Releases: kernelwernel/VMAware
2.5.0 Release 🎉
- Added UTM (macOS VM) brand
- Removed Hypervisor-Phantom brand (detected with generic checks)
- Added:
  - VM::BOOT_LOGO (Check the boot logo for known VM images)
  - VM::BOOT (Check to identify boot managers used in virtual machines)
  - VM::NVRAM (Check to counter firmware passthrough, specifically SSDT and SMBIOS)
  - VM::OBJECTS (Check to counter VM::TRAP bypasses by using KVM + Hyper-V)
  - VM::MAC_SYS (Check for VM-strings in system profiler commands for MacOS)
  - VM::ACPI_SIGNATURE (Check for exposed device location paths in the DSDT, for QEMU and Hyper-V)
  - VM::SMBIOS_PASSTHROUGH (Check for malformed/corrupted SMBIOS)
- Fixed:
  - Fixed ARM compilation issues
  - Fixed possible false flag when probing VMware's Virtual Machine Communication Interface
  - Fixed possible false flag when attempting to detect Hyper-V's VMBUS
  - Fixed detection for QEMU's Hyper-V enlightenments
- Improved:
  - VM::INTEL_THREAD_MISMATCH - Updated CPU database and token matching
  - VM::XEON_THREAD_MISMATCH - Updated CPU database and token matching
  - VM::AMD_THREAD_MISMATCH - Updated CPU database and token matching
  - VM::TIMER:
    - New threshold ratios adjusted empirically with runs in more than 10,000 machines
    - New split-lock detection
    - New QPC algorithm that evicts hypervisors by avoiding a userland-triggered context switch
    - New checks for nested virtualization
    - New checks for detecting the current CPU speed
    - New check capable of beating most public RDTSC patches
  - VM::VBOX_DEFAULT - Updated to cover all VirtualBox defaults in all architectures
  - VM::SIDT - Code safety improvements
  - VM::HYPERV_HOSTNAME - Updated to detect latest Azure's Hyper-V change
  - VM::FIRMWARE:
    - Fixed DSDT, RSMB and FIRM fetching
    - Compile-time byte-swap computation
    - Faster raw binary search
    - Improved KVM ACPI Device() signature check and moved it to VM::ACPI_SIGNATURE
    - Removed power/adapter object checks due to false flags
    - Removed SSDT revision checks due to false flags
    - Removed _OSI parameter checks due to false flags on latest Surface Pro devices
    - Removed DSDT revision checks (pre-experimental) due to false flags on Lenovo and Acer devices like 82GN and SP111-34N and 100+ others
    - Removed thermal zones and PTS checks (pre-experimental) due to false flags on devices Toshiba Satellite Pro R40-C and 100+ others
    - Removed FACP revision checks
    - Added FACP integrity checks
    - Added HPET presence checks when not running under ARM devices with virtual CPUs
    - Added C2 and C3 latency checks
  - VM::PCI_DEVICES - Improved performance, improved detections on Hyper-V, debug output will now be in hexadecimal
  - VM::REGISTRY_KEYS - Improved performance, improved detections for VirtualBox and Hyper-V, fixed false flags on Wine
  - VM::POWER_CAPABILITIES - Better checks to detect commonly unsupported states on VMs
  - VM::REGISTRY_VALUES - Improved performance
  - VM::SGDT - Code safety improvements
  - VM::SLDT - Code safety improvements
  - VM::DISPLAY - Added display path, BPP and DPI checks
  - VM::DISK_SERIAL - Added generic checks for non physical drives, improved performance
  - VM::IVSHMEM - Dramatically improved performance
  - VM::VIRTUAL_PROCESSORS - Improved code simplicity and performance
  - VM::VIRTUAL_REGISTRY - Improved performance
  - VM::TPM - Made it compatible with ARM devices with TPMs manufactured by Microsoft
  - VM::DBVM - Reduced memory fragmentation. Fixed an issue where an exception would be handled as an EXCEPTION_ACCESS_VIOLATION_READ rather than an EXCEPTION_ILLEGAL_INSTRUCTION
  - VM::DMESG - Code safety improvements
  - VM::NSJAIL_PID - Improved error handling and made process id fetching safer
  - VM::THREAD_COUNT - Cached thread count number to improve performance
  - VM::MAC_IOKIT - Additional keyboard checks
  - VM::MAC_SIP - New generic checks for hypervisor presence, focused on detecting UTM and kern.hv_vmm_present
- Other improvements:
  - New checks to detect whether the environment is hardened against VM detection techniques or not
