VMAware (VM + Aware) is a cross-platform C++ library for virtual machine detection.
The library is:
- Very easy to use
- Cross-platform (Windows + MacOS + Linux)
- Features up to 120+ unique VM detection techniques [list]
- Features the most cutting-edge techniques
- Able to detect 50+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [list]
- Able to beat VM hardeners
- Compatible with x86 and ARM, with backwards compatibility for 32-bit systems
- Very flexible, with total fine-grained control over which techniques get executed
- Able to detect various VM and semi-VM technologies like hypervisors, emulators, containers, sandboxes, and so on
- Available with C++11 and above
- Header-only
- Memoized, meaning past results are cached and retrieved if ran again for performance benefits
- Contains separate MIT and GPL-3.0 compliant library header files
#include "vmaware.hpp"
#include <iostream>
int main() {
if (VM::detect()) {
std::cout << "Virtual machine detected!" << "\n";
} else {
std::cout << "Running on baremetal" << "\n";
}
std::cout << "VM name: " << VM::brand() << "\n";
std::cout << "VM type: " << VM::type() << "\n";
std::cout << "VM certainty: " << (int)VM::percentage() << "%" << "\n";
}possible output:
Virtual machine detected!
VM name: VirtualBox
VM type: Hypervisor (type 2)
VM certainty: 100%
This project also provides a tiny, but handy CLI tool utilising the full potential of what the library can do. It'll give you all sorts of details about the environment it's running under.
To install the library, download the vmaware.hpp file in the latest release section to your project. The binaries are also located there. No CMake or shared object linkages are necessary, it's literally that simple.
However, if you want the full project (globally accessible headers with <vmaware.hpp> and the CLI tool), follow these commands:
git clone https://github.com/kernelwernel/VMAware
cd VMAwaresudo dnf/apt/yum update -y # change this to whatever your distro is
mkdir build
cd build
cmake ..
sudo make installmkdir build
cd build
cmake ..
sudo make installcmake -S . -B build/ -G "Visual Studio 16 2019"# edit this
set(DIRECTORY "/path/to/your/directory/")
# if you want the MIT version, toggle this to ON
option(MIT "MIT version" OFF)
if (MIT)
set(EXTENSION "_MIT")
else()
set(EXTENSION "")
endif()
set(DESTINATION "${DIRECTORY}vmaware${EXTENSION}.hpp")
if (NOT EXISTS ${DESTINATION})
message(STATUS "Downloading VMAware")
set(URL "https://github.com/kernelwernel/VMAware/releases/latest/download/vmaware${EXTENSION}.hpp")
file(DOWNLOAD ${URL} ${DESTINATION} SHOW_PROGRESS)
else()
message(STATUS "VMAware already downloaded, skipping")
endif()The module file and function version is located here
You can view the full docs here. All the details such as functions, techniques, settings and examples are provided. Trust me, it's not too intimidating ;)
How does it work?
It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. The scores (0-100) for each technique are arbitrarily given, and every technique that has detected a VM will have their score added to a single accumulative point, where a threshold point number will decide whether it's actually running in a VM.
Who is this library for and what are the use cases?
It's designed for security researchers, VM engineers, anticheat developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware.
Additionally, software could adjust the behaviour of their program base on the detected environment. It could be useful for debugging and testing purposes, system administrators could manage configurations differently, and some applications might want to restrict usage in VMs to prevent unauthorized distribution or testing.
Why another VM detection project?
There's already loads of projects that have the same goal such as InviZzzible, pafish and Al-Khaser. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Pafish and InviZzzible have been abandoned for years, while Al-Khaser does receive updates and has a wide scope of detection that includes anti-debuggers, anti-injection, and so on, but the VM detections are not sophisticated enough to be practically applied to real-world scenarios.
I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection library and tool on steroids with maximum flexibility.
How does it compare to paid VM detection libraries? Wouldn't it make it inferior for having it open source?
There are several paid software solutions available for protecting software licenses from reverse engineering or cracking, such as Thales' Sentinel RMS and VMProtect. These tools include VM detection as part of their feature set, though their primary focus is not VM detection unlike this project.
Speaking of which, the only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive way, including having valuable community feedback to make the library more effective and accurate.
How effective are VM hardeners against the lib?
Publicly known hardeners are not effective and most of them on Windows have been beaten, but this doesn't mean that the lib is immune to them. We challenged the most famous ones we know, and that's why we created a bypass against them as our main focus. Custom hardeners that we may not be aware of might have a theoretical advantage, but they are substantially more difficult to produce.
Is it possible to spoof the result?
Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false positive or even a false negative. This is a problem that every VM detection project is facing whether closed or open source, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. Remember, EVERYTHING is technically spoofable.
What about using this for malware?
This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good fucking luck obfuscating 12k+ lines of C++ code lmao.
Why GPL-3.0 and MIT?
I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons.
This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes 9 techniques out of 128 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
I have linker errors when compiling
If you're compiling with gcc or clang, add the
-lmand-lstdc++flags, or use g++/clang++ compilers instead. If you're receiving linker errors from a brand new VM environment on Linux, update your system withsudo apt/dnf/yum update -yto install the necessary C++ components.
If you have any suggestions, ideas, or any sort of contribution, feel free to ask! I'll be more than happy to discuss either in the issue or discussion sections, I usually reply fairly quickly. If you want to personally ask something in private, my discord is kr.nl
And if you found this project useful, a star would be appreciated :)
- Requiem (Co-maintainer)
- Check Point Research
- Unprotect Project
- Al-Khaser
- pafish
- Matteo Malvica
- N. Rin, EP_X0FF
- Peter Ferrie, Symantec
- Graham Sutherland, LRQA Nettitude
- Alex
- Marek KnΓ‘pek
- Vladyslav Miachkov
- (Offensive Security) Danny Quist
- (Offensive Security) Val Smith
- Tom Liston + Ed Skoudis
- Tobias Klein
- (S21sec) Alfredo Omella
- hfiref0x
- Waleedassar
- δΈεδΊΊη
- Thomas Roccia (fr0gger)
- systemd project
- mrjaxser
- iMonket
- Eric Parker's discord community
- ShellCode33
- Georgii Gennadev (D00Movenok)
- utoshu
I am not responsible nor liable for any damage you cause through any malicious usage of this project.
License: GPL-3.0/MIT