{"id":41769792,"url":"https://github.com/kernelwernel/vmaware","last_synced_at":"2026-01-25T03:01:15.071Z","repository":{"id":194521001,"uuid":"682289450","full_name":"kernelwernel/VMAware","owner":"kernelwernel","description":"Advanced VM detection library and tool","archived":false,"fork":false,"pushed_at":"2026-01-15T08:24:32.000Z","size":25379,"stargazers_count":988,"open_issues_count":0,"forks_count":104,"subscribers_count":19,"default_branch":"main","last_synced_at":"2026-01-15T14:50:48.862Z","etag":null,"topics":["anti","anticheat","bochs","cpp","detect","detection","hyperv","hypervisor","hypervisor-detection","introspection","kvm","library","machine","qemu","vbox","virtual","virtualbox","vm","vm-detection","vmware"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/kernelwernel.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"kernelwernel","patreon":null,"open_collective":null,"ko_fi":null,"tidelift":null,"community_bridge":null,"liberapay":null,"issuehunt":null,"lfx_crowdfunding":null,"polar":null,"buy_me_a_coffee":null,"thanks_dev":null,"custom":null}},"created_at":"2023-08-23T21:16:10.000Z","updated_at":"2026-01-15T11:23:04.000Z","dependencies_parsed_at":"2023-12-29T09:25:36.474Z","dependency_job_id":"9730c03c-9037-4199-a0d7-53c173c7ae82","html_url":"https://github.com/kernelwernel/VMAware","commit_stats":null,"previous_names"
:["kernelwernel/vmaware"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/kernelwernel/VMAware","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelwernel%2FVMAware","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelwernel%2FVMAware/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelwernel%2FVMAware/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelwernel%2FVMAware/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/kernelwernel","download_url":"https://codeload.github.com/kernelwernel/VMAware/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/kernelwernel%2FVMAware/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28742973,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-25T02:46:29.005Z","status":"ssl_error","status_checked_at":"2026-01-25T02:44:29.968Z","response_time":113,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anti","anticheat","bochs","cpp","detect","detection","hyperv","hypervisor","hypervisor-detection","introspection","kvm","library","machine","qemu","vbox","virtual","virtualbox","vm","vm-detection","vmware"],"created_at":"2026-01-25T03:00:38.854Z","updated_at":"2026-01-25T03:01:15.063Z","avatar_url":"https://github.com/kernelwernel.png","language":"C++","readme":"\u003cp align=\"center\"\u003e\n   \u003cimg src=\"assets/banner.jpg\" align=\"center\" width=\"500\" title=\"VMAware\"\u003e\n   \u003cbr\u003e\n   \u003cimg align=\"center\" src=\"https://img.shields.io/github/actions/workflow/status/kernelwernel/VMAware/cmake-multi-platform.yml\"\u003e\n   \u003cimg align=\"center\" src=\"https://img.shields.io/github/downloads/kernelwernel/VMAware/total\"\u003e\n   \u003cimg align=\"center\" src=\"https://img.shields.io/badge/License-MIT-yellow.svg\"\u003e\n   \u003ca href=\"https://deepwiki.com/kernelwernel/VMAware\"\u003e\u003cimg align=\"center\" src=\"https://deepwiki.com/badge.svg\" alt=\"Ask DeepWiki\"\u003e\u003c/a\u003e\n   \u003ca href=\"https://github.com/kernelwernel/VMAware/actions/workflows/code_ql_analysis.yml\"\u003e\n     \u003cimg align=\"center\" src=\"https://github.com/kernelwernel/VMAware/actions/workflows/code_ql_analysis.yml/badge.svg\" alt=\"CodeQL Analysis\"\u003e\n   \u003c/a\u003e\n\n   \u003cdiv align=\"center\"\u003e\n      \u003cb\u003eVMAware\u003c/b\u003e (VM + Aware) is a cross-platform C++ library for virtual machine detection.\n      \u003cbr\u003e\n      
\u003cbr\u003e\n      \u003ca href=\"README_CN.md\"\u003e中文 🇨🇳\u003c/a\u003e | \u003ca href=\"README_FR.md\"\u003eFrançais 🇫🇷\u003c/a\u003e | \u003ca href=\"README_KR.md\"\u003e한국어 🇰🇷\u003c/a\u003e\n   \u003c/div\u003e\n\u003c/p\u003e\n\n- - -\n\nThe library is:\n- Very easy to use\n- Cross-platform (Windows + macOS + Linux)\n- Features around 100 unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]\n- Features the most cutting-edge techniques\n- Able to detect over 70 VM brands including VMware, VirtualBox, QEMU, Hyper-V, and many more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]\n- Able to beat VM hardeners\n- Compatible with x86 and ARM, with backwards compatibility for 32-bit systems\n- Very flexible, with total fine-grained control over which techniques get executed\n- Able to detect various VM and semi-VM technologies like hypervisors, emulators, containers, sandboxes, and so on\n- Available with C++11 and above\n- Header-only\n- Free of any external dependencies\n- Memoized, meaning past results are cached and retrieved when run again, for performance benefits\n- Fully MIT-licensed, allowing unrestricted use and distribution\n\n\u003cbr\u003e\n\n\u003e [!NOTE]\n\u003e We are looking for translators willing to translate this README into their native language if it isn't included. If you'd like to contribute, feel free to give us a PR! 
