a2266324f0a3ac7342d6) (November 2018)
- [Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection](https://inria.hal.science/hal-02023739/file/472722_1_En_19_Chapter.pdf) (September 2018)
- [New attack technique based on Meltdown. Using speculative instructions to detect virtualization](https://sudonull.com/post/58475-New-attack-technique-based-on-Meltdown-Using-speculative-instructions-for-detecting-virtualization-B) (May 2018)
- [Handling Anti-Virtual Machine Techniques in Malicious Software](https://dl.acm.org/doi/10.1145/3139292) (December 2017)
- [A Study of I/O Performance of Virtual Machines](https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=8429117) (June 2017)
- [Detecting Hardware-Assisted Virtualization](https://christian-rossow.de/publications/detectvt-dimva2016.pdf) (July 2016)
- [Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware](https://web.archive.org/web/20190501075836/https://hal.inria.fr/hal-01369566/file/421518_1_En_22_Chapter.pdf) (May 2016)
- [A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions](https://www.semanticscholar.org/reader/9649482b7f4dfff3e30c7838b6070cfddf0e6668) (March 2016)
- [Virtual Machines Detection Methods Using IP Timestamps Pattern Characteristic](https://www.researchgate.net/publication/297726086_Virtual_Machines_Detection_Methods_Using_IP_Timestamps_Pattern_Characteristic) (February 2016)
- [Research on Utilizing Emulab for Malware Analysis](https://koreascience.or.kr/article/JAKO201609562997973.page) (February 2016)
- [Two challenges of stealthy hypervisors detection: time cheating and data fluctuations](https://arxiv.org/pdf/1506.04131) (2015)
- [New Methods for Detecting Malware Infections and New Attacks against Hardware Virtualization](https://repozitorium.omikk.bme.hu/items/4c76e047-9d2e-4196-a6c5-e7837c350bc6) (2015)
- [Hyperprobe: Towards Virtual Machine Extrospection](https://www.usenix.org/system/files/conference/lisa15/lisa15-paper-xiao.pdf) (2015), see also the [presentation video](https://www.usenix.org/conference/lisa15/conference-program/presentation/xiao)
- [Mal-EVE: Static detection model for evasive malware](https://ieeexplore.ieee.org/document/7497952) (August 2015)
- [An assessment of virtual machine assails](https://www.ijates.com/images/short_pdf/1421766783_P315-320.pdf) (January 2015)
- [Cardinal Pill Testing of System Virtual Machines](https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/shi) (August 2014)
- [An analysis of hardware-assisted virtual machine based rootkits](https://calhoun.nps.edu/server/api/core/bitstreams/9b32dd11-5ad8-4e1b-b085-f7fe27b13fc7/content) (June 2014)
- [VMDE: Virtual Machines Detection Enhanced](https://www.heise.de/downloads/18/1/1/8/3/5/5/9/vmde.pdf) (November 2013)
- [Anti-virtual machines and emulations](http://staff.ustc.edu.cn/~bjhua/courses/security/2014/readings/anti-vm2.pdf) (June 2012)
- [Virtualization Security: Virtual Machine Monitoring and Introspection](https://cdn.ttgtmedia.com/rms/pdf/RHUL_Tsifountidis_Final.pdf) (2011)
- [Malware Virtualization-Resistant Behavior Detection](https://ieeexplore.ieee.org/document/6121379) (December 2011)
- [Detecting Environment-Sensitive Malware](https://link.springer.com/chapter/10.1007/978-3-642-23644-0_18) (September 2011)
- [On the Impossibility of Detecting Virtual Machine Monitors](https://link.springer.com/content/pdf/10.1007/978-3-642-01244-0_13.pdf) (2009)
- [Detecting the Presence of Virtual Machines Using the Local Data Table](https://www.ccoderun.ca/programming/2009-12-30_Virtualization/www.offensivecomputing.net_vm.pdf) (2009)
- [Stealth sandbox analysis of malware](https://repository.bilkent.edu.tr/server/api/core/bitstreams/b40cd415-b27e-4f79-acfd-f8b06d99d439/content) (August 2009)
- [Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware](http://faculty.cs.nku.edu/~waldenj/classes/2008/fall/csc682/presentations/AntiTechniques.pdf) (June 2008)
- [Attacks on More Virtual Machine Emulators](https://pferrie.tripod.com/papers/attacks2.pdf) (2007), see [associated slides](http://pferrie.epizy.com/papers/attacks2.ppt)
- [Attacks on Virtual Machine Emulators](https://www.cityu.edu.hk/its/sites/g/files/asqsls6511/files/media/inline-image/Virtual_Machine_Threats.pdf) (2007), see [associated slides](http://pferrie.epizy.com/papers/attacks.ppt)
- [Detecting System Emulators](https://link.springer.com/chapter/10.1007/978-3-540-75496-1_1) (October 2007)
- [Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction](https://www.cerias.purdue.edu/assets/pdf/bibtex_archive/2007-80.pdf) (October 2007)
- [Hiding Virtualization from Attackers and Malware](https://www.computer.org/csdl/magazine/sp/2007/03/j3062/13rRUIM2VA7) (May 2007)
- [On the Cutting Edge: Thwarting Virtual Machine Detection](https://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf) (2006)
- [Methods for Virtual Machine Detection](http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/www.s21sec.com_vmware-eng.pdf) (June 2006)



