
Releases: kernelwernel/VMAware

2.0 Release 🎉

02 Jan 08:24
f101aef
  • added optional VM::vmaware structure
  • added new functions:
    • VM::type()
    • VM::conclusion()
    • VM::detected_count()
  • added improvements to Hyper-X (version 5)
    (diagram: Hyper-X version 5)
  • added support for passing VM::NO_MEMO as an argument to VM::check()
  • added 24 new techniques:
    • VM::GPU_CHIPTYPE by @koughing
    • VM::DRIVER_NAMES
    • VM::VBOX_IDT
    • VM::HDD_SERIAL
    • VM::PORT_CONNECTORS
    • VM::VM_HDD
    • VM::ACPI_HYPERV
    • VM::GPU_NAME
    • VM::VMWARE_DEVICES
    • VM::VMWARE_MEMORY
    • VM::IDT_GDT_MISMATCH
    • VM::PROCESSOR_NUMBER
    • VM::NUMBER_OF_CORES
    • VM::WMI_MODEL
    • VM::WMI_MANUFACTURER
    • VM::WMI_TEMPERATURE
    • VM::PROCESSOR_ID
    • VM::CPU_FANS
    • VM::POWER_CAPABILITIES
    • VM::SETUPAPI_DISK
    • VM::VMWARE_HARDENER
    • VM::WMI_QUERIES
    • VM::SYS_QEMU
    • VM::LSHW_QEMU
  • added 5 option flags to the CLI:
    • --no-color
    • --high-threshold
    • --dynamic
    • --verbose
    • --compact
  • added improvements and fixes to VM::add_custom()
  • added 3 new brands:
  • added new WMI structure module and overall WMI improvements
  • updated the scores of most techniques (see the scoring system)
  • updated:
    • VM::HKLM_REGISTRIES
    • VM::DRIVER_NAMES
    • VM::REGISTRY
  • optimized VM::INTEL_THREAD_MISMATCH
  • fixed macOS bugs [link]
  • disabled VM::VMWARE_DMESG by default
  • removed VM::SPOOFABLE and --spoofable
  • removed:
    • VM::MOUSE_DEVICE
    • VM::VBOX_FOLDERS
    • VM::CURSOR
    • VM::HYPERV_WMI
    • VM::HYPERV_REG
    • VM::ANYRUN_DRIVER (still present in the CLI)
    • VM::ANYRUN_DIRECTORY (same)
    • VM::CWSANDBOX_VM
    • VM::MEMORY
      (these were removed either due to unreliability, unpredictability, overall low quality, ethical reasons, or a combination of them)

Credits to

VirusTotal results (38/71)

https://www.virustotal.com/gui/file/1069805c97737f4b2dfe75151ec444f246bf8421d818d96176a0568479d70bcf

I'm fully aware this looks really suspicious, but the binaries were generated through the CI/CD here purely from the source code. The score might fluctuate as it did previously, so if it doesn't match, please notify me with an issue.

Extra

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

1.9 Release

11 Sep 22:01
ed184ea
  • renamed Virtual Apple to Apple Rosetta 2
  • fixed oversight for AMD CPU detection
  • fixed bug for VM::BOCHS_CPU
  • fixed VM::ALL thanks to @D00Movenok
  • fixed MSVC compiler warnings thanks to @NotRequiem
  • disabled VM::CURSOR, VM::RDTSC, and VM::RDTSC_EXIT by default
  • added --all to the CLI, which will enable all techniques including the above ones
  • added ANY.RUN VM brand
  • added VM::ANYRUN_DRIVER and VM::ANYRUN_DIRECTORY techniques

NOTE: It's been exactly a year since I started this project in September 2023, and I've maintained it continuously since then, so I'm taking a break for a while. Not sure when the next release will be, but I'll try to come back to this project after I've recharged my energy while I'm focusing on some side projects I've been working on occasionally :)

For any inquiries, contact me on discord at kr.nl or email me at jeanruyv@gmail.com

1.8 Release

18 Aug 05:04
7e650bb
  • fixed false positives caused by Hyper-V artifacts with the new "Hyper-X" mechanism designed by @NotRequiem
  • added 10 new VM brands:

    • Hyper-V artifact (not an actual VM)
    • User-mode Linux
    • IBM PowerVM
    • Google Compute Engine (KVM)
    • OpenStack (KVM)
    • KubeVirt (KVM)
    • AWS Nitro System EC2 (KVM-based)
    • Podman
    • WSL
    • OpenVZ
  • added 14 new techniques:

    • VM::EVENT_LOGS
    • VM::QEMU_VIRTUAL_DMI
    • VM::QEMU_USB
    • VM::HYPERVISOR_DIR
    • VM::UML_CPU
    • VM::KMSG
    • VM::VM_PROCS
    • VM::VBOX_MODULE
    • VM::SYSINFO_PROC
    • VM::DEVICE_TREE
    • VM::DMI_SCAN
    • VM::SMBIOS_VM_BIT
    • VM::PODMAN_FILE
    • VM::WSL_PROC

1.7.1 Release

02 Aug 18:58
da35a41
  • added VM::SPOOFABLE flag to enable easily spoofable techniques
  • added VM types as summary output
  • added CLI options for VM type details (-t or --type)
  • added QEMU+KVM Hyper-V Enlightenment VM brand
  • added better CLI indications such as techniques that require permissions
  • changed so that spoofable techniques are no longer run by default unless VM::SPOOFABLE is passed

1.7 Release

01 Aug 21:43
c95c55e
  • added better heuristic checks for Hyper-V host virtualisation

  • added argument handler improvements to the CLI

  • added VM type information to the CLI

  • added 4 new techniques:

    • VM::CPUID_SIGNATURE
    • VM::HYPERV_BITMASK
    • VM::KVM_BITMASK
    • VM::KGT_SIGNATURE
  • added 7 new VM brands:

    • Jailhouse
    • Apple VZ
    • Intel KGT (Trusty)
    • VMware Fusion
    • Microsoft Azure Hyper-V
    • Xbox NanoVisor (Hyper-V)
    • SimpleVisor
  • renamed VM brand "Thread Expert" to "ThreatExpert" (I fucked up)

  • renamed VM::HYPERV_CPUID technique to VM::CPUID_BITSET

  • removed VM::EXTREME settings flag

  • removed 2 techniques (both due to potential false positives):

    • VM::CPUID_SPACING
    • VM::CPUID_0X4

1.6 Release

08 Jul 21:57
8d95057
  • added 2 new variables:
    • VM::technique_count
    • VM::technique_vector
  • added 9 new techniques:
    • VM::NETTITUDE_VM_REGIONS
    • VM::HYPERV_CPUID
    • VM::CUCKOO_DIR
    • VM::CUCKOO_PIPE
    • VM::USB_DRIVE
    • VM::HYPERV_HOSTNAME
    • VM::GENERAL_HOSTNAME
    • VM::SCREEN_RESOLUTION
    • VM::DEVICE_STRING
  • added VM::HIGH_THRESHOLD non-technique flag to set a higher threshold score
  • added optimisations to VM::detect() and VM::percentage()
  • added Cuckoo and BlueStacks VM brands
  • added heuristic checks for Hyper-V host virtualisation (thanks to @NotRequiem for the suggestion)
  • improved memoization system
  • renamed VM::BRAND technique to VM::CPU_BRAND to avoid confusion with VM::brand()
  • fixed wcstombs() deprecation warning

1.5 Release

10 Jun 16:35
3b91815
  • added 6 different brands:
    • KVM Hyper-V Enlightenment
    • NVMM
    • OpenBSD VMM
    • Intel HAXM
    • Unisys s-Par
    • Lockheed Martin LMHS
  • added better checks for flag handling
  • added C++23 support
  • added VM::DISABLE() function for manually disabling flags
  • major CLI changes
    • added --brand-list option which outputs the list of possible VM brands
    • added --disable-hyperv-host option, which disregards the possibility of Hyper-V default virtualisation
    • added number of techniques and number of detected techniques as output
  • improved and renewed flag system
  • improved the discarding mechanism used when Hyper-V is detected but may only be the host's default virtualisation
  • removed VM::WMIC technique
  • deprecated VM::WIN_HYPERV_DEFAULT, use VM::ENABLE_HYPERV_HOST instead

Full Changelog: v1.4...v1.5

1.4 Release

27 May 20:14
a545c89
  • added 3 new techniques:
    • VM::ODD_CPU_THREADS
    • VM::INTEL_THREAD_MISMATCH
    • VM::XEON_THREAD_MISMATCH
  • added better x86 compatibility for descriptor table techniques (IDT)
  • Added better caching that's much more efficient now
  • Fixed warnings, thanks Requiem :)
  • Hyper-V is no longer reported as a VM by default (unless VM::WIN_HYPERV_DEFAULT is specified): when Hyper-V is enabled on a Windows host, every program runs under the hypervisor, so this caused false positives for default virtualisation

Full Changelog: v1.3...v1.4

1.3 Release

05 Apr 22:29
85bd00a
  • added specific VMware products (ESX, GSX, etc...) as potential brands
  • added --conclusion flag to cli to return just the conclusion message
  • added 12 new techniques
  • added "Microsoft Virtual PC/Hyper-V" as possible brand string
  • added 32-bit support
  • added VM::MULTIPLE flag for multiple brand outputs
  • fixed VM::ALL and VM::DEFAULT flags being private
  • improved CPUID hypervisor leaf detection

1.2 Release

25 Mar 14:59
  • added 11 new techniques
  • added VM::WIN_HYPERV_DEFAULT flag to tackle Hyper-V default virtualisation on Windows
  • added ARM support
  • fixed false positives for VM::VM_FILES, VM::CPUID_0X4, and other techniques
  • fixed memory leaks
  • merged the "Sunbelt" and "CWSandbox" VMs as just "CWSandbox"
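Several of the releases above revolve around the same two CPUID facts: the hypervisor vendor leaf (the "cpuid hypervisor leaf detections" of 1.3 and the VM::CPUID_SIGNATURE / VM::HYPERV_BITMASK techniques of 1.7) and the Hyper-V default-virtualisation false positive that VM::WIN_HYPERV_DEFAULT, --disable-hyperv-host and later Hyper-X exist to handle. The following is an added example, not VMAware's own code, showing the bare mechanism: read CPUID.1:ECX[31] (the hypervisor-present bit), decode the 12-byte vendor string from leaf 0x40000000, and, for "Microsoft Hv", consult leaf 0x40000003 to tell a Hyper-V root partition (the Windows host itself, running under its own hypervisor) from a real guest. The brand table and the root-partition interpretation (EBX bit 0 of leaf 0x40000003 being the CreatePartitions privilege, per the Hyper-V TLFS) are this example's assumptions; the classification is split into pure functions that take register values so it can be exercised without a hypervisor.

```cpp
// Added example (not VMAware code): CPUID hypervisor-leaf detection with the
// Hyper-V root-partition caveat. Assumes x86 CPUID semantics and the Hyper-V
// TLFS layout of leaf 0x40000003 (privilege mask, upper 32 bits in EBX).
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>

struct Regs { uint32_t eax, ebx, ecx, edx; };

struct Verdict {
    bool        hv_bit;     // CPUID.1:ECX[31], "hypervisor present"
    bool        likely_vm;  // conclusion after the Hyper-V root check
    std::string vendor;     // 12-byte vendor string from leaf 0x40000000
    std::string brand;      // assumed brand name mapped from the vendor string
};

// Execute CPUID for one leaf (sub-leaf 0). Non-x86 builds return zeros so the
// pure functions below still compile everywhere; only probe_host() is host-specific.
#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#include <intrin.h>
static Regs cpuid(uint32_t leaf) {
    int r[4];
    __cpuidex(r, static_cast<int>(leaf), 0);
    return { static_cast<uint32_t>(r[0]), static_cast<uint32_t>(r[1]),
             static_cast<uint32_t>(r[2]), static_cast<uint32_t>(r[3]) };
}
#elif defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static Regs cpuid(uint32_t leaf) {
    Regs r{};
    __cpuid_count(leaf, 0, r.eax, r.ebx, r.ecx, r.edx);
    return r;
}
#else
static Regs cpuid(uint32_t) { return Regs{}; }
#endif

// CPUID packs ASCII little-endian into each register: byte 0 is the low byte.
static void put_le(char* out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out[i] = static_cast<char>((v >> (8 * i)) & 0xFFu);
}
static uint32_t get_le(const char* in) {
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i)
        v |= static_cast<uint32_t>(static_cast<unsigned char>(in[i])) << (8 * i);
    return v;
}

// Leaf 0x40000000: vendor string is EBX, ECX, EDX in that order (EAX = max leaf).
// Short strings such as "KVMKVMKVM" are NUL-padded, so trailing NULs are dropped.
static std::string vendor_string(const Regs& r) {
    char buf[12];
    put_le(buf + 0, r.ebx); put_le(buf + 4, r.ecx); put_le(buf + 8, r.edx);
    std::string s(buf, 12);
    while (!s.empty() && s.back() == '\0') s.pop_back();
    return s;
}

// Inverse of vendor_string: builds constructed register values for offline tests.
static Regs regs_from_vendor(const std::string& v) {
    char buf[12] = {0};
    std::memcpy(buf, v.data(), v.size() < 12 ? v.size() : 12);
    return { 0x40000003u, get_le(buf + 0), get_le(buf + 4), get_le(buf + 8) };
}

// Assumed vendor-string table (prefix match, since some strings are space-padded).
static std::string brand_from_vendor(const std::string& v) {
    static const struct { const char* sig; const char* brand; } table[] = {
        { "KVMKVMKVM",    "KVM" },        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },    { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" }, { "TCGTCGTCGTCG", "QEMU (TCG)" },
        { "bhyve bhyve",  "bhyve" },      { "ACRNACRNACRN", "ACRN" },
        { "prl hyperv",   "Parallels" },
    };
    for (const auto& e : table)
        if (v.compare(0, std::strlen(e.sig), e.sig) == 0) return e.brand;
    return "unknown hypervisor";
}

// Hyper-V TLFS (assumption stated above): leaf 0x40000003 EBX bit 0 is the
// CreatePartitions privilege, held only by the root partition, i.e. the Windows
// host itself when Hyper-V, VBS or WSL2 is enabled. A guest VM never has it.
static bool hyperv_root_partition(const Regs& leaf3) { return (leaf3.ebx & 1u) != 0; }

static Verdict classify(bool hv_bit, const Regs& leaf0, const Regs& leaf3) {
    Verdict v{hv_bit, false, "", "none"};
    if (!hv_bit) return v;                          // nothing advertises itself
    v.vendor = vendor_string(leaf0);
    v.brand  = brand_from_vendor(v.vendor);
    if (v.brand == "Hyper-V" && hyperv_root_partition(leaf3)) {
        v.brand = "Hyper-V root partition (host, not a guest)";
        v.likely_vm = false;                        // the default-virtualisation case
    } else {
        v.likely_vm = true;
    }
    return v;
}

static Verdict probe_host() {
    Regs leaf1 = cpuid(1);
    bool hv_bit = ((leaf1.ecx >> 31) & 1u) != 0;
    Regs leaf0 = hv_bit ? cpuid(0x40000000u) : Regs{};
    Regs leaf3 = (hv_bit && leaf0.eax >= 0x40000003u) ? cpuid(0x40000003u) : Regs{};
    return classify(hv_bit, leaf0, leaf3);
}

int main() {
    Verdict v = probe_host();
    std::cout << "hypervisor bit: " << (v.hv_bit ? "set" : "clear")
              << "\nvendor: \"" << v.vendor << "\"\nbrand: " << v.brand
              << "\nlikely VM: " << (v.likely_vm ? "yes" : "no") << '\n';
    return 0;
}
```

Both the present bit and the vendor leaf are entirely under the hypervisor's control, so a clear bit proves nothing (VMware, for one, can be configured to hide the leaf); this is why the library treats it as one scored technique among many rather than a verdict on its own, and why the root-partition distinction matters on any Windows host with Hyper-V enabled.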