  - New --json and --output commands in the CLI
  - New custom GetProcAddress implementation for better performance and stealthiness
  - New execution speed info when running with --verbose
  - Now the CLI console will not be closed automatically upon program termination
  - Improved binary translation checks on ARM
  - Improved conclusion messages and CLI output
  - Improved library core, overall performance and memory safety
  - Improved Windows version detection
  - Improved disk size and RAM size retrieval, using different APIs
  - Improved CPU fetching for AMD A series
  - Lowered detection scores of registry, GPU and power-capabilities techniques, increased VM::TIMER score
  - Deprecated --no-memo argument in the CLI
  - Type changes to WSL and Intel HAXM
  - Made hyper-x debug messages clearer
  - Better checks and reporting when the program is not running with enough privileges to run some techniques
  - On Windows, disk size checks will detect the drive where the OS is installed rather than fetching C:
- Removed:
  - VM::DISK_SIZE - Not a reliable proof of virtualization
  - VM::LOGICAL_PROCESSORS - Now handled by our thread databases
  - VM::PHYSICAL_PROCESSORS - Now handled by our thread databases
  - VM::ODD_THREADS - Now handled by our thread databases
  - VM::QEMU_PASSTHROUGH - Improved and renamed to VM::ACPI_SIGNATURE
  - VM::VBOX_NETWORK - Merged into VM::REGISTRY_KEYS
VirusTotal results and executables
https://www.virustotal.com/gui/file/48c30fd4dfd05b48512364e21104ccf34ab558a0838b956bc284690999b9d722
The Windows binaries were generated in the CI/CD purely from the source code here.
The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.
Extra
For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com
2.4.1 Release 🎉
- added DBVM (Dark Byte's VM) brand
- added:
  - VM::DBVM
  - VM::UD
  - VM::BLOCKSTEP
- fixed:
  - VM::SGDT (0xD0 signature detected false flagging when Hyper-V was not running)
  - VM::SIDT (top-most byte signature false flagging when Hyper-V was not running)
  - VM::FIRMWARE (false flagging on Acer Aspire Notebooks while attempting to detect Xen virtual machines)
  - VM::TRAP (false flagging on AMD CPUs)
- improved:
  - VM::FIRMWARE (detections for ACPI KVM's signatures)
VirusTotal results and executables
The Windows binaries were generated in the CI/CD purely from the source code here, except for the vmaware_debug binary, which was generated using MSVC with the __VMAWARE_DEBUG__ macro.
The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.
Extra
For any inquiries, contact us on discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com
2.4.0 Release 🎉
- removed:
  - VM::ACPI_TEMPERATURE
  - VM::BAD_POOLS
  - VM::COMPUTER_NAME
  - VM::DEVICE_TREE
  - VM::DRIVER_NAMES
  - VM::GPU_VM_STRINGS
  - VM::HKLM_REGISTRIES
  - VM::HOSTNAME
  - VM::KVM_BITMASK
  - VM::KVM_DIRS
  - VM::LSHW_QEMU
  - VM::MSSMBIOS
  - VM::NATIVE_VHD
  - VM::NETTITUDE_VM_MEMORY
  - VM::NUMBER_OF_CORES
  - VM::OSXSAVE
  - VM::PCI_VM
  - VM::PORT_CONNECTORS
  - VM::PROCESSOR_NUMBER
  - VM::QEMU_DIR
  - VM::REGISTRY
  - VM::SCREEN_RESOLUTION
  - VM::SETUPAPI_DISK
  - VM::THREADCOUNT
  - VM::UNKNOWN_MANUFACTURER
  - VM::VM_DEVICES
  - VM::VM_FILES
  - VM::VM_PROCESSES
  - VM::VM_PROCS
  - VM::VMWARE_PORT_MEM
  - VM::WINE_CHECK
  - VM::PROCESSES (Windows section)
  - VM::TEMPERATURE (Windows section)
- undisabled:
  - VM::TEMPERATURE
- added:
  - VM::DEVICE_HANDLES
  - VM::DISPLAY
  - VM::DRIVERS
  - VM::LOGICAL_PROCESSORS
  - VM::PCI_DEVICES
  - VM::PHYSICAL_PROCESSORS
  - VM::PROCESSES
  - VM::QEMU_PASSTHROUGH (world's first ever device passthrough detection)
  - VM::REGISTRY_KEYS
  - VM::REGISTRY_VALUES
  - VM::THREAD_COUNT
  - VM::TRAP
- added compile-time filters for unsupported techniques based on platforms
- added compatibility for Windows 7 and above
- made the library fully MIT
- improved every vm detection technique, focusing on:
  - Timing attacks
  - Firmware analysis
  - Device passthrough detection
  - PCIe scanning
  - GPU capabilities
VirusTotal results
The Windows binaries were generated in the CI/CD purely from the source code here.
