1.8 release

kernelwernel · kernelwernel · commit 4011a00ceb4e · 2024-08-18T05:37:47.000+01:00
diff --git a/docs/documentation.md b/docs/documentation.md
@@ -203,6 +203,12 @@ This will essentially return the VM brand as a `std::string`. The exact possible
 - `Hyper-V artifact (not an actual VM)`
 - `User-mode Linux`
 - `IBM PowerVM`
+- `Google Compute Engine (KVM)`
+- `OpenStack (KVM)`
+- `KubeVirt (KVM)`
+- `AWS Nitro System (KVM-based)`
+- `Podman`
+- `WSL`
 
 If none were detected, it will return `Unknown`. It's often NOT going to produce a satisfying result due to technical difficulties with accomplishing this, on top of being highly dependent on what mechanisms detected a VM. This is especially true for VMware sub-versions (ESX, GSX, Fusion, etc...) Don't rely on this function for critical operations as if it's your golden bullet. It's arguably unreliable and it'll most likely return `Unknown` (assuming it is actually running under a VM).
 
diff --git a/src/cli.cpp b/src/cli.cpp
@@ -247,6 +247,13 @@ SimpleVisor
 Hyper-V artifact (not an actual VM)
 User-mode Linux
 IBM PowerVM
+Google Compute Engine (KVM)
+OpenStack (KVM)
+KubeVirt (KVM)
+AWS Nitro System (KVM-based)
+Podman
+WSL
+OpenVZ
 )";
 
     std::exit(0);
@@ -274,6 +281,11 @@ std::string type(const std::string &brand_str) {
         { "Intel HAXM", "Hypervisor (type 1)" },
         { "Intel KGT (Trusty)", "Hypervisor (type 1)" },
         { "SimpleVisor", "Hypervisor (type 1)" },
+        { "Google Compute Engine (KVM)", "Hypervisor (type 1)" },
+        { "OpenStack (KVM)", "Hypervisor (type 1)" },
+        { "KubeVirt (KVM)", "Hypervisor (type 1)" },
+        { "IBM PowerVM", "Hypervisor (type 1)" },
+        { "AWS Nitro System EC2 (KVM-based)", "Hypervisor (type 1)" },
 
         // type 2
         { "VirtualBox", "Hypervisor (type 2)" },
@@ -307,11 +319,15 @@ std::string type(const std::string &brand_str) {
         { "Jailhouse", "Partitioning Hypervisor" },
         { "Unisys s-Par", "Partitioning Hypervisor" },
         { "Docker", "Container" },
+        { "Podman", "Container" },
+        { "OpenVZ", "Container" },
         { "Microsoft Virtual PC/Hyper-V", "Hypervisor (either type 1 or 2)" },
         { "Lockheed Martin LMHS", "Hypervisor (unknown type)" },
         { "Wine", "Compatibility layer" },
         { "Apple VZ", "Unknown" },
-        { "Hyper-V artifact (not an actual VM)", "No VM" }
+        { "Hyper-V artifact (not an actual VM)", "No VM" },
+        { "User-mode Linux", "Paravirtualised" },
+        { "WSL", "Hybrid Hyper-V (type 1 and 2)" }, // debatable tbh
     };
 
     auto it = type_table.find(brand_str);
@@ -365,7 +381,8 @@ bool is_spoofable(const VM::enum_flags flag) {
         case VM::BLUESTACKS_FOLDERS: 
         case VM::EVENT_LOGS: 
         case VM::KMSG: 
-        case VM::XEN_PROC: return true;
+        case VM::VM_PROCS: 
+        case VM::PODMAN_FILE: return true;
         default: return false;
     }
 }
@@ -564,7 +581,7 @@ void general() {
     checker(VM::HYPERVISOR_DIR, "Hypervisor directory (Linux)");
     checker(VM::UML_CPU, "User-mode Linux CPU");
     checker(VM::KMSG, "/dev/kmsg hypervisor message");
-    checker(VM::XEN_PROC, "/proc/xen");
+    checker(VM::VM_PROCS, "various VM files in /proc");
     checker(VM::VBOX_MODULE, "VBox kernel module");
     checker(VM::SYSINFO_PROC, "/proc/sysinfo");
     checker(VM::DEVICE_TREE, "/proc/device-tree");
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
@@ -417,7 +417,7 @@ struct VM {
         HYPERVISOR_DIR,
         UML_CPU,
         KMSG,
-        XEN_PROC,
+        VM_PROCS,
         VBOX_MODULE,
         SYSINFO_PROC,
         DEVICE_TREE,
@@ -547,9 +547,10 @@ struct VM {
     static constexpr const char* GCE = "Google Compute Engine (KVM)";
     static constexpr const char* OPENSTACK = "OpenStack (KVM)";
     static constexpr const char* KUBEVIRT = "KubeVirt (KVM)";
-    static constexpr const char* AWS_NITRO = "AWS Nitro System (KVM-based)";
+    static constexpr const char* AWS_NITRO = "AWS Nitro System EC2 (KVM-based)";
     static constexpr const char* PODMAN = "Podman";
     static constexpr const char* WSL = "WSL";
+    static constexpr const char* OPENVZ = "OpenVZ";
 
