
Releases: kernelwernel/VMAware

2.4.1 Release 🎉

05 Jun 19:21
9c88f65
  • added DBVM (Dark Byte's VM) brand
  • added:
    • VM::DBVM
    • VM::UD
    • VM::BLOCKSTEP
  • fixed:
    • VM::SGDT (the 0xD0 signature was false flagging when Hyper-V was not running)
    • VM::SIDT (the top-most byte signature was false flagging when Hyper-V was not running)
    • VM::FIRMWARE (false flagging on Acer Aspire Notebooks while attempting to detect Xen virtual machines)
    • VM::TRAP (false flagging on AMD CPUs)
  • improved:
    • VM::FIRMWARE (detections for ACPI KVM's signatures)

VirusTotal results

The Windows binaries were generated in the CI/CD purely from the source code here, except for the vmaware_debug binary, which was generated using MSVC with the __VMAWARE_DEBUG__ macro.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

https://www.virustotal.com/gui/file/8a8db0d2bec2bfa899a79ecd44a92d45fdea008365d3dced9fbcacc2204a0eb9?nocache=1

2.4.0 Release 🎉

01 Jun 04:48
6f86fac
  • removed:

    • VM::ACPI_TEMPERATURE
    • VM::BAD_POOLS
    • VM::COMPUTER_NAME
    • VM::DEVICE_TREE
    • VM::DRIVER_NAMES
    • VM::GPU_VM_STRINGS
    • VM::HKLM_REGISTRIES
    • VM::HOSTNAME
    • VM::KVM_BITMASK
    • VM::KVM_DIRS
    • VM::LSHW_QEMU
    • VM::MSSMBIOS
    • VM::NATIVE_VHD
    • VM::NETTITUDE_VM_MEMORY
    • VM::NUMBER_OF_CORES
    • VM::OSXSAVE
    • VM::PCI_VM
    • VM::PORT_CONNECTORS
    • VM::PROCESSOR_NUMBER
    • VM::QEMU_DIR
    • VM::REGISTRY
    • VM::SCREEN_RESOLUTION
    • VM::SETUPAPI_DISK
    • VM::THREADCOUNT
    • VM::UNKNOWN_MANUFACTURER
    • VM::VM_DEVICES
    • VM::VM_FILES
    • VM::VM_PROCESSES
    • VM::VM_PROCS
    • VM::VMWARE_PORT_MEM
    • VM::WINE_CHECK
    • VM::PROCESSES (Windows section)
    • VM::TEMPERATURE (Windows section)
  • undisabled:

    • VM::TEMPERATURE
  • added:

    • VM::DEVICE_HANDLES
    • VM::DISPLAY
    • VM::DRIVERS
    • VM::LOGICAL_PROCESSORS
    • VM::PCI_DEVICES
    • VM::PHYSICAL_PROCESSORS
    • VM::PROCESSES
    • VM::QEMU_PASSTHROUGH (world's first ever device passthrough detection)
    • VM::REGISTRY_KEYS
    • VM::REGISTRY_VALUES
    • VM::THREAD_COUNT
    • VM::TRAP
  • added compile-time filters for unsupported techniques based on platforms

  • added compatibility for Windows 7 and above

  • made the library fully MIT-licensed

  • improved every vm detection technique, focusing on:

    • Timing attacks
    • Firmware analysis
    • Device passthrough detection
    • PCIe scanning
    • GPU capabilities

VirusTotal results

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

https://www.virustotal.com/gui/file/47bb5c20629b8b4173eea2076e123777b80ceee25243c2c41e5b41e2068f3608?nocache=1

Credits

@NotRequiem
@kernelwernel

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.3.0 Release 🎉

24 Apr 01:27
017a6b4

RELEASE NOTES:

