A Rust command‑line tool to detect whether the system is running inside a virtual machine by inspecting low‑level CPU and OS artifacts.
- Low-level Rust bindings for privileged instructions (RDMSR, WRMSR, XGETBV, etc.).
- ACPI RSDP discovery (Linux by scanning the physical memory in the BIOS area; Windows by GetSystemFirmwareTable).
- I/O port access for VMware backdoor detection, and general port I/O (Linux only).
- Virtualization heuristics scoring system based on multiple indicators.
- Two collection modes: safe (uses non-privileged probes, and works in user mode), and privileged (attempts ring-0, and may require additional permissions).
- Command line interface with `--privileged` and `--verbose` flags for flexible operation.
- Linux and Windows support.

Building from source requires:
| Tool | Purpose | Install |
|---|---|---|
| Rust and Cargo | Compile Rust code | Install via rustup.rs (Recommended for all platforms). |
| nasm | Assembles .asm files | Linux: use your package manager, e.g. apt install nasm; Windows: install via nasm.us |
| ar (GNU binutils) | Packages objects into static archives for Rust | Part of binutils; Linux: apt install binutils; Windows: available via MinGW-w64 (e.g. via MSYS2 or WSL). |

These tools are only required when compiling from source.

Quick start with Makefile

The project includes a Makefile that simplifies the workflow. Make sure you have the prerequisites, then:

- Clone the repository:

  ```bash
  git clone https://github.com/czeti/vmxionr2.git
  cd vmxionr2
  ```

- Verify that all prerequisites are present:

  ```bash
  make check-deps
  ```

- Build the release binary:

  ```bash
  make release # optimised release build
  ```

- Run the tool:

  ```bash
  make run ARGS="--help"
  ```

- To run with arguments:

  ```bash
  make run ARGS="--privileged --verbose"
  ```

Run `make help` to see all available targets. Common ones include:

| Target | Description |
|---|---|
| all | Alias for build |
| build | Build debug binaries |
| release | Build release binaries |
| test | Run all tests |
| clean | Clean build artifacts |
| run | Run the CLI (use ARGS="" to pass arguments) |
| fmt | Format all code |
| clippy | Run clippy lints |
| check-deps | Verify required tools (nasm, ar) are present |

| Option | Description |
|---|---|
| `-p, --privileged` | Enable privileged mode (requires special permissions), attempts to access MSR, I/O ports, and scan ACPI RSDP. |
| `-v, --verbose` | Shows extra detail (idt/gdt limits, descriptor anomaly score). |
| `-h, --help` | Prints help information. |

No special permissions:

```
$ make run
```

Output:

```
--------------- VM detection report ---------------
VM probability 12.50%
verdict: likely bare metal
hypervisor present: false
tsc value: 1234567890
ldt selector: 0
idt base: 0xffffffff00000000
gdt base: 0xffffffff00000000
--------------- END ---------------
```

```
sudo make run ARGS="--privileged"
```

Output:

```
running in privileged mode. this may require root or special permissions
...
```

- Privileged probes (MSR access, I/O ports, ACPI scan) require root/Administrator privileges; on Windows these functions are stubbed and return default values.
- VMware backdoor detection works only on Linux and requires I/O port access.
- The heuristic score is empirical and may produce false positives/negatives; it should not be used as the sole basis for security decisions.
- CPU must support the `cpuid`, `rdtsc`, and related instructions (all x86‑64 CPUs do).
- On Windows, the `os_probes` crate uses WinAPI for ACPI; I/O port functions are stubs and always return 0.

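
A field like `hypervisor present` in the report is conventionally derived from CPUID leaf 1 (ECX bit 31), with the hypervisor's vendor signature available from leaf 0x40000000. The sketch below is an added example, not vmxionr2's own code; the function names are hypothetical, and it assumes only the standard `core::arch::x86_64::__cpuid` intrinsic.

```rust
// Added example; not vmxionr2's code. All function names are hypothetical.

/// CPUID leaf 1, ECX bit 31: reserved for hypervisors, 0 on bare metal.
pub fn hypervisor_bit(leaf1_ecx: u32) -> bool {
    leaf1_ecx & (1 << 31) != 0
}

/// Leaf 0x4000_0000 returns a 12-byte vendor signature in EBX, ECX, EDX.
pub fn vendor_signature(ebx: u32, ecx: u32, edx: u32) -> String {
    let mut bytes = Vec::with_capacity(12);
    for reg in [ebx, ecx, edx] {
        bytes.extend_from_slice(&reg.to_le_bytes());
    }
    // Short signatures are NUL-padded, e.g. "KVMKVMKVM\0\0\0".
    String::from_utf8_lossy(&bytes).trim_end_matches('\0').to_string()
}

pub fn vendor_name(sig: &str) -> &'static str {
    match sig {
        "KVMKVMKVM" => "KVM",
        "VMwareVMware" => "VMware",
        "Microsoft Hv" => "Hyper-V",
        "XenVMMXenVMM" => "Xen",
        _ => "unknown",
    }
}

/// Live probe. CPUID is unprivileged, so this needs no special permissions.
#[cfg(target_arch = "x86_64")]
pub fn probe() -> (bool, Option<String>) {
    use core::arch::x86_64::__cpuid;
    let leaf1 = unsafe { __cpuid(1) };
    if !hypervisor_bit(leaf1.ecx) {
        return (false, None);
    }
    let r = unsafe { __cpuid(0x4000_0000) };
    (true, Some(vendor_signature(r.ebx, r.ecx, r.edx)))
}

#[cfg(not(target_arch = "x86_64"))]
pub fn probe() -> (bool, Option<String>) { (false, None) } // no CPUID here

fn main() {
    let (present, sig) = probe();
    println!("hypervisor present: {present}");
    if let Some(s) = sig {
        println!("vendor signature: {s:?} ({})", vendor_name(&s));
    }
}
```

A hypervisor can clear the bit or report any signature it likes, and a physical Windows host with Hyper-V enabled reports `Microsoft Hv`, which is one reason a single indicator should feed a score rather than decide the verdict.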
This project is licensed under the MIT LICENSE.
Contributions are welcome! Please open an issue or submit a pull request on GitHub. Make sure to run make test and make fmt before submitting.