style: updated architecture clauses

Author: Requiem

src/vmaware.hpp

@@ -4169,9 +4169,7 @@ struct VM {
      * @implements VM::TIMER
      */
     [[nodiscard]] static bool timer() {
-    #if (ARM || !x86)
-        return false;
-    #else
+    #if (x86)
         if (util::is_running_under_translator()) {
             debug("TIMER: Running inside a binary translation layer");
             return false;
@@ -4182,9 +4180,9 @@ struct VM {
         }
 
     #if (WINDOWS)
-        const HANDLE th = GetCurrentThread();
+        const HANDLE hCurrentThread = reinterpret_cast<HANDLE>(-2LL);
         const DWORD_PTR wantedMask = (DWORD_PTR)1;
-        const DWORD_PTR prevMask = SetThreadAffinityMask(th, wantedMask);
+        const DWORD_PTR prevMask = SetThreadAffinityMask(hCurrentThread, wantedMask);
     #endif 
 
         // Case A - Hypervisor without RDTSC patch
@@ -4342,16 +4340,16 @@ struct VM {
             debug("TIMER: RDTSC -> ", firstRatio, ", QIT -> ", secondRatio, ", Ratio: ", difference);
 
             if (prevMask != 0) {
-                SetThreadAffinityMask(th, prevMask);
+                SetThreadAffinityMask(hCurrentThread, prevMask);
             }
 
             if (difference > 10) {
                 return true; // both ratios will always differ if a RDTSC trap is present, since the hypervisor can't account for the XOR/NOP loop
             }
             // TLB flushes or side channel cache attacks are not even tried due to how ineffective they are against stealthy hypervisors
         #endif
-        return false;
     #endif
+        return false;
     }
 
 #if (LINUX)
@@ -5368,7 +5366,7 @@ struct VM {
      * @implements VM::SIDT
      */
     [[nodiscard]] static bool sidt() {
-    #if (LINUX && (GCC || CLANG))
+    #if (LINUX && (GCC || CLANG) && x86)
         u8 values[10] = { 0 };
 
         fflush(stdout);
@@ -5398,15 +5396,15 @@ struct VM {
         #else
                 return false;
         #endif
-    #elif (WINDOWS)
+    #elif (WINDOWS && x86)
         SYSTEM_INFO si;
         GetNativeSystemInfo(&si);
-
         DWORD_PTR originalMask = 0;
+        const HANDLE hCurrentThread = reinterpret_cast<HANDLE>(-2LL);
 
         for (DWORD i = 0; i < si.dwNumberOfProcessors; ++i) {
             const DWORD_PTR mask = (DWORD_PTR)1 << i;
-            const DWORD_PTR previousMask = SetThreadAffinityMask(GetCurrentThread(), mask);
+            const DWORD_PTR previousMask = SetThreadAffinityMask(hCurrentThread, mask);
 
             if (previousMask == 0) {
                 continue;
@@ -5449,14 +5447,14 @@ struct VM {
                 debug("SIDT: VPC/Hyper-V signature detected on core %u", i);
 
                 if (originalMask != 0) {
-                    SetThreadAffinityMask(GetCurrentThread(), originalMask);
+                    SetThreadAffinityMask(hCurrentThread, originalMask);
                 }
                 return core::add(brands::VPC);
             }
         }
 
         if (originalMask != 0) {
-            SetThreadAffinityMask(GetCurrentThread(), originalMask);
+            SetThreadAffinityMask(hCurrentThread, originalMask);
         }
 
         return false;
@@ -5493,7 +5491,9 @@ struct VM {
      * @implements VM::GENERAL_HOSTNAME
      */
     [[nodiscard]] static bool general_hostname() {
-        std::string hostname = util::get_hostname();
+        const std::string hostname = util::get_hostname();
+
+        debug("GENERAL_HOSTNAME: ", hostname);
 
         auto cmp = [&](const char* str2) -> bool {
             return (hostname == str2);
@@ -6314,7 +6314,7 @@ struct VM {
 
