A curated list of resources related to anti-virtualization techniques containing references to books, papers, blog posts, and other written resources.
Anti-virtualization techniques are used to detect and evade virtualized environments. These techniques are used by malware authors, anti-cheats and proprietary software among others to avoid detection by security researchers and analysts.
We generally divide anti-virtualization techniques (also called anti-VM or redpills) into 4 categories:
- Timing-based: These techniques rely on the fact that virtualized environments have different timing characteristics than physical machines.
- Behavior-based: These techniques rely on the fact that virtualized environments have different behaviors than physical machines.
- Signature-based: These techniques rely on the fact that virtualized environments have different signatures than physical machines.
- Based on a trusted third party: These techniques rely on a trusted third party (for instance a remote attestation service) that can attest whether the environment is virtualized.
These techniques are also called redpills, after the movie "The Matrix", where the red pill wakes the protagonist from the virtual world; in the same way, a redpill reveals to a program that it is running inside a virtualized environment.
The red pill can be seen as a special case of the related trusted computing and attestation concept (Zaidenberg et al. 2015d). In trusted computing attestation, a remote third party or even local software tries to ensure the integrity of the local machine, mainly in terms of software and sometimes in terms of hardware.
- 📚 Literature : everything written about anti-virtualization techniques
  - Documentation (blogs, manuals, specifications, etc.)
  - Scientific Research
  - Media (videos, podcasts, etc.)
- 🔧 Tools : tools to detect and evade virtualized environments
- 🧩 Techniques : a list of anti-virtualization techniques
- About evasion techniques - Check Point Research : A collection of evasion techniques used by malware to avoid detection.
- Detecting Hypervisor-assisted Hooking - Maurice Heumann, see also Github Project EPT Hook Detection
- Evading ACPI checks in commercial virtualization platforms - Nick Peterson
- How anti-cheats detect system emulation - secret.club
- Detecting Hypervisor Presence on Windows 10 - Nick Peterson
- 7 Ways to Detect Virtualization from your VM [Xen,VirtualBox,KVM,OpenStack with KVM] - techglimpse.com
- Playing with GuLoader Anti-VM techniques - outpost24.com
- Detecting VMware by reading an invalid MSR - drew
- Defeating malware's Anti-VM techniques (CPUID-Based Instructions) - Sina Karvandi
- Deploy Hidden Virtual Machine For VMProtections Evasion And Dynamic Analysis - r0ttenbeef
The following papers are sorted by publication date (newest first):
- ARAP: Demystifying Anti Runtime Analysis Code in Android Apps (August 2024)
- Unraveling Shadows: Exploring the Realm of Elite Cyber Spies (July 2024)
- The Reversing Machine: Reconstructing Memory Assumptions (May 2024)
- CLOUDOSCOPE: Detecting Anti-Forensic Malware using Public Cloud Environments (June 2023)
- From Text to MITRE Techniques: Exploring the Malicious Use of Large Language Models for Generating Cyber Attack Payloads (May 2023)
- HyperDbg: Reinventing Hardware-Assisted Debugging (May 2022)
- On the Effectiveness of Binary Emulation in Malware Classification (April 2022)
- An automated framework for runtime analysis of malicious executables on Linux (2021)
- Bypassing Anti-Analysis of Commercial Protector Methods Using DBI Tools (2021)
- A Review on Android Malware: Attacks, Countermeasures and Challenges Ahead (2021)
- Longitudinal Study of the Prevalence of Malware Evasive Techniques (December 2021)
- POW-HOW: An enduring timing side-channel to evade online malware sandboxes (September 2021)
- Detection of Virtual Machines Based on Thread Scheduling (July 2021)
- Hypervisor-assisted dynamic malware analysis (June 2021)
- Sandbox Detection Using Hardware Side Channels (April 2021)
- Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks (March 2021)
- DBI, debuggers, VM: gotta catch them all: How to escape or fool debuggers with internal architecture CPU flaws? (June 2021)
- Reducing Malware Analysis Overhead With Coverings (January 2021)
