Documentation
May 6, 2026 ยท View on GitHub
Contents
VM::detect()VM::percentage()VM::brand()VM::check()VM::add_custom()VM::type()VM::conclusion()VM::detected_count()VM::is_hardened()(Advanced) VM::flag_to_string()(Advanced) VM::detected_enums()- vmaware struct
- Notes and overall things to avoid
- Flag table
- Brand table
- Setting flags
- Variables
- CLI documentation
VM::detect()
This is basically the main function you're looking for, which returns a bool. If no parameter is provided, all the recommended checks will be performed. But you can optionally set which techniques are used.
#include "vmaware.hpp"
int main() {
/**
* The basic way to detect a VM where the default checks will
* be performed. This is the recommended usage of the lib.
*/
bool is_vm = VM::detect();
/**
* This does the exact same as above, but as an explicit alternative.
*/
bool is_vm2 = VM::detect(VM::DEFAULT);
/**
* All checks are performed including techniques that are
* disabled by default for a viariety of reasons. If you
* want all techniques for the sake of completeness, then
* you can use this flag but remember that there may be potential
* performance bottlenecks and an increase in false positives.
*/
bool is_vm3 = VM::detect(VM::ALL);
/**
* This will raise the detection threshold above the default level.
* Use this if you want to be extremely sure if it's a VM, but this
* increases the chance of a false negative. Use VM::percentage()
* for a more precise result if you want.
*/
bool is_vm4 = VM::detect(VM::HIGH_THRESHOLD);
/**
* Essentially means only the CPU brand, MAC, and hypervisor bit techniques
* should be performed. Note that the less technique flags you provide, the more
* likely the result will not be accurate. If you just want to check for
* a single technique, use VM::check() instead. Also, read the flag table
* at the end of this doc file for a full list of technique flags.
*/
bool is_vm5 = VM::detect(VM::CPU_BRAND, VM::MAC, VM::HYPERVISOR_BIT);
/**
* If you want to disable any technique for whatever reason, use VM::DISABLE(...).
* This code snippet essentially means "perform all the default flags, but only
* disable the VM::RDTSC technique".
*/
bool is_vm6 = VM::detect(VM::DISABLE(VM::RDTSC));
/**
* Same as above, but you can disable multiple techniques at the same time.
*/
bool is_vm7 = VM::detect(VM::DISABLE(VM::VMID, VM::RDTSC, VM::HYPERVISOR_BIT));
/**
* This is just an example to show that you can use a combination of
* different flags and non-technique flags with the above examples.
*/
bool is_vm8 = VM::detect(VM::DEFAULT, VM::HIGH_THRESHOLD, VM::DISABLE(VM::RDTSC, VM::VMID));
}
VM::percentage()
This will return a std::uint8_t between 0 and 100. It'll return the certainty of whether it has detected a VM based on all the techniques available as a percentage.
#include "vmaware.hpp"
#include <iostream>
#include <cstdint>
int main() {
// uint8_t and unsigned char works too
const std::uint8_t percent = VM::percentage();
if (percent == 100) {
std::cout << "Definitely a VM!\n";
} else if (percent == 0) {
std::cout << "Definitely NOT a VM\n";
} else {
std::cout << "Unsure if it's a VM\n";
}
// converted to int for console character encoding reasons
std::cout << "percentage: " << static_cast<int>(percent) << "%\n";
return 0;
}
Note
you can use the same flag system as shown with VM::detect() for this function.
VM::brand()
This will essentially return the VM brand as a std::string. All the brands and brand alias variables are listed here
If none were detected, it will return Unknown. It should be noted that this could be a common scenario even if you're running inside a VM due to technical difficulties with accomplishing this. This is especially true for VMware sub-versions (ESX, GSX, Fusion, etc...). It's not recommended to rely on this function for critical operations as if your whole program depends on it.
#include "vmaware.hpp"
#include <string>
int main() {
const std::string result = VM::brand();
if (result == "KVM") {
// do KVM specific stuff
} else if (result == "VirtualBox") {
// you get the idea
} else if (result == brands::VMWARE) {
// having manual string comparisons like the two
// previous ones can lead to typos which will
// make the whole check completely redundant.
