2.5.0 Release 🎉

@NotRequiem NotRequiem released this 09 Sep 01:21
· 248 commits to main since this release
0c916f1

  • Added UTM (macOS VM) brand

  • Removed Hypervisor-Phantom brand (detected with generic checks)

  • Added:

    • VM::BOOT_LOGO (Check the boot logo for known VM images)
    • VM::BOOT (Check to identify boot managers used in virtual machines)
    • VM::NVRAM (Check to counter firmware passthrough, specifically SSDT and SMBIOS)
    • VM::OBJECTS (Check to counter VM::TRAP bypasses by using KVM + Hyper-V)
    • VM::MAC_SYS (Check for VM strings in system profiler commands on macOS)
    • VM::ACPI_SIGNATURE (Check for exposed device location paths in the DSDT, for QEMU and Hyper-V)
    • VM::SMBIOS_PASSTHROUGH (Check for malformed/corrupted SMBIOS)
  • Fixed:

    • Fixed ARM compilation issues
    • Fixed possible false flag when probing VMware's Virtual Machine Communication Interface
    • Fixed possible false flag when attempting to detect Hyper-V's VMBUS
    • Fixed detection for QEMU's Hyper-V enlightenments
  • Improved:

    • VM::INTEL_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::XEON_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::AMD_THREAD_MISMATCH - Updated CPU database and token matching
    • VM::TIMER:
      • New threshold ratios adjusted empirically with runs on more than 10,000 machines
      • New split-lock detection
      • New QPC algorithm that evicts hypervisors by avoiding a userland-triggered context switch
      • New checks for nested virtualization
      • New checks for detecting the current CPU speed
      • New check capable of beating most public RDTSC patches
    • VM::VBOX_DEFAULT - Updated to cover all VirtualBox defaults in all architectures
    • VM::SIDT - Code safety improvements
    • VM::HYPERV_HOSTNAME - Updated to detect Azure's latest Hyper-V change
    • VM::FIRMWARE:
      • Fixed DSDT, RSMB and FIRM fetching
      • Compile-time byte-swap computation
      • Faster raw binary search
      • Improved KVM ACPI Device() signature check and moved it to VM::ACPI_SIGNATURE
      • Removed power/adapter object checks due to false flags
      • Removed SSDT revision checks due to false flags
      • Removed _OSI parameter checks due to false flags on the latest Surface Pro devices
      • Removed DSDT revision checks (pre-experimental) due to false flags on Lenovo and Acer devices such as the 82GN and SP111-34N, and 100+ others
      • Removed thermal zone and PTS checks (pre-experimental) due to false flags on devices such as the Toshiba Satellite Pro R40-C and 100+ others
      • Removed FACP revision checks
      • Added FACP integrity checks
      • Added HPET presence checks when not running on ARM devices with virtual CPUs
      • Added C2 and C3 latency checks
    • VM::PCI_DEVICES - Improved performance, improved detections on Hyper-V, debug output will now be in hexadecimal
    • VM::REGISTRY_KEYS - Improved performance, improved detections for VirtualBox and Hyper-V, fixed false flags on Wine
    • VM::POWER_CAPABILITIES - Better checks to detect commonly unsupported states on VMs
    • VM::REGISTRY_VALUES - Improved performance
    • VM::SGDT - Code safety improvements
    • VM::SLDT - Code safety improvements
    • VM::DISPLAY - Added display path, BPP and DPI checks
    • VM::DISK_SERIAL - Added generic checks for non-physical drives, improved performance
    • VM::IVSHMEM - Dramatically improved performance
    • VM::VIRTUAL_PROCESSORS - Improved code simplicity and performance
    • VM::VIRTUAL_REGISTRY - Improved performance
    • VM::TPM - Made it compatible with ARM devices with TPMs manufactured by Microsoft
    • VM::DBVM - Reduced memory fragmentation. Fixed an issue where an exception would be handled as an EXCEPTION_ACCESS_VIOLATION_READ rather than an EXCEPTION_ILLEGAL_INSTRUCTION
    • VM::DMESG - Code safety improvements
    • VM::NSJAIL_PID - Improved error handling and made process id fetching safer
    • VM::THREAD_COUNT - Cached thread count number to improve performance
    • VM::MAC_IOKIT - Additional keyboard checks
    • VM::MAC_SIP - New generic checks for hypervisor presence, focused on detecting UTM and kern.hv_vmm_present

  • Other improvements:

    • New checks to detect whether the environment is hardened against VM detection techniques or not
    • New --json and --output commands in the CLI
    • New custom GetProcAddress implementation for better performance and stealthiness
    • New execution speed info when running with --verbose
    • The CLI console is no longer closed automatically upon program termination
    • Improved binary translation checks on ARM
    • Improved conclusion messages and CLI output
    • Improved library core, overall performance and memory safety
    • Improved Windows version detection
    • Improved disk size and RAM size retrieval, using different APIs
    • Improved CPU fetching for AMD A series
    • Lowered detection scores of registry, GPU and power-capabilities techniques, increased VM::TIMER score
    • Deprecated --no-memo argument in the CLI
    • Type changes to WSL and Intel HAXM
    • Made hyper-x debug messages clearer
    • Better checks and reporting when the program is not running with enough privileges to run some techniques
    • On Windows, disk size checks now target the drive where the OS is installed rather than always querying C:
  • Removed:

    • VM::DISK_SIZE - Not a reliable proof of virtualization
    • VM::LOGICAL_PROCESSORS - Now handled by our thread databases
    • VM::PHYSICAL_PROCESSORS - Now handled by our thread databases
    • VM::ODD_THREADS - Now handled by our thread databases
    • VM::QEMU_PASSTHROUGH - Improved and renamed to VM::ACPI_SIGNATURE
    • VM::VBOX_NETWORK - Merged into VM::REGISTRY_KEYS

VirusTotal results and executables

https://www.virustotal.com/gui/file/48c30fd4dfd05b48512364e21104ccf34ab558a0838b956bc284690999b9d722

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries, on the other hand, were generated with the CMake file in the root directory of the repository.

Extra

For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com