\n\n\n## Example 🧪\n```cpp\n#include \"vmaware.hpp\"\n#include \u003ciostream\u003e\n\nint main() {\n    if (VM::detect()) {\n        std::cout \u003c\u003c \"Virtual machine detected!\" \u003c\u003c \"\\n\";\n    } else {\n        std::cout \u003c\u003c \"Running on baremetal\" \u003c\u003c \"\\n\";\n    }\n\n    std::cout \u003c\u003c \"VM name: \" \u003c\u003c VM::brand() \u003c\u003c \"\\n\";\n    std::cout \u003c\u003c \"VM type: \" \u003c\u003c VM::type() \u003c\u003c \"\\n\";\n    std::cout \u003c\u003c \"VM certainty: \" \u003c\u003c (int)VM::percentage() \u003c\u003c \"%\" \u003c\u003c \"\\n\";\n    std::cout \u003c\u003c \"VM hardening: \" \u003c\u003c (VM::is_hardened() ? \"likely\" : \"not found\") \u003c\u003c \"\\n\";\n}\n```\n\npossible output:\n```\nVirtual machine detected!\nVM name: VirtualBox\nVM type: Hypervisor (type 2)\nVM certainty: 100%\nVM hardening: not found\n```\n\n\u003cbr\u003e\n\n## Structure ⚙️\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"assets/vmaware.png\" align=\"center\" title=\"VMAware\"\u003e\n\u003cbr\u003e\n\u003c/p\u003e\n\n\u003cbr\u003e\n\n## CLI tool 🔧\nThis project also provides a handy CLI tool utilising the full potential of what the library can do. It also has cross-platform support.\n\nBelow is an example of a basic QEMU system with no hardening modifications on Linux.\n\n\u003cimg src=\"assets/demo.png\" title=\"cli\"\u003e\n\n\u003c!-- Try it out on [Compiler Explorer](https://godbolt.org/z/4sKa1sqrW)!--\u003e\n\n\u003cbr\u003e\n\n## Installation 📥\nTo install the library, download the `vmaware.hpp` file in the latest [release section](https://github.com/kernelwernel/VMAware/releases/latest) to your project. The binaries are also located there. 
No CMake or shared object linkages are necessary, it's literally that simple.\n\nHowever, if you want the full project (globally accessible headers with \u003cvmaware.hpp\u003e and the CLI tool), follow these commands:\n```bash\ngit clone https://github.com/kernelwernel/VMAware \ncd VMAware\n```\n\n### FOR LINUX:\n```bash\nsudo dnf/apt/yum update -y # change this to whatever your distro is\nmkdir build\ncd build\ncmake ..\nsudo make install\n```\n\n### FOR MACOS:\n```bash\nmkdir build\ncd build\ncmake ..\nsudo make install\n```\n\n### FOR WINDOWS:\n```bash\ncmake -S . -B build/ -G \"Visual Studio 16 2019\"\n```\n\nOptionally, you can create a debug build by appending `-DCMAKE_BUILD_TYPE=Debug` to the cmake arguments.\n\n\u003cbr\u003e\n\n### CMake installation\n```cmake\n# edit this\nset(DIRECTORY \"/path/to/your/directory/\")\n\nset(DESTINATION \"${DIRECTORY}vmaware.hpp\")\n\nif (NOT EXISTS ${DESTINATION})\n    message(STATUS \"Downloading VMAware\")\n    set(URL \"https://github.com/kernelwernel/VMAware/releases/latest/download/vmaware.hpp\")\n    file(DOWNLOAD ${URL} ${DESTINATION} SHOW_PROGRESS)\nelse()\n    message(STATUS \"VMAware already downloaded, skipping\")\nendif()\n```\n\nThe module file and function version is located [here](auxiliary/vmaware_download.cmake)\n\n\n\u003cbr\u003e\n\n## Documentation and code overview 📒\nYou can view the full docs [here](docs/documentation.md). All the details such as functions, techniques, settings, and examples are provided. Trust me, it's not too intimidating ;)\n\nIf you want to learn about the architecture and design of the library, head over to https://deepwiki.com/kernelwernel/VMAware\n\n\u003cbr\u003e\n\n## Q\u0026A ❓\n\n\u003cdetails\u003e\n\u003csummary\u003eHow does it work?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. 
