CPUID Hypervisor Vendor String
Reading the 12-byte vendor signature returned by CPUID leaf 0x40000000 to identify the specific hypervisor a sample is running under.
While the CPUID "hypervisor present" bit (leaf 1, ECX bit 31) only tells malware
that it is virtualized, leaf 0x40000000 tells it which hypervisor. Cooperative
hypervisors, those that advertise themselves to the guest, return a 12-character
vendor signature in EBX, ECX and EDX, letting a sample tailor its evasion to VMware,
KVM, Hyper-V or VirtualBox. This is more discriminating than the present bit alone
and is used both to bail out of analysis VMs and to fingerprint cloud sandboxes.
How it works
CPUID with EAX=0x40000000 returns the highest hypervisor leaf implemented in EAX and
the hypervisor's vendor identification in EBX, ECX and EDX, read in that order with
the first character in the low byte of EBX. Common signatures include VMwareVMware,
KVMKVMKVM (nine characters, NUL-padded to twelve), Microsoft Hv (Hyper-V),
VBoxVBoxVBox, XenVMMXenVMM and prl hyperv (Parallels). Two caveats apply: the leaf is
entirely under the hypervisor's control and can be set to anything, and Microsoft Hv
also appears on physical Windows machines where Hyper-V, WSL2 or virtualization-based
security is enabled, because the host OS itself then runs as a partition under the
hypervisor.
#include <intrin.h>
#include <string.h>

// Read leaf 0x40000000 and return 1 if a targeted hypervisor is identified.
static int known_hypervisor(void)
{
    int regs[4];
    char vendor[13] = {0};
    __cpuid(regs, 0x40000000);          // EAX=0x40000000; ECX is ignored
    memcpy(vendor + 0, &regs[1], 4);    // EBX
    memcpy(vendor + 4, &regs[2], 4);    // ECX
    memcpy(vendor + 8, &regs[3], 4);    // EDX
    // KVM's signature is nine characters followed by NULs, so strcmp
    // against the unpadded string is the right comparison.
    if (strcmp(vendor, "VMwareVMware") == 0 ||
        strcmp(vendor, "KVMKVMKVM") == 0) {
        // Specific hypervisor identified — evade.
        return 1;
    }
    return 0;
}
On bare metal the leaf is unimplemented and typically returns zeros, so a non-empty, printable signature is itself a tell. Checking the hypervisor-present bit first avoids misreading whatever an out-of-range leaf happens to return on a given processor.
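The following is an added, compiler-portable version of the check above; it is example code written for this page, not the sample's or any vendor's code. It gates on the hypervisor-present bit first, separates the CPUID call from the decoding so the decoder can be exercised with captured register values, compares all 12 bytes so the NUL-padded KVM string is handled, and applies the "printable but unrecognised" tell from the text. The vendor table extends the page's list with QEMU's TCG signature; Parallels is left out because its raw register contents are not a plain 12-byte literal. The MSVC/GCC intrinsic names are real; everything else (function names, the `known_vendors` table) is this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(_MSC_VER)
#include <intrin.h>
#elif defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* Execute CPUID for one leaf. GCC's __get_cpuid() is deliberately avoided:
 * it refuses leaves above the maximum basic leaf and so never reaches
 * 0x40000000. On a non-x86 build the leaf reads as all zeros. */
static cpuid_regs cpuid_leaf(uint32_t leaf) {
    cpuid_regs r = {0, 0, 0, 0};
#if defined(_MSC_VER)
    int out[4];
    __cpuid(out, (int)leaf);
    r.eax = (uint32_t)out[0]; r.ebx = (uint32_t)out[1];
    r.ecx = (uint32_t)out[2]; r.edx = (uint32_t)out[3];
#elif defined(__x86_64__) || defined(__i386__)
    __cpuid(leaf, r.eax, r.ebx, r.ecx, r.edx);
#else
    (void)leaf;
#endif
    return r;
}

/* Leaf 1, ECX bit 31: the architectural "hypervisor present" bit. */
static int hypervisor_present(void) {
    return (int)((cpuid_leaf(1).ecx >> 31) & 1u);
}

/* Pack four ASCII bytes into a dword the way CPUID hands them back
 * (first character in the least significant byte). Used for test vectors. */
static uint32_t pack_le(const char s[4]) {
    return (uint32_t)(unsigned char)s[0]
         | (uint32_t)(unsigned char)s[1] << 8
         | (uint32_t)(unsigned char)s[2] << 16
         | (uint32_t)(unsigned char)s[3] << 24;
}

/* Unpack EBX:ECX:EDX into a NUL-terminated 12-byte signature. Done byte by
 * byte instead of memcpy so the result does not depend on host endianness. */
static void decode_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t words[3] = { ebx, ecx, edx };
    for (int w = 0; w < 3; w++)
        for (int b = 0; b < 4; b++)
            out[w * 4 + b] = (char)((words[w] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Signatures from the page plus QEMU's TCG string (example table). KVM's is
 * nine characters padded with NULs, so comparisons cover all 12 bytes. */
static const struct { const char *sig; const char *name; } known_vendors[] = {
    { "VMwareVMware",    "VMware" },
    { "KVMKVMKVM\0\0\0", "KVM" },
    { "Microsoft Hv",    "Hyper-V" },
    { "VBoxVBoxVBox",    "VirtualBox" },
    { "XenVMMXenVMM",    "Xen" },
    { "TCGTCGTCGTCG",    "QEMU TCG" },
};

/* Map a decoded signature to a vendor name, or NULL if unrecognised. */
static const char *classify_vendor(const char sig[12]) {
    for (size_t i = 0; i < sizeof known_vendors / sizeof known_vendors[0]; i++)
        if (memcmp(sig, known_vendors[i].sig, 12) == 0)
            return known_vendors[i].name;
    return NULL;
}

/* The bare-metal tell from the text: all zeros means no cooperative
 * hypervisor; printable ASCII (optionally NUL-padded) looks cooperative. */
static int signature_is_printable(const char sig[12]) {
    int seen_text = 0;
    for (int i = 0; i < 12; i++) {
        unsigned char c = (unsigned char)sig[i];
        if (c == 0) continue;
        if (c < 0x20 || c > 0x7e) return 0;
        seen_text = 1;
    }
    return seen_text;
}

int main(void) {
    char sig[13];
    if (!hypervisor_present()) {
        puts("hypervisor-present bit clear: leaf 0x40000000 is not meaningful here");
        return 0;
    }
    cpuid_regs hv = cpuid_leaf(0x40000000u);
    decode_signature(hv.ebx, hv.ecx, hv.edx, sig);
    const char *name = classify_vendor(sig);
    printf("max hypervisor leaf 0x%08x, signature \"%s\" -> %s\n", hv.eax, sig,
           name ? name : (signature_is_printable(sig) ? "unknown hypervisor" : "none"));
    return 0;
}
```

Run it inside a VM and on a physical Windows box with Hyper-V enabled to see the Microsoft Hv caveat first-hand; the decoder and classifier can also be fed register values captured from a trace of a sample.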
Detection & analysis
- Static analysis: search for the constant 0x40000000 loaded into a register before a cpuid (as mov eax, imm32 this is the byte sequence B8 00 00 00 40), and for embedded vendor strings such as VMwareVMware or KVMKVMKVM. The string literals are a high-confidence indicator; the immediate on its own is weaker, since a sample can compute the leaf number arithmetically or load it through another register.
- Dynamic analysis: trap cpuid (via VT-x exiting or an emulator hook) and return a blank, bare-metal signature for leaf 0x40000000. VMware and VirtualBox expose configuration options to spoof or clear the leaf.
- Detection rule hint: YARA-match any of the known 12-byte hypervisor signatures, or the immediate 0x40000000 adjacent to a cpuid opcode (0F A2); in tracing, log every cpuid executed with EAX=0x40000000.
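As an added example of the static-analysis side (written for this page, not taken from any scanner or rule set), the scanner below runs over a byte buffer and counts the two indicators named above: embedded 12-byte vendor signatures, and a mov eax, 0x40000000 followed by the cpuid opcode 0F A2 within a short window, so register clearing between the two does not break the match. The two sample buffers are constructed for the example and are not real binaries; the function and constant names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Known cooperative-hypervisor signatures, compared over all 12 bytes so the
 * NUL-padded KVM string is found too. */
static const char *const hv_signatures[] = {
    "VMwareVMware", "KVMKVMKVM\0\0\0", "Microsoft Hv",
    "VBoxVBoxVBox", "XenVMMXenVMM",
};
#define HV_SIGNATURE_COUNT (sizeof hv_signatures / sizeof hv_signatures[0])

/* mov eax, 0x40000000 is B8 followed by the little-endian immediate;
 * cpuid is 0F A2. Other encodings of the load are not covered here. */
static const uint8_t MOV_EAX_HV_LEAF[5] = { 0xB8, 0x00, 0x00, 0x00, 0x40 };
static const uint8_t CPUID_OPCODE[2]   = { 0x0F, 0xA2 };

typedef struct {
    size_t signature_hits; /* embedded vendor strings found */
    size_t cpuid_hits;     /* mov eax,0x40000000 followed by cpuid in the window */
} scan_result;

/* Count embedded vendor strings anywhere in the buffer. */
static size_t count_signature_hits(const uint8_t *buf, size_t len) {
    size_t hits = 0;
    for (size_t i = 0; i + 12 <= len; i++)
        for (size_t s = 0; s < HV_SIGNATURE_COUNT; s++)
            if (memcmp(buf + i, hv_signatures[s], 12) == 0) hits++;
    return hits;
}

/* Count mov eax,0x40000000 instructions followed by cpuid within `window`
 * bytes. The window tolerates the xor ecx,ecx style clearing that often
 * sits between the load and the instruction. */
static size_t count_cpuid_hits(const uint8_t *buf, size_t len, size_t window) {
    size_t hits = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (memcmp(buf + i, MOV_EAX_HV_LEAF, 5) != 0) continue;
        size_t start = i + 5, stop = start + window;
        if (stop > len) stop = len;
        for (size_t j = start; j + 2 <= stop; j++) {
            if (memcmp(buf + j, CPUID_OPCODE, 2) == 0) { hits++; break; }
        }
    }
    return hits;
}

static scan_result scan_for_hv_fingerprinting(const uint8_t *buf, size_t len, size_t window) {
    scan_result r;
    r.signature_hits = count_signature_hits(buf, len);
    r.cpuid_hits = count_cpuid_hits(buf, len, window);
    return r;
}

/* Constructed suspicious sample: loads the leaf, clears ECX, executes cpuid,
 * then carries a comparison string. Not a real binary. */
static const uint8_t SAMPLE_SUSPICIOUS[] = {
    0x55,                         /* push rbp (filler) */
    0xB8, 0x00, 0x00, 0x00, 0x40, /* mov eax, 0x40000000 */
    0x31, 0xC9,                   /* xor ecx, ecx */
    0x0F, 0xA2,                   /* cpuid */
    0x5D, 0xC3,                   /* pop rbp; ret */
    'V','M','w','a','r','e','V','M','w','a','r','e', 0x00,
};

/* Constructed benign sample: queries leaf 1 (the generic feature leaf) and
 * carries no vendor string, so neither indicator should fire. */
static const uint8_t SAMPLE_BENIGN[] = {
    0xB8, 0x01, 0x00, 0x00, 0x00, /* mov eax, 1 */
    0x0F, 0xA2,                   /* cpuid */
    0xC3,                         /* ret */
};

int main(void) {
    scan_result s = scan_for_hv_fingerprinting(SAMPLE_SUSPICIOUS, sizeof SAMPLE_SUSPICIOUS, 16);
    scan_result b = scan_for_hv_fingerprinting(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, 16);
    printf("suspicious: %zu signature(s), %zu leaf-0x40000000 cpuid sequence(s)\n",
           s.signature_hits, s.cpuid_hits);
    printf("benign:     %zu signature(s), %zu leaf-0x40000000 cpuid sequence(s)\n",
           b.signature_hits, b.cpuid_hits);
    return 0;
}
```

The window size is the tuning knob: too small and the xor between load and cpuid hides the sequence, too large and unrelated 0F A2 byte pairs in data start to match. A YARA rule expressing the same two indicators is the natural production form of this logic.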