     static flagset global_flags; // for certain techniques where the flags MUST be accessible
 
@@ -648,12 +649,13 @@ struct VM {
 
         // check Intel
         [[nodiscard]] static bool is_intel() {
-            constexpr u32 intel_ecx = 0x6c65746e;
+            constexpr u32 intel_ecx1 = 0x6c65746e; // "ntel"
+            constexpr u32 intel_ecx2 = 0x6c65746f; // "otel", this is because some Intel CPUs have a rare manufacturer string of "GenuineIotel"
 
             u32 unused, ecx = 0;
             cpuid(unused, unused, ecx, unused, 0);
 
-            return (ecx == intel_ecx);
+            return ((ecx == intel_ecx1) || (ecx == intel_ecx2));
         }
 
         // check for POSSIBILITY of hyperthreading, I don't think there's a 
@@ -8829,18 +8831,22 @@ struct VM {
      * @note idea from https://github.com/ShellCode33/VM-Detection/blob/master/vmdetect/linux.go
      * @category Linux
      */
-    [[nodiscard]] static bool xen_proc() try {
+    [[nodiscard]] static bool vm_procs() try {
 #if (!LINUX)
         return false;
 #else
         if (util::exists("/proc/xen")) {
             return core::add(XEN);
         }
 
+        if (util::exists("/proc/vz")) {
+            return core::add(OPENVZ);
+        }
+
         return false;
 #endif
     } catch (...) {
-        debug("XEN_PROC: caught error, returned false");
+        debug("VM_PROCS: caught error, returned false");
         return false;
     }
 
@@ -8990,7 +8996,13 @@ struct VM {
 
                 if (std::regex_search(content, std::regex(vm_string.first))) {
                     debug("DMI_SCAN: content = ", content);
-                    return core::add(vm_string.second);
+                    if (std::strcmp(vm_string.second, AWS_NITRO) == 0) {
+                        if (smbios_vm_bit()) {
+                            return core::add(AWS_NITRO);
+                        }
+                    } else {
+                        return core::add(vm_string.second);
+                    }
                 }
             }
         }
@@ -10063,7 +10075,8 @@ std::map<const char*, VM::brand_score_t> VM::core::brand_scoreboard{
     { VM::KUBEVIRT, 0 },
     { VM::AWS_NITRO, 0 },
     { VM::PODMAN, 0 },
-    { VM::WSL, 0 }
+    { VM::WSL, 0 },
+    { VM::OPENVZ, 0 }
 };
 
 
@@ -10261,7 +10274,7 @@ const std::map<VM::enum_flags, VM::core::technique> VM::core::technique_table =
     { VM::HYPERVISOR_DIR, { 20, VM::hypervisor_dir, false } },
     { VM::UML_CPU, { 80, VM::uml_cpu, false } },
     { VM::KMSG, { 10, VM::kmsg, true } },
-    { VM::XEN_PROC, { 20, VM::xen_proc, true } },
+    { VM::VM_PROCS, { 20, VM::vm_procs, true } },
     { VM::VBOX_MODULE, { 15, VM::vbox_module, false } },
     { VM::SYSINFO_PROC, { 15, VM::sysinfo_proc, false } },
     { VM::DEVICE_TREE, { 20, VM::device_tree, false } },