  • added Hypervisor-Phantom brand
  • added:
    • VM::TPM
    • VM::QEMU_FW_CFG
    • VM::IVSHMEM
  • added better macro handling for Windows
  • added clang compatibility fixes
  • fixed memory leak in the CLI
  • improved execution speed of Windows techniques
  • improved debug output for:
    • VM::AMD_THREAD_MISMATCH
    • VM::INTEL_THREAD_MISMATCH
    • VM::XEON_THREAD_MISMATCH
    • VM::VIRTUAL_PROCESSORS
  • improved cpuid handling
  • improved process utilities
  • improved:
    • VM::REGISTRY
    • VM::VBOX_NETWORK
    • VM::VM_PROCESSES
    • VM::SIDT
    • VM::SGDT
    • VM::SLDT
    • VM::GPU_VM_STRINGS
    • VM::GPU_CAPABILITIES
    • VM::TIMER
    • VM::FIRMWARE
    • VM::AUDIO
    • VM::OSXSAVE
    • VM::SYS_QEMU_DIR
  • merged:
    • VM::OFFSEC_SIDT and VM::VPC_SIDT into VM::SIDT
    • VM::OFFSEC_SGDT into VM::SGDT
    • VM::OFFSEC_SLDT into VM::SLDT
    • VM::QEMU_GA into VM::VM_PROCESSES
  • renamed VM::HDD_SERIAL to VM::DISK_SERIAL
  • disabled by default:
    • VM::PORT_CONNECTORS
    • VM::ACPI_TEMPERATURE
    • VM::LSHW_QEMU
    • VM::PCI_VM
  • removed:
    • VM::SIDT5
    • VM::IDT_GDT_SCAN
    • VM::PROCESSOR_ID

VirusTotal results

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file present in the root directory of the repository.

https://www.virustotal.com/gui/file/47bb5c20629b8b4173eea2076e123777b80ceee25243c2c41e5b41e2068f3608?nocache=1

Credits

@NotRequiem
@pemessier
@dmfrpro

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.2.0 Release 🎉

06 Apr 01:54
8cb2491
  • improved VM::TIMER
  • improved VM::FIRMWARE
  • fixed false positives from 2.1.1
  • fixed macro redefinitions
  • fixed Hyper-X mechanism bug in 2.1.1
  • fixed Hyper-V conflict with "Unknown" brand anomaly
  • fixed some grammatical errors in VM descriptions

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.

https://www.virustotal.com/gui/file/d5c72c618a276731134e205bc274298f7be29ea9e207f1abab7425674751b2ca?nocache=1

https://any.run/report/d5c72c618a276731134e205bc274298f7be29ea9e207f1abab7425674751b2ca/bb535daa-7b93-4b8e-bab4-84935be1c731

Credits

@NotRequiem
@pemessier
@dmfrpro

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.1.1 Release 🎉

25 Mar 23:13
bb2fbcc
  • added improvements for QEMU detection (extra SCSI ports)
  • added performance optimisations
  • added compilation support for operating systems below Windows 8 on VM::NATIVE_VHD
  • fixed --no-ansi problem
  • fixed compilation warnings for MSVC
  • fixed critical false positives for:
    • VM::VIRTUAL_PROCESSORS
    • VM::POWER_CAPABILITIES (Removed WakeAlarm checks)
    • VM::ACPI_TEMPERATURE
    • VM::IDT_GDT_SCAN
    • VM::VM_SIDT
  • changed the Hyper-V artifact brand type from "Hypervisor (type 1)" to "Unknown"
  • renamed VM::IDT_GDT_MISMATCH to VM::IDT_GDT_SCAN
  • removed VM::CPUID_BITSET technique

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries on the other hand, were generated through the cmake file seen in the root directory of the repository.

https://www.virustotal.com/gui/file/198e529e9423feda3b1718a33feaea88dc2f4bd5bcebb944e643cf44da23a9e1?nocache=1

