Awesome Anti-Virtualization [](https://awesome.re)

July 15, 2025 Β· View on GitHub

A curated list of resources related to anti-virtualization techniques containing references to books, papers, blog posts, and other written resources.

Anti-virtualization techniques are used to detect and evade virtualized environments. These techniques are used by malware authors, anti-cheats and proprietary software among others to avoid detection by security researchers and analysts.

We generally divide anti-virtualization techniques (also called anti-VM or redpills) into 4 categories:

  • Timing-based: These techniques rely on the fact that virtualized environments have different timing characteristics than physical machines.
  • Behavior-based: These techniques rely on the fact that virtualized environments have different behaviors than physical machines.
  • Signature-based: These techniques rely on the fact that virtualized environments have different signatures than physical machines.
  • Based on a trusted third party: These techniques rely on the fact that virtualized environments have a trusted third party that can be used to detect them.

These techniques can be called redpills because they are used to detect the "red pill" of a virtualized environment. The term "red pill" comes from the movie "The Matrix" where the red pill is used to wake up the protagonist from the virtual world.

The red pill is a special case of the related "trusted computing" and the attestation concept (Zaidenberg et al. 2015d), In Trusted computing attestation a remote 3rd party or even local software tries to ensure the integrity of the local machine in terms of software (mainly) and hardware (sometimes).

Contents

:books: Literature

Documentation

Back to top

Scientific Research

The following papers are sorted by publication date (newest first):

Back to top

Media

Back to top

:wrench: Tools

Tools are divided into their respective categories (by default, all tools are in user-mode):

IconDescription
🐧Linux
πŸͺŸWindows
🍏macOS
πŸ’½raw / no OS / UEFI
πŸš€kernel-mode

Start of the list:

  • 🐧πŸͺŸπŸ | VMAware : Easy-to-use cross-platform C++ VM detection library and tool
  • 🐧 | Hypervisor-Phantom : Advanced malware analysis tool for evading detection from advanced malware.
  • πŸͺŸ | Pafish : testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.
  • πŸͺŸ | VMDE : Virtual Machines Detection Enhanced, source from VMDE paper, adapted to 2015.
  • πŸͺŸ | Hypervision-Detection : Detects virtual machines and malware analysis environments
  • πŸͺŸ | Al-khaser : al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
  • πŸ’½πŸͺŸ | illusion-rs : Rusty Hypervisor - Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion)
  • πŸš€πŸͺŸ | hyperdetect.cc: C++ code snippet that checks for a β€œlazy” hypervisor running in kernel-mode
  • πŸͺŸ | antivmdetection : Script to create templates to use with VirtualBox to make vm detection harder
  • πŸͺŸ | InviZzzible : InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them.
  • πŸͺŸ | Anti-VM : C++ Windows-based implementation of several anti-vm techniques used in malware development.
  • 🐧 | apate : Apate performs anti-debugging, anti-VM and anti-sandbox tests, to see if your linux system is able to stay under the radar.
  • 🐧 | inside-vm : Detect if code is running inside a virtual machine (x86 and x86-64 only).
  • πŸͺŸ | EPT Hook Detection
  • πŸͺŸ | PyDefender : Anti Virtulization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Python.
  • πŸͺŸ | GoDefender : Anti Virtulization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Go. Windows ONLY.
  • 🐧πŸͺŸ | Metasploit : Open-source penetration testing framework that includes virtual machine detection modules
  • 🐧 | systemd-detect-virt (man page) : systemd-detect-virt detects execution in a virtualized environment. It identifies the virtualization technology and can distinguish full machine virtualization from container virtualization. systemd-detect-virt exits with a return value of 0 (success) if a virtualization technology is detected, and non-zero (error) otherwise.