Each technique is given a score (0-100) based on objective criteria focused on detecting the stealthiest VMs while minimizing false positives as much as possible. The score of every technique that has detected a VM is added to a single cumulative total, and a threshold on that total decides whether the program is actually running in a VM.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWho is this library for and what are the use cases?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e It's designed for security researchers, VM engineers, anticheat developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. The library is useful for malware analysts testing the concealment of their VMs and for proprietary software developers aiming to protect their applications from reverse engineering. It's an effective tool to benchmark how well a VM can hide itself from detection.\n\u003e \n\u003e Additionally, software could adjust its behaviour based on the detected environment. It could be useful for debugging and testing purposes, while system administrators could manage configurations differently. 
Finally, some applications might want to legally restrict usage in VMs as a license clause to prevent unauthorized distribution or testing.\n\u003e\n\u003e There are also projects that utilise our tool such as [Hypervisor-Phantom](https://github.com/Scrut1ny/Hypervisor-Phantom), an advanced malware analysis project whose hypervisor environment and undetectability we helped strengthen.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWhy another VM detection project?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e There are already plenty of projects that have the same goal, such as \n\u003ca href=\"https://github.com/CheckPointSW/InviZzzible\"\u003eInviZzzible\u003c/a\u003e, \u003ca href=\"https://github.com/a0rtega/pafish\"\u003epafish\u003c/a\u003e and \u003ca href=\"https://github.com/LordNoteworthy/al-khaser\"\u003eAl-Khaser\u003c/a\u003e. But the difference from the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios, and they don't provide enough VM detection techniques. An additional hurdle is that they are all GPL projects, so using them for proprietary projects (which would be the main audience for such functionality) is out of the question. \n\u003e\n\u003e Pafish and InviZzzible have been abandoned for years. Although Al-Khaser does receive occasional updates and has a wide scope of detections that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems.\n\u003e \n\u003e While those projects have been useful to VMAware to some extent, we wanted to make them far better. 
Our goal was to make the detection techniques accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.\n\n\u003c/details\u003e\n\n\u003c!--\n\u003cdetails\u003e\n\u003csummary\u003eHow does it compare to paid VM detection libraries?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e There are several paid software solutions available for protecting software licenses from reverse engineering or cracking, such as \u003ca href=\"https://docs.sentinel.thalesgroup.com/home.htm\"\u003eThales' Sentinel RMS\u003c/a\u003e and \u003ca href=\"https://vmpsoft.com/\"\u003eVMProtect\u003c/a\u003e. These tools include VM detection as part of their feature set, though their primary focus is not necessarily VM detection unlike this project.\n\u003c/details\u003e\n--\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWouldn't having the project open source make it inferior?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, we'd argue that's a worthy tradeoff for having as many VM detection techniques as possible in an open and interactive manner rather than trying to obfuscate. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide that it's a VM. \n\u003e \n\u003e All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source. 
This is what made the project the best VM detection framework out there, and bypassing it has shown to be an immense challenge due to the sheer number of sophisticated and never-before-seen techniques we employ that other VM detectors don't use whether open or closed source (to our knowledge).\n\u003e\n\u003e In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation. It's the same reason why OpenSSH, OpenSSL, the Linux kernel, and other security-based software projects are relatively secure because of how there's more people helping to make it better compared to people trying to probe the source code with malicious intent. VMAware has this philosophy, and if you know anything about security, you should be familiar with the phrase: \"Security through obfuscation is NOT security\".\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eHow effective are VM hardeners against the lib?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e Publicly known hardeners are not effective and most of them on Windows have been beaten, but this doesn't mean that the lib is immune to them. 
Custom hardeners that we may not be aware of might have a theoretical advantage, but they are substantially more difficult to produce.\n\n\u003c/details\u003e\n\n\n\u003cdetails\u003e\n\u003csummary\u003eHow is it developed?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e Based on online research (ranging from science papers to things like private game hacking forums and discord servers), we try to identify the methods currently used to hide VMs and investigate generic detections capable of detecting them, while constantly tracking their activity to ensure we stay one step ahead.\n\u003e\n\u003e Once we have developed production-level code, we upload it to the dev branch to start testing it in real environments, where products using our library on hundreds or even thousands of devices run our detection algorithms and silently alert us if a VM has been detected, to be later manually verified for false positives.\n\u003e \n\u003e If we believe that false positives have been corrected based on experimental tests and online evidence in public documentation and databases, we merge the changes to the main branch, assigning the new detections a score, taking into account their effectiveness, reliability, and their operation in conjunction with the rest of the techniques.\n\u003e\n\u003e Other situations (such as false flags, compilation errors, possible vulnerabilities, etc.) are immediately merged into the main branch.\n\u003e\n\u003e Once the library has undergone sufficient modifications compared to previous versions, we place the library in the releases section, explaining these changes in detail.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eWhat about using this for malware?\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyways and nothing is obfuscated to begin with. 