- Creating Modern Blue Pills and Red Pills (July 2019)
- Rethinking anti-emulation techniques for large-scale software deployment (June 2019)
- Malware Dynamic Analysis Evasion Techniques (November 2018)
- Follow the WhiteRabbit: Towards Consolidation of On-the-Fly Virtualization and Virtual Machine Introspection (September 2018)
- New attack technique based on Meltdown. Using speculative instructions to detect virtualization (May 2018)
- Handling Anti-Virtual Machine Techniques in Malicious Software (December 2017)
- A Study of I/O Performance of Virtual Machines (June 2017)
- Detecting Hardware-Assisted Virtualization (July 2016)
- Advanced or Not? A Comparative Study of the Use of Anti-debugging and Anti-VM Techniques in Generic and Targeted Malware (May 2016)
- A Survey of Stealth Malware Attacks, Mitigation Measures, and Steps Toward Autonomous Open World Solutions (March 2016)
- Virtual Machines Detection Methods Using IP Timestamps Pattern Characteristic (February 2016)
- Research on Utilizing Emulab for Malware Analysis (February 2016)
- Two challenges of stealthy hypervisors detection: time cheating and data fluctuations (2015)
- New Methods for Detecting Malware Infections and New Attacks against Hardware Virtualization (2015)
- Hyperprobe: Towards Virtual Machine Extrospection (2015), see also Presentation Video
- Mal-EVE: Static detection model for evasive malware (August 2015)
- An assessment of virtual machine assails (January 2015)
- Cardinal Pill Testing of System Virtual Machines (August 2014)
- An analysis of hardware-assisted virtual machine based rootkits (June 2014)
- VMDE: Virtual Machines Detection Enhanced (November 2013)
- Anti-virtual machines and emulations (June 2012)
- Virtualization Security: Virtual Machine Monitoring and Introspection (2011)
- Malware Virtualization-Resistant Behavior Detection (December 2011)
- Detecting Environment-Sensitive Malware (September 2011)
- On the Impossibility of Detecting Virtual Machine Monitors (2009)
- Detecting the Presence of Virtual Machines Using the Local Data Table (2009)
- Stealth sandbox analysis of malware (August 2009)
- Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware (June 2008)
- Attacks on More Virtual Machine Emulators (2007), see associated slides
- Attacks on Virtual Machine Emulators (2007), see associated slides
- Detecting System Emulators (October 2007)
- Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction (October 2007)
- Hiding Virtualization from Attackers and Malware (May 2007)
- On the Cutting Edge: Thwarting Virtual Machine Detection (2006)
- Methods for Virtual Machine Detection (June 2006)
- LISA15 - Hyperprobe: Towards Virtual Machine Extrospection
- Don't Tell Joanna, The Virtualized Rootkit Is Dead, see associated slides
Tools are divided into their respective categories (by default, all tools are in user-mode):
Icon | Description |
---|---|
🐧 | Linux |
🪟 | Windows |
🍎 | macOS |
👽 | raw / no OS / UEFI |
🔒 | kernel-mode |
Start of the list:
- 🐧🪟🍎 | VMAware : Easy-to-use cross-platform C++ VM detection library and tool
- 🐧 | Hypervisor-Phantom : Advanced malware analysis tool for evading detection from advanced malware.
- 🪟 | Pafish : Testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.
- 🪟 | VMDE : Virtual Machines Detection Enhanced, source from the VMDE paper, adapted to 2015.
- 🪟 | Hypervision-Detection : Detects virtual machines and malware analysis environments
- 🪟 | Al-khaser : al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
- 👽🪟 | illusion-rs : Rusty Hypervisor - Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion)
  - specifically see the Hypervisor detection section
- 🔒🪟 | hyperdetect.cc : C++ code snippet that checks for a "lazy" hypervisor running in kernel-mode
- 🪟 | antivmdetection : Script to create templates to use with VirtualBox to make VM detection harder
- 🪟 | InviZzzible : InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up-to-date detection and evasion techniques as well as fixes for them.
- 🪟 | Anti-VM : C++ Windows-based implementation of several anti-VM techniques used in malware development.
- 🐧 | apate : Apate performs anti-debugging, anti-VM and anti-sandbox tests, to see if your Linux system is able to stay under the radar.
