kernelwernel
commented
2 months ago ok so 2 things:
-
for the MAC address check, what the technique does is compare your actual MAC address to those of various VM brands. Hybrid Analysis VMs usually have the address of
0A:00:27:XX:XX:XX, and i'm not sure why you got that result if i'm being honest. It's either an oversight on my part or it was some kind of rare coincidence where your mac address has been set to what Hybrid Analysis would've done by sheer chance. This is the first time I received this kind of problem. I'll remove the Hybrid Analysis MAC check. -
For the VMware devices check, that's a very new technique that's been added right when the 1.6 version of the library was made. I didn't expect all new checks to be perfect but i'll remove this technique in particular seeing that you've received a false positive.
LionHackerman
Using Acer Laptop running Windows 10 22H2 and I get the following output:
`C:\Users\Lion\Downloads>vm --disable-hyperv-host [NOT DETECTED] Checking VMID... [NOT DETECTED] Checking CPU brand... [NOT DETECTED] Checking CPUID hypervisor bit... [NOT DETECTED] Checking CPUID 0x4 leaf... [NOT DETECTED] Checking hypervisor brand... [NOT DETECTED] Checking RDTSC... [NOT DETECTED] Checking sidt null byte... [NOT DETECTED] Checking processor count... [ DETECTED ] Checking MAC address... [NOT DETECTED] Checking temperature... [NOT DETECTED] Checking systemd virtualisation... [NOT DETECTED] Checking chassis vendor... [NOT DETECTED] Checking chassis type... [NOT DETECTED] Checking Dockerenv... [NOT DETECTED] Checking dmidecode output... [NOT DETECTED] Checking dmesg output... [NOT DETECTED] Checking hwmon presence... [NOT DETECTED] Checking cursor... [NOT DETECTED] Checking VMware registry... [NOT DETECTED] Checking VBox registry... [NOT DETECTED] Checking users... [NOT DETECTED] Checking DLLs... [NOT DETECTED] Checking registry... [NOT DETECTED] Checking Sunbelt CWSandbox directory... [NOT DETECTED] Checking Wine... [NOT DETECTED] Checking VM files... [NOT DETECTED] Checking hw.model... [NOT DETECTED] Checking disk size... [NOT DETECTED] Checking VBox default specs... [NOT DETECTED] Checking VBox network provider match... [NOT DETECTED] Checking computer name... [NOT DETECTED] Checking hostname... [NOT DETECTED] Checking low memory space... [NOT DETECTED] Checking VM processes... [NOT DETECTED] Checking default Linux user/host... [NOT DETECTED] Checking VBox window class... [NOT DETECTED] Checking gamarue ransomware technique... [NOT DETECTED] Checking 0x4 leaf of VMID... [NOT DETECTED] Checking Parallels techniques... [NOT DETECTED] Checking RDTSC VMEXIT... [NOT DETECTED] Checking loaded DLLs... [NOT DETECTED] Checking QEMU CPU brand... [NOT DETECTED] Checking BOCHS CPU techniques... [NOT DETECTED] Checking VirtualPC motherboard... [NOT DETECTED] Checking BIOS serial number... [NOT DETECTED] Checking Hyper-V registry... [NOT DETECTED] Checking Hyper-V WMI output... [NOT DETECTED] Checking VirtualBox shared folders... [NOT DETECTED] Checking MSSMBIOS... [NOT DETECTED] Checking MacOS hw.memsize... [NOT DETECTED] Checking MacOS registry IO-kit... [NOT DETECTED] Checking IO registry grep... [NOT DETECTED] Checking MacOS SIP... [NOT DETECTED] Checking KVM registries... [NOT DETECTED] Checking KVM drivers... [NOT DETECTED] Checking KVM directories... [NOT DETECTED] Checking HKLM registries... [NOT DETECTED] Checking Audio device... [NOT DETECTED] Checking qemu-ga process... [NOT DETECTED] Checking MSR validity... [NOT DETECTED] Checking QEMU processes... [NOT DETECTED] Checking QEMU directories... [NOT DETECTED] Checking VPC processes... [NOT DETECTED] Checking VPC invalid instructions... [NOT DETECTED] Checking SIDT... [NOT DETECTED] Checking SGDT... [NOT DETECTED] Checking SLDT... [NOT DETECTED] Checking Offensive Security SIDT... [NOT DETECTED] Checking Offensive Security SGDT... [NOT DETECTED] Checking Offensive Security SLDT... [NOT DETECTED] Checking VirtualPC SIDT... [NOT DETECTED] Checking Hyper-V motherboard... [NOT DETECTED] Checking Extra VM files... [NOT DETECTED] Checking /proc/iomem file... [NOT DETECTED] Checking /proc/ioports file... [NOT DETECTED] Checking /proc/scsi/scsi file... [NOT DETECTED] Checking VMware dmesg... [NOT DETECTED] Checking STR instruction... [NOT DETECTED] Checking VMware IO port backdoor... [NOT DETECTED] Checking VMware port memory... [NOT DETECTED] Checking SMSW instruction... [NOT DETECTED] Checking mutex strings... [NOT DETECTED] Checking uptime... [NOT DETECTED] Checking unusual thread count... [NOT DETECTED] Checking Intel thread count mismatch... [NOT DETECTED] Checking Intel Xeon thread count mismatch... [NOT DETECTED] Checking VM memory regions... [ DETECTED ] Checking VMware devices... [NOT DETECTED] Checking Hyper-V CPUID... [NOT DETECTED] Checking Cuckoo directory... [NOT DETECTED] Checking Cuckoo pipe... [NOT DETECTED] Checking Hyper-V Azure hostname... [NOT DETECTED] Checking general VM hostnames... [NOT DETECTED] Checking screen resolution... [NOT DETECTED] Checking bogus device string... [NOT DETECTED] Checking mouse device... [NOT DETECTED] Checking BlueStacks folders...
VM brand: Hybrid Analysis VM likeliness: 99% VM confirmation: true VM detections: 2/97
====== CONCLUSION: Very likely a Hybrid Analysis VM ======`
Is there a way we can just have detections base on VM detections only? Seems to be much more reliable in my case.