\n\u003e\n\u003e We do not intentionally develop the library to try to stop or avoid EDR flags, such as using direct/indirect syscalling, inline hooking detection, and any other kind of malware evasion technique not related to hypervisor detection.\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eI have linker errors when compiling\u003c/summary\u003e\n\u003cbr\u003e\n\n\u003e If you're compiling with gcc or clang, add the \u003ccode\u003e-lm\u003c/code\u003e and \u003ccode\u003e-lstdc++\u003c/code\u003e flags, or use g++/clang++ compilers instead. If you're receiving linker errors from a brand new VM environment on Linux, update your system with `sudo apt/dnf/yum update -y` to install the necessary C++ components.\n\n\u003c/details\u003e\n\n\u003cbr\u003e\n\n## Issues, discussions, pull requests, and inquiries 📬\nIf you have any suggestions, ideas, or any sort of contribution, feel free to ask! I'll be more than happy to discuss either in the [issue](https://github.com/kernelwernel/VMAware/issues) or [discussion](https://github.com/kernelwernel/VMAware/discussions) sections. If you want to personally ask something in private, my discord is `kr.nl`.\n\nFor email inquiries: `jeanruyv@gmail.com`\n\nAnd if you found this project useful, a star would be appreciated :)\n\n\u003cbr\u003e\n\n## Credits, contributors, and acknowledgements ✒️\n- [kernelwernel](https://github.com/kernelwernel) (Maintainer and developer)\n- [Requiem](https://github.com/NotRequiem) (Maintainer and co-developer)\n- [Check Point Research](https://research.checkpoint.com/)\n- [Unprotect Project](https://unprotect.it/)\n- [Al-Khaser](https://github.com/LordNoteworthy/al-khaser)\n- [pafish](https://github.com/a0rtega/pafish)\n- [Matteo Malvica](https://www.matteomalvica.com)\n- N. 
Rin, EP_X0FF\n- [Peter Ferrie, Symantec](https://github.com/peterferrie)\n- [Graham Sutherland, LRQA Nettitude](https://www.nettitude.com/uk/)\n- [Alex](https://github.com/greenozon)\n- [Marek Knápek](https://github.com/MarekKnapek)\n- [Vladyslav Miachkov](https://github.com/fameowner99)\n- [(Offensive Security) Danny Quist](chamuco@gmail.com)\n- [(Offensive Security) Val Smith](mvalsmith@metasploit.com)\n- Tom Liston + Ed Skoudis\n- [Tobias Klein](https://www.trapkit.de/index.html)\n- [(S21sec) Alfredo Omella](https://www.s21sec.com/)\n- [hfiref0x](https://github.com/hfiref0x)\n- [Waleedassar](http://waleedassar.blogspot.com)\n- [一半人生](https://github.com/TimelifeCzy)\n- [Thomas Roccia (fr0gger)](https://github.com/fr0gger)\n- [systemd project](https://github.com/systemd/systemd)\n- mrjaxser\n- [iMonket](https://github.com/PrimeMonket)\n- Eric Parker's discord community \n- [ShellCode33](https://github.com/ShellCode33)\n- [Georgii Gennadev (D00Movenok)](https://github.com/D00Movenok)\n- [utoshu](https://github.com/utoshu)\n- [Jyd](https://github.com/jyd519)\n- [git-eternal](https://github.com/git-eternal)\n- [dmfrpro](https://github.com/dmfrpro)\n- [Teselka](https://github.com/Teselka)\n- [Kyun-J](https://github.com/Kyun-J)\n- [luukjp](https://github.com/luukjp)\n- [Randark](https://github.com/Randark-JMT)\n- [Scrut1ny](https://github.com/Scrut1ny)\n- [Lorenzo Rizzotti (Dreaming-Codes)](https://github.com/Dreaming-Codes)\n\n\u003cbr\u003e\n\n## Legal 📜\nI am not responsible nor liable for any damage you cause through any malicious usage of this project. \n\nLicense: MIT\n","funding_links":["https://github.com/sponsors/kernelwernel"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkernelwernel%2Fvmaware","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkernelwernel%2Fvmaware","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkernelwernel%2Fvmaware/lists"}