Merge pull request #139 from kernelwernel/dev

Dev

Author: kernelwernel

TODO.md

@@ -44,6 +44,7 @@
 - [ ] test the VM::modify_score() function
 - [ ] check if bios date in /sys/class/dmi/id/ could be useful under QEMU
 - [ ] make the cli demo in the readme for the 1.8 version
+- [ ] fix the percentage thing for the disabled techniques
 
 # Distant plans
 - add the library to conan.io when released

src/cli.cpp

@@ -48,7 +48,7 @@ constexpr const char* date = "August 2024";
 
 constexpr const char* bold = "\033[1m";
 constexpr const char* ansi_exit = "\x1B[0m";
-constexpr const char* red = "\x1B[38;2;239;75;75m";
+constexpr const char* red = "\x1B[38;2;239;75;75m"; 
 constexpr const char* orange = "\x1B[38;2;255;180;5m";
 constexpr const char* green = "\x1B[38;2;94;214;114m";
 constexpr const char* red_orange = "\x1B[38;2;247;127;40m";
@@ -58,6 +58,7 @@ constexpr const char* grey = "\x1B[38;2;108;108;108m";
 enum arg_enum : std::uint8_t {
     HELP,
     VERSION,
+    ALL,
     DETECT,
     STDOUT,
     BRAND,
@@ -66,7 +67,6 @@ enum arg_enum : std::uint8_t {
     CONCLUSION,
     NUMBER,
     TYPE,
-    HYPERV, // will be removed in the next release
     NOTES,
     SPOOFABLE,
     NULL_ARG
@@ -120,6 +120,7 @@ R"(Usage:
 Options:
  -h | --help        prints this help menu
  -v | --version     print cli version and other details
+ -a | --all         run the result with ALL the techniques enabled (might contain false positives)
  -d | --detect      returns the result as a boolean (1 = VM, 0 = baremetal)
  -s | --stdout      returns either 0 or 1 to STDOUT without any text output (0 = VM, 1 = baremetal)
  -b | --brand       returns the VM brand string (consult documentation for full output list)
@@ -335,6 +336,10 @@ std::string type(const std::string &brand_str) {
 }
 
 bool is_spoofable(const VM::enum_flags flag) {
+    if (arg_bitset.test(ALL)) {
+        return false;
+    }
+
     switch (flag) {
         case VM::MAC:
         case VM::DOCKERENV:
@@ -418,12 +423,28 @@ bool are_perms_required(const VM::enum_flags flag) {
 #endif
 }
 
+
+bool is_disabled(const VM::enum_flags flag) {
+    if (arg_bitset.test(ALL)) {
+        return false;
+    }
+
+    switch (flag) {
+        case VM::RDTSC:
+        case VM::RDTSC_VMEXIT:
+        case VM::CURSOR: return true;
+        default: return false;
+    }
+}
+
+
 void general() {
     const std::string detected = ("[  " + std::string(green) + "DETECTED" + std::string(ansi_exit) + "  ]");
     const std::string not_detected = ("[" + std::string(red) + "NOT DETECTED" + std::string(ansi_exit) + "]");
     const std::string spoofable = ("[" + std::string(red) + " SPOOFABLE " + std::string(ansi_exit) + "]");
     const std::string note = ("[    NOTE    ]");               
     const std::string no_perms = ("[" + std::string(grey) + "  NO PERMS  " + std::string(ansi_exit) + "]");
+    const std::string disabled = ("[" + std::string(grey) + "  DISABLED  " + std::string(ansi_exit) + "]");
     const std::string tip = (std::string(green) + "TIP: " + std::string(ansi_exit));
 
     auto checker = [&](const VM::enum_flags flag, const char* message) -> void {
@@ -441,6 +462,11 @@ void general() {
         }
 #endif
 
