/

Virtual Machine Detection

Protection Module: VirtualMachineDetection

Detects if your application is running inside a virtual machine environment.

Available for:

  • Desktop Applications (Windows, Linux, macOS)
  • Server Applications
  • Console Applications

How It Works

Virtual Machine Detection analyzes system characteristics to identify if the application is running in a virtualized environment rather than on physical hardware.

Detection Methods:

  • CPUID Analysis - Checks CPU vendor strings and hypervisor presence bit
  • Hardware Signatures - Analyzes BIOS, motherboard, and system manufacturer
  • Registry Keys (Windows) - Detects VM-specific registry entries
  • Device Drivers - Identifies virtualization-specific drivers
  • MAC Address Prefixes - Checks for known VM network adapter vendors
  • VM Guest Additions - Detects VMware Tools, VirtualBox Guest Additions, etc.
  • File System Artifacts - Looks for VM-specific files and directories
  • Performance Counters - Analyzes timing discrepancies typical of VMs

Supported Hypervisors:

  • VMware Workstation / VMware ESXi
  • Oracle VirtualBox
  • Microsoft Hyper-V
  • KVM / QEMU
  • Parallels Desktop
  • Xen
  • VirtualPC

Configuration

JSON Configuration

JSON
{
  "protections": {
    "VirtualMachineDetection": {
      "enabled": true,
      "action": "log"
    }
  }
}

Code-Based Configuration

C#
await Payload.ConfigureAsync(config =>
{
    config.AddProtection(ProtectionModuleType.VirtualMachineDetection, ActionType.Log);
});

Advanced Configuration

JSON
{
  "protections": {
    "VirtualMachineDetection": {
      "enabled": true,
      "action": "log",
      "intervalMs": 120000,
      "config": {
        "detectOnStartup": true,
        "periodicChecks": false,
        "allowedVMs": ["hyper-v"]
      }
    }
  }
}

Available Actions

ActionBehaviorRecommended For
LogRecord detection and continueAnalytics, understanding deployment environments
CloseTerminate applicationSoftware with strict licensing (physical machines only)
CustomExecute custom handlerDegraded functionality mode, license enforcement
NoneDetect only, no actionTesting, development

Common Use Case

Most applications use Log action to gather analytics about deployment environments. Close action is typically reserved for licensing scenarios where the software is sold per physical machine.

Configuration Parameters

Detection Modes

JSON
{
  "config": {
    "detectOnStartup": true,
    "periodicChecks": false,
    "allowedVMs": []
  }
}
ParameterDescriptionDefaultRecommendation
detectOnStartupCheck immediately when app launchestrueAlways enable
periodicChecksContinue checking during runtimefalseUsually not needed (VM state rarely changes)
allowedVMsArray of allowed VM types[]Use for specific deployment scenarios

Allowed VMs

JSON
{
  "config": {
    "allowedVMs": ["hyper-v", "kvm"]
  }
}

Supported values:

  • "vmware" - VMware products
  • "virtualbox" - Oracle VirtualBox
  • "hyper-v" - Microsoft Hyper-V
  • "kvm" - KVM/QEMU
  • "parallels" - Parallels Desktop
  • "xen" - Xen hypervisor

When to Use

Recommended for:

  • License Enforcement - Software licensed per physical machine
  • Security Research - Detect malware analysis environments
  • Deployment Analytics - Understand where your software runs
  • Performance Optimization - Apply VM-specific optimizations
  • Sandbox Detection - Identify automated analysis systems

Not recommended for:

  • Cloud-native applications (always run in VMs)
  • Applications designed for virtual environments
  • Development tools (developers commonly use VMs)

Cloud Deployment Consideration:

C#
await Payload.ConfigureAsync(config =>
{
    var isCloudDeployment = Environment.GetEnvironmentVariable("CLOUD_PROVIDER") != null;

    if (!isCloudDeployment)
    {
        config.AddProtection(ProtectionModuleType.VirtualMachineDetection, ActionType.Log);
    }
});

