VMAware-C

██╗   ██╗███╗   ███╗ █████╗ ██╗    ██╗ █████╗ ██████╗ ███████╗     ██████╗
██║   ██║████╗ ████║██╔══██╗██║    ██║██╔══██╗██╔══██╗██╔════╝    ██╔════╝
██║   ██║██╔████╔██║███████║██║ █╗ ██║███████║██████╔╝█████╗      ██║     
╚██╗ ██╔╝██║╚██╔╝██║██╔══██║██║███╗██║██╔══██║██╔══██╗██╔══╝      ██║     
 ╚████╔╝ ██║ ╚═╝ ██║██║  ██║╚███╔███╔╝██║  ██║██║  ██║███████╗    ╚██████╗
  ╚═══╝  ╚═╝     ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝     ╚═════╝

VMAware-C is a pure C port of the VMAware C++ library for virtual machine detection on Windows.

⚠️ Note: This is an AI-generated port created by GitHub Copilot (Claude). It is inspired by and based on the original VMAware project by kernelwernel.

---

Features ✨

• Pure C11 - No C++ dependencies, compatible with any C compiler
• Windows-focused - Optimized for Windows VM detection
• 40+ Detection Techniques - CPUID, registry, drivers, timing, and more
• 70+ VM Brands - VMware, VirtualBox, Hyper-V, QEMU, KVM, and many others
• Lightweight - ~5,500 lines of code, no external dependencies
• Memoized - Results are cached for performance
• MIT Licensed - Free for any use

---

Quick Start 🚀

Basic Example

#include "vmaware.h"
#include <stdio.h>

int main(void) {
    if (vm_detect(VM_DEFAULT)) {
        printf("Virtual machine detected!\n");
    } else {
        printf("Running on baremetal\n");
    }

    printf("VM name: %s\n", vm_brand(VM_DEFAULT));
    printf("VM type: %s\n", vm_type(VM_DEFAULT));
    printf("VM certainty: %d%%\n", vm_percentage(VM_DEFAULT));
    
    return 0;
}

Output Example (in VirtualBox)

Virtual machine detected!
VM name: VirtualBox
VM type: Hypervisor (type 2)
VM certainty: 100%

---

Installation 📥

Option 1: Copy Files

Simply copy the src/ folder to your project and include vmaware.h:

#include "vmaware.h"

Option 2: Build with CMake

git clone https://github.com/your-repo/vmaware-c.git
cd vmaware-c
mkdir build && cd build
cmake ..
cmake --build .

Option 3: Manual Compilation (MSVC)

cl /I src src\*.c /Fe:vmaware_cli.exe

Option 4: Manual Compilation (MinGW)

gcc -Wall -Wextra -std=c11 -I src src/*.c -o vmaware_cli.exe

---

API Reference 📖

Core Functions

Function	Description	Return
vm_detect(flags)	Check if running in a VM	bool
vm_brand(flags)	Get detected VM brand name	const char*
vm_type(flags)	Get VM type description	const char*
vm_percentage(flags)	Get detection certainty (0-100)	uint8_t
vm_detected_count()	Count of triggered techniques	uint8_t
vm_conclusion(flags)	Human-readable conclusion	const char*

Flag Constants

Flag	Description
VM_DEFAULT	Run all default techniques
VM_ALL	Run ALL techniques (including risky ones)
VM_HIGH_THRESHOLD	Require higher certainty for detection

Individual Technique Check

// Check a specific technique
if (vm_check_technique(VM_HYPERVISOR_BIT)) {
    printf("Hypervisor bit is set!\n");
}

---

Detection Techniques 🔍

Cross-Platform (x86)

ID	Technique	Description	Points
VM_VMID	CPUID Vendor ID	Check for VM vendor strings	100
VM_CPU_BRAND	CPU Brand String	VM indicators in brand	95
VM_HYPERVISOR_BIT	Hypervisor Bit	CPUID ECX.31 flag	100
VM_HYPERVISOR_STR	Hypervisor String	Hypervisor brand length	100
VM_BOCHS_CPU	Bochs Detection	Bochs emulator oversights	100
VM_TIMER	RDTSC Timing	Execution timing analysis	100
VM_THREAD_MISMATCH	Thread Count	CPU thread verification	50
VM_CPUID_SIGNATURE	CPUID Signature	Known VM signatures	95
VM_KGT_SIGNATURE	Intel KGT	Intel KGT hypervisor	80

Windows-Specific

ID	Technique	Description	Points
VM_DLL	DLL Check	VM-related DLLs	45
VM_WINE	Wine Detection	Wine compatibility layer	85
VM_MUTEX	Mutex Objects	VM mutex names	85
VM_VIRTUAL_REGISTRY	Registry Keys	VM registry entries	65
VM_DRIVERS	Driver Check	VM driver files	65
VM_DISK_SERIAL	Disk Serial	VM disk identifiers	60
VM_DISPLAY	Display Adapter	VM graphics adapters	35
VM_VMWARE_BACKDOOR	VMware Backdoor	VMware I/O port	100
VM_TRAP	Trap Flag	Debugger detection	100
...	...	See full list	...

