Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

Sign up
Appearance settings

kernelwernel/VMAware

Repository files navigation


Ask DeepWiki CodeQL Analysis

VMAware (VM + Aware) is a cross-platform C++ library for virtual machine detection.


The library is:

  • Very easy to use
  • Cross-platform (Windows + MacOS + Linux)
  • Features around 100 unique VM detection techniques [list]
  • Features the most cutting-edge techniques
  • Able to detect over 70 VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [list]
  • Able to beat VM hardeners
  • Compatible with x86 and ARM, with backwards compatibility for 32-bit systems
  • Very flexible, with total fine-grained control over which techniques get executed
  • Able to detect various VM and semi-VM technologies like hypervisors, emulators, containers, sandboxes, and so on
  • Available with C++11 and above
  • Header-only
  • Free of any external dependencies
  • Memoized, meaning past results are cached and retrieved if ran again for performance benefits
  • Fully MIT-licensed, allowing unrestricted use and distribution

Note

We are looking for Chinese translators. If you'd like to contribute with translating this README, feel free to give us a PR! Credit will be provided.


Example πŸ§ͺ

#include "vmaware.hpp"
#include <iostream>
int main() {
 if (VM::detect()) {
 std::cout << "Virtual machine detected!" << "\n";
 } else {
 std::cout << "Running on baremetal" << "\n";
 }
 std::cout << "VM name: " << VM::brand() << "\n";
 std::cout << "VM type: " << VM::type() << "\n";
 std::cout << "VM certainty: " << (int)VM::percentage() << "%" << "\n";
 std::cout << "VM hardening: " << (VM::is_hardened() ? "likely" : "not found") << "\n";
}

possible output:

Virtual machine detected!
VM name: VirtualBox
VM type: Hypervisor (type 2)
VM certainty: 100%
VM hardening: not found

Structure βš™οΈ



CLI tool πŸ”§

This project also provides a handy CLI tool utilising the full potential of what the library can do. It also has cross-platform support.

Below is an example of a basic qemu system with no hardening modifications.


Installation πŸ“₯

To install the library, download the vmaware.hpp file in the latest release section to your project. The binaries are also located there. No CMake or shared object linkages are necessary, it's literally that simple.

However, if you want the full project (globally accessible headers with <vmaware.hpp> and the CLI tool), follow these commands:

git clone https://github.com/kernelwernel/VMAware 
cd VMAware

FOR LINUX:

sudo dnf/apt/yum update -y # change this to whatever your distro is
mkdir build
cd build
cmake ..
sudo make install

FOR MACOS:

mkdir build
cd build
cmake ..
sudo make install

FOR WINDOWS:

cmake -S . -B build/ -G "Visual Studio 16 2019"

Optionally, you can create a debug build by appending -DCMAKE_BUILD_TYPE=Debug to the cmake arguments.


CMake installation

# edit this
set(DIRECTORY "/path/to/your/directory/")
set(DESTINATION "${DIRECTORY}vmaware.hpp")
if (NOT EXISTS ${DESTINATION})
 message(STATUS "Downloading VMAware")
 set(URL "https://github.com/kernelwernel/VMAware/releases/latest/download/vmaware.hpp")
 file(DOWNLOAD ${URL} ${DESTINATION} SHOW_PROGRESS)
else()
 message(STATUS "VMAware already downloaded, skipping")
endif()

The module file and function version is located here


Documentation and code overview πŸ“’

You can view the full docs here. All the details such as functions, techniques, settings, and examples are provided. Trust me, it's not too intimidating ;)

If you want to learn about the architecture and design of the library, head over to https://deepwiki.com/kernelwernel/VMAware


Q&A ❓

How does it work?

It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. The scores (0-100) for each technique are arbitrarily given, and every technique that has detected a VM will have their score added to a single accumulative point, where a threshold point number will decide whether it's actually running in a VM.

Who is this library for and what are the use cases?

It's designed for security researchers, VM engineers, anticheat developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware.

Additionally, software could adjust the behaviour of their program based on the detected environment. It could be useful for debugging and testing purposes, while system administrators could manage configurations differently. Finally, some applications might want to legally restrict usage in VMs as a license clause to prevent unauthorized distribution or testing.

There are also projects that utilise our tool such as Hypervisor-Phantom, which is an advanced malware analysis project that we helped strengthen their hypervisor environment and undetectability.

Why another VM detection project?

There's already loads of projects that have the same goal such as InviZzzible, pafish and Al-Khaser. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional hurdle is that they are all GPL projects, so using them for proprietary projects (which would be the main audience for such a functionality), is out of the question.

Pafish and InviZzzible have been abandoned for years. Although Al-Khaser does receive occasional updates and has a wide scope of detections that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.

While those projects have been useful to VMAware to some extent, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.

Wouldn't it make it inferior for having the project open source?

The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive manner rather than trying to obfuscate. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide it's a VM.

All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source. This is what made the project the best VM detection framework out there, and bypassing it has shown to be an immense challenge due to the sheer number of sophisticated and never-before-seen techniques we employ that other VM detectors don't use whether open or closed source (to our knowledge).

In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation. It's the same reason why OpenSSH, OpenSSL, the Linux kernel, and other security-based software projects are relatively secure because of how there's more people helping to make it better compared to people trying to probe the source code with malicious intent. VMAware has this philosophy, and if you know anything about security, you should be familiar with the phrase: "Security through obfuscation is NOT security".

How effective are VM hardeners against the lib?

Publicly known hardeners are not effective and most of them on Windows have been beaten, but this doesn't mean that the lib is immune to them. We challenged the most famous ones we know, and that's why we created a bypass against them as our main focus. Custom hardeners that we may not be aware of might have a theoretical advantage, but they are substantially more difficult to produce.

Is it possible to spoof the result?

Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false positive or even a false negative. This is a problem that every VM detection project is facing whether closed or open source, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. Remember, EVERYTHING is technically spoofable.

How is it developed?

We first try to come up with ideas and make prototype techniques in the dev branch. We merge the dev branch to main around once a week because we want to make sure the techniques work as intended in a real-world system before it's utilised. The new techniques would be left on the main branch for people to test, and then we add them to the release for everybody to try it out.

What about using this for malware?

This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with.

I have linker errors when compiling

If you're compiling with gcc or clang, add the -lm and -lstdc++ flags, or use g++/clang++ compilers instead. If you're receiving linker errors from a brand new VM environment on Linux, update your system with sudo apt/dnf/yum update -y to install the necessary C++ components.


Issues, discussions, pull requests, and inquiries πŸ“¬

If you have any suggestions, ideas, or any sort of contribution, feel free to ask! I'll be more than happy to discuss either in the issue or discussion sections. We usually reply fairly quickly. If you want to personally ask something in private, our discords are kr.nl and shenzken

For email inquiries: jeanruyv@gmail.com

And if you found this project useful, a star would be appreciated :)


Credits, contributors, and acknowledgements βœ’οΈ


Legal πŸ“œ

I am not responsible nor liable for any damage you cause through any malicious usage of this project.

License: MIT

AltStyle γ«γ‚ˆγ£γ¦ε€‰ζ›γ•γ‚ŒγŸγƒšγƒΌγ‚Έ (->γ‚ͺγƒͺγ‚ΈγƒŠγƒ«) /