Code Examples

License Validation

C#
config.RegisterCustomAction("vm-license-check", async (threat) =>
{
    var vmType = threat.Metadata["vmType"]?.ToString();

    // Check if VM is allowed by license
    var licenseInfo = await LoadLicenseAsync();

    if (!licenseInfo.AllowsVirtualMachines)
    {
        await ShowLicenseViolationDialog(
            "This software is licensed for physical machines only. " +
            $"Detected environment: {vmType}"
        );

        Environment.Exit(-1);
    }
    else
    {
        // Log for analytics
        await LogDeploymentEnvironmentAsync(vmType);
    }
});

config.AddProtection(ProtectionModuleType.VirtualMachineDetection, "vm-license-check");

Degraded Functionality

C#
config.RegisterCustomAction("vm-degraded-mode", async (threat) =>
{
    var vmType = threat.Metadata["vmType"]?.ToString();

    // Show warning to user
    await ShowNotificationAsync(
        $"Running in virtualized environment ({vmType}). " +
        "Some features may be limited."
    );

    // Disable GPU-intensive features
    AppSettings.EnableHardwareAcceleration = false;
    AppSettings.MaxRenderQuality = RenderQuality.Medium;

    // Log analytics
    await AnalyticsService.TrackEvent("vm_detected", new { vmType });
});

Analytics Only

C#
config.RegisterCustomAction("vm-analytics", async (threat) =>
{
    var metadata = threat.Metadata;

    await AnalyticsService.TrackDeployment(new
    {
        IsVirtual = true,
        VMType = metadata["vmType"],
        Hypervisor = metadata["hypervisor"],
        CPUVendor = metadata["cpuVendor"],
        Environment = Environment.OSVersion.ToString()
    });
});

config.AddProtection(ProtectionModuleType.VirtualMachineDetection, "vm-analytics");

Performance Impact

Detection Time:

  • Initial check: 50-200ms
  • Subsequent checks: 30-100ms

CPU Usage: Negligible (<0.01% during checks) Memory: <500 KB

Recommended Intervals:

  • Single check: Set periodicChecks: false (recommended)
  • Periodic: 120000ms (2 minutes) or higher

One-Time Check

VM state rarely changes during application runtime. A single check on startup is usually sufficient. Periodic checks are only needed for long-running server applications where the environment might change.

Platform Compatibility

PlatformSupportDetection Methods
WindowsCPUID, Registry, WMI, Drivers
LinuxCPUID, DMI, /proc, /sys
macOSCPUID, System Profiler
.NET 6+Full support
.NET Core 3.1-5.0Full support
.NET Framework 4.6.2+Windows-specific detection

Threat Detection Details

When a VM is detected, the ThreatInfo object contains:

JSON
{
  "threatId": "VM-2025-12-28-3456",
  "description": "Virtual machine environment detected",
  "moduleType": "VirtualMachineDetection",
  "detectedAt": "2025-12-28T12:15:20Z",
  "confidence": 0.95,
  "metadata": {
    "vmType": "vmware",
    "hypervisor": "VMware ESXi 7.0",
    "cpuVendor": "GenuineIntel",
    "biosVendor": "Phoenix Technologies",
    "detectionMethod": "cpuid-hypervisor-bit",
    "guestAdditions": true,
    "macPrefix": "00:0C:29"
  }
}

Detection Evasion (Educational)

Educational Purpose Only

This information is provided for understanding how VM detection works and improving detection accuracy. Do not use to evade legitimate software protections.

Common Evasion Techniques:

  • Modifying CPUID responses
  • Hiding hypervisor presence bit
  • Changing BIOS/SMBIOS strings
  • Randomizing MAC addresses
  • Removing guest additions

Monitor's multi-layered approach makes evasion significantly more difficult by combining multiple independent detection methods.

Next Steps

Emulator Detection

Detect emulated environments

Actions

Configure threat responses

JSON Configuration

Advanced configuration

Previous
Debugger Detection
Next
Emulator Detection