The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.
Credits
Extra
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
2.3.0 Release 🎉
RELEASE NOTES:
- added Hypervisor-Phantom brand
- added:
  - VM::TPM
  - VM::QEMU_FW_CFG
  - VM::IVSHMEM
- added better macro handling for Windows
- added clang compatibility fixes
- fixed memory leak in the CLI
- improved execution speed of Windows techniques
- improved debugs for:
  - VM::AMD_THREAD_MISMATCH
  - VM::INTEL_THREAD_MISMATCH
  - VM::XEON_THREAD_MISMATCH
  - VM::VIRTUAL_PROCESSORS
- improved cpuid handling
- improved process utilities
- improved:
  - VM::REGISTRY
  - VM::VBOX_NETWORK
  - VM::VM_PROCESSES
  - VM::SIDT
  - VM::SGDT
  - VM::SLDT
  - VM::GPU_VM_STRINGS
  - VM::GPU_CAPABILITIES
  - VM::TIMER
  - VM::FIRMWARE
  - VM::AUDIO
  - VM::OSXSAVE
  - VM::SYS_QEMU_DIR
- merged:
  - VM::OFFSEC_SIDT and VM::VPC_SIDT into VM::SIDT
  - VM::OFFSEC_SGDT into VM::SGDT
  - VM::OFFSEC_SLDT into VM::SLDT
  - VM::QEMU_GA into VM::VM_PROCESSES
- renamed VM::HDD_SERIAL to VM::DISK_SERIAL
- disabled by default:
  - VM::PORT_CONNECTORS
  - VM::ACPI_TEMPERATURE
  - VM::LSHW_QEMU
  - VM::PCI_VM
- removed:
  - VM::SIDT5
  - IDT_GDT_SCAN
  - PROCESSOR_ID
VirusTotal results
The Windows binaries were generated in the CI/CD purely from the source code here.
The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.
Credits
@NotRequiem
@pemessier
@dmfrpro
Extra
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
2.2.0 Release 🎉
- improved VM::TIMER
- improved VM::FIRMWARE
- fixed false positives from 2.1.1
- fixed macro redefinitions
- fixed Hyper-X mechanism bug in 2.1.1
- fixed Hyper-V conflict with "Unknown" brand anomaly
- fixed some grammatical errors in VM descriptions
The Windows binaries were generated in the CI/CD purely from the source code here.
The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.
Credits
@NotRequiem
@pemessier
@dmfrpro
Extra
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
2.1.1 Release 🎉
- added improvements for QEMU detection (extra SCSI ports)
- added performance optimisations
- added compilation support for operating systems below Windows 8 on VM::NATIVE_VHD
- fixed --no-ansi problem
- fixed compilation warnings for MSVC
- fixed critical false positives for:
  - VM::VIRTUAL_PROCESSORS
  - VM::POWER_CAPABILITIES (Removed WakeAlarm checks)
  - VM::ACPI_TEMPERATURE
  - VM::IDT_GDT_SCAN
  - VM::VM_SIDT
- replaced Hyper-V artifact brand type from "Hypervisor (type 1)" to "Unknown"
- renamed VM::IDT_GDT_MISMATCH to VM::IDT_GDT_SCAN
- removed VM::CPUID_BITSET technique
The Windows binaries were generated in the CI/CD purely from the source code here.