---

Supported VM Brands 🖥️

VMAware-C can detect 70+ virtualization technologies:

Hypervisors

• VMware (Workstation, Fusion, ESXi)
• VirtualBox
• Microsoft Hyper-V
• QEMU/KVM
• Xen
• Parallels
• Bochs
• bhyve

Cloud Platforms

• Amazon AWS (Nitro, EC2)
• Microsoft Azure
• Google Cloud (GCE)
• Oracle Cloud
• Alibaba Cloud

Sandboxes & Analysis

• Cuckoo Sandbox
• Sandboxie
• Windows Sandbox
• Any.Run
• Joe Sandbox
• Hybrid Analysis

Emulators

• Wine
• QEMU (user-mode)
• DOSBox

Containers

• Docker
• Podman
• WSL/WSL2
• LXC

See complete brand list →

---

Project Structure 📁

vmaware_c/
├── src/
│   ├── vmaware.h          # Main public header (API + enums)
│   ├── vmaware.c          # Public API implementation
│   ├── vmaware_core.h     # Detection engine header
│   ├── vmaware_core.c     # Detection engine + x86 techniques
│   ├── vmaware_win.h      # Windows techniques header
│   ├── vmaware_win.c      # Windows-specific techniques
│   ├── vmaware_cpu.h      # CPU operations header
│   ├── vmaware_cpu.c      # CPUID, brand databases
│   ├── vmaware_memo.h     # Memoization header
│   ├── vmaware_memo.c     # Caching implementation
│   ├── vmaware_util.h     # Utilities header
│   ├── vmaware_util.c     # Helper functions
│   └── cli.c              # CLI application
├── test/
│   └── test_main.c        # Test suite
├── docs/
│   └── documentation.md   # Full documentation
├── CMakeLists.txt         # CMake build file
├── LICENSE                # MIT License
└── README.md              # This file

---

Building the CLI Tool 🔧

The CLI tool provides a comprehensive VM analysis:

# Build
gcc -Wall -Wextra -O2 -std=c11 -I src src/*.c -o vmaware.exe

# Run
./vmaware.exe

CLI Output Example

 ===== VMAware C Port =====

[CONCLUSION]: Running on baremetal (not a VM)

[DETECTED VMs]:
  None

[DETECTION DETAILS]:
  VM certainty: 0%
  Techniques triggered: 0

[TECHNIQUES]:
  VM_HYPERVISOR_BIT .... not detected
  VM_CPUID_SIGNATURE ... not detected
  VM_CPU_BRAND ......... not detected
  ...

---

Advanced Usage 💡

Custom Flag Combinations

// Create custom flagset
vm_flagset flags;
vm_flagset_clear_all(&flags);

// Enable specific techniques
vm_flagset_set(&flags, VM_HYPERVISOR_BIT);
vm_flagset_set(&flags, VM_CPUID_SIGNATURE);
vm_flagset_set(&flags, VM_VMWARE_BACKDOOR);

// Run detection
if (vm_detect_with_flags(&flags)) {
    printf("VM detected with custom checks\n");
}

Excluding Techniques

// Use defaults but exclude risky techniques
vm_flagset flags;
vm_flagset_set_all(&flags);
vm_flagset_clear(&flags, VM_VMWARE_BACKDOOR);  // Skip backdoor check

bool is_vm = vm_detect_with_flags(&flags);

Reset Cache

// Clear memoization cache for fresh detection
vm_reset();

---

Comparison with Original 📊

Feature	VMAware (C++)	VMAware-C
Language	C++11+	C11
Platforms	Windows, Linux, macOS	Windows only
Techniques	~90	~40
Header-only	Yes	No (multi-file)
Dependencies	None	None
VM Brands	70+	70+

---

Credits & Acknowledgements ✒️

This Port

Generated by: GitHub Copilot (Claude AI) - March 2026

This is an AI-assisted port of the original VMAware library. While functional, it may not include all features or optimizations of the original C++ version.

Original Project

VMAware - https://github.com/kernelwernel/VMAware

• kernelwernel - Creator and maintainer
• Requiem (NotRequiem) - Co-developer
• All original contributors listed in the VMAware repository

Research & Techniques

• Check Point Research
• Unprotect Project
• Al-Khaser
• pafish

---

Legal 📜

License

This project is licensed under the MIT License - see the LICENSE file.

Disclaimer

This software is provided for educational and legitimate security research purposes only. The authors are not responsible for any misuse or damage caused by this software.

Do not use this library for malicious purposes.

---

Contributing 🤝

Contributions are welcome! Please feel free to:

1. Report bugs or issues
2. Suggest new detection techniques
3. Improve documentation
4. Submit pull requests

---

See Also 🔗

• Original VMAware (C++)
• VMAware Documentation
• Al-Khaser - Anti-malware research tool
• pafish - Paranoid Fish

---

If you find this project useful, please consider starring the original VMAware project!