Back to top

:jigsaw: Techniques

TechniqueDescriptionCertaintyPlatformCode reference
VMIDCheck CPUID output of manufacturer ID for known VMs/hypervisors at leaf 0 and 0x40000000-0x40000100100%🐧πŸͺŸπŸlink
CPU brandCheck if CPU brand model contains any VM-specific string snippets50%🐧πŸͺŸπŸlink
Hypervisor bitCheck if hypervisor feature bit in CPUID eax bit 31 is enabled (always false for physical CPUs)100%🐧πŸͺŸπŸlink
Hypervisor stringCheck for hypervisor brand string length (would be around 2 characters in a host machine)75%🐧πŸͺŸπŸlink
TimerCheck for timing anomalies in the system45%🐧πŸͺŸπŸlink
Thread countCheck if there are only 1 or 2 threads, which is a common pattern in VMs with default settings (nowadays physical CPUs should have at least 4 threads for modern CPUs)35%🐧πŸͺŸπŸlink
MAC addressCheck if mac address starts with certain VM designated values20%🐧πŸͺŸlink
TemperatureCheck if thermal directory in linux is present, might not be present in VMs15%🐧link
Chassis vendorCheck if the chassis vendor is a VM vendor65%🐧link
Chassis typeCheck if the chassis type is valid (it's very often invalid in VMs)20%🐧link
/.dockerenvCheck if /.dockerenv or /.dockerinit file is present30%🐧link
dmidecode outputCheck if dmidecode output matches a VM brand55%🐧link
dmesg outputCheck if dmesg output matches a VM brand55%🐧link
/sys/class/hwmonCheck if /sys/class/hwmon/ directory is present. If not, likely a VM35%🐧link
5th sidt byteCheck if the 5th byte after sidt is null45%🐧link
DLLCheck for VM-specific DLLs25%πŸͺŸlink
RegistryCheck for VM-specific registry values50%πŸͺŸlink
VM filesFind for VM-specific specific files25%πŸͺŸlink
hwmodelCheck if the sysctl for the hwmodel does not contain the "Mac" string100%🍏link
Disk sizeCheck if disk size is under or equal to 50GB60%🐧link
RAM and disk size VBoxCheck for default RAM and DISK sizes set by VirtualBox25%🐧πŸͺŸlink
VBox networkCheck for VirtualBox network provider string100%πŸͺŸlink
Computer nameCheck if the computer name (not username to be clear) is VM-specific10%πŸͺŸlink
Wine fileCheck wine_get_unix_file_name file for Wine100%πŸͺŸlink
HostnameCheck if hostname is specific10%πŸͺŸlink
KVM directoriesCheck for KVM directory "Virtio-Win"30%πŸͺŸlink
QEMU directoriesCheck for QEMU-specific blacklisted directories30%πŸͺŸlink
Power capabilitiesCheck what power states are enabled50%πŸͺŸlink
Disk drive IDChecks for virtual machine signatures in disk drive device identifiers100%πŸͺŸlink
VM processesCheck for any VM processes that are active15%πŸͺŸlink
User and hostnameCheck for default VM username and hostname for linux10%🐧link
GamarueCheck for Gamarue ransomware technique which compares VM-specific Window product IDs10%πŸͺŸlink
Bochs faulty CPUCheck for various Bochs-related emulation oversights through CPU checks100%🐧πŸͺŸπŸlink
MSSMBIOSCheck MSSMBIOS registry for VM-specific signatures100%πŸͺŸlink
Low memoryCheck if memory is too low for MacOS system15%🍏link
IO kitCheck MacOS' IO kit registry for VM-specific strings100%🍏link
ioreg commandCheck for VM-strings in ioreg commands for MacOS100%🍏link
System Integrity ProtectionCheck if System Integrity Protection is disabled (likely a VM if it is)40%🍏link
HKLMCheck HKLM registries for specific VM strings25%πŸͺŸlink
QEMU processCheck for "qemu-ga" process10%🐧link
VirtualPC backdoorCheck for official VPC method75%πŸͺŸlink
sidt instructionCheck for sidt instruction method25%πŸͺŸlink
sgdt instructionCheck for sgdt instruction method30%πŸͺŸlink
sldt instructionCheck for sldt instruction method15%πŸͺŸlink
Offensive Security sidtCheck for Offensive Security SIDT method60%πŸͺŸlink
Offensive Security sgdtCheck for Offensive Security SGDT method60%πŸͺŸlink
Offensive Security sldtCheck for Offensive Security SLDT method20%πŸͺŸlink
VirtualPC sidtCheck for sidt method with VPC's 0xE8XXXXXX range15%πŸͺŸlink
VMware iomemCheck for VMware string in /proc/iomem65%🐧link
VMware ioportsCheck for VMware string in /proc/ioports70%🐧link
VMware scsiCheck for VMware string in /proc/scsi/scsi40%🐧link
VMware dmesgCheck for VMware-specific device name in dmesg output65%🐧link
VMware str instructionCheck str assembly instruction method for VMware35%πŸͺŸlink
VMware IO port backdoorCheck for official VMware io port backdoor technique100%πŸͺŸlink
VMware memory IO portCheck for VMware memory using IO port backdoor85%πŸͺŸlink
smsw instructionCheck for SMSW assembly instruction technique30%πŸͺŸlink
Mutex stringsCheck for mutex strings of VM brands85%πŸͺŸlink
Odd CPU threadsCheck for odd CPU threads, usually a sign of modification through VM setting because 99% of CPUs have even numbers of threads80%🐧πŸͺŸπŸlink