// So the lib provides hardcoded string variables
// as aliases to avoid these kinds of situations.
// They are located in the aforementioned brand table
}
return 0;
}
On rare occasions, there might be cases where there's multiple brands that have been detected, which might cause a conflicting output with an inaccurate result. To prevent this, you can use the VM::MULTIPLE flag that returns a message rather than a VM brand string. For example, if it found 2 conflicting brands, it will return VMware or VirtualBox. For 3 conflicts, it's VMware or VirtualBox or QEMU and so on.
#include "vmaware.hpp"
#include <string>
int main() {
// format: "vmbrand1 or vmbrand2 [or vmbrandx...]"
const std::string result = VM::brand(VM::MULTIPLE);
// example output: "VMware or Bochs"
std::cout << result << "\n";
// Keep in mind that there's no limit to how many conflicts there can be.
// And if there's no conflict, it'll revert back to giving the brand string
// normally as if the VM::MULTIPLE wasn't there
return 0;
}
Note
you can use the same flag system as shown with VM::detect() for VM::brand()
Important
VM::MULTIPLE has no effect for any other function other than VM::brand()
VM::check()
This takes a single technique argument and returns a bool. It essentially returns a technique's effective output. Nothing more, nothing less.
#include "vmaware.hpp"
#include <iostream>
int main() {
if (VM::check(VM::VMID)) {
std::cout << "VMID technique detected a VM!\n";
}
if (VM::check(VM::HYPERVISOR_BIT)) {
std::cout << "Hypervisor bit is set, most definitely a VM!\n";
}
return 0;
}
VM::add_custom()
This function allows you to add your own custom VM detection techniques to the scoring system. The first parameter is the percentage score (0 to 100) of how likely it's a VM if your custom code returns true, and the second parameter should either be a lambda, a function pointer, or a std::function<bool()>
// Example 1 with function pointers
bool new_technique() {
// add your VM detection code here
return true;
}
VM::add_custom(50, new_technique);
// Example 2 with lambdas
VM::add_custom(50, []() -> bool {
// add your VM detection code here
return true;
});
auto new_technique = []() -> bool {
// add your VM detection code here
return true;
}
VM::add_custom(50, new_technique);
// Example 3 with std::function
std::function<bool()> new_technique = []() -> bool {
// add your VM detection code here
return true;
};
VM::add_custom(50, new_technique);
VM::type()
This will return the VM type (or architecture) as a std::string based on the brand found. The possible return values are listed here in the type column.
#include "vmaware.hpp"
#include <iostream>
int main() {
// example output: VirtualBox is a Hypervisor (type 2) VM
std::cout << VM::brand() << " is a " << VM::type() << " VM\n";
return 0;
}
VM::conclusion()
This will return the "conclusion" message of what the overall result is as a std::string. By default, there are 2 possible outputs:
Running on baremetalRunning inside a [brand] VM
The [brand] part might contain a brand or may as well be empty, depending on whether a brand has been found. Additionally, you can extend this by adding the VM::DYNAMIC flag which will now allow much more variadic potential outputs:
Running on baremetalVery unlikely a [brand] VMUnlikely a [brand] VMPotentially a [brand] VMMight be a [brand] VMLikely a [brand] VMVery likely a [brand] VMRunning inside a [brand] VM
VM::detected_count()
This will fetch the number of techniques that have been detected as a std::uint8_t.
#include "vmaware.hpp"
#include <iostream>
int main() {
const std::uint8_t count = VM::detected_count();
// output: 7 techniques were detected
std::cout << count << " techniques were detected" << "\n";
// note that if it's baremetal, it should be 0.
// if it's a VM, it should have at least 4 to
// maybe around 15 max. The most I've seen was
// around 18 but that only occurs very rarely.
return 0;
}
VM::is_hardened()
This will detect whether the environment has any hardening indications as a bool.
Internally, this function works by analysing which combination of techniques are expected to be detected together. If a certain combination rule is mismatched, it indicates some kind of tampering of the system which assumes some sort of VM hardening.
Similiary to VM::brand(), do not rely on this function for critical operations. This is meant to be a heuristic assumption rather than a concrete guarantee.
