Skip to content

ShellCode33/VM-Detection

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

41 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

VM Detection

Go Reference GoReportCard

This project is a Go implementation of well-known techniques trying to detect if the program is being run in a virtual machine. There are many C programs already doing this, but none written in pure Go.

See this paper for more details.

Usage

First download the package

$ go get github.com/ShellCode33/VM-Detection/vmdetect

Then see main.go to use it in your own project.

This project is compatible for both Linux and Windows, you can use the following command to cross-compile it :

$ GOOS=windows go build main.go
$ file main.exe

Common techniques

  • Look for known mac address prefix
  • Look for known interface names
  • Look at CPU features using cpuid instruction (cpuid)

GNU/Linux techniques

  • Look for known strings in the DMI table /sys/class/dmi/id/*
  • Look for hints in the kernel ring buffer /dev/kmsg
  • Look for known LKM - Loadable Kernel Modules - /proc/modules
  • Check existence of known files

Windows techniques

  • Check existence of known registry keys
  • Look for known strings in some registry key's content
  • Check existence of known files

Credits

Thanks to @hippwn for its contribution

Thanks systemd for being that awesome.

Thanks to CheckPoint's researchers for their wonderful website