Intel thread mismatchCheck for Intel CPU thread count database if it matches the system's thread count95%🐧πŸͺŸπŸlink
Xeon thread mismatchSame as above, but for Xeon Intel CPUs95%🐧πŸͺŸπŸlink
Nettitude VM memoryCheck for memory regions to detect VM-specific brands100%πŸͺŸlink
Cuckoo directoryCheck for cuckoo directory using crt and WIN API directory functions30%πŸͺŸlink
Cuckoo pipeCheck for Cuckoo specific piping mechanism30%πŸͺŸlink
Hyper-V hostnameCheck for default Azure hostname format regex (Azure uses Hyper-V as their base VM brand)30%🐧πŸͺŸlink
General hostnameCheck for commonly set hostnames by certain VM brands10%🐧πŸͺŸlink
Screen resolutionCheck for pre-set screen resolutions commonly found in VMs20%πŸͺŸlink
Device stringCheck if bogus device string would be accepted25%πŸͺŸlink
BlueStacks foldersCheck for the presence of BlueStacks-specific folders5%🐧link
CPUID signatureCheck for signatures in leaf 0x40000001 in CPUID95%🐧πŸͺŸπŸlink
KVM bitmaskCheck for KVM CPUID bitmask range for reserved values40%🐧πŸͺŸπŸlink
Intel KGT signatureCheck for Intel KGT (Trusty branch) hypervisor signature in CPUID80%🐧πŸͺŸπŸlink
QEMU DMICheck for presence of QEMU in the /sys/devices/virtual/dmi/id directory40%🐧link
QEMU USBCheck for presence of QEMU in the /sys/kernel/debug/usb/devices directory20%🐧link
Hypervisor directoryCheck for presence of any files in /sys/hypervisor directory20%🐧link
User Mode Linux CPUCheck for the "UML" string in the CPU brand80%🐧link
kmsg logsCheck for any indications of hypervisors in the kernel message logs5%🐧link
Xen VM processesCheck for a Xen VM process10%🐧link
VBox kernel moduleCheck for a VBox kernel module15%🐧link
sysinfo processCheck for potential VM info in /proc/sysinfo15%🐧link
Device treeCheck for specific files in /proc/device-tree directory20%🐧link
DMI scanCheck for string matches of VM brands in the linux DMI50%🐧link
SMBIOS VM bitCheck for the VM bit in the SMBIOS data50%🐧link
Podman fileCheck for podman file in /run/5%🐧link
WSL processCheck for WSL or microsoft indications in /proc/ subdirectories30%🐧link
ANY.RUN driverCheck for any.run driver presence65%πŸͺŸlink
ANY.RUN directoryCheck for any.run directory and handle the status code35%πŸͺŸlink
Driver namesCheck for VM-specific names for drivers100%πŸͺŸlink
sidt baseCheck for unknown IDT base address100%πŸͺŸlink
HDD serialCheck for serial numbers of virtual disks100%πŸͺŸlink
Port connectionsCheck for physical connection ports25%πŸͺŸlink
GPU capabilitiesCheck for GPU capabilities related to VMs100%πŸͺŸlink
GPU VM stringsCheck for specific GPU string signatures related to VMs100%πŸͺŸlink
VM devicesCheck for VM-specific devices45%πŸͺŸlink
idt and GDT scanCheck if the IDT and GDT virtual base addresses are equal across different CPU cores when not running under Hyper-V50%πŸͺŸlink
Processor countCheck for number of processors50%πŸͺŸlink
Core countCheck for number of cores50%πŸͺŸlink
ACPI temperatureCheck for device's temperature25%πŸͺŸlink
Processor IDCheck if any processor has an empty Processor ID using SMBIOS data25%πŸͺŸlink
QEMU /sys/Check for existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware70%🐧link
lshw QEMUCheck for QEMU string instances with lshw command80%🐧link
Virtual processorsCheck if the number of virtual and logical processors are reported correctly by the system50%πŸͺŸlink
Hyper-V queryCheck if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure100%πŸͺŸlink
VM memory poolsCheck for system pools allocated by hypervisors80%πŸͺŸlink
AMD SEVCheck for AMD-SEV MSR running on the system50%🐧🍏link
AMD thread count mismatchCheck for AMD CPU thread count database if it matches the system's thread count95%🐧πŸͺŸπŸlink
Native VHDCheck for OS being booted from a VHD container100%πŸͺŸlink
Virtual registryCheck for particular object directory which is present in Sandboxie virtual environment but not in usual host systems65%πŸͺŸlink
Firmware signaturesCheck for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid75%πŸͺŸπŸ§link
File access historyCheck if the number of accessed files are too low for a human-managed environment15%🐧link
Audio deviceCheck if audio device is present25%πŸͺŸlink
Unrecognised physical x86 CPU manufacturerCheck if the CPU manufacturer is not known50%🐧πŸͺŸπŸlink
OSXSAVECheck if running xgetbv in the XCR0 extended feature register triggers an exception50%πŸͺŸlink
nsjail PIDCheck if process status matches with nsjail patterns with PID anomalies75%🐧link
PCIe bridge nameCheck for PCIe bridge names for known VM keywords and brands100%🐧link

Back to top

Contributing

Contributions are welcome! Please read the contribution guidelines first.