#include "vmaware.hpp"
#include <iostream>
int main() {
if (VM::is_hardened()) {
std::cout << "Potential hardening detected" << "\n";
} else {
std::cout << "Unsure if hardened" << "\n";
}
return 0;
}
(Advanced) VM::flag_to_string()
Show
This will take a technique flag enum as an argument and return the string version of it. For example:
#include "vmaware.hpp"
#include <iostream>
int main() {
const std::string name = VM::flag_to_string(VM::VMID);
// output: VM::VMID
std::cout << "VM::" << name << "\n";
return 0;
}
The reason why this exists is because it can be useful for debugging and infodumping purposes. It should be noted that the "VM::" part is not included in the string output, so that's based on the programmer's choice if it should remain in the string or not. The example given above is obviously useless since the whole code can be manually handwritten, but the function is especially convenient if it's being used with VM::technique_vector. For example:
#include "vmaware.hpp"
#include <iostream>
int main() {
// this will loop through all the enums in the technique_vector variable,
// and then checks each of them and outputs the enum that was detected
for (const auto technique_enum : VM::technique_vector) {
if (VM::check(technique_enum)) {
const std::string name = VM::flag_to_string(technique_enum);
std::cout << "VM::" << name << " was detected\n";
}
}
return 0;
}
(Advanced) VM::detected_enums()
Show
This is a function that will return a vector of all the technique flags that were detected as running in a VM. The return type is std::vector<VM::enum_flags>, and it's designed to give a more programmatic overview of the result.
#include "vmaware.hpp"
#include <iostream>
int main() {
std::vector<VM::enum_flags> flag_list = VM::detected_enums();
for (const auto flag : flag_list) {
std::cout << "VM::" << VM::flag_to_string(flag) << " was detected" << "\n";
}
return 0;
}
vmaware struct
If you prefer having an object to store all the relevant information about the program's environment instead of calling static member functions, you can use the VM::vmaware struct:
struct vmaware {
std::string brand;
std::string type;
std::string conclusion;
bool is_vm;
bool is_hardened;
std::uint8_t percentage;
std::uint8_t detected_count;
std::uint8_t technique_count;
std::vector<enum_flags> detected_techniques;
std::vector<std::string> detected_technique_strings;
std::vector<enum_flags> disabled_techniques;
};
example:
#include "vmaware.hpp"
#include <iostream>
int main() {
VM::vmaware vm;
std::cout << "Is this a VM? = " << vm.is_vm << "\n";
std::cout << "How many techniques detected a VM? = " << vm.detected_count << "%\n";
std::cout << "What's the VM's type? = " << vm.type << "%\n";
std::cout << "What's the overview in a human-readable message?" << vm.conclusion << "\n";
}
Note
the flag system is compatible for the struct constructor.
Notes and overall things to avoid
โ 1. Do NOT rely on the percentage to determine whether you're in a VM. The lib is not designed for this way, and you're potentially increasing false positives. Use VM::detect() instead for that job.
โ 2. Do NOT depend your whole program on whether a specific brand was found. VM::brand() will not guarantee it'll give you the result you're looking for even if the environment is in fact that specific VM brand.
Tip
It should also be mentioned that it's recommended for the end-user to create a wrapper around the header file. C++ compilation is notoriously slow compared to C or other systems programming languages, and recompiling the header over and over again is a time waste, especially considering there's around 10k lines of code in it. This is incredibly unreliable and cumbersome for large-scale projects utilising the lib. If you have a build configuration that supports header dependency handling or incremental compilation (which is present in most build systems such as CMake), you can fix the issue by doing something like this:
// wrapper.hpp
#include <string>
namespace wrapper {
bool is_this_a_vm();
std::string vm_brand_name();
}
// wrapper.cpp
#include "vmaware.hpp"
#include "wrapper.hpp"
bool wrapper::is_this_a_vm() {
return VM::detect();
}
std::string wrapper::vm_brand_name() {
return VM::brand();
}
// something.cpp
#include "wrapper.hpp"
void something() {
if (wrapper::is_this_a_vm()) {
std::cout << wrapper::vm_brand_name() << "\n";
}
}
This wrapper structure would prevent any avoidable recompilations as opposed to potentially recompiling the vmaware.hpp file for every build that modifies the source that #includes the lib, especially if there's a deep hierarchy of file dependencies within your project.