### Media

- [Countering Anti-Debugging Techniques: Enhancing Transparency in Nested Virtualization using HyperDbg](https://github.com/HyperDbg/slides/blob/main/2025/DEBT2025/hyperevade-ecoop2025-debt.pdf) (slides only) (July 2025)
- [LISA15 - Hyperprobe: Towards Virtual Machine Extrospection](https://www.youtube.com/watch?v=dmSQ1R5WCJs) (December 2021)
- [Don't Tell Joanna, The Virtualized Rootkit Is Dead](https://archive.org/details/2007_BlackHat_Vegas-V18-Ptacek-Ferrie-Lawson-Dont_Tell_Joanna), see [associated slides](http://pferrie.epizy.com/papers/vtrootkits.pdf) (2007)



## :wrench: Tools

Tools are divided into their respective categories (by default, all tools are in user-mode):

| Icon | Description |
| --- | --- |
| 🐧 | Linux |
| 🪟 | Windows |
| 🍏 | macOS |
| 💽 | raw / no OS / UEFI |
| 🚀 | kernel-mode |

Start of the list:

- 🐧🪟🍏 | [VMAware](https://github.com/kernelwernel/VMAware): Easy-to-use cross-platform C++ VM detection library and tool
- 🐧 | [Hypervisor-Phantom](https://github.com/Scrut1ny/Hypervisor-Phantom): Advanced malware analysis tool for evading detection by advanced malware.
- 🪟 | [Pafish](https://github.com/a0rtega/pafish): Testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.
- 🪟 | [VMDE](https://github.com/hfiref0x/VMDE): Virtual Machines Detection Enhanced, source from the VMDE paper, adapted to 2015.
- 🪟 | [Hypervisor-Detection](https://github.com/void-stack/Hypervisor-Detection): Detects virtual machines and malware analysis environments
- 🪟 | [Al-khaser](https://github.com/ayoubfaouzi/al-khaser): al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
- 💽🪟 | [illusion-rs](https://github.com/memN0ps/illusion-rs): Rusty Hypervisor - Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion)
  - specifically see the [Hypervisor detection](https://github.com/memN0ps/illusion-rs?tab=readme-ov-file#hypervisor-detection) section
- 🚀🪟 | [hyperdetect.cc](https://gist.github.com/drew-gpf/d31840bebbbb1ff1d112a6f46e162c05): C++ code snippet, running in kernel-mode, that checks for a "lazy" hypervisor
- 🪟 | [antivmdetection](https://github.com/nsmfoo/antivmdetection): Script to create templates to use with VirtualBox to make VM detection harder
- 🪟 | [InviZzzible](https://github.com/CheckPointSW/InviZzzible): InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up-to-date detection and evasion techniques as well as fixes for them.
- 🪟 | [Anti-VM](https://github.com/Print3M/Anti-VM): C++ Windows-based implementation of several anti-VM techniques used in malware development.
- 🐧 | [apate](https://github.com/vim951/apate): Apate performs anti-debugging, anti-VM and anti-sandbox tests, to see if your Linux system is able to stay under the radar.
- 🐧 | [inside-vm](https://github.com/PicoJr/inside-vm): Detect if code is running inside a virtual machine (x86 and x86-64 only).
- 🪟 | [EPT Hook Detection](https://github.com/momo5502/ept-hook-detection)
- 🪟 | [PyDefender](https://github.com/EvilBytecode/PyDefender/tree/main): Anti-virtualization, anti-debugging, anti-sandbox (including Sandboxie) and VM-detection package for Python.
- 🪟 | [GoDefender](https://github.com/EvilBytecode/GoDefender/): Anti-virtualization, anti-debugging, anti-sandbox (including Sandboxie) and VM-detection package for Go. Windows only.
- 🐧🪟 | [Metasploit](https://www.metasploit.com/): Open-source penetration testing framework that includes virtual machine detection modules
  - [metasploit-framework/modules/post/linux/gather/checkvm.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/linux/gather/checkvm.rb)
  - [metasploit-framework/modules/post/windows/gather/checkvm.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb)
  - [metasploit-framework/scripts/meterpreter/winenum.rb](https://github.com/rapid7/metasploit-framework/blob/master/scripts/meterpreter/winenum.rb#L182)
  - [metasploit-framework/modules/auxiliary/scanner/netbios/nbname.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/netbios/nbname.rb#L92)
- 🐧 | [systemd-detect-virt (man page)](https://www.freedesktop.org/software/systemd/man/latest/systemd-detect-virt.html): `systemd-detect-virt` detects execution in a virtualized environment. It identifies the virtualization technology and can distinguish full machine virtualization from container virtualization. `systemd-detect-virt` exits with a return value of 0 (success) if a virtualization technology is detected, and non-zero (error) otherwise.
  - See also the `systemd` code: [systemd/src/basic/virt.c](https://github.com/systemd/systemd/blob/main/src/basic/virt.c#L24)



