11# VM Detection
22
3- This project is a Go implementation of well-known techniques trying to detect if the program is being run in a virtual machine.
3+ * What ? * This project is a Go implementation of well-known techniques trying to detect if the program is being run in a virtual machine.
44
5- Why doing this in Go ? Because there are many C programs already doing this, but none written in pure Go.
5+ * Why ? * Because there are many C programs already doing this, but none written in pure Go.
66
7- See the [ paper] ( https://github.com/ShellCode33/VM-Detection/blob/master/paper/paper.pdf ) for more details.
7+ * How ?* See this [ paper] ( https://github.com/ShellCode33/VM-Detection/blob/master/paper/paper.pdf ) for more details.
8+
9+ Please feel free to contribute !
810
911## Usage
1012
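Review bot: the `* What ? *`, `* Why ? *` and `* How ?*` lead-ins at lines 3, 5 and 7 put spaces inside the asterisks, so Markdown will render the literal `*` characters instead of emphasis; write them as `**What?**`, `**Why?**` and `**How?**` (and drop the space before `?` and `!`, as in "Please feel free to contribute!"). While touching line 3, "techniques trying to detect" reads better as "techniques that try to detect".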
@@ -15,18 +17,33 @@ $ go get github.com/ShellCode33/VM-Detection/vmdetect
1517
1618Then see [ main.go] ( https://github.com/ShellCode33/VM-Detection/blob/master/main.go ) to use it in your own project.
1719
20+ This project is compatible for both Linux and Windows, you can use the following command to cross-compile it :
21+ ``` bash
22+ $ GOOS=windows go build main.go
23+ $ file main.exe
24+ ```
25+
26+ ## Common techniques
27+
28+ - Look for known mac address prefix
29+ - Look for known interface names
30+ - Look at CPU features using cpuid instruction ([ cpuid] ( https://github.com/klauspost/cpuid/ ) )
31+
1832## GNU/Linux techniques
1933
20- - Look for CPU vendor by trying out different assembly instructions ([ cpuid] ( https://github.com/klauspost/cpuid/ ) )
21- - Look for known strings in the DMI table (` /sys/class/dmi/id/* ` )
22- - Look for hints in the kernel ring buffer (` /dev/kmsg ` )
34+ - Look for known strings in the DMI table ` /sys/class/dmi/id/* `
35+ - Look for hints in the kernel ring buffer ` /dev/kmsg `
36+ - Look for known LKM - Loadable Kernel Modules - ` /proc/modules `
37+ - Check existence of known files
2338
2439## Windows techniques
2540
26- Coming soon...
27-
28- ## Resources
41+ - Check existence of known registry keys
42+ - Look for known strings in some registry key's content
43+ - Check existence of known files
2944
30- [ systemd-detect-virt source code ] ( https://github.com/systemd/systemd/blob/master/src/basic/virt.c )
45+ ## Credits
3146
32- [ Malware evasion techniques] ( https://www.deepinstinct.com/2019/10/29/malware-evasion-techniques-part-2-anti-vm-blog/ )
47+ Thanks to [ @hippwn ] ( https://twitter.com/hippwn ) for its contribution
48+ Thanks systemd for being [ that awesome] ( https://github.com/systemd/systemd/blob/master/src/basic/virt.c ) .
49+ Thanks to CheckPoint's researchers for their [ wonderful website] ( https://evasions.checkpoint.com/ )
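Review bot: the GNU/Linux list (lines 34-37) now documents checks on `/sys/class/dmi/id/*` and `/dev/kmsg` without saying that several of them only work with elevated privileges (`/dev/kmsg` and some DMI entries such as the serial and UUID files are not readable by an unprivileged user), so a note on which techniques need root would save users from misreading a silent "not detected". Smaller points in the same hunk: line 20 should read "compatible with both Linux and Windows"; line 28 "mac address" should be "MAC address"; line 47 "for its contribution" should be "for their contribution" and, like line 49, end with a period. Removing the "Resources" section (lines 26-32 on the old side) also drops the Deep Instinct "Malware evasion techniques" reference entirely; if it is still relevant, move it under "Credits" next to the systemd and Check Point links rather than deleting it.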