Flag table
VMAware provides a convenient way to not only check for VMs, but also have the flexibility and freedom for the end-user to choose what techniques are used with complete control over what gets executed or not. This is handled with a flag system.
| Icon | Platform |
|---|---|
| ๐ง | Linux |
| ๐ช | Windows |
| ๐ | macOS |
| Flag alias | Description | Supported platforms | Certainty | Admin? | 32-bit only? | Notes | Code implementation |
|---|---|---|---|---|---|---|---|
VM::VMID | Check CPUID output of manufacturer ID for known VMs/hypervisors at leaf 0 and 0x40000000-0x40000100 | ๐ง๐ช๐ | 100% | link | |||
VM::CPU_BRAND | Check if CPU brand model contains any VM-specific string snippets | ๐ง๐ช๐ | 95% | link | |||
VM::HYPERVISOR_BIT | Check if hypervisor feature bit in CPUID ECX bit 31 is enabled (always false for physical CPUs) | ๐ง๐ช๐ | 100% | link | |||
VM::HYPERVISOR_STR | Check for hypervisor brand string length (would be around 2 characters in a host machine) | ๐ง๐ช๐ | 100% | link | |||
VM::TIMER | Check for timing anomalies in the system | ๐ช | 95% | link | |||
VM::THREAD_COUNT | Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings, nowadays physical CPUs should have at least 4 threads for modern CPUs | ๐ง๐ช๐ | 35% | link | |||
VM::MAC | Check if mac address starts with certain VM designated values | ๐ง | 20% | link | |||
VM::TEMPERATURE | Check for device's temperature | ๐ง | 20% | link | |||
VM::SYSTEMD | Check result from systemd-detect-virt tool | ๐ง | 35% | link | |||
VM::CVENDOR | Check if the chassis vendor is a VM vendor | ๐ง | 65% | link | |||
VM::CTYPE | Check if the chassis type is valid (it's very often invalid in VMs) | ๐ง | 20% | link | |||
VM::DOCKERENV | Check if /.dockerenv or /.dockerinit file is present | ๐ง | 30% | link | |||
VM::DMIDECODE | Check if dmidecode output matches a VM brand | ๐ง | 55% | Admin | link | ||
VM::DMESG | Check if dmesg output matches a VM brand | ๐ง | 55% | Admin | link | ||
VM::HWMON | Check if /sys/class/hwmon/ directory is present. If not, likely a VM | ๐ง | 35% | link | |||
VM::DLL | Check for VM-specific DLLs | ๐ช | 50% | link | |||
VM::HWMODEL | Check if the sysctl for the hwmodel does not contain the "Mac" string | ๐ | 100% | link | |||
VM::WINE | Check if the function "wine_get_unix_file_name" is present and if the OS booted from a VHD container | ๐ช | 100% | link | |||
VM::POWER_CAPABILITIES | Check what power states are enabled | ๐ช | 25% | link | |||
VM::PROCESSES | Check for any VM processes that are active | ๐ง | 40% | link | |||
VM::LINUX_USER_HOST | Check for default VM username and hostname for linux | ๐ง | 10% | link | |||
VM::GAMARUE | Check for Gamarue ransomware technique which compares VM-specific Window product IDs | ๐ช | 10% | link | |||
VM::BOCHS_CPU | Check for various Bochs-related emulation oversights through CPU checks | ๐ง๐ช๐ | 100% | link | |||
VM::MAC_MEMSIZE | Check if memory is too low for MacOS system | ๐ | 15% | link | |||
VM::MAC_IOKIT | Check MacOS' IO kit registry for VM-specific strings | ๐ | 100% | link | |||
VM::IOREG_GREP | Check for VM-strings in ioreg commands for MacOS | ๐ | 100% | link | |||
VM::MAC_SIP | Check for the status of System Integrity Protection and hv_mm_present | ๐ | 100% | link | |||