Credits

@NotRequiem

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

2.1 Release 🎉

19 Mar 03:30
034961b
  • added new function VM::detected_enums()
  • added new brands:
    • Intel TDX
    • LKVM
    • AMD SEV
    • AMD SEV-ES
    • AMD SEV-SNP
    • Neko Project II
    • NoirVisor
    • Qihoo 360 Sandbox
    • nsjail
  • added new techniques:
    • VM::TIMER
    • VM::GPU
    • VM::VM_DEVICES
    • VM::ACPI_TEMPERATURE
    • VM::VIRTUAL_PROCESSORS
    • VM::HYPERV_QUERY
    • VM::BAD_POOLS
    • VM::AMD_SEV
    • VM::AMD_THREAD_MISMATCH
    • VM::NATIVE_VHD
    • VM::VIRTUAL_REGISTRY
    • VM::FIRMWARE
    • VM::FILE_ACCESS_HISTORY
    • VM::AUDIO
    • VM::UNKNOWN_MANUFACTURER
    • VM::OSXSAVE
    • VM::NSJAIL_PID
    • VM::PCI_VM
  • added new features to the CLI:
    • added brand descriptions
    • added --mit and --enums options
    • renamed the --no-color option to --no-ansi
  • fixed MacOS techniques
  • fixed Hyper-X mechanism
  • fixed C++ standards compatibility issues
  • fixed argument handler issues
  • improved cpu module
  • improved Windows stuff
  • various fixes, improvements, and optimisations to many techniques
  • merged tons of techniques into one
  • modified the scores for many techniques
  • replaced the WMI module with a more efficient alternative
  • removed brands:
    • Microsoft x86-to-ARM
    • Apple Rosetta 2
  • removed techniques:
    • VM::RDTSC
    • VM::VMWARE_REG
    • VM::VBOX_REG
    • VM::USER
    • VM::VBOX_WINDOW_CLASS
    • VM::LOADED_DLLS
    • VM::KVM_REG
    • VM::KVM_DRIVERS
    • VM::AUDIO
    • VM::VMID_0X4
    • VM::PARALLELS_VM
    • VM::QEMU_BRAND
    • VM::VPC_BOARD
    • VM::HYPERV_WMI
    • VM::HYPERV_REG
    • VM::BIOS_SERIAL
    • VM::VALID_MSR
    • VM::QEMU_PROC
    • VM::VPC_PROC
    • VM::HYPERV_BOARD
    • VM::VM_FILES_EXTRA
    • VM::UPTIME
    • VM::HYPERV_BITMASK
    • VM::VMWARE_DMI
    • VM::HYPERV_EVENT_LOGS
    • VM::VMWARE_EVENT_LOGS
    • VM::GPU_CHIPTYPE
    • VM::VM_HDD
    • VM::ACPI_DETECT
    • VM::GPU_NAME
    • VM::VMWARE_DEVICES
    • VM::VMWARE_MEMORY
    • VM::WMI_MODEL
    • VM::WMI_MANUFACTURER
    • VM::WMI_TEMPERATURE
    • VM::CPU_FANS
    • VM::VMWARE_HARDENER
    • VM::WMI_QUERIES

VirusTotal (3/73, as of 21 March 2025)

https://www.virustotal.com/gui/file/2c0ca8096eb59851738f793427326b64961d56f75e5b3f41ce78360020374a2d?nocache=1

The Windows binaries were generated here purely from the source code.

Credits

@NotRequiem, this release wouldn't have been possible without him
@Scrut1ny, for useful feedback