## :jigsaw: Techniques

| Technique | Description | Certainty | Platform | Code reference |
| --------- | ----------- | --------- | -------- | -------------- |
| VMID | Check CPUID output of manufacturer ID for known VMs/hypervisors at leaf 0 and 0x40000000-0x40000100 | 100% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2525) |
| CPU brand | Check if the CPU brand model contains any VM-specific string snippets | 50% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2545) |
| Hypervisor bit | Check if the hypervisor feature bit in CPUID eax bit 31 is enabled (always false for physical CPUs) | 100% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2601) |
| Hypervisor string | Check the hypervisor brand string length (would be around 2 characters on a host machine) | 75% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2622) |
| Timer | Check for timing anomalies in the system | 45% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8169) |
| Thread count | Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings (modern physical CPUs should have at least 4 threads) | 35% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2649) |
| MAC address | Check if the MAC address starts with certain VM-designated values | 20% | 🐧🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2671) |
| Temperature | Check if the Linux thermal directory is present; it might not be present in VMs | 15% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2804) |
| Chassis vendor | Check if the chassis vendor is a VM vendor | 65% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2671) |
| Chassis type | Check if the chassis type is valid (it's very often invalid in VMs) | 20% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2875) |
| /.dockerenv | Check if the /.dockerenv or /.dockerinit file is present | 30% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2897) |
| dmidecode output | Check if dmidecode output matches a VM brand | 55% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2915) |
| dmesg output | Check if dmesg output matches a VM brand | 55% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2956) |
| /sys/class/hwmon | Check if the /sys/class/hwmon/ directory is present; if not, likely a VM | 35% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2993) |
| 5th sidt byte | Check if the 5th byte after sidt is null | 45% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3009) |
| DLL | Check for VM-specific DLLs | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3057) |
| Registry | Check for VM-specific registry values | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3092) |
| VM files | Check for VM-specific files | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3286) |
| hwmodel | Check if the sysctl for the hwmodel does not contain the "Mac" string | 100% | 🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3429) |
| Disk size | Check if the disk size is 50GB or less | 60% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3465) |
| RAM and disk size VBox | Check for the default RAM and disk sizes set by VirtualBox | 25% | 🐧🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3491) |
| VBox network | Check for the VirtualBox network provider string | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3576) |
| Computer name | Check if the computer name (not the username, to be clear) is VM-specific | 10% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3599) |
| Wine file | Check the wine_get_unix_file_name file for Wine | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3633) |
| Hostname | Check if the hostname is VM-specific | 10% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3655) |
| KVM directories | Check for the KVM directory "Virtio-Win" | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3676) |
| QEMU directories | Check for QEMU-specific blacklisted directories | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3702) |
| Power capabilities | Check which power states are enabled | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3738) |
| Disk drive ID | Check for virtual machine signatures in disk drive device identifiers | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3762) |
| VM processes | Check for any active VM processes | 15% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3831) |
| User and hostname | Check for the default VM username and hostname on Linux | 10% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3884) |
| Gamarue | Check for the Gamarue ransomware technique, which compares VM-specific Windows product IDs | 10% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3911) |
| Bochs faulty CPU | Check for various Bochs-related emulation oversights through CPU checks | 100% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L3968) |
| MSSMBIOS | Check the MSSMBIOS registry for VM-specific signatures | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4055) |
| Low memory | Check if memory is too low for a macOS system | 15% | 🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4194) |
| IO kit | Check the macOS IO kit registry for VM-specific strings | 100% | 🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4231) |
| ioreg command | Check for VM strings in ioreg command output on macOS | 100% | 🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4317) |
| System Integrity Protection | Check if System Integrity Protection is disabled (likely a VM if it is) | 40% | 🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4378) |
