Skip to content

Latest commit

 

History

History
45 lines (44 loc) · 1.5 KB

README.md

File metadata and controls

45 lines (44 loc) · 1.5 KB

VM Detector build

A small set of functions for RE detection on x86_64 Linux

Functions:

  • vmd_vmdetect() detects virtual machines via descriptor table values, cpuid, and rdtscp
  • vmd_hvdetect() detects hypervisors via cpuid
  • vmd_dbgpresent() detects debuggers via address layout and ptrace
  • vmd_inchroot() detects chroots via inode
  • vmd_hardwaresus() detects virtual machines via uncommonly low-end hardware
  • vmd_incontainer() detects containerization via getpid

To use:

Run make or simply include vmd.h in your project. Define VMD_IMPLEMENTATION somewhere in your program if you aren't using vmd from a library.

Expected output from example:

make test

strace: Debugger detected
ltrace: Debugger detected
qemu: VM detected
Hypervisor detected
Debugger detected
docker: Chroot detected
Container detected
gdb: Debugger detected
valgrind: VM detected
firejail: Debugger detected
Container detected
standalone: Nothing detected

More results:

command result
lldb ./vmd Debugger detected
ddd ./vmd Debugger detected
./x64determiniser ./vmd VM detected Debugger detected
edb --run ./vmd Debugger detected
nemiver ./vmd Debugger detected
radare2 -d ./vmd Debugger detected
rr record -n ./vmd VM detected Hardware has suspicious configuration
wine ./vmd.exe VM detected Debugger detected