 #if (LINUX || APPLE)
     /**
-     * @brief Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings (nowadays physical CPUs should have at least 4 threads for modern CPUs
+     * @brief Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings, nowadays physical CPUs should have at least 4 threads for modern CPUs
      * @category x86 (ARM might have very low thread counts, which is why it should be only for x86)
      * @implements VM::THREAD_COUNT
      */
@@ -6649,7 +6649,6 @@ struct VM {
         #if (_WIN32_WINNT < _WIN32_WINNT_WIN8)
             return false;
         #else
-
             __try {
                 BOOL isNativeVhdBoot = 0;
                 // we dont call NtQuerySystemInformation with SystemPrefetchPathInformation | SystemHandleInformation
@@ -6844,8 +6843,8 @@ struct VM {
      * @implements VM::VPC_INVALID
      */
     [[nodiscard]] static bool vpc_invalid() {
-    #if (x86_32 && !CLANG)
         bool rc = false;
+    #if (x86_32 && !CLANG)
 
         auto IsInsideVPC_exceptionFilter = [](PEXCEPTION_POINTERS ep) -> DWORD {
             PCONTEXT ctx = ep->ContextRecord;
@@ -6883,11 +6882,8 @@ struct VM {
         __except (IsInsideVPC_exceptionFilter(GetExceptionInformation())) {
             rc = false;
         }
-
-        return rc;
-    #else
-        return false;
     #endif
+        return rc;
     }
 
 
@@ -6902,12 +6898,12 @@ struct VM {
     #if (x86)
         SYSTEM_INFO si;
         GetNativeSystemInfo(&si);
-
         DWORD_PTR originalMask = 0;
+        const HANDLE hCurrentThread = reinterpret_cast<HANDLE>(-2LL);
 
         for (DWORD i = 0; i < si.dwNumberOfProcessors; ++i) {
             const DWORD_PTR mask = (DWORD_PTR)1 << i;
-            const DWORD_PTR previousMask = SetThreadAffinityMask(GetCurrentThread(), mask);
+            const DWORD_PTR previousMask = SetThreadAffinityMask(hCurrentThread, mask);
 
             if (previousMask == 0) {
                 continue;
@@ -6956,7 +6952,7 @@ struct VM {
         }
 
         if (originalMask != 0) {
-            SetThreadAffinityMask(GetCurrentThread(), originalMask);
+            SetThreadAffinityMask(hCurrentThread, originalMask);
         }
     #endif
         return found;
@@ -6972,16 +6968,17 @@ struct VM {
      * @implements VM::SLDT
      */
     [[nodiscard]] static bool sldt() {
+        bool found = false;
     #if (x86_32)
         SYSTEM_INFO si;
         GetNativeSystemInfo(&si);
-        const DWORD_PTR origMask = SetThreadAffinityMask(GetCurrentThread(), 1);
-        SetThreadAffinityMask(GetCurrentThread(), origMask);
+        const HANDLE hCurrentThread = reinterpret_cast<HANDLE>(-2LL);
+        const DWORD_PTR origMask = SetThreadAffinityMask(hCurrentThread, 1);
+        SetThreadAffinityMask(hCurrentThread, origMask);
 
-        bool found = false;
         for (DWORD i = 0; i < si.dwNumberOfProcessors; ++i) {
             const DWORD_PTR mask = (DWORD_PTR)1 << i;
-            if (SetThreadAffinityMask(GetCurrentThread(), mask) == 0)
+            if (SetThreadAffinityMask(hCurrentThread, mask) == 0)
                 continue;
 
             u8 ldtr_buf[4] = { 0xEF, 0xBE, 0xAD, 0xDE };
@@ -7013,11 +7010,9 @@ struct VM {
                 break;
         }
 
-        SetThreadAffinityMask(GetCurrentThread(), origMask);
-        return found;
-    #else
-        return false;
+        SetThreadAffinityMask(hCurrentThread, origMask);
     #endif
+        return found;
     }
 
 
@@ -7028,9 +7023,7 @@ struct VM {
      * @implements VM::SMSW
      */
     [[nodiscard]] static bool smsw() {
-    #if (!x86_64)
-        return false;
-    #elif (x86_32)
+    #if (x86_32)
         u32 reax = 0;
 