| HKLM | Check HKLM registry keys for specific VM strings | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4397) |
| QEMU process | Check for the "qemu-ga" process | 10% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4512) |
| VirtualPC backdoor | Check for the official VPC method | 75% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4532) |
| sidt instruction | Check for the sidt instruction method | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4587) |
| sgdt instruction | Check for the sgdt instruction method | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4640) |
| sldt instruction | Check for the sldt instruction method | 15% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4668) |
| Offensive Security sidt | Check for the Offensive Security SIDT method | 60% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4699) |
| Offensive Security sgdt | Check for the Offensive Security SGDT method | 60% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4724) |
| Offensive Security sldt | Check for the Offensive Security SLDT method | 20% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4750) |
| VirtualPC sidt | Check for the sidt method with VPC's 0xE8XXXXXX range | 15% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4776) |
| VMware iomem | Check for the VMware string in /proc/iomem | 65% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4807) |
| VMware ioports | Check for the VMware string in /proc/ioports | 70% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4828) |
| VMware scsi | Check for the VMware string in /proc/scsi/scsi | 40% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4849) |
| VMware dmesg | Check for VMware-specific device names in dmesg output | 65% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4870) |
| VMware str instruction | Check the str assembly instruction method for VMware | 35% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4909) |
| VMware IO port backdoor | Check for the official VMware IO port backdoor technique | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4932) |
| VMware memory IO port | Check for VMware memory using the IO port backdoor | 85% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L4996) |
| smsw instruction | Check for the SMSW assembly instruction technique | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L5040) |
| Mutex strings | Check for mutex strings of VM brands | 85% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L5070) |
| Odd CPU threads | Check for an odd number of CPU threads, usually a sign of modification through VM settings, because 99% of CPUs have an even number of threads | 80% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L5115) |
| Intel thread mismatch | Check whether the system's thread count matches the Intel CPU thread count database | 95% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L5215) |
| Xeon thread mismatch | Same as above, but for Intel Xeon CPUs | 95% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6217) |
| Nettitude VM memory | Check memory regions to detect VM-specific brands | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6375) |
| Cuckoo directory | Check for the Cuckoo directory using CRT and Win API directory functions | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6655) |
| Cuckoo pipe | Check for the Cuckoo-specific piping mechanism | 30% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6679) |
| Hyper-V hostname | Check for the default Azure hostname format regex (Azure uses Hyper-V as its base VM brand) | 30% | 🐧🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6706) |
| General hostname | Check for hostnames commonly set by certain VM brands | 10% | 🐧🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6753) |
| Screen resolution | Check for pre-set screen resolutions commonly found in VMs | 20% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6789) |
| Device string | Check if a bogus device string would be accepted | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6821) |
| BlueStacks folders | Check for the presence of BlueStacks-specific folders | 5% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6842) |
| CPUID signature | Check for signatures in CPUID leaf 0x40000001 | 95% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6865) |
| KVM bitmask | Check the KVM CPUID bitmask range for reserved values | 40% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6893) |
| Intel KGT signature | Check for the Intel KGT (Trusty branch) hypervisor signature in CPUID | 80% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6931) |
| QEMU DMI | Check for the presence of QEMU in the /sys/devices/virtual/dmi/id directory | 40% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6956) |
| QEMU USB | Check for the presence of QEMU in the /sys/kernel/debug/usb/devices directory | 20% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6986) |
| Hypervisor directory | Check for the presence of any files in the /sys/hypervisor directory | 20% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7018) |
| User Mode Linux CPU | Check for the "UML" string in the CPU brand | 80% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7070) |
| kmsg logs | Check for any indications of hypervisors in the kernel message logs | 5% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7103) |