+        if (is_disabled(flag)) {
+            std::cout << disabled << " Skipped " << message << "\n";
+            return;
+        }
+
         if (VM::check(flag)) {
             std::cout << detected << " Checking " << message << "...\n";
             detected_count++;
@@ -493,7 +519,7 @@ void general() {
     checker(VM::DLL, "DLLs");
     checker(VM::REGISTRY, "registry");
     checker(VM::CWSANDBOX_VM, "Sunbelt CWSandbox directory");
-    checker(VM::WINE_CHECK, "Wine");
+    //checker(VM::WINE_CHECK, "Wine");
     checker(VM::VM_FILES, "VM files");
     checker(VM::HWMODEL, "hw.model");
     checker(VM::DISK_SIZE, "disk size");
@@ -504,7 +530,7 @@ void general() {
     checker(VM::MEMORY, "low memory space");
     checker(VM::VM_PROCESSES, "VM processes");
     checker(VM::LINUX_USER_HOST, "default Linux user/host");
-    checker(VM::VBOX_WINDOW_CLASS, "VBox window class");
+    //checker(VM::VBOX_WINDOW_CLASS, "VBox window class");
     checker(VM::GAMARUE, "gamarue ransomware technique");
     checker(VM::VMID_0X4, "0x4 leaf of VMID");
     checker(VM::PARALLELS_VM, "Parallels techniques");
@@ -695,9 +721,10 @@ int main(int argc, char* argv[]) {
         std::exit(0);
     } 
 
-    static constexpr std::array<std::pair<const char*, arg_enum>, 23> table {{
+    static constexpr std::array<std::pair<const char*, arg_enum>, 24> table {{
         { "-h", HELP },
         { "-v", VERSION },
+        { "-a", ALL },
         { "-d", DETECT },
         { "-s", STDOUT },
         { "-b", BRAND },
@@ -708,6 +735,7 @@ int main(int argc, char* argv[]) {
         { "-t", TYPE },
         { "--help", HELP },
         { "--version", VERSION },
+        { "--all", ALL },
         { "--detect", DETECT },
         { "--stdout", STDOUT },
         { "--brand", BRAND },
@@ -716,7 +744,6 @@ int main(int argc, char* argv[]) {
         { "--brand-list", BRAND_LIST },
         { "--number", NUMBER },
         { "--type", TYPE },
-        { "--disable-hyperv-host", HYPERV },
         { "--disable-notes", NOTES },
         { "--spoofable", SPOOFABLE }
     }};
@@ -782,15 +809,17 @@ int main(int argc, char* argv[]) {
         auto settings = [&]() -> std::bitset<max_bits> {
             std::bitset<max_bits> setting_bits;
 
-            if (arg_bitset.test(HYPERV)) {
-                std::cerr << "--disable-hyperv-host has been deprecated, the determination of whether it's a host Hyper-V or VM Hyper-V is now done automatically";
-                return 1;
+            if (arg_bitset.test(SPOOFABLE)) {
+                setting_bits.set(VM::SPOOFABLE);
             }
 
-            if (arg_bitset.test(SPOOFABLE)) {
+            if (arg_bitset.test(ALL)) {
+                setting_bits |= VM::ALL;
                 setting_bits.set(VM::SPOOFABLE);
             }
 
+            setting_bits.set(NULL_ARG);
+
             return setting_bits;
         };
 

src/vmaware.hpp

@@ -49,7 +49,6 @@
  * }
  */
 
-
 #if (defined(_MSC_VER) || defined(_WIN32) || defined(_WIN64) || defined(__MINGW32__))
 #define MSVC 1
 #define LINUX 0
@@ -1036,12 +1035,16 @@ struct VM {
             return vec;
         }
 
-        // basically checks whether all the techniques were cached (with exception of VM::CURSOR)
+        // basically checks whether all the techniques were cached (with exception of techniques disabled by default)
         static bool all_present() {
             if (cache_table.size() == technique_count) {
                 return true;
-            } else if (cache_table.size() == static_cast<std::size_t>(technique_count) - 1) {
-                return (!cache_keys.test(CURSOR));
+            } else if (cache_table.size() == static_cast<std::size_t>(technique_count) - 3) {
+                return (
+                    !cache_keys.test(CURSOR) &&
+                    !cache_keys.test(RDTSC_VMEXIT) &&
+                    !cache_keys.test(RDTSC)
+                );
             }
 
             return false;
@@ -1682,13 +1685,22 @@ struct VM {
 
             core_debug("HYPER_X: eax = ", eax);
 
