
v2.6.0 🎉

@NotRequiem NotRequiem released this 25 Jan 01:04
· 181 commits to main since this release

Important

🎉 1,000 Stars Milestone

We are proud to announce that VMAware has reached 1000 stars!

This milestone marks the evolution of this project from a simple experiment into one of the gold standards for open-source virtual machine detection. What started as a hobby side project 3 years ago now runs on tens of thousands of machines, collaborates with anti-cheats and security-related projects, appears in scientific papers, and keeps advancing the field of VM detection.

Thank you to all our contributors and users for supporting the project ❤️

- @kernelwernel and @NotRequiem

Main Changes (Detections)

Added

  • VM::SMBIOS_INTEGRITY: Specifically targets Oracle (VirtualBox) hypervisors.
  • VM::EDID: Detects non-standard EDID values introduced by hardening patches.
  • VM::CPU_HEURISTIC: Detects spoofed CPUs commonly used in public hardened setups, such as Nika-Read-Only.
    • Detection of hidden instruction capabilities (AES, YMM state, RDRAND).
    • Detection of spoofed CPU vendors (AMD CPU spoofed as Intel, or vice versa).
    • Detection of spoofed motherboards (AMD motherboard having an Intel CPU, and vice versa).
  • VM::CLOCK: Detection of "must-have" bare-metal system timers:
    • PIT/AT timer (PC-class System Timer).
    • HPET (PNP0103, checked in VM::FIRMWARE).
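How a "hidden instruction capability" check of the kind listed under VM::CPU_HEURISTIC can work in practice, as an added example that is not VMAware's code: on Linux/x86-64 it compares the CPUID feature bits for AES-NI, RDRAND and YMM state against whether the corresponding instruction actually executes, which catches a hypervisor that masks the bit but still lets the instruction through. The SIGILL-based probe, the three instructions chosen, and the `is_masked`/`is_phantom` decision rules are assumptions of this example; on other architectures the probe returns an empty list.

```cpp
// Added example (not VMAware's code): compare what CPUID claims about a
// capability with whether the instruction really executes. Linux/x86-64 only;
// other targets get an empty probe list.
#include <cstdio>
#include <setjmp.h>
#include <signal.h>
#include <string>
#include <vector>

#if defined(__x86_64__)
#include <cpuid.h>
#define EXAMPLE_X86_64 1
#else
#define EXAMPLE_X86_64 0
#endif

struct CapCheck {
    std::string name;
    bool cpuid_says;   // feature bit as reported by CPUID leaf 1 (plus XCR0 for YMM)
    bool instr_works;  // the instruction ran without raising #UD
};

// CPUID says "absent" but the instruction runs: the leaf has been masked,
// which a hardened hypervisor does to hide the real CPU model.
bool is_masked(const CapCheck& c) { return !c.cpuid_says && c.instr_works; }

// CPUID says "present" but the instruction faults: the feature was disabled
// without hiding the bit. Also inconsistent, and not seen on bare metal.
bool is_phantom(const CapCheck& c) { return c.cpuid_says && !c.instr_works; }

std::vector<std::string> masked_names(const std::vector<CapCheck>& checks) {
    std::vector<std::string> out;
    for (const CapCheck& c : checks) if (is_masked(c)) out.push_back(c.name);
    return out;
}

#if EXAMPLE_X86_64
static sigjmp_buf g_ud_jmp;
static void on_sigill(int) { siglongjmp(g_ud_jmp, 1); }

// Executes fn(); returns false if it raised #UD (delivered as SIGILL).
template <typename F>
static bool executes_without_ud(F fn) {
    struct sigaction sa {}, old {};
    sa.sa_handler = on_sigill;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGILL, &sa, &old);
    volatile bool ok = false;
    if (sigsetjmp(g_ud_jmp, 1) == 0) {  // savesigs=1: SIGILL is unblocked again after the jump
        fn();
        ok = true;
    }
    sigaction(SIGILL, &old, nullptr);
    return ok;
}

std::vector<CapCheck> probe_capabilities() {
    unsigned eax = 0, ebx = 0, ecx = 0, edx = 0;
    // __get_cpuid declares EBX as an output operand, so the compiler preserves
    // the non-volatile RBX itself; no hand-written push/pop that an unwinder
    // could skip.
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return {};
    const bool aes     = ecx & (1u << 25);
    const bool rdrand  = ecx & (1u << 30);
    const bool osxsave = ecx & (1u << 27);
    const bool avx     = ecx & (1u << 28);
    bool ymm_state = false;
    if (osxsave && avx) {  // XGETBV(0) bits 1 and 2: SSE and YMM state enabled by the OS
        unsigned lo, hi;
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        ymm_state = (lo & 0x6u) == 0x6u;
    }
    return {
        {"AES-NI", aes, executes_without_ud([] {
             __asm__ volatile("aesenc %%xmm1, %%xmm0" ::: "xmm0"); })},
        {"RDRAND", rdrand, executes_without_ud([] {
             unsigned long long r;
             __asm__ volatile("rdrand %0" : "=r"(r) : : "cc"); })},
        {"YMM state", ymm_state, executes_without_ud([] {
             __asm__ volatile("vxorps %%ymm0, %%ymm0, %%ymm0" ::: "xmm0"); })},
    };
}
#else
std::vector<CapCheck> probe_capabilities() { return {}; }
#endif

int main() {
    for (const CapCheck& c : probe_capabilities())
        std::printf("%-9s cpuid=%d executes=%d %s\n", c.name.c_str(), c.cpuid_says,
                    c.instr_works, is_masked(c) ? "<- masked" : "");
}
```

On a consistent machine every row agrees with itself; a masked row is the signal this technique looks for, and a phantom row usually means the hypervisor disabled a feature in XCR0 or CR4 without editing the leaf.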

Improved

  • VM::BOCHS_CPU
  • VM::TIMER:
    • New latency thresholds based on more than 100,000 tests over 10,000 different machines.
    • New mathematical algorithm based on gap-based clustering, able to detect results contaminated by kernel noise.
    • New tamper-resistant algorithm to retrieve the CPU base speed.
    • Improved checks on unconditionally exiting instructions (e.g. CPUID, which always causes a VM exit under Intel VT-x).
    • Improved vCPU pinning and thread affinity.
    • Improved checks based on comparing the TSC scale with the clock frequency.
    • New check capable of detecting any RDTSC/RDTSCP patch by cross-referencing kernel interrupt timers against TSC scaling.
  • VM::DMI_SCAN
  • VM::FIRMWARE
  • VM::PCI_DEVICES
  • VM::HW_MODEL
  • VM::MAC_SIP
  • VM::WINE
  • VM::POWER_CAPABILITIES
  • VM::GAMARUE
  • VM::SGDT
  • VM::SLDT
  • VM::MUTEX
  • VM::CUCKOO_DIR
  • VM::CUCKOO_PIPE
  • VM::DISPLAY
  • VM::DRIVERS
  • VM::DISK_SERIAL
  • VM::IVSHMEM
  • VM::DEVICE_HANDLES
  • VM::VIRTUAL_REGISTRY
  • VM::AUDIO
  • VM::ACPI_SIGNATURE
  • VM::TRAP
  • VM::UD
  • VM::DBVM
  • VM::OBJECTS
  • VM::NVRAM:
    • Detection of missing EFI vars found in every bare-metal system.
    • Detection of illegitimate injected Secure Boot certificates.
    • Detection of mismatched EFI var relationships.
    • Detection of OVMF firmware patterns.
  • util::is_proc_running: Updated to read /proc/[pid]/cmdline as binary data, since its argv entries are NUL-separated, so arguments after the first are no longer lost.
  • util::hyper_x(): Updated detection logic for Hyper-V artifact types (Root partition vs. Guest vs. Enlightenment).
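The gap-based clustering named under VM::TIMER is not spelled out in these notes. The following added example (not VMAware's code) shows one plausible reading of it: sort the latency samples, cut at the first unusually large gap between neighbours, and treat the tail above the cut as kernel-noise contamination rather than letting it skew the median. The gap factor, the CPUID round-trip measurement and the function names are assumptions of this example; on non-x86-64 targets the live measurement returns nothing and the constructed sample run is used.

```cpp
// Added example (not VMAware's code): separate clean latency samples from ones
// contaminated by kernel noise by cutting the sorted run at its largest gap.
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

#if defined(__x86_64__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

struct TimingClusters {
    std::vector<uint64_t> core;          // tight base cluster: trusted samples
    std::vector<uint64_t> contaminated;  // inflated by interrupts, SMIs or preemption
};

// Sorted samples of a well-behaved measurement form one tight run; noise adds a
// sparse tail. Cut at the first neighbour gap that is gap_factor times the
// median neighbour gap (gap_factor is an illustrative assumption).
TimingClusters split_by_gap(std::vector<uint64_t> samples, double gap_factor = 8.0) {
    TimingClusters out;
    if (samples.size() < 3) { out.core = std::move(samples); return out; }
    std::sort(samples.begin(), samples.end());

    std::vector<uint64_t> gaps(samples.size() - 1);
    for (size_t i = 0; i + 1 < samples.size(); ++i) gaps[i] = samples[i + 1] - samples[i];

    std::vector<uint64_t> ordered = gaps;
    std::sort(ordered.begin(), ordered.end());
    const uint64_t median_gap = std::max<uint64_t>(1, ordered[ordered.size() / 2]);
    const double threshold = gap_factor * static_cast<double>(median_gap);

    size_t cut = samples.size();  // default: no contaminated tail
    for (size_t i = 0; i < gaps.size(); ++i) {
        if (static_cast<double>(gaps[i]) > threshold) { cut = i + 1; break; }
    }
    out.core.assign(samples.begin(), samples.begin() + cut);
    out.contaminated.assign(samples.begin() + cut, samples.end());
    return out;
}

// Upper median of the values (integer; the two middles are not averaged).
uint64_t median_of(std::vector<uint64_t> v) {
    if (v.empty()) return 0;
    std::sort(v.begin(), v.end());
    return v[v.size() / 2];
}

// Share of samples discarded as noise; a high ratio means "re-measure, don't decide".
double contamination_ratio(const TimingClusters& c) {
    const size_t total = c.core.size() + c.contaminated.size();
    return total == 0 ? 0.0 : static_cast<double>(c.contaminated.size()) / total;
}

// Live round trip of one CPUID (an unconditional VM exit on Intel VT-x).
// RDTSCP after the instruction keeps it from being reordered past the read.
// Returns an empty vector off x86-64.
std::vector<uint64_t> measure_cpuid_cycles(size_t n) {
    std::vector<uint64_t> out;
#if defined(__x86_64__)
    out.reserve(n);
    for (size_t i = 0; i < n; ++i) {
        unsigned a, b, c, d, aux;
        const uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        const uint64_t t1 = __rdtscp(&aux);
        out.push_back(t1 - t0);
    }
#else
    (void)n;
#endif
    return out;
}

int main() {
    std::vector<uint64_t> samples = measure_cpuid_cycles(64);
    if (samples.empty())  // not x86-64: fall back to a constructed run
        samples = {98, 101, 100, 99, 102, 100, 101, 3200, 100, 2850};
    const TimingClusters c = split_by_gap(samples);
    std::printf("core median %llu cycles, %zu of %zu samples contaminated\n",
                (unsigned long long)median_of(c.core), c.contaminated.size(), samples.size());
}
```

The point of the split is that the decision is then made on the core median only, while the contamination ratio tells the caller whether the run was too noisy to decide at all; the actual cycle thresholds that separate bare metal from a hypervisor are not part of this example.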
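The /proc/[pid]/cmdline fix above hinges on one detail of that file: each argv entry is terminated by a NUL byte, so reading the buffer as a C string returns only argv[0] and a sandbox agent started as `python3 /opt/agent/agent.py` is never matched. The following added example (not VMAware's util::is_proc_running) parses the file as raw bytes and compares each argument's basename; the constructed sample cmdline, the path under /opt and the function names are assumptions of this example.

```cpp
// Added example (not VMAware's util::is_proc_running): parse /proc/[pid]/cmdline
// as bytes. Each argv entry is NUL-terminated, so C-string reads stop at argv[0].
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <filesystem>
#include <fstream>
#include <iterator>
#include <string>
#include <vector>

// Constructed sample of what the kernel hands back for
// `python3 /opt/agent/agent.py --port 8000`, NULs included.
static const char kRawCmdline[] = "python3\0/opt/agent/agent.py\0--port\0" "8000\0";
const std::string kSampleCmdline(kRawCmdline, sizeof(kRawCmdline) - 1);

// The bug being fixed: treating the buffer as a C string keeps only argv[0].
std::string naive_first_arg(const std::string& raw) { return std::string(raw.c_str()); }

std::vector<std::string> split_cmdline(const std::string& raw) {
    std::vector<std::string> argv;
    for (size_t start = 0; start < raw.size();) {
        size_t nul = raw.find('\0', start);
        if (nul == std::string::npos) nul = raw.size();  // no trailing NUL (rare)
        argv.push_back(raw.substr(start, nul - start));
        start = nul + 1;
    }
    return argv;
}

std::string basename_of(const std::string& path) {
    const size_t slash = path.rfind('/');
    return slash == std::string::npos ? path : path.substr(slash + 1);
}

// True when any argument's basename equals target, so "agent.py" is found
// even though argv[0] is the interpreter.
bool cmdline_mentions(const std::string& raw, const std::string& target) {
    for (const std::string& arg : split_cmdline(raw))
        if (basename_of(arg) == target) return true;
    return false;
}

std::string read_file_bytes(const std::filesystem::path& p) {
    std::ifstream in(p, std::ios::binary);  // unreadable (EPERM, zombie) -> empty string
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

static bool all_digits(const std::string& s) {
    return !s.empty() && std::all_of(s.begin(), s.end(),
                                     [](unsigned char ch) { return std::isdigit(ch); });
}

// Walks /proc; returns false where /proc is absent. Errors go through
// error_code so a PID that vanishes mid-scan never throws.
bool is_proc_running(const std::string& target) {
    namespace fs = std::filesystem;
    std::error_code ec;
    fs::directory_iterator it("/proc", ec), end;
    for (; !ec && it != end; it.increment(ec)) {
        const std::string pid = it->path().filename().string();
        if (!all_digits(pid)) continue;
        if (cmdline_mentions(read_file_bytes(it->path() / "cmdline"), target)) return true;
    }
    return false;
}

int main() {
    std::printf("naive read sees: %s\n", naive_first_arg(kSampleCmdline).c_str());
    for (const std::string& arg : split_cmdline(kSampleCmdline)) std::printf("arg: %s\n", arg.c_str());
    std::printf("agent.py running here: %s\n", is_proc_running("agent.py") ? "yes" : "no");
}
```

Matching on the basename of every argument rather than on argv[0] alone is what makes interpreter-launched agents visible; matching on a substring instead would also catch unrelated processes, so the example keeps the comparison exact.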

Fixed

  • std::source_location usage for Apple systems.
  • Compilation for crc32 function targets on ARM.
  • Linux cooling detections.
  • Linux SIGSEGV exception on some (exotic) machines without PCI device storage.
  • Support for the new MSVC v145 compiler, with enum underlying type canonicalization.
  • Crashes in VM::TRAP when compiled with Clang and the MSVC toolset with all stack optimizations enabled and frame pointers omitted, caused by a non-volatile register (specifically RBX) being corrupted. cpuid clobbers RBX, and while we had wrapped it in push/pop rbx, returning EXCEPTION_EXECUTE_HANDLER makes the OS unwind the stack without executing the pop rbx instruction, so RBX was never restored.
  • Every false positive known to date or reported against v2.5.0.

Removed

  • VM::TPM
  • VM::REGISTRY_VALUES
  • VM::REGISTRY_KEYS
  • VM::HYPERV_QUERY (Renamed to VM::HYPERVISOR_QUERY)
  • VM::BOOT_MANAGER
  • VM::SMBIOS_PASSTHROUGH (Renamed to VM::SMBIOS_INTEGRITY)
  • VM::GENERAL_HOSTNAME
  • VM::VBOX_DEFAULT
  • VM::INTEL_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)
  • VM::AMD_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)
  • VM::XEON_THREAD_MISMATCH (Moved to VM::THREAD_MISMATCH)

Evaluated Detections

These are detections that were tested in previous versions of VMAware but not added to production because they were not reliable enough.

  • Reads of reserved MSR ranges that do not raise #GP as they would on bare metal, specifically KVM's 0x4b564d08-0x4b564dff range (0x4b564d is the ASCII tag "KVM"); on most hypervisors the #GP is injected normally and reaches the VEH.
  • Last Branch Record (LastBranchFromIp) virtualization checks using ICEBP (INT 01 kernel handler) with debug bits and trap flags.
  • EDK II (TianoCore) EFI checks.
  • BIOS POST timing checks.
  • Kernel-Power log queries to detect nominal CPU frequency and timing status.
  • ACPI divergence tests with SSDT and DSDT device scopes.

Secondary Changes

Additions

  • cpu::get_model() and cpu::stepping_struct: To parse CPU brand strings and family/model/stepping data more accurately.
  • util::get_ntdll(): Manually walks the PEB to find the base address of ntdll.dll.
  • util::get_function_address(): Manually parses the Export Address Table (EAT) of a module to find function pointers by name.
  • util::get_manufacturer_model(): Retrieves BIOS information via Registry (Windows).
  • cpu::is_leaf_supported(): Caches supported CPUID leaves.
  • French, Korean, and Chinese translations of our library.

Improvements

  • The core no longer allocates RWX memory at all, nor any heap memory.
  • Rewrote every check to use the Windows NT API. We decided not to implement a direct/indirect syscall core because it is incompatible with anti-cheat systems and other security products that currently use VMAware.
  • Hardware-accelerated precomputed hashing + O(1) lookup for CPU DB fetches.
  • Improved automatic hardened environment guesses.
  • Removed redundant utility functions.
  • More conclusive hypervisor detection reports.
  • constexpr-ization.
  • Memo caching for various elements.
  • CPU fetching utility function performance.
  • CPU database performance for the thread database technique.
  • Code clarity in all core and technique functions.
  • Windows module handling.
  • Core technique management.
  • Technique argument handler.
  • Brand fetching mechanism.
  • Renamed macros to prevent conflicts with other user-defined preprocessor directives.
  • Updated VMAware performance benchmarks.
  • Direct retrieval of Windows pseudo-handles without calling APIs.
  • Support for all Intel Core Ultra processors in our DB.

Next Plans under consideration

  • Removal of the dev branch.
  • Instruction tests in compatibility mode (via a far jmp, similar to the Heaven's Gate technique). For example, instructions intercepted by hypervisors such as popf have the exact same encoding in compatibility mode and in 64-bit mode but behave differently depending on which mode the CPU is running in, which makes them the most likely to have been overlooked by kernel developers.
  • Abusing faulty RFLAGS/DR6/DR7 injections when forcing an exception to detect hypervisors like DBVM.
  • Addition of side-channel cache attacks and TLB flushes to our timing set.
  • VM::STEALTH mode (disabled by default), which will detect IAT, EAT, VMT, VEH and other basic inline hooks through in-memory vs. on-disk module comparisons and digital signature checks, to tell whether VMAware routines are being intercepted, while minimizing conflicts with other anti-debugging/anti-cheat projects that run our library.
  • Addition of vmexit latency detection patterns learned by BiLSTM RNN models.
  • Open-source kernel-level checks without exposing a digitally signed driver.
  • Other surprises.

VirusTotal Results and Executables

https://www.virustotal.com/gui/file/fdcb107e4831679f6d97e212fef7041040b018670b25f929a5c3efdc58e3ab96?nocache=1

The Windows binaries were generated in CI/CD purely from the source code here, except for the debug binary, which was compiled manually to avoid runtime issues for users of that binary.

The Linux binaries, on the other hand, were generated through the cmake file present in the root directory of the repository.

Note

This update focuses on detecting both private and public hardened setups, primarily via CPU instruction abuse, non-volatile RAM checks and timing attacks. Our strongest and most documented technique (VM::TIMER) now has a score of 100% and will conclude a VM on its own if triggered. We're ready to release a patch version (2.6.1) if this decision turns out to be too risky. Report any issues you find so we can fine-tune our algorithms.

Contact

For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com.