2.0 Release 🎉

02 Jan 08:24
f101aef
  • added optional VM::vmaware structure
  • added new functions:
    • VM::type()
    • VM::conclusion()
    • VM::detected_count()
  • added improvements to Hyper-X (version 5)
    (diagram: Hyper-X version 5)
  • added argument support of VM::NO_MEMO to VM::check()
  • added 24 new techniques:
    • VM::GPU_CHIPTYPE by @koughing
    • VM::DRIVER_NAMES
    • VM::VBOX_IDT
    • VM::HDD_SERIAL
    • VM::PORT_CONNECTORS
    • VM::VM_HDD
    • VM::ACPI_HYPERV
    • VM::GPU_NAME
    • VM::VMWARE_DEVICES
    • VM::VMWARE_MEMORY
    • VM::IDT_GDT_MISMATCH
    • VM::PROCESSOR_NUMBER
    • VM::NUMBER_OF_CORES
    • VM::WMI_MODEL
    • VM::WMI_MANUFACTURER
    • VM::WMI_TEMPERATURE
    • VM::PROCESSOR_ID
    • VM::CPU_FANS
    • VM::POWER_CAPABILITIES
    • VM::SETUPAPI_DISK
    • VM::VMWARE_HARDENER
    • VM::WMI_QUERIES
    • VM::SYS_QEMU
    • VM::LSHW_QEMU
  • added 5 option flags to the CLI:
    • --no-color
    • --high-threshold
    • --dynamic
    • --verbose
    • --compact
  • added improvements and fixes to VM::add_custom()
  • added 3 new brands:
  • added new WMI structure module and overall WMI improvements
  • updated the scores of most techniques (see the scoring system)
  • updated:
    • VM::HKLM_REGISTRIES
    • VM::DRIVER_NAMES
    • VM::REGISTRY
  • optimized VM::INTEL_THREAD_MISMATCH
  • fixed MacOS bugs [link]
  • disabled VM::VMWARE_DMESG by default
  • removed VM::SPOOFABLE and --spoofable
  • removed:
    • VM::MOUSE_DEVICE
    • VM::VBOX_FOLDERS
    • VM::CURSOR
    • VM::HYPERV_WMI
    • VM::HYPERV_REG
    • VM::ANYRUN_DRIVER (still present in the CLI)
    • VM::ANYRUN_DIRECTORY (same)
    • VM::CWSANDBOX_VM
    • VM::MEMORY
      (these were removed either due to unreliability, unpredictability, overall low quality, ethical reasons, or a combination of them)

Credits to

VirusTotal results (17/72)

https://www.virustotal.com/gui/file/57d5b8047f183825409fcb7ce7807be138720f83561becfb028ee7462cb002ea/summary

I'm fully aware this looks really suspicious, but the binaries were generated through the CI/CD here purely from the source code. The score might fluctuate as it did previously, so if it doesn't match, please notify me with an issue.

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

1.9 Release

11 Sep 22:01
ed184ea
  • renamed Virtual Apple to Apple Rosetta 2
  • fixed oversight for AMD CPU detection
  • fixed bug for VM::BOCHS_CPU
  • fixed VM::ALL thanks to @D00Movenok
  • fixed MSVC compiler warnings thanks to @NotRequiem
  • disabled VM::CURSOR, VM::RDTSC, and VM::RDTSC_EXIT by default
  • added --all to the CLI, which will enable all techniques including the above ones
  • added ANY.RUN VM brand
  • added VM::ANYRUN_DRIVER and VM::ANYRUN_DIRECTORY techniques

NOTE: It's been exactly a year since I've started and continuously maintained this project since September 2023, and I'm taking a break for a while. Not sure when the next release will be, but I'll try to come back to this project after I've recharged my energy while I'm focusing on some side projects I've been working on occasionally :)

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

1.8 Release

18 Aug 05:04
7e650bb
  • Fixed false positives due to Hyper-V artifacts with new "Hyper-X" mechanism designed by @NotRequiem
  • added 10 new VM brands:

    • Hyper-V artifact (not an actual VM)
    • User-mode Linux
    • IBM PowerVM
    • Google Compute Engine (KVM)
    • OpenStack (KVM)
    • KubeVirt (KVM)
    • AWS Nitro System EC2 (KVM-based)
    • Podman
    • WSL
    • OpenVZ
  • added 14 new techniques:

    • VM::EVENT_LOGS
    • VM::QEMU_VIRTUAL_DMI
    • VM::QEMU_USB
    • VM::HYPERVISOR_DIR
    • VM::UML_CPU
    • VM::KMSG
    • VM::VM_PROCS
    • VM::VBOX_MODULE
    • VM::SYSINFO_PROC
    • VM::DEVICE_TREE
    • VM::DMI_SCAN
    • VM::SMBIOS_VM_BIT
    • VM::PODMAN_FILE
    • VM::WSL_PROC

1.7.1 Release

02 Aug 18:58
da35a41
  • added VM::SPOOFABLE flag to enable easily spoofable techniques
  • added VM types as summary output
  • added CLI options for VM type details (-t or --type)
  • added QEMU+KVM Hyper-V Enlightenment VM brand
  • added better CLI indications such as techniques that require permissions
  • changed so that spoofable techniques are no longer run by default, unless VM::SPOOFABLE is passed.