@@ -480,7 +480,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
480
480
|`VM::INTEL_THREAD_MISMATCH`| Check for Intel CPU thread count database if it matches the system's thread count || 95% |||||
481
481
|`VM::XEON_THREAD_MISMATCH`| Same as above, but for Xeon Intel CPUs || 95% |||||
482
482
|`VM::NETTITUDE_VM_MEMORY`| Check for memory regions to detect VM-specific brands | Windows | 100% |||||
483
-
|`VM::CPUID_BITSET`| Check for CPUID technique by checking whether all the bits equate to more than 4000 || 25% |||||
484
483
|`VM::CUCKOO_DIR`| Check for cuckoo directory using crt and WIN API directory functions | Windows | 30% |||||
485
484
|`VM::CUCKOO_PIPE`| Check for Cuckoo specific piping mechanism | Windows | 30% |||||
486
485
|`VM::HYPERV_HOSTNAME`| Check for default Azure hostname format regex (Azure uses Hyper-V as their base VM brand) | Windows, Linux | 30% |||||
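Review bot: the `VM::CPUID_BITSET` row is dropped from the technique table without any deprecation note, and nothing in the hunk says whether the enum value itself is going away or only its documentation. If `VM::CPUID_BITSET` is also removed from the header, callers who list it explicitly in their flag set will get a compile error with no hint in the docs about why; say so in the changelog. If the enum stays, keep the row and mark it deprecated (its 25% score already signals a low-confidence heuristic) rather than silently undocumenting a public identifier.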
@@ -510,17 +509,17 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
510
509
|`VM::VM_SIDT`| Check for unknown IDT base address | Windows | 100% |||||
511
510
|`VM::HDD_SERIAL`| Check for serial numbers of virtual disks | Windows | 100% |||||
512
511
|`VM::PORT_CONNECTORS`| Check for physical connection ports | Windows | 25% |||| This technique is known to false flag on devices like Surface Pro |
513
-
|`VM::GPU`| Check for GPU capabilities and specific GPU signatures related to VMs | Windows | 100% | Admin ||| Admin only needed for some heuristics |
512
+
|`VM::GPU_CAPABILITIES`| Check for GPU capabilities related to VMs | Windows | 100% | Admin ||| Admin only needed for some heuristics |
513
+
|`VM::GPU_VM_STRINGS`| Check for specific GPU string signatures related to VMs | Windows | 100% |||||
514
514
|`VM::VM_DEVICES`| Check for VM-specific devices | Windows | 45% |||||
515
-
|`VM::VM_MEMORY`| Check for specific VM memory traces in certain processes | Windows | 65% |||||
516
-
|`VM::IDT_GDT_MISMATCH`| Check if the IDT and GDT base virtual addresses mismatch between different CPU cores when called from usermode under a root partition | Windows | 50% |||||
515
+
|`VM::IDT_GDT_SCAN`| Check if the IDT and GDT virtual base addresses are equal across different CPU cores when not running under Hyper-V | Windows | 50% |||||
517
516
|`VM::PROCESSOR_NUMBER`| Check for number of processors | Windows | 50% |||||
518
517
|`VM::NUMBER_OF_CORES`| Check for number of cores | Windows | 50% |||||
519
518
|`VM::ACPI_TEMPERATURE`| Check for device's temperature | Windows | 25% |||||
520
519
|`VM::PROCESSOR_ID`| Check if any processor has an empty Processor ID using SMBIOS data | Windows | 25% |||||
521
520
|`VM::SYS_QEMU`| Check for existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware | Linux | 70% |||||
522
521
|`VM::LSHW_QEMU`| Check for QEMU string instances with lshw command | Linux | 80% |||||
523
-
|`VM::VIRTUAL_PROCESSORS`| Check if the number of maximum virtual processors matches the maximum number of logical processors| Windows | 50% |||||
522
+
|`VM::VIRTUAL_PROCESSORS`| Check if the number of virtual and logical processors are reported correctly by the system| Windows | 50% |||||
524
523
|`VM::HYPERV_QUERY`| Check if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure | Windows | 100% |||||
525
524
|`VM::BAD_POOLS`| Check for system pools allocated by hypervisors | Windows | 80% |||||
526
525
|`VM::AMD_SEV`| Check for AMD-SEV MSR running on the system | Linux and MacOS | 50% | Admin ||||
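Review bot: the rewritten `VM::VIRTUAL_PROCESSORS` description (`Check if the number of virtual and logical processors are reported correctly by the system| Windows | 50% |||||`) is less precise than the line it replaces, which named the two values being compared (maximum virtual processors against maximum logical processors); "reported correctly" does not tell the reader what is actually checked, the verb should be "is" to agree with "the number", and the cell is still missing the space before the closing `|` that the other rows have. In the same hunk, `VM::IDT_GDT_SCAN` now says the bases are checked for being "equal across different CPU cores when not running under Hyper-V", which inverts the condition of the `VM::IDT_GDT_MISMATCH` row it replaces (mismatching bases under a root partition) while the 50% score is unchanged; the description should state what the technique does when Hyper-V is present (skipped, or evaluated differently), since that is exactly the case the old wording covered. Lastly, `VM::GPU` is split into `VM::GPU_CAPABILITIES` and `VM::GPU_VM_STRINGS` and `VM::VM_MEMORY` disappears, so a user who previously disabled `VM::GPU` by name will no longer find it; a one-line note on the rename would help.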
@@ -581,7 +580,7 @@ This is the table of all the brands the lib supports.
| Lockheed Martin LMHS |`brands::LMHS`| Hypervisor (unknown type) | Yes, you read that right. The lib can detect VMs running on US military fighter jets, apparently |
583
+
| Lockheed Martin LMHS |`brands::LMHS`| Hypervisor (unknown type) | Yes, you read that right. The lib can detect VMs running on US military fighter jets, apparently.|
| Hyper-V artifact (not an actual VM) |`brands::HYPERV_ARTIFACT`| Unknown ||
592
+
| Hyper-V artifact (not an actual VM) |`brands::HYPERV_ARTIFACT`| Unknown |Windows Hyper-V has a tendency to modify host hardware values with VM values. In other words, this brand signifies that you're running on a host system, but the Hyper-V that's installed (either by default or manually by the user) is misleadingly making the whole system look like it's in a VM when in reality it's not. <br><br> For more information, refer to [this graph](https://github.com/kernelwernel/VMAware/blob/main/assets/hyper-x/v5/Hyper-X_version_5.drawio.png).|
594
593
| User-mode Linux |`brands::UML`| Paravirtualised/Hypervisor (type 2) ||
595
594
| IBM PowerVM |`brands::POWERVM`| Hypervisor (type 1) ||
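Review bot: the expanded `brands::HYPERV_ARTIFACT` row links to `https://github.com/kernelwernel/VMAware/blob/main/assets/hyper-x/v5/Hyper-X_version_5.drawio.png`, an absolute URL pinned to `main`; a repository-relative path (`assets/hyper-x/v5/Hyper-X_version_5.drawio.png`) would survive forks, branch renames and offline reading of the docs. The explanation itself is a useful addition, but the type column still reads `Unknown` for something the new text explicitly describes as the host system rather than a VM; consider a value such as "N/A (host, not a VM)" so the table does not contradict its own prose.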
{ brands::AZURE_HYPERV, "Azure Hyper-V is Microsoft's cloud-optimized hypervisor variant powering Azure VMs. Implements Azure-specific virtual devices like NVMe Accelerated Networking and vTPMs. Supports nested virtualization for running Hyper-V/containers within Azure VMs, enabling cloud-based CI/CD pipelines and dev/test environments." },
636
634
{ brands::NANOVISOR, "NanoVisor is a Hyper-V modification serving as the host OS of Xbox's devices: the Xbox System Software. It contains 2 partitions: the \"Exclusive\" partition is a custom VM for games, while the other partition, called the \"Shared\" partition is a custom VM for running multiple apps including the OS itself. The OS was based on Windows 8 Core at the Xbox One launch in 2013." },
637
635
{ brands::SIMPLEVISOR, "SimpleVisor is a minimalist Intel VT-x hypervisor by Alex Ionescu for Windows/Linux research. Demonstrates EPT-based memory isolation and hypercall handling. Used to study VM escapes and hypervisor rootkits, with hooks for intercepting CR3 changes and MSR accesses." },
638
-
{ brands::HYPERV_ARTIFACT, "The CLI detected Hyper-V operating as a Type 1 hypervisor, not as a guest virtual machine. Althought your hardware/firmware signatures match Microsoft's Hyper-V architecture, we determined that you're running on baremetal, with the help of our \"Hyper-X\" mechanism that differentiates between the root partition (host OS) and guest VM environments. This prevents false positives, as Windows sometimes runs under Hyper-V (type 1) hypervisor." },
636
+
{ brands::HYPERV_ARTIFACT, "The CLI detected Hyper-V operating as a Type 1 hypervisor, not as a guest virtual machine. Althought your hardware/firmware signatures match Microsoft's Hyper-V architecture, we determined that you're running on baremetal, with the help of our \"Hyper-X\" mechanism that differentiates between the root partition (host OS) and guest VM environments. This prevents false positives, as Windows sometimes runs under Hyper-V (type 1) hypervisor." },
639
637
{ brands::UML, "User-Mode Linux (UML) allows running Linux kernels as user-space processes using ptrace-based virtualization. Primarily used for kernel debugging and network namespace testing. Offers lightweight isolation without hardware acceleration, but requires host/guest kernel version matching for stable operation." },
640
638
{ brands::POWERVM, "IBM PowerVM is a type 1 hypervisor for POWER9/10 systems, supporting Live Partition Mobility and Shared Processor Pools. Implements VIOS (Virtual I/O Server) for storage/networking virtualization, enabling concurrent AIX, IBM i, and Linux workloads with RAS features like predictive failure analysis." },
641
639
{ brands::GCE, "Google Compute Engine (GCE) utilizes KVM-based virtualization with custom Titanium security chips for hardware root of trust. Features live migration during host maintenance and shielded VMs with UEFI secure boot. Underpins Google Cloud's Confidential Computing offering using AMD SEV-SNP memory encryption." },
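Review bot: the `-` and `+` lines for `brands::HYPERV_ARTIFACT` render identically here, so the change is most likely whitespace-only (for example a trailing space); if that is the intent the hunk is fine, but since the string is being touched anyway this is the moment to fix the typos it carries in both versions: "Althought" should be "Although" and "baremetal" should be "bare metal". The quoted `\"Hyper-X\"` in the same string is a user-facing name, so it would also be worth making it consistent with the `Hyper-X` spelling used in the brand table above.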