VM::VPC_INVALID | Check for official VPC method | ๐ช | 75% | 32-bit | link | ||
VM::SYSTEM_REGISTERS | 50% | link | |||||
VM::VMWARE_IOMEM | Check for VMware string in /proc/iomem | ๐ง | 65% | link | |||
VM::VMWARE_IOPORTS | Check for VMware string in /proc/ioports | ๐ง | 70% | link | |||
VM::VMWARE_SCSI | Check for VMware string in /proc/scsi/scsi | ๐ง | 40% | link | |||
VM::VMWARE_DMESG | Check for VMware-specific device name in dmesg output | ๐ง | 65% | Admin | Disabled by default | link | |
VM::VMWARE_STR | Check str assembly instruction method for VMware | ๐ช | 35% | 32-bit | link | ||
VM::VMWARE_BACKDOOR | Check for official VMware io port backdoor technique | ๐ช | 100% | 32-bit | link | ||
VM::MUTEX | Check for mutex strings of VM brands | ๐ช | 100% | link | |||
VM::THREAD_MISMATCH | Check if the system's thread count matches the expected thread count for the detected CPU model | ๐ง๐ช๐ | 50% | link | |||
VM::CUCKOO_DIR | Check for cuckoo directory using crt and WIN API directory functions | ๐ช | 30% | link | |||
VM::CUCKOO_PIPE | Check for Cuckoo specific piping mechanism | ๐ช | 30% | link | |||
VM::AZURE | Check for default Azure hostname format (Azure uses Hyper-V as their base VM brand) | ๐ง๐ช | 30% | link | |||
VM::DISPLAY | Check for display configurations commonly found in VMs | ๐ช | 25% | link | |||
VM::DEVICE_STRING | Check if bogus device string would be accepted | ๐ช | 25% | link | |||
VM::BLUESTACKS_FOLDERS | Check for the presence of BlueStacks-specific folders | ๐ง | 5% | link | |||
VM::CPUID_SIGNATURE | Check for CPUID signatures that reveal the presence of a hypervisor | ๐ง๐ช๐ | 95% | link | |||
VM::KGT_SIGNATURE | Check for Intel KGT (Trusty branch) hypervisor signature in CPUID | ๐ง๐ช๐ | 80% | link | |||
VM::QEMU_VIRTUAL_DMI | Check for presence of QEMU in the /sys/devices/virtual/dmi/id directory | ๐ง | 40% | link | |||
VM::QEMU_USB | Check for presence of QEMU in the /sys/kernel/debug/usb/devices directory | ๐ง | 20% | Admin | link | ||
VM::HYPERVISOR_DIR | Check for presence of any files in /sys/hypervisor directory | ๐ง | 20% | link | |||
VM::UML_CPU | Check for the "UML" string in the CPU brand | ๐ง | 80% | link | |||
VM::KMSG | Check for any indications of hypervisors in the kernel message logs | ๐ง | 5% | Admin | link | ||
VM::VBOX_MODULE | Check for a VBox kernel module | ๐ง | 15% | link | |||
VM::SYSINFO_PROC | Check for potential VM info in /proc/sysinfo | ๐ง | 15% | link | |||
VM::DMI_SCAN | Check for string matches of VM brands in the linux DMI | ๐ง | 50% | link | |||
VM::SMBIOS_VM_BIT | Check for the VM bit in the SMBIOS data | ๐ง | 50% | Admin | link | ||
VM::PODMAN_FILE | Check for podman file in /run/ | ๐ง | 5% | link | |||
VM::WSL_PROC | Check for WSL or microsoft indications in /proc/ subdirectories | ๐ง | 30% | link | |||
VM::DRIVERS | Check for VM-specific names for drivers | ๐ช | 100% | link | |||
VM::DISK_SERIAL | Check for serial numbers of virtual disks | ๐ช | 100% | link | |||
VM::IVSHMEM | Check for IVSHMEM device presence | ๐ช | 100% | link | |||
VM::GPU_CAPABILITIES | Check for GPU capabilities related to VMs | ๐ช | 25% | link | |||
VM::HANDLES | Check for vm-specific devices | ๐ช | 100% | link | |||