The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.
Credits
Extra
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
2.1 Release 🎉
- added new function VM::detected_enums()
- added new brands:
  - Intel TDX
  - LKVM
  - AMD SEV
  - AMD SEV-ES
  - AMD SEV-SNP
  - Neko Project II
  - NoirVisor
  - Qihoo 360 Sandbox
  - nsjail
- added new techniques:
  - VM::TIMER
  - VM::GPU
  - VM::VM_DEVICES
  - VM::ACPI_TEMPERATURE
  - VM::VIRTUAL_PROCESSORS
  - VM::HYPERV_QUERY
  - VM::BAD_POOLS
  - VM::AMD_SEV
  - VM::AMD_THREAD_MISMATCH
  - VM::NATIVE_VHD
  - VM::VIRTUAL_REGISTRY
  - VM::FIRMWARE
  - VM::FILE_ACCESS_HISTORY
  - VM::AUDIO
  - VM::UNKNOWN_MANUFACTURER
  - VM::OSXSAVE
  - VM::NSJAIL_PID
  - VM::PCI_VM
- added new features to the CLI:
  - added brand descriptions
  - added --mit and --enums options
  - renamed --no-color option to --no-ansi
- fixed MacOS techniques
- fixed Hyper-X mechanism
- fixed C++ standards compatibility issues
- fixed argument handler issues
- improved cpu module
- improved Windows stuff
- various fixes, improvements, and optimisations to many techniques
- merged tons of techniques into one
- modified the scores for many techniques
- replaced the WMI module with a more efficient one
- removed brands:
  - Microsoft x86-to-ARM
  - Apple Rosetta 2
- removed techniques:
  - VM::RDTSC
  - VM::VMWARE_REG
  - VM::VBOX_REG
  - VM::USER
  - VM::VBOX_WINDOW_CLASS
  - VM::LOADED_DLLS
  - VM::KVM_REG
  - VM::KVM_DRIVERS
  - VM::AUDIO
  - VM::VMID_0X4
  - VM::PARALLELS_VM
  - VM::QEMU_BRAND
  - VM::VPC_BOARD
  - VM::HYPERV_WMI
  - VM::HYPERV_REG
  - VM::BIOS_SERIAL
  - VM::VALID_MSR
  - VM::QEMU_PROC
  - VM::VPC_PROC
  - VM::HYPERV_BOARD
  - VM::VM_FILES_EXTRA
  - VM::UPTIME
  - VM::HYPERV_BITMASK
  - VM::VMWARE_DMI
  - VM::HYPERV_EVENT_LOGS
  - VM::VMWARE_EVENT_LOGS
  - VM::GPU_CHIPTYPE
  - VM::VM_HDD
  - VM::ACPI_DETECT
  - VM::GPU_NAME
  - VM::VMWARE_DEVICES
  - VM::VMWARE_MEMORY
  - VM::WMI_MODEL
  - VM::WMI_MANUFACTURER
  - VM::WMI_TEMPERATURE
  - VM::CPU_FANS
  - VM::VMWARE_HARDENER
  - VM::WMI_QUERIES
VirusTotal (3/73, as of 21 March 2025)
The Windows binaries were generated here purely from the source code.
