chore: renamed VM::OBJECTS to VM::KERNEL_OBJECTS

kernelwernel · kernelwernel · commit 9da062cbd29b · 2026-01-31T12:18:44.000Z
diff --git a/docs/documentation.md b/docs/documentation.md
@@ -591,7 +591,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::DBVM` | Check if Dark Byte's VM is present | 🪟 | 150% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9518) |
 | `VM::BOOT_LOGO` | Check boot logo for known VM images | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9637) |
 | `VM::MAC_SYS` | Check for VM-strings in system profiler commands for MacOS | 🍏 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L7363) |
-| `VM::OBJECTS` | Check for any signs of VMs in Windows kernel object entities | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9740) |
+| `VM::KERNEL_OBJECTS` | Check for any signs of VMs in Windows kernel object entities | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9740) |
 | `VM::NVRAM` | Check for known NVRAM signatures that are present on virtual firmware | 🪟 | 100% | Admin |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9926) |
 | `VM::SMBIOS_INTEGRITY` | Check if SMBIOS is malformed/corrupted in a way that is typical for VMs | 🪟 | 50% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L10357) |
 | `VM::EDID` | Check for non-standard EDID configurations | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L10368) |
diff --git a/src/cli.cpp b/src/cli.cpp
@@ -805,7 +805,7 @@ static void general(
     checker(VM::DBVM, "Dark Byte's hypervisor");
     checker(VM::BOOT_LOGO, "boot logo");
     checker(VM::MAC_SYS, "system profiler");
-    checker(VM::OBJECTS, "kernel objects");
+    checker(VM::KERNEL_OBJECTS, "kernel objects");
     checker(VM::NVRAM, "NVRAM");
     checker(VM::SMBIOS_INTEGRITY, "SMBIOS integrity");
     checker(VM::EDID, "EDID");
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
@@ -60,7 +60,7 @@
  * - struct for internal core components       => line 11205
  * - start of VM detection technique list      => line 4251
  * - start of public VM detection functions    => line 11551
- * - start of externally defined variables     => line 12534
+ * - start of externally defined variables     => line 12544
  *
  *
  * ============================== EXAMPLE ===================================
@@ -576,7 +576,7 @@ struct VM {
         UD,
         BLOCKSTEP,
         DBVM,
-        OBJECTS,
+        KERNEL_OBJECTS,
         NVRAM,
         SMBIOS_INTEGRITY,
         EDID,
@@ -9737,9 +9737,9 @@ struct VM {
     /**
      * @brief Check for any signs of VMs in Windows kernel object entities 
      * @category Windows
-     * @implements VM::OBJECTS
+     * @implements VM::KERNEL_OBJECTS
      */
-    [[nodiscard]] static bool objects() {
+    [[nodiscard]] static bool kernel_objects() {
         struct OBJECT_DIRECTORY_INFORMATION {
             UNICODE_STRING Name;
             UNICODE_STRING TypeName;
@@ -9904,12 +9904,12 @@ struct VM {
             // "VmGenerationCounter" and "VmGid" are created by the Hyper-V VM Bus provider
             if (objectName == L"VmGenerationCounter") {
                 pNtClose(hDir);
-                debug("OBJECTS: Detected VmGenerationCounter");
+                debug("KERNEL_OBJECTS: Detected VmGenerationCounter");
                 return core::add(brands::HYPERV);
             }
             if (objectName == L"VmGid") {
                 pNtClose(hDir);
-                debug("OBJECTS: Detected VmGid");
+                debug("KERNEL_OBJECTS: Detected VmGid");
                 return core::add(brands::HYPERV);
             }
         }
@@ -11891,13 +11891,21 @@ struct VM {
 
         u16 threshold = 150;
 
-        // if high threshold is set, the points 
+        // if high threshold is set, the bar
         // will be 300. If not, leave it as 150
         if (core::is_enabled(flags, HIGH_THRESHOLD)) {
             threshold = high_threshold_score;
         }
 
-        return (points >= threshold);
+        if (points >= threshold) {
+            return true;
+        }
+
+        // this is added as a last ditch attempt to detect a VM, 
+        // because if there are indications of hardening then logically 
+        // it should in fact be a VM. It's doubtful if this can actually 
+        // return true, but it's better than nothing
+        return (is_hardened());
     }
 
 
@@ -12095,7 +12103,7 @@ struct VM {
             case DBVM: return "DBVM";
             case BOOT_LOGO: return "BOOT_LOGO";
             case MAC_SYS: return "MAC_SYS";
-            case OBJECTS: return "OBJECTS";
+            case KERNEL_OBJECTS: return "KERNEL_OBJECTS";
             case NVRAM: return "NVRAM";
             case SMBIOS_INTEGRITY: return "SMBIOS_INTEGRITY";
             case EDID: return "EDID";
@@ -12707,7 +12715,7 @@ std::array<VM::core::technique, VM::enum_size + 1> VM::core::technique_table = [
             {VM::DRIVERS, {100, VM::drivers}},
             {VM::DEVICE_HANDLES, {100, VM::device_handles}},
             {VM::VIRTUAL_PROCESSORS, {100, VM::virtual_processors}},
-            {VM::OBJECTS, {100, VM::objects}},
+            {VM::KERNEL_OBJECTS, {100, VM::kernel_objects}},
             {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}},
             {VM::AUDIO, {25, VM::audio}},
             {VM::DISPLAY, {25, VM::display}},
