Skip to content

Removed unreliable detections and improved VM::TIMER #544

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 30, 2025
Merged

Removed unreliable detections and improved VM::TIMER #544

merged 7 commits into from
Oct 30, 2025

Conversation

@NotRequiem
Copy link
Collaborator

@NotRequiem NotRequiem commented Oct 30, 2025

No description provided.

@NotRequiem NotRequiem merged commit 3140c48 into main Oct 30, 2025
10 checks passed
@umbrageodotus
Copy link

umbrageodotus commented Nov 2, 2025

Removing the unreliable detections seems like a bad idea.

@NotRequiem
Copy link
Collaborator Author

NotRequiem commented Nov 2, 2025

no.

@kernelwernel
Copy link
Owner

kernelwernel commented Nov 3, 2025

Removing the unreliable detections seems like a bad idea.

I'm interested in hearing more about your opinions on this. Can you explain further why you think this is the case? I'd really like to have a discussion on this topic since I'm kind of undecided on the issue.

@umbrageodotus
Copy link

umbrageodotus commented Nov 3, 2025

no.

Great commentary! 🤷

@umbrageodotus
Copy link

umbrageodotus commented Nov 3, 2025

Removing the unreliable detections seems like a bad idea.

I'm interested in hearing more about your opinions on this. Can you explain further why you think this is the case? I'd really like to have a discussion on this topic since I'm kind of undecided on the issue.

I feel like they should be disabled by default, but users should be able to enable them if they want to...

@NotRequiem
Copy link
Collaborator Author

NotRequiem commented Nov 3, 2025

Great commentary! 🤷

Sorry, I felt like this was a joke because I couldn't imagine how someone would actually think "removing unreliable detections" is a bad idea.

I feel like they should be disabled by default, but users should be able to enable them if they want to...

No. Those techniques are not a proof, or even a suspicion, of a program running under a virtual machine, but anyways here's your detailed explanation:

VM::VBOX_DEFAULT: You can't say you're running inside a VM because your system has, let's say, 4 GB of RAM and 80GB of disk size, simple as that, I just don't want stupid detections used in production code, it was useless from the very beginning because it only apported 25 of score, which made it basically mathematically impossible for a VM to be flagged because a combination of a strong technique + that technique in particular

VM::BOOT_MANAGER: This was a detection that never detected a VM, I added it when I was experimenting with NVRAM in order to detect patches abusing ACPI and SMBIOS passthrough, and the technique was quite slow.
Firstly, I made it so that it would parse and check if the first boot entry corresponds to the Windows boot manager, and test how many times it false flagged legitimate users using other bootloaders.
Of course false flags appeared and they were not only a few precisely, so I decided to look for the Windows manager in any part of the boot entry sector (however, and as expected, even the most vanilla VMs had the boot manager in any of the boot entries, just not in the first one)

But hey, honestly, if you want to have techniques that will never detect a VM reliably or will only false flag, just feel free to add them again to your codebase, but I won't maintain them.

@umbrageodotus
Copy link

umbrageodotus commented Nov 3, 2025

Great commentary! 🤷

Sorry, I felt like this was a joke because I couldn't imagine how someone would actually think "removing unreliable detections" is a bad idea.

I feel like they should be disabled by default, but users should be able to enable them if they want to...

No. Those techniques are not a proof, or even a suspicion, of a program running under a virtual machine, but anyways here's your detailed explanation:

VM::VBOX_DEFAULT: You can't say you're running inside a VM because your system has, let's say, 4 GB of RAM and 80GB of disk size, simple as that, I just don't want stupid detections used in production code, it was useless from the very beginning because it only apported 25 of score, which made it basically mathematically impossible for a VM to be flagged because a combination of a strong technique + that technique in particular

VM::BOOT_MANAGER: This was a detection that never detected a VM, I added it when I was experimenting with NVRAM in order to detect patches abusing ACPI and SMBIOS passthrough, and the technique was quite slow. Firstly, I made it so that it would parse and check if the first boot entry corresponds to the Windows boot manager, and test how many times it false flagged legitimate users using other bootloaders. Of course false flags appeared and they were not only a few precisely, so I decided to look for the Windows manager in any part of the boot entry sector (however, and as expected, even the most vanilla VMs had the boot manager in any of the boot entries, just not in the first one)

But hey, honestly, if you want to have techniques that will never detect a VM reliably or will only false flag, just feel free to add them again to your codebase, but I won't maintain them.

Oh, it was just those 2? Sorry, I thought it was more then. I'm all for it then.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@NotRequiem @umbrageodotus @kernelwernel