A Lilu plug-in modeled after ECEnabler and RestrictEvents which resolves _sysctl__children to get the sysctl_oid_list for hv_vmm_present in the kern node, allowing VMHide to reroute it to a custom function: vmh_sysctl_vmm_present which selectively returns VMM presence value depending on a filtered list of known processes to hide from, including but not limited to sysctl and the Kernel itself.
This kernel extension was developed specifically for macOS 15 Sequoia but has been tested from Sonoma (although not required) to Sequoia (15.2) with the intention of fixing a side effect of the following new implementation for Xcode/Hypervisor.framework macOS guests on M-Series hardware supporting limited iCloud support, which can be seen in Apple's Developer Documentation as well.
-
Hides VMM presence from various Apple ID related processes, sysctl, and the kernel.
-
Utilizes Carnation's first ProjectExtension Log2Disk to provide easy bug reporting.
-
Source code contains a visible list that can easily be updated and PR'd to add more.
To use VMHide, you must be using the latest version of Lilu (atleast 1.6.9+ required) to properly load the plug-in.
VMHide has a few set of possible states it can be set to. By default, simply dropping the Kernel Extension in your kext folder and updating config.plist with ProperTree, will automatically hide VMM status if you are on a virtual machine. To specifically set the state for debugging and contributors testing code you can add a boot argument with the following options:
vmhState - Accepts the intended state of action.
enabled-> Force hiding VMM Status. Bypasses actual VM requirement during initial boot.disabled-> Force enabling VMM Status. On non-hypervisors, force spoofing as one.strict-> Force VMM status 0 on all processes, regardless of Filter.
If you find that you're running into issues that must be reported, or wish to contribute to the list of processes that should not be VM-aware, you can use Log2Disk's support to write a local log file with information from VMHide written to easily read within macOS and for sharing the log.
Please note that at the time of writing this information, the inclusion of L2D has not been made public, and the following boot arguments will not do anything. This information exists for future usage and as a placeholder.
l2dEnable - One way switch, having this argument enables Log2Disk.
l2dLogLevel - Set the Log2Disk verbosity level.
error-> Only log ERROR messages to disk.warning-> Only log WARNING messages to disk.info-> Only log INFO messages to disk.all-> Log all messages, even simple ones.
Example boot-args for Developers/Contributors (This is not required to use VMHide)
-l2dEnable vmhState=enabled l2dLogLevel=allIf you have any changes or improvements you'd like to contribute for review and merge, to update conventional mistakes or for QoL, as well as maybe even adding whole new features, you can follow the general outline below to get a local copy of the source building.
-
Install/Update
Xcode- Visit https://xcodereleases.com/ for your appropriate latest version.
-
Prepare source code
git clone https://github.com/Carnations-Botanica/VMHide.gitcd VMHidegit clone https://github.com/acidanthera/MacKernelSDK- Get the latest
DEBUGLilu.kext from Releases and place in the root of the repo. Example required placement is below.- VMHide/VMHide.xcodeproj <- Xcode Project file.
- VMHide/VMHide/ <- Project Contents.
- VMHide/MacKernelSDK <-
gitcloned from a Terminal. - VMHide/Lilu.kext <- Actual .kext file here.
- VMHide/README.md <- How you can tell you're in the root.
-
Launch
.xcodeprojwith Xcode to begin!kern_start.cpp- Contains functions such asvmh_sysctl_vmm_present.kern_start.hpp- Header for Main, sets up various macros and globals and the VMH class.
1Revenger1 - Took the time to explain how to develop kernel extensions from scratch, continues to provide ways to improve the source code of VMHide including the upgrade to using onPatcherLoadForce! They have been credited as a contributor with the Initial Commit.
Zormeister - Example code for onPatcherLoadForce, as well as introducing a new check for ensuring Kernel is R/W at the time of redirection of the original handler for VMM.
Lilu - The patching engine that makes this kernel extension possible.
MacKernelSDK - An amazing SDK used to standardize the usage of various kernel APIs across multiple versions of OS X / macOS. Makes this kernel extension possible.
ECEnabler - Served as the basis for the very first attempts building for macOS 15 and testing ideas in removed test CI commits.
RestrictEvents - SoftwareUpdate Header file was used to learn and understand how to interact with _sysctl__children. There is header code taken directly from RestrictEvents, such as Macros for the mapping of the oid list. All appropriate credit is intended to be given to whoever worked on that!