VM::QEMU_FW_CFG | Detect QEMU fw_cfg interface. This first checks the Device Tree for a fw-cfg node or hypervisor tag, then verifies the presence of the qemu_fw_cfg module and firmware directories in sysfs. | ๐ง | 70% | link | |||
VM::VIRTUAL_PROCESSORS | Check if the number of virtual and logical processors are reported correctly by the system | ๐ช | 100% | link | |||
VM::HYPERVISOR_QUERY | Check if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure | ๐ช | 100% | link | |||
VM::AMD_SEV_MSR | Check for AMD-SEV MSR running on the system | ๐ง๐ | 50% | Admin | link | ||
VM::VIRTUAL_REGISTRY | Check for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | ๐ช | 90% | link | |||
VM::FIRMWARE | Check for VM signatures on all firmware tables | ๐ง๐ช | 100% | Admin | link | ||
VM::FILE_ACCESS_HISTORY | Check if the number of accessed files are too low for a human-managed environment | ๐ง | 15% | link | |||
VM::AUDIO | Check if no waveform-audio output devices are present in the system | ๐ช | 25% | link | |||
VM::NSJAIL_PID | Check if process status matches with nsjail patterns with PID anomalies | ๐ง | 75% | link | |||
VM::DEVICES | Check for PCI vendor and device IDs that are VM-specific | ๐ง๐ช | 95% | link | |||
VM::ACPI_SIGNATURE | Check for VM-specific ACPI device signatures | ๐ช | 100% | link | |||
VM::TRAP | Check if after raising two traps at the same RIP, a hypervisor interferes with the instruction pointer delivery | ๐ช | 100% | link | |||
VM::UD | Check if no waveform-audio output devices are present in the system | ๐ช | 25% | link | |||
VM::BLOCKSTEP | Check if a hypervisor does not properly restore the interruptibility state after a VM-exit | ๐ช | 100% | link | |||
VM::DBVM | Check if Dark Byte's VM is present | ๐ช | 150% | link | |||
VM::BOOT_LOGO | Check boot logo for known VM images | ๐ง๐ช | 100% | link | |||
VM::MAC_SYS | Check for VM-strings in system profiler commands for MacOS | ๐ | 100% | link | |||
VM::KERNEL_OBJECTS | Check for any signs of VMs in Windows kernel object entities | ๐ช | 100% | link | |||
VM::NVRAM | Check for known NVRAM signatures that are present on virtual firmware | ๐ช | 100% | Admin | link | ||
VM::EDID | Check for non-standard EDID configurations | ๐ช | 100% | link | |||
VM::CPU_HEURISTIC | Check whether the CPU is genuine and its reported instruction capabilities are not masked | ๐ช | 90% | link | |||
VM::CLOCK | Check the presence of system timers | ๐ช | 45% | link | |||
VM::MSR | Check for AMD-SEV MSR running on the system | ๐ง๐ | 100% | Admin | link | ||
VM::KVM_INTERCEPTION | Check whether KVM attempts to patch a mismatched hypercall instruction | ๐ช | 100% | link | |||
VM::HYPERVISOR_HOOK | Check whether a hypervisor uses EPT/NPT hooking to intercept hardware breakpoints | ๐ช | 100% | This hypervisor detection also affects debuggers | link | ||
VM::POPF | Check whether a hypervisor delays trap flags over exiting instructions | ๐ช | 100% | link | |||
VM::EIP_OVERFLOW | Check whether a hypervisor does not correctly emulate instructions in compatibility mode | ๐ช | 100% | link | |||
VM::CGROUP | Check for cgroup paths in /proc/self/cgroup | ๐ง | 70% | link |
Brand table
This is the table of all the brands the lib supports.
