README.md
2 additions & 2 deletions
@@ -14,7 +14,7 @@
14
14
The library is:
15
15
- Very easy to use
16
16
- Cross-platform (Windows + MacOS + Linux)
17
-
- Features up to 115 unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
17
+
- Features up to 100+ unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
18
18
- Features the most cutting-edge techniques
19
19
- Able to detect 65+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
20
20
- Able to beat VM hardeners
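Review bot: the new wording "up to 100+ unique VM detection techniques" is self-contradictory ("up to" sets a ceiling, "+" removes it) and vaguer than the "115" it replaces, while the second README hunk in this same commit puts the total at 109 (as of 2.0). Suggest stating one number consistently, e.g. `- Features 109 unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]`, so the feature list and the license note do not disagree within one file.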
@@ -239,7 +239,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
239
239
240
240
> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL projects, and I have no choice but to use the same license for legal reasons.
241
241
>
242
-
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes <b>7</b> techniques out of 115 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
242
+
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes <b>7</b> techniques out of 109 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
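Review bot: the change from 115 to 109 is consistent with the docs/documentation.md hunks in this commit, which drop six flag rows net (`VM::SIDT5` and `VM::VM_SIDT` removed outright, seven sidt/sgdt/sldt variants collapsed into three), but it is not consistent with the "100+" wording introduced in the first hunk. Two smaller points on the same line: `<b>7</b>` is raw HTML inside a Markdown blockquote where `**7**` would do, and "the lesser the number of techniques, the less accurate" reads better as "the fewer the techniques, the less accurate".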
docs/documentation.md
6 additions & 12 deletions
@@ -440,7 +440,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
440
440
|`VM::DMIDECODE`| Check if dmidecode output matches a VM brand | Linux | 55% | Admin ||||
441
441
|`VM::DMESG`| Check if dmesg output matches a VM brand | Linux | 55% | Admin ||||
442
442
|`VM::HWMON`| Check if /sys/class/hwmon/ directory is present. If not, likely a VM | Linux | 35% |||||
443
-
|`VM::SIDT5`| Check if the 5th byte after sidt is null | Linux | 45% |||||
444
443
|`VM::DLL`| Check for VM-specific DLLs | Windows | 25% |||||
445
444
|`VM::REGISTRY`| Check for VM-specific registry values | Windows | 50% |||||
446
445
|`VM::VM_FILES`| Find for VM-specific specific files | Windows | 25% |||||
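Review bot: `VM::SIDT5` is removed from the flag table with nothing saying whether it was folded into the reworked `VM::SIDT` row later in this diff (which now lists Linux as a platform) or dropped entirely; a line in the commit message or a changelog entry would help users who reference the flag by name, and it is worth confirming the enum value goes away in the library in the same change so the docs and the API do not diverge. While this region is being touched, the context row `|`VM::VM_FILES`| Find for VM-specific specific files | Windows | 25% |||||` has a duplicated "specific", and "Find for" should be "Search for".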
@@ -466,13 +465,9 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
466
465
|`VM::MAC_SIP`| Check if System Integrity Protection is disabled (likely a VM if it is) | MacOS | 40% |||||
467
466
|`VM::HKLM_REGISTRIES`| Check HKLM registries for specific VM strings | Windows | 25% |||||
468
467
|`VM::VPC_INVALID`| Check for official VPC method | Windows | 75% ||| 32-bit ||
469
-
|`VM::SIDT`| Check for sidt instruction method | Windows | 25% |||||
470
-
|`VM::SGDT`| Check for sgdt instruction method | Windows | 30% ||| 32-bit ||
471
-
|`VM::SLDT`| Check for sldt instruction method | Windows | 15% ||| 32-bit ||
472
-
|`VM::OFFSEC_SIDT`| Check for Offensive Security SIDT method | Windows | 60% ||| 32-bit ||
473
-
|`VM::OFFSEC_SGDT`| Check for Offensive Security SGDT method | Windows | 60% ||| 32-bit ||
474
-
|`VM::OFFSEC_SLDT`| Check for Offensive Security SLDT method | Windows | 20% ||| 32-bit ||
475
-
|`VM::VPC_SIDT`| Check for sidt method with VPC's 0xE8XXXXXX range | Windows | 15% ||| 32-bit ||
468
+
|`VM::SIDT`| Check for uncommon IDT virtual addresses | Linux and Windows | 25% |||||
469
+
|`VM::SGDT`| Check for uncommon GDT virtual addresses | Windows | 30% |||||
470
+
|`VM::SLDT`| Check for uncommon LDT virtual addresses | Windows | 15% ||| 32-bit ||
476
471
|`VM::VMWARE_IOMEM`| Check for VMware string in /proc/iomem | Linux | 65% |||||
477
472
|`VM::VMWARE_IOPORTS`| Check for VMware string in /proc/ioports | Linux | 70% |||||
478
473
|`VM::VMWARE_SCSI`| Check for VMware string in /proc/scsi/scsi | Linux | 40% |||||
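Review bot: the consolidation changes two things the new descriptions do not explain. First, `VM::SGDT` loses its "32-bit" marker while `VM::SLDT` keeps it (both rows carried it before); if SGDT now works on 64-bit builds the commit message should say so, otherwise the marker was dropped by accident. Second, the three surviving rows keep their old scores (25%, 30%, 15%) even though they now stand in for `VM::OFFSEC_SIDT` and `VM::OFFSEC_SGDT` (60% each) and `VM::VPC_SIDT`; if the new checks subsume those heuristics their weight should be revisited, and if they do not, the removed checks' coverage is silently lost. Also, `VM::SIDT` is now listed for "Linux and Windows", but which IDT addresses count as "uncommon" on each OS is not documented anywhere in the row.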
@@ -488,8 +483,8 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
488
483
|`VM::NETTITUDE_VM_MEMORY`| Check for memory regions to detect VM-specific brands | Windows | 100% |||||
489
484
|`VM::CUCKOO_DIR`| Check for cuckoo directory using crt and WIN API directory functions | Windows | 30% |||||
490
485
|`VM::CUCKOO_PIPE`| Check for Cuckoo specific piping mechanism | Windows | 30% |||||
491
-
|`VM::HYPERV_HOSTNAME`| Check for default Azure hostname format regex (Azure uses Hyper-V as their base VM brand) |Windows, Linux | 30% |||||
492
-
|`VM::GENERAL_HOSTNAME`| Check for commonly set hostnames by certain VM brands |Windows, Linux | 10% |||||
486
+
|`VM::HYPERV_HOSTNAME`| Check for default Azure hostname format regex (Azure uses Hyper-V as their base VM brand) | Linux and Windows| 30% |||||
487
+
|`VM::GENERAL_HOSTNAME`| Check for commonly set hostnames by certain VM brands | Linux and Windows| 10% |||||
493
488
|`VM::SCREEN_RESOLUTION`| Check for pre-set screen resolutions commonly found in VMs | Windows | 20% |||||
494
489
|`VM::DEVICE_STRING`| Check if bogus device string would be accepted | Windows | 25% |||||
495
490
|`VM::BLUESTACKS_FOLDERS`| Check for the presence of BlueStacks-specific folders | Linux | 5% |||||
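Review bot: only the platform cell changes here ("Windows, Linux" to "Linux and Windows"), matching the wording used for `VM::SIDT` and `VM::FIRMWARE` elsewhere in this diff, but the new cells omit the space before the closing pipe (`| Linux and Windows| 30% |`) that every other row uses; GFM renders it the same, but `| Linux and Windows | 30% |` keeps the table consistent and the next diff readable. If "Linux and Windows" is now the canonical form, any other rows still using the comma form should be normalised in a follow-up.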
@@ -512,7 +507,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
512
507
|`VM::ANYRUN_DRIVER`| Check for any.run driver presence | Windows | 65% ||||| Removed from the lib, only available in the CLI |
513
508
|`VM::ANYRUN_DIRECTORY`| Check for any.run directory and handle the status code | Windows | 35% ||||| Removed from the lib, only available in the CLI |
514
509
|`VM::DRIVER_NAMES`| Check for VM-specific names for drivers | Windows | 100% |||||
515
-
|`VM::VM_SIDT`| Check for unknown IDT base address | Windows | 100% |||||
516
510
|`VM::DISK_SERIAL`| Check for serial numbers of virtual disks | Windows | 100% |||||
517
511
|`VM::PORT_CONNECTORS`| Check for physical connection ports | Windows | 25% |||| This technique is known to false flag on devices like Surface Pro |
518
512
|`VM::GPU_CAPABILITIES`| Check for GPU capabilities related to VMs | Windows | 100% | Admin ||| Admin only needed for some heuristics |
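Review bot: `VM::VM_SIDT` (100%, "unknown IDT base address") is removed, while the reworked `VM::SIDT` row earlier in this diff ("uncommon IDT virtual addresses") is scored at 25%. If VM_SIDT's logic was merged into SIDT, a technique that previously counted 100% now contributes 25%, which changes results for anyone who relied on it; if it was dropped because of false positives, the commit message should say so. The row removal alone does not tell a reader which case applies.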
@@ -530,7 +524,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
530
524
|`VM::AMD_THREAD_MISMATCH`| Check for AMD CPU thread count database if it matches the system's thread count || 95% |||||
531
525
|`VM::NATIVE_VHD`| Check for OS being booted from a VHD container | Windows | 100% |||||
532
526
|`VM::VIRTUAL_REGISTRY`| Check for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | Windows | 65% |||| Admin only needed for Linux |
533
-
|`VM::FIRMWARE`| Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid |Windows and Linux| 100% |||||
527
+
|`VM::FIRMWARE`| Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid |Linux and Windows| 100% |||||
534
528
|`VM::FILE_ACCESS_HISTORY`| Check if the number of accessed files are too low for a human-managed environment | Linux | 15% |||||
535
529
|`VM::AUDIO`| Check if any waveform-audio output devices are present in the system | Windows | 25% |||||
536
530
|`VM::UNKNOWN_MANUFACTURER`| Check if the CPU manufacturer is not known || 50% |||||
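Review bot: the `VM::FIRMWARE` change is platform-cell wording only ("Windows and Linux" to "Linux and Windows"), which is fine. The context row above it, `VM::VIRTUAL_REGISTRY`, lists Windows as the only platform yet its note reads "Admin only needed for Linux"; one of the two is wrong and is worth fixing while this table is being edited. The same hunk shows `VM::AMD_THREAD_MISMATCH` and `VM::UNKNOWN_MANUFACTURER` with an empty platform cell; if an empty cell means all platforms, the table should say so, otherwise the cell should be filled in.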