-            if (eax == 12) {
+            const bool is_eax_valid = ((eax == 11) || (eax == 12));
+
+            const std::array<std::string, 2> cpu = cpu::cpu_manufacturer(cpu::leaf::hypervisor);
+
+            const bool is_cpu_hyperv = (
+                (cpu.at(0) == "Microsoft Hv") ||
+                (cpu.at(1) == "Microsoft Hv")
+            );
+    
+            if (is_eax_valid || is_cpu_hyperv) {
                 // SMBIOS check
-                const std::string p = SMBIOS_string();
+                const std::string smbios = SMBIOS_string();
 
-                core_debug("HYPER_X: SMBIOS string = ", p);
+                core_debug("HYPER_X: SMBIOS string = ", smbios);
 
-                if (p == "VIRTUAL MACHINE") {
+                if (smbios == "VIRTUAL MACHINE") {
                     return add(false);
                 }
 
@@ -1707,19 +1719,19 @@ struct VM {
                 std::wstring logName = L"Microsoft-Windows-Kernel-PnP/Configuration";
                 std::vector<std::wstring> searchStrings = { L"Virtual_Machine", L"VMBUS" };
 
-                const bool found = util::query_event_logs(logName, searchStrings);
+                const bool event_log = util::query_event_logs(logName, searchStrings);
 
-                if (found) {
+                if (event_log) {
                     return add(false);
                 }
 
 
                 // at this point, it's fair to assume it's Hyper-V artifacts on 
                 // host since none of the "VM-only" techniques returned true
                 return add(true);
-            } else if (eax == 11) {
+            //} else if () {
                 // actual Hyper-V VM, might do something within this scope in the future idk
-                return add(false);
+                //return add(false);
             } else {
                 return add(false);
             }
@@ -3013,6 +3025,7 @@ struct VM {
      * @category Windows
      */
     [[nodiscard]] static bool cursor_check() try {
+        return true;
 #if (!MSVC)
         return false;
 #else
@@ -4408,23 +4421,42 @@ struct VM {
         if (intel) {
             // technique 1: not a valid brand 
             if (brand == "              Intel(R) Pentium(R) 4 CPU        ") {
+                debug("BOCHS_CPU: technique 1 found");
                 return core::add(BOCHS);
             }
         } else if (amd) {
             // technique 2: "processor" should have a capital P
             if (brand == "AMD Athlon(tm) processor") {
+                debug("BOCHS_CPU: technique 2 found");
                 return core::add(BOCHS);
             }
 
             // technique 3: Check for absence of AMD easter egg for K7 and K8 CPUs
-            // note: QEMU may also have this but i'm not sure
+            /*
             u32 unused, eax = 0;
             cpu::cpuid(eax, unused, unused, unused, 1);
 
             constexpr u8 AMD_K7 = 6;
             constexpr u8 AMD_K8 = 15;
 
-            const u32 family = ((eax >> 8) & 0xF);
+            auto is_k7 = [](const u32 eax) -> bool {
+                const u32 family = (eax >> 8) & 0xF;
+                const u32 model = (eax >> 4) & 0xF;
+                const u32 extended_family = (eax >> 20) & 0xFF;
+                const u32 extended_model = (eax >> 16) & 0xF;
+
+                if (family == 6 && extended_family == 0) {
+                    if (model == 1 || model == 2 || model == 3 || model == 4) {
+                        return true;
+                    }
+                }
+
+                return false;
+            };
+
+            auto is_k8 = [](const u32 eax) -> bool {
+                // TODO
+            };
 
             if (family != AMD_K7 && family != AMD_K8) {
                 return false;
@@ -4434,8 +4466,10 @@ struct VM {
             cpu::cpuid(unused, unused, ecx_bochs, unused, cpu::leaf::amd_easter_egg);
 
             if (ecx_bochs == 0) {
+                debug("BOCHS_CPU: technique 3 found");
                 return core::add(BOCHS);
             }
+            */
         }
 
         return false;
@@ -5445,7 +5479,7 @@ struct VM {
      * @note code documentation paper in /papers/www.offensivecomputing.net_vm.pdf
      */
     [[nodiscard]] static bool offsec_sgdt() try {
-#if (!MSVC || !x86)
+#if (!MSVC || !x86 || GCC)
         return false;
 #elif (x86_32)
         unsigned char m[6]{};