| String | Variable alias | VM type | Notes |
|---|---|---|---|
| Unknown | brands::NULL_BRAND | Unknown | This is the default brand it returns if none were found |
| VirtualBox | brands::VBOX | Hypervisor (type 2) | |
| VMware | brands::VMWARE | Hypervisor (type 2) | |
| VMware Express | brands::VMWARE_EXPRESS | Hypervisor (type 2) | |
| VMware ESX | brands::VMWARE_ESX | Hypervisor (type 1) | |
| VMware GSX | brands::VMWARE_GSX | Hypervisor (type 2) | |
| VMware Workstation | brands::VMWARE_WORKSTATION | Hypervisor (type 2) | |
| VMware Fusion | brands::VMWARE_FUSION | Hypervisor (type 2) | |
| VMware (with VmwareHardenedLoader) | brands::VMWARE_HARD | Hypervisor (type 2) | See the repository |
| bhyve | brands::BHYVE | Hypervisor (type 2) | |
| KVM | brands::KVM | Hypervisor (type 1) | |
| QEMU | brands::QEMU | Emulator/Hypervisor (type 2) | |
| QEMU+KVM | brands::QEMU_KVM | Hypervisor (type 1) | |
| KVM Hyper-V Enlightenment | brands::KVM_HYPERV | Hypervisor (type 1) | |
| QEMU+KVM Hyper-V Enlightenment | brands::QEMU_KVM_HYPERV | Hypervisor (type 1) | |
| Microsoft Hyper-V | brands::HYPERV | Hypervisor (type 1) | |
| Microsoft Virtual PC/Hyper-V | brands::HYPERV_VPC | Hypervisor (either type 1 or 2) | |
| Parallels | brands::PARALLELS | Hypervisor (type 2) | |
| Xen HVM | brands::XEN | Hypervisor (type 1) | |
| ACRN | brands::ACRN | Hypervisor (type 1) | |
| QNX hypervisor | brands::QNX | Hypervisor (type 1) | |
| Hybrid Analysis | brands::HYBRID | Sandbox | |
| Sandboxie | brands::SANDBOXIE | Sandbox | |
| Docker | brands::DOCKER | Container | |
| Wine | brands::WINE | Compatibility layer | |
| Virtual PC | brands::VPC | Hypervisor (type 2) | |
| Anubis | brands::ANUBIS | Sandbox | |
| JoeBox | brands::JOEBOX | Sandbox | |
| ThreatExpert | brands::THREATEXPERT | Sandbox | |
| CWSandbox | brands::CWSANDBOX | Sandbox | |
| Comodo | brands::COMODO | Sandbox | |
| Bochs | brands::BOCHS | Emulator | |
| NetBSD NVMM | brands::NVMM | Hypervisor (type 2) | |
| OpenBSD VMM | brands::BSD_VMM | Hypervisor (type 2) | |
| Intel HAXM | brands::INTEL_HAXM | Hypervisor (type 1) | |
| Unisys s-Par | brands::UNISYS | Partitioning Hypervisor | |
| Lockheed Martin LMHS | brands::LMHS | Hypervisor (unknown type) | Yes, you read that right. The lib can detect VMs running on US military fighter jets, apparently. |
| Cuckoo | brands::CUCKOO | Sandbox | |
| BlueStacks | brands::BLUESTACKS | Emulator | |
| Jailhouse | brands::JAILHOUSE | Partitioning Hypervisor | |
| Apple VZ | brands::APPLE_VZ | Unknown | |
| Intel KGT (Trusty) | brands::INTEL_KGT | Hypervisor (type 1) | |
| Microsoft Azure Hyper-V | brands::AZURE_HYPERV | Hypervisor (type 1) | |
| SimpleVisor | brands::SIMPLEVISOR | Hypervisor (type 1) | |
| Hyper-V root partition (host system, not an actual VM) | brands::HYPERV_ARTIFACT | Host machine | Windows Hyper-V has a tendency to modify host hardware values with VM values. In other words, this brand signifies that you're running on a host system, but the Hyper-V that's installed (either by default or manually by the user) is misleadingly making the whole system look like it's in a VM when in reality it's not. For more information, refer to this graph. |
| User-mode Linux | brands::UML | Paravirtualised/Hypervisor (type 2) | |
| IBM PowerVM | brands::POWERVM | Hypervisor (type 1) | |
| OpenStack (KVM) | brands::OPENSTACK | Hypervisor (type 1) | |
| KubeVirt (KVM) | brands::KUBEVIRT | Hypervisor (type 1) | |
| AWS Nitro System EC2 (KVM-based) | brands::AWS_NITRO | Hypervisor (type 1) | |
| Podman | brands::PODMAN | Container | |
| WSL | brands::WSL | Hybrid Hyper-V (type 1 and 2) | This is a type 1 at the fundamental level, but WSL has components that are reminiscent of type 2 VM designs to an extent. |
| OpenVZ | brands::OPENVZ | Container | |
| ANY.RUN | N/A | Sandbox | Removed from the lib, available only in the CLI due to ethical reasons. |