| Xen VM processes | Check for a Xen VM process | 10% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7161) |
| VBox kernel module | Check for a VBox kernel module | 15% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7184) |
| sysinfo process | Check for potential VM info in /proc/sysinfo | 15% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7211) |
| Device tree | Check for specific files in the /proc/device-tree directory | 20% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7238) |
| DMI scan | Check for string matches of VM brands in the Linux DMI | 50% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7256) |
| SMBIOS VM bit | Check for the VM bit in the SMBIOS data | 50% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7340) |
| Podman file | Check for the podman file in /run/ | 5% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7374) |
| WSL process | Check for WSL or Microsoft indications in /proc/ subdirectories | 30% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7393) |
| ANY.RUN driver | Check for the any.run driver presence | 65% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/cli.cpp#L679) |
| ANY.RUN directory | Check for the any.run directory and handle the status code | 35% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/cli.cpp#L713) |
| Driver names | Check for VM-specific driver names | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7426) |
| sidt base | Check for an unknown IDT base address | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7539) |
| HDD serial | Check for serial numbers of virtual disks | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7581) |
| Port connections | Check for physical connection ports | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7700) |
| GPU capabilities | Check for GPU capabilities related to VMs | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7785) |
| GPU VM strings | Check for specific GPU string signatures related to VMs | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7730) |
| VM devices | Check for VM-specific devices | 45% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7848) |
| IDT and GDT scan | Check if the IDT and GDT virtual base addresses are equal across different CPU cores when not running under Hyper-V | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7908) |
| Processor count | Check the number of processors | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7999) |
| Core count | Check the number of cores | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8024) |
| ACPI temperature | Check the device's temperature | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8057) |
| Processor ID | Check if any processor has an empty Processor ID using SMBIOS data | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8084) |
| QEMU /sys/ | Check for the existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware | 70% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8330) |
| lshw QEMU | Check for QEMU string instances in lshw command output | 80% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8364) |
| Virtual processors | Check if the number of virtual and logical processors is reported correctly by the system | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8411) |
| Hyper-V query | Check if a call to NtQuerySystemInformation with the 0x9f leaf fills a `_SYSTEM_HYPERVISOR_DETAIL_INFORMATION` structure | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8451) |
| VM memory pools | Check for system pools allocated by hypervisors | 80% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8513) |
| AMD SEV | Check for the AMD-SEV MSR running on the system | 50% | 🐧🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8812) |
| AMD thread count mismatch | Check whether the system's thread count matches the AMD CPU thread count database | 95% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8871) |
| Native VHD | Check for the OS being booted from a VHD container | 100% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L9482) |
| Virtual registry | Check for a particular object directory which is present in the Sandboxie virtual environment but not on usual host systems | 65% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L9505) |
| Firmware signatures | Check for VM signatures and strings patched by hardeners in firmware, while ensuring the BIOS serial is valid | 75% | 🪟🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L9601) |
| File access history | Check if the number of accessed files is too low for a human-managed environment | 15% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L9950) |
| Audio device | Check if an audio device is present | 25% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L9980) |
| Unrecognised physical x86 CPU manufacturer | Check if the CPU manufacturer is not known | 50% | 🐧🪟🍏 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L10016) |
| OSXSAVE | Check if running xgetbv on the XCR0 extended feature register triggers an exception | 50% | 🪟 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L10044) |
| nsjail PID | Check if the process status matches nsjail patterns with PID anomalies | 75% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L10083) |
| PCIe bridge name | Check PCIe bridge names for known VM keywords and brands | 100% | 🐧 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L10142) |

## Contributing

Contributions are welcome! Please read the [contribution guidelines](CONTRIBUTING.md) first.