
Linux and Windows VMs evasion fully written in Go


PreResearch-Labs/VM-Detection

 
 


VM Detection

This project is a Go implementation of well-known techniques for detecting whether a program is running inside a virtual machine. There are many C programs that already do this, but none written in pure Go.

See this paper for more details.

Usage

First, download the package:

$ go get github.com/ShellCode33/VM-Detection/vmdetect

Then see main.go to use it in your own project.

This project is compatible with both Linux and Windows. You can cross-compile it with the following commands:

$ GOOS=windows go build main.go
$ file main.exe

Common techniques

  • Look for known MAC address prefixes
  • Look for known interface names
  • Look at CPU features using the cpuid instruction (cpuid)
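
The MAC address prefix check listed above, as an added example that is not taken from this project's code. It is useful for auditing which hypervisor artifacts an analysis VM exposes on its network interfaces. The prefix table and the names `VendorForMAC` and `AuditMACs` are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Assumed table: widely published vendor-default OUIs, not the project's list.
var vmOUIs = map[[3]byte]string{
	{0x00, 0x05, 0x69}: "VMware",
	{0x00, 0x0c, 0x29}: "VMware",
	{0x00, 0x50, 0x56}: "VMware",
	{0x08, 0x00, 0x27}: "VirtualBox",
	{0x00, 0x15, 0x5d}: "Hyper-V",
	{0x00, 0x16, 0x3e}: "Xen",
	{0x52, 0x54, 0x00}: "QEMU/KVM",
}

// VendorForMAC returns the hypervisor vendor whose OUI matches mac, or "".
func VendorForMAC(mac net.HardwareAddr) string {
	if len(mac) < 3 { // loopback and tunnel interfaces have no MAC
		return ""
	}
	return vmOUIs[[3]byte{mac[0], mac[1], mac[2]}]
}

// AuditMACs returns, keyed by normalized address, the MACs with a hypervisor OUI.
func AuditMACs(addrs []string) (map[string]string, error) {
	hits := make(map[string]string)
	for _, a := range addrs {
		mac, err := net.ParseMAC(a)
		if err != nil {
			return nil, fmt.Errorf("parse %q: %w", a, err)
		}
		if v := VendorForMAC(mac); v != "" {
			hits[mac.String()] = v
		}
	}
	return hits, nil
}

func main() {
	ifaces, _ := net.Interfaces() // nil slice on error, so the loop is skipped
	for _, ifc := range ifaces {
		if v := VendorForMAC(ifc.HardwareAddr); v != "" {
			fmt.Printf("%s %s: %s OUI\n", ifc.Name, ifc.HardwareAddr, v)
		}
	}
}
```

A match only shows that the interface uses a vendor-default prefix; a guest whose MAC address has been overridden in the hypervisor configuration produces no hit.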

GNU/Linux techniques

  • Look for known strings in the DMI table /sys/class/dmi/id/*
  • Look for hints in the kernel ring buffer /dev/kmsg
  • Look for known LKM - Loadable Kernel Modules - /proc/modules
  • Check existence of known files

Windows techniques

  • Check existence of known registry keys
  • Look for known strings in some registry key's content
  • Check existence of known files

Credits

Thanks to @hippwn for their contribution

Thanks to systemd for being that awesome.

Thanks to CheckPoint's researchers for their wonderful website