- 🐧 | inside-vm : Detect if code is running inside a virtual machine (x86 and x86-64 only).
- 🪟 | EPT Hook Detection
- 🪟 | PyDefender : Anti Virtualization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Python.
- 🪟 | GoDefender : Anti Virtualization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Go. Windows ONLY.
- 🐧🪟 | Metasploit : Open-source penetration testing framework that includes virtual machine detection modules
- 🐧 | systemd-detect-virt (man page) : systemd-detect-virt detects execution in a virtualized environment. It identifies the virtualization technology and can distinguish full machine virtualization from container virtualization. systemd-detect-virt exits with a return value of 0 (success) if a virtualization technology is detected, and non-zero (error) otherwise. See also the systemd source code in systemd/src/basic/virt.c
- See also
Technique | Description | Certainty | Platform | Code reference |
---|---|---|---|---|
VMID | Check CPUID output of manufacturer ID for known VMs/hypervisors at leaf 0 and 0x40000000-0x40000100 | 100% | 🐧🪟🍎 | link |
CPU brand | Check if CPU brand model contains any VM-specific string snippets | 50% | 🐧🪟🍎 | link |
Hypervisor bit | Check if hypervisor feature bit in CPUID eax bit 31 is enabled (always false for physical CPUs) | 100% | 🐧🪟🍎 | link |
Hypervisor string | Check for hypervisor brand string length (would be around 2 characters in a host machine) | 75% | 🐧🪟🍎 | link |
Timer | Check for timing anomalies in the system | 45% | 🐧🪟🍎 | link |
Thread count | Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings (modern physical CPUs should have at least 4 threads) | 35% | 🐧🪟🍎 | link |
MAC address | Check if MAC address starts with certain VM-designated values | 20% | 🐧🪟 | link |
Temperature | Check if the thermal directory in Linux is present; it might not be present in VMs | 15% | 🐧 | link |
Chassis vendor | Check if the chassis vendor is a VM vendor | 65% | 🐧 | link |
Chassis type | Check if the chassis type is valid (it's very often invalid in VMs) | 20% | 🐧 | link |
/.dockerenv | Check if /.dockerenv or /.dockerinit file is present | 30% | 🐧 | link |
dmidecode output | Check if dmidecode output matches a VM brand | 55% | 🐧 | link |
dmesg output | Check if dmesg output matches a VM brand | 55% | 🐧 | link |
/sys/class/hwmon | Check if /sys/class/hwmon/ directory is present. If not, likely a VM | 35% | 🐧 | link |
5th sidt byte | Check if the 5th byte after sidt is null | 45% | 🐧 | link |
DLL | Check for VM-specific DLLs | 25% | 🪟 | link |
Registry | Check for VM-specific registry values | 50% | 🪟 | link |
VM files | Check for VM-specific files | 25% | 🪟 | link |
hwmodel | Check if the sysctl for the hwmodel does not contain the "Mac" string | 100% | 🍎 | link |
Disk size | Check if disk size is under or equal to 50GB | 60% | 🐧 | link |
RAM and disk size VBox | Check for default RAM and DISK sizes set by VirtualBox | 25% | 🐧🪟 | link |
VBox network | Check for VirtualBox network provider string | 100% | 🪟 | link |
Computer name | Check if the computer name (not username to be clear) is VM-specific | 10% | 🪟 | link |
Wine file | Check wine_get_unix_file_name file for Wine | 100% | 🪟 | link |
Hostname | Check if hostname is specific | 10% | 🪟 | link |
KVM directories | Check for KVM directory "Virtio-Win" | 30% | 🪟 | link |
QEMU directories | Check for QEMU-specific blacklisted directories | 30% | 🪟 | link |
Power capabilities | Check what power states are enabled | 50% | 🪟 | link |
Disk drive ID | Checks for virtual machine signatures in disk drive device identifiers | 100% | 🪟 | link |
VM processes | Check for any VM processes that are active | 15% | 🪟 | link |
User and hostname | Check for default VM username and hostname for Linux | 10% | 🐧 | link |
