diff --git a/TODO.md b/TODO.md index 83e7ecc..9cbb7eb 100644 --- a/TODO.md +++ b/TODO.md @@ -21,7 +21,6 @@ - [ ] update sourceforge - [ ] rearrange the techniques so that the more likely ones will be executed first - [ ] update the conclusion with the VM type -- [ ] add a description of every vm brand detected in the CLI - [ ] make a hardware scanner module where it'll find for VM strings in all sorts of devices - [ ] add more QEMU techniques - [ ] implement techniques from here https://www.cyberciti.biz/faq/linux-determine-virtualization-technology-command/ diff --git a/src/cli.cpp b/src/cli.cpp index af22ff5..ae8fd47 100644 --- a/src/cli.cpp +++ b/src/cli.cpp 
@@ -595,71 +595,71 @@ std::string vm_description(const std::string& vm_brand) { return ""; } - std::map description_table { + std::map description_table{ { VM::brands::VBOX, "Oracle VirtualBox (formerly Sun VirtualBox, Sun xVM VirtualBox and InnoTek VirtualBox) is a free and commercial hosted hypervisor for x86 and Apple ARM64 virtualization developed by Oracle Corporation initially released in 2007. It supports Intel's VT-x and AMD's AMD-V hardware-assisted virtualization, while providing an extensive feature set as a staple of its flexibility and wide use cases." }, { VM::brands::VMWARE, "VMware is a free and commercial type 2 hypervisor initially released in 1999 and acquired by EMC, then Dell, and finally Broadcom Inc in 2023. It was the first commercially successful company to virtualize the x86 architecture, and has since produced many sub-versions of the hypervisor since its inception. It uses binary translation to re-write the code dynamically for a faster performance." }, - { VM::brands::VMWARE_EXPRESS, "" }, - { VM::brands::VMWARE_ESX, "" }, - { VM::brands::VMWARE_GSX, "discontinued" }, - { VM::brands::VMWARE_WORKSTATION, "" }, - { VM::brands::VMWARE_FUSION, "discontinued on 30 April 2024" }, - { VM::brands::VMWARE_HARD, "" }, + { VM::brands::VMWARE_EXPRESS, "VMware Express (formerly VMware GSX Server Express) was a free entry-level version of VMware's hosted hypervisor for small-scale virtualization. Released in 2003, it offered basic VM management capabilities but lacked advanced features like VMotion. Discontinued in 2006 as VMware shifted focus to enterprise solutions like ESX and vSphere." }, + { VM::brands::VMWARE_ESX, "VMware ESX (Elastic Sky X) was a type 1 bare-metal hypervisor released in 2001 for enterprise environments. It introduced VMFS clustered filesystems and direct hardware access through its service console. 
Deprecated in 2010 in favor of the lighter ESXi architecture, which removed the Linux-based service console for improved security." }, + { VM::brands::VMWARE_GSX, "VMware GSX Server (Ground Storm X) was a commercial type 2 hypervisor (2001-2006) for Windows/Linux hosts, targeting departmental server consolidation. Supported features like VM snapshots and remote management through VI Web Access. Discontinued as VMware transitioned to ESX's bare-metal architecture for better performance in enterprise environments." }, + { VM::brands::VMWARE_WORKSTATION, "VMware Workstation is a commercial type 2 hypervisor for Windows/Linux hosts, first released in 1999. Enables nested virtualization, 4K display support, and DirectX 11/OpenGL 4.1 acceleration. Popular with developers for testing multi-tier configurations and legacy OS compatibility through its Unity view mode." }, + { VM::brands::VMWARE_FUSION, "VMware Fusion was a macOS-hosted hypervisor (2007-2024) that allowed Intel-based Macs to run Windows/Linux VMs with Metal graphics acceleration and Retina display support. Discontinued due to Apple's transition to ARM64 architecture with Apple Silicon chips, which required significant architectural changes incompatible with x86 virtualization." }, + { VM::brands::VMWARE_HARD, "VMware Hardware-Assisted Virtualization refers to optimizations leveraging Intel VT-x/AMD-V CPU extensions in products like ESXi and Workstation. Enhances performance by reducing binary translation overhead for privileged instructions, particularly beneficial for 64-bit guests and Windows Hyper-V enlightened VMs." }, { VM::brands::BHYVE, "bhyve (pronounced \"bee hive\", formerly written as BHyVe for \"BSD hypervisor\") is a free type 2 hosted hypervisor initially written for FreeBSD. It can also be used on a number of illumos based distributions including SmartOS, OpenIndiana, and OmniOS. bhyve has a modern codebase and uses fewer resources compared to its competitors. 
In the case of FreeBSD, the resource management is more efficient." }, { VM::brands::KVM, "KVM is a free and open source module of the Linux kernel released in 2007. It uses hardware virtualization extensions, and has had support for hot swappable vCPUs, dynamic memory management, and Live Migration. It also reduces the impact that memory write-intensive workloads have on the migration process. KVM emulates very little hardware components, and it defers to a higher-level client application such as QEMU." }, { VM::brands::QEMU, "The Quick Emulator (QEMU) is a free and open-source emulator that uses dynamic binary translation to emulate a computer's processor. It translates the emulated binary codes to an equivalent binary format which is executed by the machine. It provides a variety of hardware and device models for the VM, while often being combined with KVM. However, no concrete evidence of KVM was found for this system." }, { VM::brands::QEMU_KVM, "The Quick Emulator (QEMU) is a free and open-source emulator that uses dynamic binary translation to emulate a computer's processor. It translates the emulated binary codes to an equivalent binary format which is executed by the machine. It provides a variety of hardware and device models for the VM, while often being combined with KVM which the library has detected as the case for this system." }, - { VM::brands::KVM_HYPERV, "" }, - { VM::brands::QEMU_KVM_HYPERV, "" }, + { VM::brands::KVM_HYPERV, "KVM-HyperV integration allows Linux KVM hosts to expose Hyper-V-compatible paravirtualization interfaces to Windows guests. Enables performance optimizations like enlightened VMCS (Virtual Machine Control Structure) and TSC (Time Stamp Counter) synchronization, reducing overhead for Windows VMs running on Linux hypervisors." }, + { VM::brands::QEMU_KVM_HYPERV, "QEMU-KVM with Hyper-V extensions combines QEMU's device emulation with Hyper-V's paravirtual clock, synthetic interrupts, and VP index support. 
This configuration optimizes Windows guest performance on Linux hosts by reducing exit latency and improving timer precision through Hyper-V enlightenment interfaces." }, { VM::brands::HYPERV, "Hyper-V is Microsoft's proprietary native hypervisor that can create x86 VMs on Windows. Released in 2008, it supercedes previous virtualization solutions such as Microsoft Virtual Server and Windows VirtualPC. Hyper-V uses partitioning to isolate the guest OSs, and has \"enlightenment\" features for bypassing device emulation layers, allowing for faster execution including when Windows is virtualization on Linux." }, - { VM::brands::HYPERV_VPC, "" }, - { VM::brands::MSXTA, "" }, + { VM::brands::HYPERV_VPC, "Hyper-V Virtual PC compatibility layer maintains support for legacy Virtual PC 2007 configurations, including VHD disk formats and VM additions. Primarily used for migrating older Windows XP/Vista VMs to modern Hyper-V environments while preserving backward compatibility with legacy virtualization tools." }, + { VM::brands::MSXTA, "MSXTA (Microsoft Xen Technology Adaptation) was an experimental project (2005-2007) that integrated Xen hypervisor components with Windows Server. Explored paravirtualization concepts later incorporated into Hyper-V's enlightenments, though never officially released due to architectural differences between Xen's and Microsoft's virtualization approaches." }, { VM::brands::PARALLELS, "Parallels is a hypervisor providing hardware virtualization for Mac computers. It was released in 2006 and is developed by Parallels, a subsidiary of Corel. It is a hardware emulation virtualization software, using hypervisor technology that works by mapping the host computer's hardware resources directly to the VM's resources. Each VM thus operates with virtually all the resources of a physical computer." }, { VM::brands::XEN, "Xen is a free and open-source type 1 hypervisor. 
Originally developed by the University of Cambridge Computer Laboratory and is now being developed by the Linux Foundation with support from Intel, Arm Ltd, Huawei, AWS, Alibaba Cloud, AMD, and more. It runs in a more privileged CPU state than any other software on the machine, except for firmware. It uses GNU GRUB as its bootloader, and then loads a paravirtualized host OS into the host domain (dom0)." }, - { VM::brands::ACRN, "" }, - { VM::brands::QNX, "" }, - { VM::brands::HYBRID, "" }, - { VM::brands::SANDBOXIE, "" }, + { VM::brands::ACRN, "ACRN (Adaptive Cloud Resource Nexus) is Intel's open-source type 1 hypervisor optimized for IoT edge devices. Features hybrid real-time capabilities with split architecture: Service VM handles I/O while User VMs run safety-critical workloads. Supports automotive scenarios like digital clusters and IVI systems on Apollo Lake platforms." }, + { VM::brands::QNX, "QNX Hypervisor is a real-time virtualization platform for embedded systems, enabling concurrent execution of QNX Neutrino RTOS and Linux/Android on ARM/x86. Provides time partitioning with <1μs interrupt latency for automotive systems, certified to ISO 26262 ASIL D safety standards. Used in Audi MIB3 and BMW iDrive systems." }, + { VM::brands::HYBRID, "Hybrid virtualization combines multiple techniques like containers (Docker) and hypervisors (KVM) through projects like Kata Containers. Creates lightweight VMs that behave like containers, offering hardware isolation while maintaining container-like density. Used in cloud-native environments requiring strict security boundaries between workloads." }, + { VM::brands::SANDBOXIE, "Sandboxie is an application sandbox for Windows that redirects file/registry writes to virtualized storage. Acquired by Sophos in 2019 and open-sourced in 2020, it uses kernel-mode drivers (SbieDrv.sys) to isolate processes without full VM overhead. Commonly used for testing untrusted software or browsing securely." 
}, { VM::brands::DOCKER, "Docker is a set of platform as a service (PaaS) products that use OS-level virtualization to deliver software in packages called containers. The service has both free and premium tiers. The software that hosts the containers is called Docker Engine. It's used to automate the deployment of applications in lightweight containers so that applications can work efficiently in different environments in isolation." }, { VM::brands::WINE, "Wine is a free and open-source compatibility layer to allow application software and computer games developed for Microsoft Windows to run on Unix-like operating systems. Developers can compile Windows applications against WineLib to help port them to Unix-like systems. Wine is predominantly written using black-box testing reverse-engineering, to avoid copyright issues. No code emulation or virtualization occurs." }, - { VM::brands::VPC, "" }, - { VM::brands::ANUBIS, "" }, - { VM::brands::JOEBOX, "" }, - { VM::brands::THREATEXPERT, "" }, - { VM::brands::CWSANDBOX, "" }, + { VM::brands::VPC, "Microsoft Virtual PC (2004-2011) was a consumer-focused type 2 hypervisor for running Windows XP/Vista guests. Featured \"Undo Disks\" for rollback capability and host-guest integration components. Discontinued after Windows 7's XP Mode due to Hyper-V's emergence, lacking hardware-assisted virtualization support." }, + { VM::brands::ANUBIS, "Anubis Sandbox is a malware analysis platform that executes suspicious files in instrumented VMs/containers. Tracks API calls, registry changes, and network patterns using kernel drivers and hooking techniques. Generates detailed JSON reports with IOC extraction, used by cybersecurity teams for threat intelligence." }, + { VM::brands::JOEBOX, "Joe Sandbox (formerly JoeBox) is a cloud-based malware analysis solution with Deep Learning classification. Features multi-OS analysis (Windows/Linux/Android), memory forensics, and MITRE ATT&CK mapping. 
Offers hybrid analysis combining static/dynamic techniques with 400+ behavioral indicators for enterprise threat hunting." }, + { VM::brands::THREATEXPERT, "ThreatExpert was an automated malware analysis service (2007-2013) that provided behavioral reports via web API. Pioneered mass-scale analysis with heuristic detection of packers/rootkits. Discontinued as competing services like VirusTotal and Hybrid Analysis adopted similar cloud-based approaches with richer feature sets." }, + { VM::brands::CWSANDBOX, "CWSandbox (Comodo Valkyrie) is a cloud-based threat analysis system using kernel-mode instrumentation. Employs machine learning to detect zero-day exploits through API call sequencing and network pattern analysis. Integrated with Comodo's endpoint protection for automated threat blocking based on sandbox verdicts." }, { VM::brands::COMODO, "Comodo is a proprietary sandbox running an isolated operating environment. Comodo have integrated sandboxing technology directly into the security architecture of Comodo Internet Security to complement and strengthen the Firewall, Defense+ and Antivirus modules of their product line. It features a hybrid of user mode hooks along with a kernel mode driver, preventing any modification to files or registry on the host machine." }, { VM::brands::BOCHS, "Bochs (pronounced \"box\") is a free and open-source portable IA-32 and x86-64 IBM PC compatible emulator and debugger mostly written in C++. Bochs is mostly used for OS development and to run other guest OSs inside already running host OSs, while emulating the hardware needed such as hard drives, CD drives, and floppy drives. It doesn't utilize any host CPU virtualization features, therefore is slower than most virtualization software." }, { VM::brands::NVMM, "NVMM (NetBSD Virtual Machine Monitor) is NetBSD's native hypervisor for NetBSD 9.0. It provides a virtualization API, libnvmm, that can be leveraged by emulators such as QEMU. 
A unique property of NVMM is that the kernel never accesses guest VM memory, only creating it. Intel's Hardware Accelerated Execution Manager (HAXM) provides an alternative solution for acceleration in QEMU for Intel CPUs only, similar to Linux's KVM." }, - { VM::brands::BSD_VMM, "" }, + { VM::brands::BSD_VMM, "BSD VMM is FreeBSD's kernel subsystem powering the bhyve hypervisor. Implements Intel VT-x/AMD-V virtualization with direct device assignment (PCI passthrough). Supports UEFI boot and VirtIO paravirtualized devices, optimized for FreeBSD guests with FreeBSD-specific virtio_net(4) and virtio_blk(4) drivers." }, { VM::brands::INTEL_HAXM, "HAXM is a cross-platform hardware-assisted virtualization engine (hypervisor), widely used as an accelerator for Android Emulator and QEMU. HAXM runs as a kernel-mode driver on the host operating system thereby enabling applications like QEMU to utilize the hardware virtualization capabilities built into modern Intel CPUs, namely Intel Virtualization Technology. The project has been discontinued as of 2023." }, - { VM::brands::UNISYS, "" }, + { VM::brands::UNISYS, "Unisys ClearPath Forward is a mainframe virtualization platform combining custom CMOS/ASIC chips with Intel Xeon processors. Supports secure partitioning (s-PAR) for legacy OS 2200/MCP workloads, offering binary compatibility for 1960s-era Univac applications. Used in government systems requiring EAL4+ certification and air-gapped security." }, { VM::brands::LMHS, "LMHS is Lockheed Martin's native hypervisor. I assume you got this result because you're an employee in the company and you're doing security testing. But if you're not, how the hell did you get this result? Did you steal a US military fighter jet or something? I'm genuinely curious. I really don't expect anybody to have this result frankly but I'll assume it's just a false positive (please create an issue in the repo if it is)." 
}, - { VM::brands::CUCKOO, "" }, + { VM::brands::CUCKOO, "Cuckoo Sandbox is an open-source automated malware analysis system. Executes files in isolated environments (VirtualBox/QEMU) while monitoring API calls, network traffic, and memory changes. Features YARA rule matching and CAPE (Customized Automated Processing Engine) extensions for advanced threat hunting and IOC extraction." }, { VM::brands::BLUESTACKS, "BlueStacks is a chain of cloud-based cross-platform products developed by the San Francisco-based company of the same name. The BlueStacks App Player enables the execution of Android applications on computers running Microsoft Windows or macOS. It functions through an Android emulator referred to as App Player. The basic features of the software are available for free, while advanced features require a paid monthly subscription." }, { VM::brands::JAILHOUSE, "Jailhouse is a free and open source partitioning Hypervisor based on Linux, made by Siemens. It is able to run bare-metal applications or (adapted) operating systems besides Linux. For this purpose, it configures CPU and device virtualization features of the hardware platform in a way that none of these domains, called \"cells\", can interfere with each other in an unacceptable way." }, - { VM::brands::APPLE_VZ, "" }, - { VM::brands::INTEL_KGT, "" }, - { VM::brands::AZURE_HYPERV, "" }, + { VM::brands::APPLE_VZ, "Apple Virtualization.framework (VZ) is a macOS 12+ API for creating ARM64 VMs on Apple Silicon. Provides para-virtualized devices via VirtIO and Rosetta 2 binary translation for x86_64 Linux guests. Used by Lima and UTM to run Linux distributions natively on M1/M2 Macs without traditional hypervisor overhead." }, + { VM::brands::INTEL_KGT, "Intel Kernel Guard Technology (KGT) was a research hypervisor for Windows kernel protection. 
Demonstrated secure enclaves for critical OS components using VT-x/EPT before being superseded by CET (Control-flow Enforcement Technology) and HyperGuard in Windows 10." }, + { VM::brands::AZURE_HYPERV, "Azure Hyper-V is Microsoft's cloud-optimized hypervisor variant powering Azure VMs. Implements Azure-specific virtual devices like NVMe Accelerated Networking and vTPMs. Supports nested virtualization for running Hyper-V/containers within Azure VMs, enabling cloud-based CI/CD pipelines and dev/test environments." }, { VM::brands::NANOVISOR, "NanoVisor is a Hyper-V modification serving as the host OS of Xbox's devices: the Xbox System Software. It contains 2 partitions: the \"Exclusive\" partition is a custom VM for games, while the other partition, called the \"Shared\" partition is a custom VM for running multiple apps including the OS itself. The OS was based on Windows 8 Core at the Xbox One launch in 2013." }, - { VM::brands::SIMPLEVISOR, "" }, + { VM::brands::SIMPLEVISOR, "SimpleVisor is a minimalist Intel VT-x hypervisor by Alex Ionescu for Windows/Linux research. Demonstrates EPT-based memory isolation and hypercall handling. Used to study VM escapes and hypervisor rootkits, with hooks for intercepting CR3 changes and MSR accesses." }, { VM::brands::HYPERV_ARTIFACT, "The result means that the CLI has found Hyper-V, but as an artifact instead of an actual VM. Although the hardware values do in fact match with the brand due to how it's designed by Microsoft, the CLI has determined you are NOT in a Hyper-V VM from our \"Hyper-X\" mechanism which differentiates between an actual Hyper-V and a false Hyper-V VM that left out breadcrumbs in the system, making it seem like it's a real Hyper-V VM." }, - { VM::brands::UML, "" }, - { VM::brands::POWERVM, "" }, - { VM::brands::GCE, "" }, - { VM::brands::OPENSTACK, "" }, - { VM::brands::KUBEVIRT, "KubeVirt is a VM management add-on for Kubernetes. 
It provides a common ground for virtualization solutions on top of Kubernetes by extending its core by adding additional virtualization resource types where the Kubernetes API can be used to manage these VM resources alongside all other resources Kubernetes provides. Its functionality is to provide a runtime in order to define and manage VMs. " }, - { VM::brands::AWS_NITRO, "" }, - { VM::brands::PODMAN, "" }, + { VM::brands::UML, "User-Mode Linux (UML) allows running Linux kernels as user-space processes using ptrace-based virtualization. Primarily used for kernel debugging and network namespace testing. Offers lightweight isolation without hardware acceleration, but requires host/guest kernel version matching for stable operation." }, + { VM::brands::POWERVM, "IBM PowerVM is a type 1 hypervisor for POWER9/10 systems, supporting Live Partition Mobility and Shared Processor Pools. Implements VIOS (Virtual I/O Server) for storage/networking virtualization, enabling concurrent AIX, IBM i, and Linux workloads with RAS features like predictive failure analysis." }, + { VM::brands::GCE, "Google Compute Engine (GCE) utilizes KVM-based virtualization with custom Titanium security chips for hardware root of trust. Features live migration during host maintenance and shielded VMs with UEFI secure boot. Underpins Google Cloud's Confidential Computing offering using AMD SEV-SNP memory encryption." }, + { VM::brands::OPENSTACK, "OpenStack is an open-source cloud OS managing compute (Nova), networking (Neutron), and storage (Cinder) resources. Supports multiple hypervisors (KVM/Xen/Hyper-V) through driver plugins. Widely used in private clouds with features like Heat orchestration and Octavia load balancing." }, + { VM::brands::KUBEVIRT, "KubeVirt is a VM management add-on for Kubernetes. 
It provides a common ground for virtualization solutions on top of Kubernetes by extending its core by adding additional virtualization resource types where the Kubernetes API can be used to manage these VM resources alongside all other resources Kubernetes provides. Its functionality is to provide a runtime in order to define and manage VMs." }, + { VM::brands::AWS_NITRO, "AWS Nitro is Amazon's hypervisor for EC2, offloading network/storage to dedicated Nitro Cards. Uses Firecracker microVMs for Lambda/Fargate serverless compute. Provides bare-metal instance types (i3en.metal) with 3x better EBS throughput compared to traditional Xen-based instances." }, + { VM::brands::PODMAN, "Podman is a daemonless container engine by Red Hat using Linux namespaces/cgroups. Supports rootless containers and Docker-compatible CLI syntax. Integrates with systemd for service management and Quadlet for declarative container definitions. Part of the Podman Desktop suite for Kubernetes development." }, { VM::brands::WSL, "Windows Subsystem for Linux (WSL) is a feature of Microsoft Windows that allows for using a Linux environment without the need for a separate VM or dual booting. WSL requires fewer resources (CPU, memory, and storage) than a full virtual machine (a common alternative for using Linux in Windows), while also allowing the use of both Windows and Linux tools on the same set of files." }, - { VM::brands::OPENVZ, "" }, - { VM::brands::BAREVISOR, "" }, - { VM::brands::HYPERPLATFORM, "" }, - { VM::brands::MINIVISOR, "" }, - { VM::brands::INTEL_TDX, "" }, - { VM::brands::LKVM, "" }, - { VM::brands::AMD_SEV, "" }, - { VM::brands::AMD_SEV_ES, "" }, - { VM::brands::AMD_SEV_SNP, "" }, - { VM::brands::NULL_BRAND, "" } + { VM::brands::OPENVZ, "OpenVZ is a container-based virtualization for Linux using kernel-level isolation. Provides checkpointing and live migration through ploop storage. 
Requires matching host/guest kernel versions, largely superseded by LXC/LXD due to Docker's popularity and kernel namespace flexibility." }, + { VM::brands::BAREVISOR, "BareVisor is a research-focused type 1 hypervisor emphasizing minimal TCB (Trusted Computing Base). Supports x86/ARM with <10K LoC for secure enclave experiments. Used in academia to study TEEs (Trusted Execution Environments) and hypervisor-based intrusion detection systems." }, + { VM::brands::HYPERPLATFORM, "HyperPlatform is an Intel VT-x research hypervisor for Windows kernel introspection. Provides APIs for EPT hooking and MSR filtering. Used to develop anti-cheat systems and kernel exploit detectors by monitoring CR3 switches and exception handling." }, + { VM::brands::MINIVISOR, "MiniVisor is a lightweight ARM hypervisor for Cortex-A/R real-time systems. Implements secure world isolation for TrustZone applications, providing memory protection and interrupt virtualization. Used in automotive ECUs and industrial PLCs requiring mixed-criticality workloads." }, + { VM::brands::INTEL_TDX, "Intel TDX (Trust Domain Extensions) enhances VM confidentiality in cloud environments. Encrypts VM memory and registers using MKTME (Multi-Key Total Memory Encryption), isolating \"trust domains\" from hypervisors. Part of Intel's vPro platform for confidential computing on Xeon Scalable processors." }, + { VM::brands::LKVM, "LKVM (Linux Kernel Virtual Machine) is a minimal KVM frontend for Linux kernel testing. Provides CLI tools like `lkvm run` for quick VM creation with built-in 9pfs support. Used alongside QEMU for rapid boot testing and kernel panic debugging." }, + { VM::brands::AMD_SEV, "AMD Secure Encrypted Virtualization (SEV) encrypts VM memory with EPYC processor-based AES keys. Isolates guests from hypervisors using ASIDs (Address Space Identifiers), protecting against physical attacks and malicious cloud providers. Supported in Linux/KVM via libvirt SEV options." 
}, + { VM::brands::AMD_SEV_ES, "AMD SEV-Encrypted State (SEV-ES) extends SEV by encrypting CPU register states during VM exits. Prevents hypervisors from inspecting guest register contents, mitigating attacks using VMRUN/VMEXIT timing side channels. Requires guest OS modifications for secure interrupt handling." }, + { VM::brands::AMD_SEV_SNP, "AMD SEV-Secure Nested Paging (SEV-SNP) adds memory integrity protection to SEV-ES. Uses reverse map tables (RMP) to prevent hypervisor-mediated replay/spoofing attacks. Enables attested launch for cloud workloads via guest policy certificates and AMD's Key Distribution Service (KDS)." }, + { VM::brands::NULL_BRAND, "Indicates no detectable virtualization brand. This result may occur on bare-metal systems, unsupported/obscure hypervisors, or when anti-detection techniques (e.g., VM escaping) are employed by the guest environment." } }; std::map::const_iterator it = description_table.find(vm_brand);
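Review bot: The added description strings in the src/cli.cpp hunk state many unsourced specifics that the CLI will print as fact, for example "<1μs interrupt latency" (QNX), "3x better EBS throughput" (AWS_NITRO), "400+ behavioral indicators" (JOEBOX) and acronym expansions such as "Microsoft Xen Technology Adaptation" (MSXTA) and "Adaptive Cloud Resource Nexus" (ACRN). Please link a source for each in the PR or cut the text back to what can be verified. Three entries need a closer look. NULL_BRAND gives "VM escaping" as an example of an anti-detection technique, but a VM escape is a guest breaking out to the host, not a way of hiding a hypervisor; suggest "anti-detection techniques (e.g., VM hardening)" or dropping the example. HYBRID is described as combined container/hypervisor virtualization (Kata Containers), yet it sits directly before SANDBOXIE and the THREATEXPERT string in this same hunk names "Hybrid Analysis" as a malware analysis service, so confirm which product VM::brands::HYBRID stands for. VMWARE_FUSION previously read "discontinued on 30 April 2024" and now adds a cause (Apple's ARM64 transition) that the old text did not state. Smaller points: the "μ" in the QNX string is non-ASCII and the backticks around lkvm run in the LKVM string are Markdown, neither of which is guaranteed to render in a terminal; the new entries use sentence fragments ("Enables nested virtualization ...") where the existing ones use full sentences; and the description_table { to description_table{ whitespace change is unrelated to the descriptions.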