Credits
@NotRequiem, this release wouldn't have been possible without him
@Scrut1ny, for useful feedback
2.0 Release 🎉
- added optional VM::vmaware structure
- added new functions:
  - VM::type()
  - VM::conclusion()
  - VM::detected_count()
- added improvements to Hyper-X (version 5)
- added argument support of VM::NO_MEMO to VM::check()
- added 24 new techniques:
  - VM::GPU_CHIPTYPE by @koughing
  - VM::DRIVER_NAMES
  - VM::VBOX_IDT
  - VM::HDD_SERIAL
  - VM::PORT_CONNECTORS
  - VM::VM_HDD
  - VM::ACPI_HYPERV
  - VM::GPU_NAME
  - VM::VMWARE_DEVICES
  - VM::VMWARE_MEMORY
  - VM::IDT_GDT_MISMATCH
  - VM::PROCESSOR_NUMBER
  - VM::NUMBER_OF_CORES
  - VM::WMI_MODEL
  - VM::WMI_MANUFACTURER
  - VM::WMI_TEMPERATURE
  - VM::PROCESSOR_ID
  - VM::CPU_FANS
  - VM::POWER_CAPABILITIES
  - VM::SETUPAPI_DISK
  - VM::VMWARE_HARDENER
  - VM::WMI_QUERIES
  - VM::SYS_QEMU
  - VM::LSHW_QEMU
- added 5 option flags to the CLI:
  - --no-color
  - --high-threshold
  - --dynamic
  - --verbose
  - --compact
- added improvements and fixes to VM::add_custom()
- added 3 new brands:
  - Barevisor
  - HyperPlatform
  - Minivisor

  note: all of these brands were made by @tandasat
- added new WMI structure module and overall WMI improvements
- updated the scores of most techniques (see the scoring system)
- updated:
  - VM::HKLM_REGISTRIES
  - VM::DRIVER_NAMES
  - VM::REGISTRY
- optimized VM::INTEL_THREAD_MISMATCH
- fixed MacOS bugs [link]
- disabled VM::VMWARE_DMESG by default
- removed VM::SPOOFABLE and --spoofable
- removed:
  - VM::MOUSE_DEVICE
  - VM::VBOX_FOLDERS
  - VM::CURSOR
  - VM::HYPERV_WMI
  - VM::HYPERV_REG
  - VM::ANYRUN_DRIVER (still present in the CLI)
  - VM::ANYRUN_DIRECTORY (same)
  - VM::CWSANDBOX_VM
  - VM::MEMORY

  (these were removed either due to unreliability, unpredictability, overall low quality, ethical reasons, or a combination of them)
Credits to
- @NotRequiem
- @koughing
- MeGaMax
VirusTotal results (17/72)
I'm fully aware this looks really suspicious, but the binaries were generated through the CI/CD here purely from the source code. The score might fluctuate as it did previously, so if it doesn't match, please notify me with an issue.
Extra
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
1.9 Release
- renamed Virtual Apple to Apple Rosetta 2
- fixed oversight for AMD CPU detection
- fixed bug for VM::BOCHS_CPU
- fixed VM::ALL thanks to @D00Movenok
- fixed MSVC compiler warnings thanks to @NotRequiem
- disabled VM::CURSOR, VM::RDTSC, and VM::RDTSC_EXIT by default
- added --all to the CLI, which will enable all techniques including the above ones
- added ANY.RUN VM brand
- added VM::ANYRUN_DRIVER and VM::ANYRUN_DIRECTORY techniques
NOTE: It's been exactly a year since I've started and continuously maintained this project since September 2023, and I'm taking a break for a while. Not sure when the next release will be, but I'll try to come back to this project after I've recharged my energy while I'm focusing on some side projects I've been working on occasionally :)
For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com
1.8 Release
- Fixed false positives due to Hyper-V artifacts with new "Hyper-X" mechanism designed by @NotRequiem
- added 10 new VM brands:
  - Hyper-V artifact (not an actual VM)
  - User-mode Linux
  - IBM PowerVM
  - Google Compute Engine (KVM)
  - OpenStack (KVM)
  - KubeVirt (KVM)
  - AWS Nitro System EC2 (KVM-based)
  - Podman
  - WSL
  - OpenVZ
- added 14 new techniques:
  - VM::EVENT_LOGS
  - VM::QEMU_VIRTUAL_DMI
  - VM::QEMU_USB
  - VM::HYPERVISOR_DIR
  - VM::UML_CPU
  - VM::KMSG
  - VM::VM_PROCS
  - VM::VBOX_MODULE
  - VM::SYSINFO_PROC
  - VM::DEVICE_TREE
  - VM::DMI_SCAN
  - VM::SMBIOS_VM_BIT
  - VM::PODMAN_FILE
  - VM::WSL_PROC