Gamarue | Check for Gamarue ransomware technique which compares VM-specific Windows product IDs | 10% | 🪟 | link |
Bochs faulty CPU | Check for various Bochs-related emulation oversights through CPU checks | 100% | 🐧🪟🍎 | link |
MSSMBIOS | Check MSSMBIOS registry for VM-specific signatures | 100% | 🪟 | link |
Low memory | Check if memory is too low for a macOS system | 15% | 🍎 | link |
IO kit | Check macOS' IO kit registry for VM-specific strings | 100% | 🍎 | link |
ioreg command | Check for VM strings in ioreg commands for macOS | 100% | 🍎 | link |
System Integrity Protection | Check if System Integrity Protection is disabled (likely a VM if it is) | 40% | 🍎 | link |
HKLM | Check HKLM registries for specific VM strings | 25% | 🪟 | link |
QEMU process | Check for "qemu-ga" process | 10% | 🐧 | link |
VirtualPC backdoor | Check for official VPC method | 75% | 🪟 | link |
sidt instruction | Check for sidt instruction method | 25% | 🪟 | link |
sgdt instruction | Check for sgdt instruction method | 30% | 🪟 | link |
sldt instruction | Check for sldt instruction method | 15% | 🪟 | link |
Offensive Security sidt | Check for Offensive Security SIDT method | 60% | 🪟 | link |
Offensive Security sgdt | Check for Offensive Security SGDT method | 60% | 🪟 | link |
Offensive Security sldt | Check for Offensive Security SLDT method | 20% | 🪟 | link |
VirtualPC sidt | Check for sidt method with VPC's 0xE8XXXXXX range | 15% | 🪟 | link |
VMware iomem | Check for VMware string in /proc/iomem | 65% | 🐧 | link |
VMware ioports | Check for VMware string in /proc/ioports | 70% | 🐧 | link |
VMware scsi | Check for VMware string in /proc/scsi/scsi | 40% | 🐧 | link |
VMware dmesg | Check for VMware-specific device name in dmesg output | 65% | 🐧 | link |
VMware str instruction | Check str assembly instruction method for VMware | 35% | 🪟 | link |
VMware IO port backdoor | Check for official VMware IO port backdoor technique | 100% | 🪟 | link |
VMware memory IO port | Check for VMware memory using IO port backdoor | 85% | 🪟 | link |
smsw instruction | Check for SMSW assembly instruction technique | 30% | 🪟 | link |
Mutex strings | Check for mutex strings of VM brands | 85% | 🪟 | link |
Odd CPU threads | Check for odd CPU threads, usually a sign of modification through VM settings because 99% of CPUs have even numbers of threads | 80% | 🐧🪟🍎 | link |
Intel thread mismatch | Check the Intel CPU thread count database for whether it matches the system's thread count | 95% | 🐧🪟🍎 | link |
Xeon thread mismatch | Same as above, but for Xeon Intel CPUs | 95% | 🐧🪟🍎 | link |
Nettitude VM memory | Check for memory regions to detect VM-specific brands | 100% | 🪟 | link |
Cuckoo directory | Check for Cuckoo directory using CRT and Win API directory functions | 30% | 🪟 | link |
Cuckoo pipe | Check for Cuckoo-specific piping mechanism | 30% | 🪟 | link |
Hyper-V hostname | Check for default Azure hostname format regex (Azure uses Hyper-V as their base VM brand) | 30% | 🐧🪟 | link |
General hostname | Check for commonly set hostnames by certain VM brands | 10% | 🐧🪟 | link |
Screen resolution | Check for pre-set screen resolutions commonly found in VMs | 20% | 🪟 | link |
Device string | Check if bogus device string would be accepted | 25% | 🪟 | link |
BlueStacks folders | Check for the presence of BlueStacks-specific folders | 5% | 🐧 | link |
CPUID signature | Check for signatures in leaf 0x40000001 in CPUID | 95% | 🐧🪟🍎 | link |
KVM bitmask | Check for KVM CPUID bitmask range for reserved values | 40% | 🐧🪟🍎 | link |
Intel KGT signature | Check for Intel KGT (Trusty branch) hypervisor signature in CPUID | 80% | 🐧🪟🍎 | link |
QEMU DMI | Check for presence of QEMU in the /sys/devices/virtual/dmi/id directory | 40% | 🐧 | link |
