
Commit 7016d68

author
Requiem
committed
sync dev
2 parents c711c28 + 5cdd974 commit 7016d68

9 files changed

Lines changed: 132 additions & 50 deletions


.github/PULL_REQUEST_TEMPLATE.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,6 @@
1-
# MAKE SURE TO READ THE CONTRIBUTION GUIDELINES BEFORE CONTINUING!
1+
## MAKE SURE TO READ THE CONTRIBUTION GUIDELINES BEFORE CONTINUING!
2+
3+
<br>
24

35
## What does this PR do?
46
- [ ] Add a new technique
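Review bot: the new `<br>` on line 3 sits directly before the blank line that already separates the banner from `## What does this PR do?`, so the rendered template gets a double gap; drop either the `<br>` or the blank line unless the extra spacing is intentional.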

CONTRIBUTING.md

Lines changed: 15 additions & 6 deletions
@@ -1,12 +1,21 @@
11
# Contribution Guidelines
22

3-
# I want to add a new technique, how would I do that?
4-
There used to be a complicated process in adding techniques, but that's now been replaced with a tool that prompts you on the new technique details and updates the library code automagically. You can check out the python script at auxiliary/add_technique.py
3+
## I want to add a new technique, how would I do that?
4+
There used to be a complicated process in adding techniques, but that's now been replaced with a tool that prompts you on the new technique details and updates the library code automagically. You can check out the python script at `auxiliary/add_technique.py`
55

66

7-
# I want to make a major change to the library
8-
Depending on how big the change is, if the change is fairly small then just a simple PR is fine. But if it has hundreds of lines of code changes then it's best to create an issue prior to even starting to write the code, or we can discuss on discord (`kr.nl`). I don't bite ;)
7+
## I want to make a major change to the library
8+
Depending on how big the change is, if the change is fairly small then just a simple PR is fine. But if it has hundreds of lines of code changes then it's best to create an issue prior to even starting to write the code, or you can discuss it with us discord (`kr.nl` or `shenzken`).
99

1010

11-
# I want to contribute but there's something that I don't understand about the library code
12-
You can create an issue, and I will reply within 24 hours. We have too much free time on our hands in reality.
11+
## I want to contribute but there's something that I don't understand about the library code
12+
You can create an issue, and I will reply within 24 hours. We have too much free time on our hands in reality.
13+
14+
15+
## Extra
16+
We have a tool that can update the MIT file and other details of the library with a python script for maintenance purposes. The script at `auxiliary/updater.py` will update:
17+
- the section line numbers in the header banner
18+
- the date of the update
19+
- the MIT file by copying the GPL file and removing every GPL code (so that you don't have to make the same changes on 2 different files separately, just focus on vmaware.hpp and let the script manage the vmaware_MIT.hpp file)
20+
21+
It's highly recommended to use this script before sending the PR so that all the above don't have to be manually updated, which can be time consuming and can potentially creep in some human errors.
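Review bot: line 8 is missing a preposition: `or you can discuss it with us discord` should read `or you can discuss it with us on discord`. Two smaller wording points in the new Extra section: line 19 `removing every GPL code` reads better as `removing all GPL-licensed code`, and line 21 `can potentially creep in some human errors` as `can let human errors creep in`. Since line 19 tells contributors that `auxiliary/updater.py` regenerates `vmaware_MIT.hpp` from `vmaware.hpp`, it is worth stating outright that edits must go into `vmaware.hpp` only, because hand edits to the MIT header will be overwritten the next time the script runs.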

README.md

Lines changed: 12 additions & 10 deletions
@@ -14,9 +14,9 @@
1414
The library is:
1515
- Very easy to use
1616
- Cross-platform (Windows + MacOS + Linux)
17-
- Features up to 110 unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
17+
- Features up to 100+ unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
1818
- Features the most cutting-edge techniques
19-
- Able to detect 65+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
19+
- Able to detect over 60 VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
2020
- Able to beat VM hardeners
2121
- Compatible with x86 and ARM, with backwards compatibility for 32-bit systems
2222
- Very flexible, with total fine-grained control over which techniques get executed
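Review bot: `Features up to 100+ unique VM detection techniques` on line 17 is self-contradictory, since `up to` states a ceiling and `+` a floor; pick one (`100+` or `over 100`). The same hunk changes `65+` to `over 60` on line 19, so the brand count is now rounded down while the technique count is rounded to an open-ended figure; if the goal is to stop the README drifting from the flag and brand tables, one consistent phrasing (`over 100` / `over 60`) reads better.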
@@ -169,7 +169,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
169169

170170
> It's designed for security researchers, VM engineers, anticheat developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware.
171171
>
172-
> Additionally, software could adjust the behaviour of their program based on the detected environment. It could be useful for debugging and testing purposes, while system administrators could manage configurations differently. Additionally, some applications might want to legally restrict usage in VMs as a license clause to prevent unauthorized distribution or testing.
172+
> Additionally, software could adjust the behaviour of their program based on the detected environment. It could be useful for debugging and testing purposes, while system administrators could manage configurations differently. Finally, some applications might want to legally restrict usage in VMs as a license clause to prevent unauthorized distribution or testing.
173173
>
174174
> There are also projects that utilise our tool such as [Hypervisor-Phantom](https://github.com/Scrut1ny/Hypervisor-Phantom?tab=readme-ov-file), which is an advanced malware analysis project that we helped strengthen their hypervisor environment and undetectability.
175175
@@ -182,9 +182,9 @@ You can view the full docs [here](docs/documentation.md). All the details such a
182182
> There's already loads of projects that have the same goal such as
183183
<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional issue is that they are all GPL projects.
184184
>
185-
> Pafish and InviZzzible have been abandoned for years. Although Al-Khaser **DOES** receive occasional updates and has a wide scope of detection that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.
185+
> Pafish and InviZzzible have been abandoned for years. Although Al-Khaser does receive occasional updates and has a wide scope of detections that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.
186186
>
187-
> While those projects have been useful to VMAware, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic real-world usability.
187+
> While those projects have been useful to VMAware as a baseline, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.
188188
189189
</details>
190190

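Review bot: line 187 keeps a grammatical slip from the old text: `to make the detection techniques to be accessible programmatically` should drop `to be`.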
@@ -193,17 +193,19 @@ You can view the full docs [here](docs/documentation.md). All the details such a
193193
<summary>How does it compare to paid VM detection libraries?</summary>
194194
<br>
195195

196-
> There are several paid software solutions available for protecting software licenses from reverse engineering or cracking, such as <a href="https://docs.sentinel.thalesgroup.com/home.htm">Thales' Sentinel RMS</a> and <a href="https://vmpsoft.com/">VMProtect</a>. These tools include VM detection as part of their feature set, though their primary focus is not VM detection unlike this project. VMProtect is very effective especially in their recent updates, and has shown in one instance that they've outperformed the lib, which we're trying to catch up.
196+
> There are several paid software solutions available for protecting software licenses from reverse engineering or cracking, such as <a href="https://docs.sentinel.thalesgroup.com/home.htm">Thales' Sentinel RMS</a> and <a href="https://vmpsoft.com/">VMProtect</a>. These tools include VM detection as part of their feature set, though their primary focus is not necessarily VM detection unlike this project. VMProtect is very effective especially in their recent updates, and has shown in one instance that they've outperformed VMAware, which we're trying to catch up.
197197
198198
</details>
199199

200200
<details>
201-
<summary>Wouldn't it make it inferior for having it open source?</summary>
201+
<summary>Wouldn't it make it inferior for having the project open source?</summary>
202202
<br>
203203

204-
> The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive way rather than trying to obfuscate it. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide it's a VM. All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source.
204+
> The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive manner rather than trying to obfuscate. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide it's a VM.
205+
>
206+
> All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source. This is what made the project the best VM detection framework out there, and bypassing it has shown to be an immense challenge due to the sheer number of sophisticated and never-before-seen techniques we employ that other VM detectors don't use whether open or closed source (to our knowledge).
205207
>
206-
> In other words, it's about quality, feedback, and openness over security through obfuscation.
208+
> In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation.
207209
208210
</details>
209211

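Review bot: the new line 206 makes two claims the README cannot back on its own (`the best VM detection framework out there` and `bypassing it has shown to be an immense challenge`); an answer that opens by conceding the open-source trade-off reads more credibly with the `(to our knowledge)` qualifier moved to the front of that sentence or with a pointer to the comparison given two answers earlier. Line 204 still has `which try to hide it's a VM`, where `hide that it's a VM` is the intended reading, and `better openness` on line 208 is an odd comparative; `more openness` or simply `openness` is enough.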
@@ -239,7 +241,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
239241

240242
> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL projects, and I have no choice but to use the same license for legal reasons.
241243
>
242-
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes <b>7</b> techniques out of 110 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
244+
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes 6% of total techniques, and the lesser the number of techniques, the less accurate the overall result might be, but this has rarely any effective difference.
243245
244246
</details>
245247

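Review bot: replacing `7 techniques out of 110 (as of 2.0 version)` with `6% of total techniques` on line 244 drops the version qualifier, but the percentage will drift just as the absolute numbers did as techniques are added; keep an `(as of ...)` note or, better, have `auxiliary/updater.py` (which CONTRIBUTING.md in this same commit says regenerates the MIT header) compute and emit the figure. Also `but this has rarely any effective difference` should read `but this rarely makes any effective difference`.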
auxiliary/add_technique.py

Lines changed: 6 additions & 7 deletions
@@ -499,16 +499,16 @@ def write_docs(options):
499499
query_list.append(options.description)
500500

501501
if options.cross_platform:
502-
query_list.append("")
502+
query_list.append("🐧🪟🍏")
503503
else:
504504
category_list = []
505505
if options.is_linux:
506-
category_list.append("Linux")
506+
category_list.append("🐧")
507507
if options.is_win:
508-
category_list.append("Windows")
508+
category_list.append("🪟")
509509
if options.is_mac:
510-
category_list.append("MacOS")
511-
category_str = " and ".join(category_list)
510+
category_list.append("🍏")
511+
category_str = "".join(category_list)
512512
query_list.append(category_str)
513513

514514
query_list.append(str(options.score) + "%")
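Review bot: the category strings are now non-ASCII (🐧, 🪟, 🍏), and `open()` without an explicit `encoding=` uses the locale encoding, which on many Windows setups is not UTF-8; if the docs file is written that way elsewhere in this script (not visible in this hunk), the write will raise `UnicodeEncodeError`, so the writer should pass `encoding="utf-8"`. The `"".join(category_list)` on line 511 follows the same Linux, Windows, macOS order as the `🐧🪟🍏` literal on line 502, so a technique flagged for all three platforms individually yields the same cell as `cross_platform`; that is consistent with the table, but a one-line comment tying the two orders together would stop them diverging later.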
@@ -533,11 +533,10 @@ def write_docs(options):
533533
else:
534534
query_list.append("")
535535

536-
query = "| " + " | ".join(query_list) + " |"
536+
query = "| " + " | ".join(query_list) + " | |" # last part is meant to be the link, todo
537537

538538
new_docs.append(query + "\n")
539539
updated = True
540-
541540

542541
# add the line in the buffer array
543542
new_docs.append(line)
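Review bot: line 536 now appends a permanently empty trailing cell with a `todo` comment, so every row the tool generates ships without the `[link](...)` entry that the hand-written rows in `docs/documentation.md` carry. The existing links point at a pinned commit hash plus a `#L<line>` anchor; if the script cannot know the final commit, a link to the header on `main` at the line where it inserts the technique is still better than shipping a TODO in generated docs, and failing that the gap should be tracked in an issue rather than a comment.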

docs/documentation.md

Lines changed: 3 additions & 1 deletion
@@ -515,7 +515,8 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
515515
| `VM::ANYRUN_DIRECTORY` | Check for any.run directory and handle the status code | 🪟 | 35% | | | | Removed from the lib, only available in the CLI | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/cli.cpp#L713) |
516516
| `VM::DRIVER_NAMES` | Check for VM-specific names for drivers | 🪟 | 100% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7426) |
517517
| `VM::DISK_SERIAL` | Check for serial numbers of virtual disks | 🪟 | 100% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7581) |
518-
| `VM::PORT_CONNECTORS` | Check for physical connection ports | 🪟 | 25% | | | | This technique is known to false flag on devices like Surface Pro, disabled by default | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7700) |
518+
| `VM::PORT_CONNECTORS` | Check for physical connection ports | 🪟 | 25% | | | | This technique is known to false flag on devices like Surface Pro | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7700) |
519+
| `VM::IVSHMEM` | Check for IVSHMEM device absense | 🪟 | 100% | | | | |
519520
| `VM::GPU_CAPABILITIES` | Check for GPU capabilities related to VMs | 🪟 | 100% | Admin | | | Admin only needed for some heuristics | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7785) |
520521
| `VM::GPU_VM_STRINGS` | Check for specific GPU string signatures related to VMs | 🪟 | 100% | | | | If GPU_CAPABILITIES also flags, the score will have 50 added instead of 100 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7730) |
521522
| `VM::VM_DEVICES` | Check for VM-specific devices | 🪟 | 50% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7848) |
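Review bot: the new `VM::IVSHMEM` row on line 519 has eight cells where the neighbouring rows have nine (it lacks the trailing `[link](...)` cell), so the table will render with a misaligned last column; add the link cell, even if empty, to match the rows around it. Also `absense` should be `absence`, and `Check for IVSHMEM device absence` paired with a 100% score reads inverted: IVSHMEM is QEMU's inter-VM shared-memory device, so its presence is what would indicate a VM; confirm which condition the technique actually flags and word the description to match. Finally, dropping `disabled by default` from the `VM::PORT_CONNECTORS` note on line 518 is only right if the header's default changed in this commit; if the technique is still off by default, the note should stay.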
@@ -617,6 +618,7 @@ This is the table of all the brands the lib supports.
617618
| NoirVisor | `brands::NOIRVISOR` | Hypervisor (type 1) | |
618619
| Qihoo 360 Sandbox | `brands::QIHOO` | Sandbox | |
619620
| nsjail | `brands::NSJAIL` | Process isolator | |
621+
| Hypervisor-Phantom | `brands::HYPERVISOR_PHANTOM` | Sandbox | See the [repository](https://github.com/Scrut1ny/Hypervisor-Phantom) |
620622

621623
<br>
622624

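Review bot: the row on line 621 classifies Hypervisor-Phantom as `Sandbox`, while the description added to `src/cli.cpp` in this same commit calls it a customized QEMU/KVM, EDK2 and Linux-kernel setup, i.e. a hypervisor configuration rather than an application sandbox like Qihoo 360 on the row above; a hypervisor category, or a note in the last column that it is a QEMU/KVM-based analysis environment, would describe it more accurately.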
src/README.md

Lines changed: 1 addition & 1 deletion
@@ -2,7 +2,7 @@
22
|------|---------|
33
| `cli.cpp` | Entire CLI tool code |
44
| `vmaware.hpp` | Official and original library header in GPL-3.0, most likely what you're looking for. |
5-
| `vmaware_MIT.hpp` | Same as above but in MIT. But this removes 7 techniques out of 110 |
5+
| `vmaware_MIT.hpp` | Same as above but in MIT. This removes around 6% of techniques but there shouldn't be any effective difference compared to the GPL version. |
66

77
<br>
88

src/cli.cpp

Lines changed: 4 additions & 0 deletions
@@ -276,6 +276,7 @@ Neko Project II
276276
NoirVisor
277277
Qihoo 360 Sandbox
278278
nsjail
279+
Hypervisor-Phantom
279280
)";
280281

281282
std::exit(0);
@@ -449,6 +450,7 @@ bool is_unsupported(VM::enum_flags flag) {
449450
case VM::DRIVER_NAMES:
450451
case VM::DISK_SERIAL:
451452
case VM::PORT_CONNECTORS:
453+
case VM::IVSHMEM:
452454
case VM::GPU_VM_STRINGS:
453455
case VM::GPU_CAPABILITIES:
454456
case VM::PROCESSOR_NUMBER:
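Review bot: adding `VM::IVSHMEM` here matches the 🪟-only platform cell for the technique in `docs/documentation.md`, so this is correct; note though that this switch, the `checker(...)` list in `general()` further down and the docs table now all have to be updated in lock-step for every new flag, which is exactly the kind of maintenance `auxiliary/add_technique.py` should emit if it does not already.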
@@ -652,6 +654,7 @@ std::string vm_description(const std::string& vm_brand) {
652654
{ brands::NOIRVISOR, "NoirVisor is a hardware-accelerated hypervisor with support to complex functions and purposes. It is designed to support processors based on x86 architecture with hardware-accelerated virtualization feature. For example, Intel processors supporting Intel VT-x or AMD processors supporting AMD-V meet the requirement. It was made by Zero-Tang." },
653655
{ brands::QIHOO, "360 sandbox is a part of 360 Total Security. Similar to other sandbox software, it provides a virtualized environment where potentially malicious or untrusted programs can run without affecting the actual system. Qihoo 360 Sandbox is commonly used for testing unknown applications, analyzing malware behavior, and protecting users from zero-day threats." },
654656
{ brands::NSJAIL, "nsjail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel. It can be used for isolating networking services, CTF challenges, and containing invasive syscall-level OS fuzzers." },
657+
{ brands::HYPERVISOR_PHANTOM, "Hypervisor-Phantom is an automated setup solution designed to evade detection from advanced malware, enabling thorough analysis. It employs a highly customized version of QEMU/KVM, EDK2, and the Linux Kernel. This also spoofs many unique hypervisor identifiers, effectively disguising the environment. This setup enhances the accuracy and reliability of malware analysis by minimizing the risk of detection." },
655658
{ brands::NULL_BRAND, "Indicates no detectable virtualization brand. This result may occur on bare-metal systems, unsupported/obscure hypervisors, or when anti-detection techniques (e.g., VM escaping) are employed by the guest environment." }
656659
};
657660

@@ -949,6 +952,7 @@ void general() {
949952
checker(VM::DRIVER_NAMES, "driver names");
950953
checker(VM::DISK_SERIAL, "disk serial number");
951954
checker(VM::PORT_CONNECTORS, "physical connection ports");
955+
checker(VM::IVSHMEM, "IVSHMEM device");
952956
checker(VM::GPU_CAPABILITIES, "GPU capabilities");
953957
checker(VM::GPU_VM_STRINGS, "GPU strings");
954958
checker(VM::PROCESSOR_NUMBER, "processor count");
