A curated list of resources related to anti-virtualization techniques containing references to books, papers, blog posts, and other written resources.
Anti-virtualization techniques are used to detect and evade virtualized environments. These techniques are used by malware authors, anti-cheats and proprietary software among others to avoid detection by security researchers and analysts.
We generally divide anti-virtualization techniques (also called anti-VM or redpills) into 4 categories:
- Timing-based: These techniques rely on the fact that virtualized environments have different timing characteristics than physical machines.
- Behavior-based: These techniques rely on the fact that virtualized environments have different behaviors than physical machines.
- Signature-based: These techniques rely on the fact that virtualized environments have different signatures than physical machines.
- Based on a trusted third party: These techniques rely on a trusted third party (remote or local) that can be used to detect the virtualized environment.
These techniques are called redpills because, like the red pill in the movie "The Matrix" that wakes the protagonist from the virtual world, they reveal that the environment is virtualized.
The red pill is a special case of the related "trusted computing" and attestation concepts (Zaidenberg et al. 2015d). In trusted computing attestation, a remote third party or even local software tries to ensure the integrity of the local machine in terms of software (mainly) and hardware (sometimes).
- 📚 Literature: everything written about anti-virtualization techniques
  - Documentation (blogs, manuals, specifications, etc.)
  - Scientific Research
  - Media (videos, podcasts, etc.)
- 🔧 Tools: tools to detect and evade virtualized environments
- 🧩 Techniques: a list of anti-virtualization techniques
- About evasion techniques - Check Point Research : A collection of evasion techniques used by malware to avoid detection.
- Detecting Hypervisor-assisted Hooking - Maurice Heumann, see also Github Project EPT Hook Detection
- Evading ACPI checks in commercial virtualization platforms - Nick Peterson
- How anti-cheats detect system emulation - secret.club
- Detecting Hypervisor Presence on Windows 10 - Nick Peterson
- 7 Ways to Detect Virtualization from your VM [Xen,VirtualBox,KVM,OpenStack with KVM] - techglimpse.com
- Playing with GuLoader Anti-VM techniques - outpost24.com
- Detecting VMware by reading an invalid MSR - drew
- Defeating malware's Anti-VM techniques (CPUID-Based Instructions) - Sina Karvandi
- Deploy Hidden Virtual Machine For VMProtections Evasion And Dynamic Analysis - r0ttenbeef
The following papers are sorted by publication date (newest first):
- Detection of Virtual Machines Based on Thread Scheduling (July 2021)
- Hypervisor-assisted dynamic malware analysis (June 2021)
- DBI, debuggers, VM: gotta catch them all: How to escape or fool debuggers with internal architecture CPU flaws? (June 2021)
- Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks (March 2021)
- Creating Modern Blue Pills and Red Pills (July 2019)
- Rethinking anti-emulation techniques for large-scale software deployment (June 2019)
- New attack technique based on Meltdown. Using speculative instructions to detect virtualization (May 2018)
- A Study of I/O Performance of Virtual Machines (June 2017)
- Detecting Hardware-Assisted Virtualization (July 2016)
- Virtual Machines Detection Methods Using IP Timestamps Pattern Characteristic (February 2016)
- Two challenges of stealthy hypervisors detection: time cheating and data fluctuations (2015)
- New Methods for Detecting Malware Infections and New Attacks against Hardware Virtualization (2015)
- Hyperprobe: Towards Virtual Machine Extrospection (2015), see also Presentation Video
- An assessment of virtual machine assails (January 2015)
- Cardinal Pill Testing of System Virtual Machines (August 2014)
- An analysis of hardware-assisted virtual machine based rootkits (June 2014)
- VMDE: Virtual Machines Detection Enhanced (November 2013)
- Anti-virtual machines and emulations (June 2012)
- Virtualization Security: Virtual Machine Monitoring and Introspection (2011)
- Malware Virtualization-Resistant Behavior Detection (December 2011)
- On the Impossibility of Detecting Virtual Machine Monitors (2009)
- Detecting the Presence of Virtual Machines Using the Local Data Table (2009)
- Stealth sandbox analysis of malware (August 2009)
- Attacks on More Virtual Machine Emulators (2007), see associated slides
- Attacks on Virtual Machine Emulators (2007), see associated slides
- Detecting System Emulators (October 2007)
- On the Cutting Edge: Thwarting Virtual Machine Detection (2006)
- Methods for Virtual Machine Detection (June 2006)
- LISA15 - Hyperprobe: Towards Virtual Machine Extrospection
- Don't Tell Joanna, The Virtualized Rootkit Is Dead, see associated slides
Tools are divided into their respective categories (by default, all tools are in user-mode):
| Icon | Description |
|---|---|
| 🐧 | Linux |
| 🪟 | Windows |
| 🍏 | macOS |
| 💽 | raw / no OS / UEFI |
| 🚀 | kernel-mode |
Start of the list:
- 🐧🪟🍏 | VMAware : Easy-to-use cross-platform C++ VM detection library and tool
- 🐧 | Hypervisor-Phantom : Advanced malware analysis tool for evading detection from advanced malware.
- 🪟 | Pafish : testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do.
- 🪟 | VMDE : Virtual Machines Detection Enhanced, source from VMDE paper, adapted to 2015.
- 🪟 | Hypervision-Detection : Detects virtual machines and malware analysis environments
- 🪟 | Al-khaser : al-khaser is a PoC "malware" application with good intentions that aims to stress your anti-malware system. It performs a bunch of common malware tricks with the goal of seeing if you stay under the radar.
- 💽🪟 | illusion-rs : Rusty Hypervisor - Windows UEFI Blue Pill Type-1 Hypervisor in Rust (Codename: Illusion)
  - specifically see the Hypervisor detection section
- 🚀🪟 | hyperdetect.cc: C++ code snippet that checks for a “lazy” hypervisor running in kernel-mode
- 🪟 | antivmdetection : Script to create templates to use with VirtualBox to make vm detection harder
- 🪟 | InviZzzible : InviZzzible is a tool for assessment of your virtual environments in an easy and reliable way. It contains the most recent and up to date detection and evasion techniques as well as fixes for them.
- 🪟 | Anti-VM : C++ Windows-based implementation of several anti-vm techniques used in malware development.
- 🐧 | apate : Apate performs anti-debugging, anti-VM and anti-sandbox tests, to see if your linux system is able to stay under the radar.
- 🐧 | inside-vm : Detect if code is running inside a virtual machine (x86 and x86-64 only).
- 🪟 | EPT Hook Detection
- 🪟 | PyDefender : Anti Virtualization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Python.
- 🪟 | GoDefender : Anti Virtualization, Anti Debugging, AntiVM, Anti Virtual Machine, Anti Debug, Anti Sandboxie, Anti Sandbox, VM Detect package for Go. Windows ONLY.
- 🐧🪟 | Metasploit : Open-source penetration testing framework that includes virtual machine detection modules
- 🐧 | systemd-detect-virt (man page) : systemd-detect-virt detects execution in a virtualized environment. It identifies the virtualization technology and can distinguish full machine virtualization from container virtualization. systemd-detect-virt exits with a return value of 0 (success) if a virtualization technology is detected, and non-zero (error) otherwise. See also the systemd source code in systemd/src/basic/virt.c
Coming soon
Contributions are welcome! Please read the contribution guidelines first.