QEMU USB | Check for presence of QEMU in the /sys/kernel/debug/usb/devices directory | 20% | 🐧 | link |
Hypervisor directory | Check for presence of any files in /sys/hypervisor directory | 20% | 🐧 | link |
User Mode Linux CPU | Check for the "UML" string in the CPU brand | 80% | 🐧 | link |
kmsg logs | Check for any indications of hypervisors in the kernel message logs | 5% | 🐧 | link |
Xen VM processes | Check for a Xen VM process | 10% | 🐧 | link |
VBox kernel module | Check for a VBox kernel module | 15% | 🐧 | link |
sysinfo process | Check for potential VM info in /proc/sysinfo | 15% | 🐧 | link |
Device tree | Check for specific files in /proc/device-tree directory | 20% | 🐧 | link |
DMI scan | Check for string matches of VM brands in the Linux DMI | 50% | 🐧 | link |
SMBIOS VM bit | Check for the VM bit in the SMBIOS data | 50% | 🐧 | link |
Podman file | Check for podman file in /run/ | 5% | 🐧 | link |
WSL process | Check for WSL or Microsoft indications in /proc/ subdirectories | 30% | 🐧 | link |
ANY.RUN driver | Check for any.run driver presence | 65% | 🪟 | link |
ANY.RUN directory | Check for any.run directory and handle the status code | 35% | 🪟 | link |
Driver names | Check for VM-specific names for drivers | 100% | 🪟 | link |
sidt base | Check for unknown IDT base address | 100% | 🪟 | link |
HDD serial | Check for serial numbers of virtual disks | 100% | 🪟 | link |
Port connections | Check for physical connection ports | 25% | 🪟 | link |
GPU capabilities | Check for GPU capabilities related to VMs | 100% | 🪟 | link |
GPU VM strings | Check for specific GPU string signatures related to VMs | 100% | 🪟 | link |
VM devices | Check for VM-specific devices | 45% | 🪟 | link |
IDT and GDT scan | Check if the IDT and GDT virtual base addresses are equal across different CPU cores when not running under Hyper-V | 50% | 🪟 | link |
Processor count | Check for number of processors | 50% | 🪟 | link |
Core count | Check for number of cores | 50% | 🪟 | link |
ACPI temperature | Check for device's temperature | 25% | 🪟 | link |
Processor ID | Check if any processor has an empty Processor ID using SMBIOS data | 25% | 🪟 | link |
QEMU /sys/ | Check for existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware | 70% | 🐧 | link |
lshw QEMU | Check for QEMU string instances with lshw command | 80% | 🐧 | link |
Virtual processors | Check if the number of virtual and logical processors are reported correctly by the system | 50% | 🪟 | link |
Hyper-V query | Check if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure | 100% | 🪟 | link |
VM memory pools | Check for system pools allocated by hypervisors | 80% | 🪟 | link |
AMD SEV | Check for AMD-SEV MSR running on the system | 50% | 🐧🍎 | link |
AMD thread count mismatch | Check the AMD CPU thread count database for whether it matches the system's thread count | 95% | 🐧🪟🍎 | link |
Native VHD | Check for OS being booted from a VHD container | 100% | 🪟 | link |
Virtual registry | Check for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | 65% | 🪟 | link |
Firmware signatures | Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid | 75% | 🪟🐧 | link |
File access history | Check if the number of accessed files is too low for a human-managed environment | 15% | 🐧 | link |
Audio device | Check if audio device is present | 25% | 🪟 | link |
Unrecognised physical x86 CPU manufacturer | Check if the CPU manufacturer is not known | 50% | 🐧🪟🍎 | link |
OSXSAVE | Check if running xgetbv on the XCR0 extended feature register triggers an exception | 50% | 🪟 | link |
nsjail PID | Check if process status matches nsjail patterns with PID anomalies | 75% | 🐧 | link |
PCIe bridge name | Check PCIe bridge names for known VM keywords and brands | 100% | 🐧 | link |
Contributions are welcome! Please read the contribution guidelines first.