| Barevisor | brands::BAREVISOR | Hypervisor (type 1) | |
| HyperPlatform | brands::HYPERPLATFORM | Hypervisor (type 1) | |
| MiniVisor | brands::MINIVISOR | Hypervisor (type 1) | |
| Intel TDX | brands::INTEL_TDX | Trusted Domain | |
| LKVM | brands::LKVM | Hypervisor (type 1) | |
| AMD SEV | brands::AMD_SEV | VM encryptor | |
| AMD SEV-ES | brands::AMD_SEV_ES | VM encryptor | |
| AMD SEV-SNP | brands::AMD_SEV_SNP | VM encryptor | |
| Neko Project II | brands::NEKO_PROJECT | Emulator | |
| Google Compute Engine (KVM) | brands::GCE | Cloud VM service | |
| NoirVisor | brands::NOIRVISOR | Hypervisor (type 1) | |
| Qihoo 360 Sandbox | brands::QIHOO | Sandbox | |
| nsjail | brands::NSJAIL | Process isolator | |
| DBVM | brands::DBVM | Hypervisor (type 1) | See the Cheat Engine's Website |
| UTM | brands::UTM | Hypervisor (type 2) | |
| Compaq FX!32 | brands::COMPAQ | Emulator | |
| Insignia RealPC | brands::INSIGNIA | Emulator | |
| Connectix Virtual PC | brands::CONNECTIX | Emulator |
Setting flags
| Flag | Description | Specific to |
|---|---|---|
VM::ALL | This will enable all the technique flags, including checks that are disabled by default. | |
VM::DEFAULT | This represents a range of flags which are enabled if no default argument is provided. | |
VM::MULTIPLE | This will basically return a std::string message of which brands could be involved. For example, it could return "VMware or VirtualBox" instead of having a single brand string output. | VM::brand() |
VM::HIGH_THRESHOLD | This will set the threshold bar to confidently detect a VM by 2x higher. | VM::detect() and VM::percentage() |
VM::DYNAMIC | This will add 8 options to the conclusion message rather than 2, each with their own varying likelihoods. | VM::conclusion() |
VM::NULL_ARG | Does nothing, meant as a placeholder flag mainly for CLI purposes. It's best to ignore this. |
Variables
| Variable | Type | Description |
|---|---|---|
VM::technique_count | std::uint16_t | This will store the number of VM detection techniques |
VM::technique_vector | std::vector<std::uint8_t> | This will store all the technique macros as a vector. Useful if you're trying to loop through all the techniques for whatever operation you're performing. |
CLI documentation
| Shorthand | Full command | Description |
|---|---|---|
| -h | --help | Prints the help menu |
| -v | --version | Prints the version and miscellaneous details |
| -d | --detect | Prints the VM detection result (1 = VM, 0 = baremetal) |
| -s | --stdout | Returns either 0 or 1 to STDOUT without any text output (0 = VM, 1 = baremetal) |
| -b | --brand | Prints the most likely brand |
| -l | --brand-list | Prints all the possible VM brand strings the CLI supports |
| -c | --conclusion | Prints the conclusion message string |
| -p | --percent | Prints the VM likeliness percentage between 0 and 100 |
| -n | --number | Prints the number of VM detection techniques it can perform |
| -t | --type | Returns the VM type (if a VM was found) |
| -o | --output | Set the output path for files, specifically with the --json command |
| --disable-notes | No notes will be provided | |
| --high-threshold | A higher threshold bar for a VM detection will be applied | |
| --no-ansi | Removes all the ANSI encodings (color and text style). This is added due to some terminals not supporting ANSI escape codes while cluttering the output | |
| --dynamic | allow the conclusion message to be dynamic (8 possibilities instead of only 2) | |
| --verbose | add more information to the output | |
| --enums | display the technique enum name used by the lib | |
| --detected-only | Only display the techniques that were detected | |
| --json | Output a json-formatted file of the results |
Note
If you want a general result with the default settings, do not put any arguments. This is the intended way to use the CLI tool.