
v2.7.0 🎉


@NotRequiem NotRequiem released this 05 Apr 20:57
· 43 commits to main since this release
619d158

2.7.0 Release

Added

  • HYPER_X: Integrity checks for spoofed Hyper-V states, based on the reverse-engineering process of the KiOp_SLDTSTRSMSW function located at KiPreprocessFault -> KiOpDecode -> KiOpLocateDecodeEntry in the Windows kernel.

  • VM::MSR: Detection of hypervisor patches that intentionally (and stupidly) make unknown MSRs not generate a #GP exception when accessed.

  • VM::KVM_INTERCEPTION: Detects KVM interception of VMMCALL by either handling it (so no exception occurs) or attempting to patch it on the fly when issuing VMCALL (#PF occurs rather than #UD); see https://lists.nongnu.org/archive/html/qemu-devel/2025-07/msg05044.html

  • VM::BREAKPOINT: Detects EPT/NPT hooking by forcing a nested-page-table redirection, watching for single-stepping. REP MOV based EPT detections (a similar method to https://github.com/JustasMasiulis/rep_mov_ept_detecc) are still under discussion; Hyperion anti-tamper was detected using this trick.

Improved

  • VM::TIMER: Now, VMAware is immune to any kind of TSC or hardware clock spoofing, as it relies on its own context-switch-based clock.
    For Intel:
    CPUID is unconditionally trapped; however, despite VMAware randomizing which CPU core the timing check runs on, bypasses that send an IPI across all vCPUs to pause the check are still not detected.

    • Since the only known way to cheat against this timing attack is to pause the counter thread, a simple worker routine that will run on the same core as the counter thread will be introduced in the next version to detect any single pause.
    • Instruction scanning with byte array analysis or similar measures to patch the memory or modify the routine on the fly would bring even more detection vectors and severely affect VM performance.
    • The ratios are still experimental, so by caching and optimizing specific leaf paths, a hypervisor could still get below the adjusted threshold for this release. This will be patched in the next release.

    For AMD:
    CPUID is a conditionally exiting instruction, and no suitable unconditionally exiting instruction exists for user-mode apps, meaning that a hypervisor patched not to intercept CPUID can avoid producing timing anomalies. Research to detect this is still under development, as it is affecting every major anticheat right now (see Evaluated Detections).

  • VM::POWER_CAPABILITIES accuracy by checking all sleep and hibernation file states.

Fixed

  • VM::NVRAM false flags when invalid or no Secure Boot certificates were detected, or when mismatches between active and default PK/KEK variables were detected.
  • VM::IOREG_GREP false flagging bare-metal macOS devices.
  • VM::CLOCK false flagging a few Surface Pro models due to the lack of a PIT timer.
  • VM::FIRMWARE triggering HPET detections in buggy firmware that the kernel would report as dysfunctional, thereby disabling it; more info at this issue.
  • VM::FIRMWARE triggering FADT hypervisor vendor identity checks in machines that do not respect UEFI specifications; detected on HP OmniBook X Laptop 14-fe1xxx.
  • VM::DISPLAY possible false flags due to high-DPI 4K monitors at Windows' default 250% scaling.
  • Every false flag known to date and/or reported in v2.6.0

Removed

  • VM::SMBIOS_INTEGRITY (false flags machines with buggy SMBIOS firmware tables; detected on HP Spectre x360 Convertible 14-ea1xxx)
  • VM::OBJECTS (renamed to VM::KERNEL_OBJECTS)
  • VM::PCI_DEVICES (renamed to VM::DEVICES)
  • VM::DEVICE_HANDLES (renamed to VM::HANDLES)

Secondary Changes

  • Completely redesigned the brand mechanism.
  • Performance improvements in VM brand and hardening checks.
  • Added runtime SHA-256 hash output of CLI builds for integrity verification.
  • Added guidelines for better issue and PR creation; added contributor graph images in main README.md.
  • Removed versioning in files so that they can be programmatically fetched despite release updates.
  • Updated old CRC32 hashes for VirtualBox detections in VM::BOOT_LOGO.
  • Modified scores of several techniques for better accuracy, such as VM::TEMPERATURE.
  • Renamed several brands for clarity, such as HYPERV_ARTIFACT to HYPERV_ROOT.
  • Rearranged Windows techniques by detection probability according to the latest VMAware runs on hardened environments.

Evaluated Detections

  • KiOp_MOVAPS behavior on Wine when triggering alignment fault exceptions on instructions. False flags occur on some mobile CPUs, old CPUs, or when running inside a binary translator layer (x86 -> ARM); see https://www.unknowncheats.me/forum/anti-cheat-bypass/729130-article-wine-detection.html

  • STIBP and RDPRU default interception checks on KVM. It is logistically impossible to track which AMD CPUs lack these instructions but do not lack SVM features without maintaining a huge CPU database, which would otherwise create false positives in real-world scenarios.

  • Forcing 4D page table walks and TLB pressure from CPL3 by using the traditional random pointer-chasing pattern. The noise signal is too low to be detected in production environments.

  • XSAVE states not being emulated correctly by KVM after disabling VMCB offset 0Ch, bit 18 in SVM after QEMU fully boots. Our research shows that a discrepancy between the active XCR0 size (what the kernel enables) and the size reported by the CPUID instruction (now being fetched by the CPU directly because interception is disabled) would reveal every attempt to disable CPUID interception after KVM configures the guest state. VMAware already checks for this bypass by calculating the active XCR0 + XSS features and the active size of XCR0 + IA32_XSS (the latter can be inferred from CPL3 even without direct access to the MSR).
    However, unimplemented patches in stock QEMU to virtualize CET_U could be applied so that no difference in XSAVE features is presented anymore, which I pasted here. Bypassers also discovered how to boot the VM with CPUID interception disabled from the very beginning, as it was simply an MSR issue with some of the MCE banks that were #GPing and bringing down the guest during early boot.
    Research to detect these VMs from both user mode (publicly) and kernel mode (privately) is still ongoing, as it brought bypasses in VGK, EAC, and other anticheats by several private (and very awkward) cheating communities; practically every MSR access and instruction "runs" in the host, while still presenting a clean firmware state and optionally legitimate Hyper-V artifacts, allowing virtual memory reads from the undetected hypervisor layer.
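The XCR0-versus-CPUID size comparison described above, written out as a small added example (this is not VMAware's code; VMAware's own check is not reproduced here). It covers only the user-state components enabled in XCR0, not IA32_XSS. The consistency rule is the one the Intel SDM gives for CPUID(0xD,0).EBX in the standard (non-compacted) XSAVE layout: the reported size must equal the highest offset+size among the components the OS enabled, or 576 bytes when only x87/SSE are enabled. The `SAMPLE_COMPS` table and the XCR0 values fed to it are constructed test data; the `live_xsave_check` path reads the running CPU on x86 and is compiled out elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One CPUID leaf 0xD subleaf for a state component i >= 2:
 * EAX = size of the component, EBX = offset in the standard XSAVE area. */
typedef struct {
    unsigned idx;    /* state-component number (bit position in XCR0) */
    uint32_t size;   /* CPUID(0xD, idx).EAX */
    uint32_t offset; /* CPUID(0xD, idx).EBX */
} xsave_component;

/* Legacy x87/SSE region (512 bytes) plus the 64-byte XSAVE header. */
#define XSAVE_LEGACY_PLUS_HEADER 576u

/* Size the CPU should report in CPUID(0xD,0).EBX for the components enabled
 * in xcr0: the largest offset+size among enabled components, else 576. */
uint32_t expected_xsave_size(uint64_t xcr0, const xsave_component *comps, size_t ncomps) {
    uint32_t size = XSAVE_LEGACY_PLUS_HEADER;
    for (size_t i = 0; i < ncomps; i++) {
        if (comps[i].idx < 2) continue;               /* x87/SSE live in the legacy region */
        if (!((xcr0 >> comps[i].idx) & 1u)) continue; /* not enabled by the OS */
        uint32_t end = comps[i].offset + comps[i].size;
        if (end > size) size = end;
    }
    return size;
}

/* 1 when the CPUID-reported size agrees with what XCR0 implies, 0 otherwise.
 * A mismatch means CPUID and XCR0 are not describing the same machine state. */
int xsave_size_consistent(uint64_t xcr0, uint32_t reported_ebx,
                          const xsave_component *comps, size_t ncomps) {
    return expected_xsave_size(xcr0, comps, ncomps) == reported_ebx;
}

/* Constructed sample table: AVX (bit 2) and the three AVX-512 components
 * (bits 5, 6, 7) at their documented standard-format offsets and sizes. */
static const xsave_component SAMPLE_COMPS[] = {
    {2, 256, 576}, {5, 64, 1088}, {6, 512, 1152}, {7, 1024, 1664},
};
#define SAMPLE_NCOMPS (sizeof SAMPLE_COMPS / sizeof SAMPLE_COMPS[0])

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Live check on the running CPU. Returns -1 if OSXSAVE is off (XGETBV would
 * fault), otherwise the result of xsave_size_consistent(). */
int live_xsave_check(void) {
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!(c & (1u << 27))) return -1; /* CPUID.1:ECX.OSXSAVE */
    uint32_t lo, hi;
    __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
    uint64_t xcr0 = ((uint64_t)hi << 32) | lo;
    __cpuid_count(0xD, 0, a, b, c, d);
    uint32_t reported = b;
    xsave_component comps[64];
    size_t n = 0;
    for (unsigned i = 2; i < 64; i++) {
        if (!((xcr0 >> i) & 1u)) continue;
        __cpuid_count(0xD, i, a, b, c, d);
        comps[n].idx = i; comps[n].size = a; comps[n].offset = b; n++;
    }
    return xsave_size_consistent(xcr0, reported, comps, n);
}
#else
int live_xsave_check(void) { return -1; } /* not an x86 machine */
#endif

int main(void) {
    /* Constructed cases: XCR0 = x87|SSE|AVX should report 832 bytes. */
    printf("expected size for XCR0=0x7:  %u\n", expected_xsave_size(0x7, SAMPLE_COMPS, SAMPLE_NCOMPS));
    printf("expected size for XCR0=0xE7: %u\n", expected_xsave_size(0xE7, SAMPLE_COMPS, SAMPLE_NCOMPS));
    printf("consistent (0xE7, 2688): %d\n", xsave_size_consistent(0xE7, 2688, SAMPLE_COMPS, SAMPLE_NCOMPS));
    printf("consistent (0xE7, 832):  %d\n", xsave_size_consistent(0xE7, 832, SAMPLE_COMPS, SAMPLE_NCOMPS));
    printf("live check on this CPU: %d\n", live_xsave_check());
    return 0;
}
```

The second constructed call in `main` is the failure mode the passage describes: XCR0 says AVX-512 state is enabled, yet the size that CPUID returns only covers AVX, which is what a CPUID result served from a different configuration than the one the guest kernel actually programmed looks like.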

VirusTotal Results and Executables

https://www.virustotal.com/gui/file/2adbfb7d92c5f368acca31b2c71cd5f860e3a028ca5891636dacea7da07b886d?nocache=1

The Windows binaries were generated in the CI/CD purely from the source code here.

The Linux binaries, on the other hand, were generated through the cmake file present in the root directory of the repository.

Contact

For any inquiries, contact us on Discord at shenzken or kr.nl, or email us at jeanruyv@gmail.com.

Caution

A bug in the current VirtualBox stable release causes VMAware to crash the VM when attempting to detect virtualization. The issue has already been reported and will be fixed; see VirtualBox/virtualbox#616 for details. Until the VirtualBox team resolves it, use vmaware-vbox-compat.exe or build from fix/virtualbox-compatibility if you want to enable protection without crashes on affected systems. Note that using this will disable specific checks against some public and private patches used to spoof VM presence.