         __asm
@@ -7066,9 +7059,11 @@ struct VM {
         if ((tr & 0xFF) == 0x00 && ((tr >> 8) & 0xFF) == 0x40) {
             return core::add(brands::VMWARE);
         }
-    #endif
 
         return false;
+    #else
+        return false;
+    #endif
     }
 
 
@@ -7080,13 +7075,13 @@ struct VM {
      * @implements VM::VMWARE_BACKDOOR
      */
     [[nodiscard]] static bool vmware_backdoor() {
+        bool is_vm = false;
     #if (x86_32 && !CLANG)
         u32 a = 0;
         u32 b = 0;
 
         constexpr std::array<i16, 2> ioports = { { 'VX' , 'VY' } };
         i16 ioport;
-        bool is_vm = false;
 
         for (u8 i = 0; i < ioports.size(); ++i) {
             ioport = ioports[i];
@@ -7121,18 +7116,15 @@ struct VM {
 
         if (is_vm) {
             switch (b) {
-            case 1:  return core::add(brands::VMWARE_EXPRESS);
-            case 2:  return core::add(brands::VMWARE_ESX);
-            case 3:  return core::add(brands::VMWARE_GSX);
-            case 4:  return core::add(brands::VMWARE_WORKSTATION);
-            default: return core::add(brands::VMWARE);
+                case 1:  return core::add(brands::VMWARE_EXPRESS);
+                case 2:  return core::add(brands::VMWARE_ESX);
+                case 3:  return core::add(brands::VMWARE_GSX);
+                case 4:  return core::add(brands::VMWARE_WORKSTATION);
+                default: return core::add(brands::VMWARE);
             }
         }
-
-        return false;
-    #else
-        return false;
     #endif
+        return is_vm;
     }
 
 
@@ -8485,9 +8477,9 @@ struct VM {
 
         CONTEXT origCtx{};
         origCtx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
-        const HANDLE thrHandle = GetCurrentThread(); 
+        const HANDLE hCurrentThread = reinterpret_cast<HANDLE>(-2LL);
 
-        if (!NT_SUCCESS(pNtGetContextThread(thrHandle, &origCtx))) {
+        if (!NT_SUCCESS(pNtGetContextThread(hCurrentThread, &origCtx))) {
             PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
             pNtFreeVirtualMemory(hCurrentProcess, &freeBase, &freeSize, MEM_RELEASE);
             return false;
@@ -8499,8 +8491,8 @@ struct VM {
         dbgCtx.Dr0 = baseAddr + 11; // single step breakpoint address
         dbgCtx.Dr7 = 1;             // enable local breakpoint 0
 
-        if (!NT_SUCCESS(pNtSetContextThread(thrHandle, &dbgCtx))) {
-            pNtSetContextThread(thrHandle, &origCtx);
+        if (!NT_SUCCESS(pNtSetContextThread(hCurrentThread, &dbgCtx))) {
+            pNtSetContextThread(hCurrentThread, &origCtx);
             PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
             pNtFreeVirtualMemory(hCurrentProcess, &freeBase, &freeSize, MEM_RELEASE);
             return false;
@@ -8540,11 +8532,10 @@ struct VM {
             }
         }
 
-        pNtSetContextThread(thrHandle, &origCtx);
+        pNtSetContextThread(hCurrentThread, &origCtx);
 
         PVOID freeBase = execMem; SIZE_T freeSize = trampSize;
         pNtFreeVirtualMemory(hCurrentProcess, &freeBase, &freeSize, MEM_RELEASE);
-
     #endif
         return hypervisorCaught;
     }
@@ -8556,8 +8547,6 @@ struct VM {
      * @implements VM::UD
      */
     [[nodiscard]] static bool ud() {
-        bool saw_ud = false;
-
     #if (x86)
         // ud2; ret
         constexpr u8 ud_opcodes[] = { 0x0F, 0x0B, 0xC3 };
@@ -8571,9 +8560,10 @@ struct VM {
         constexpr u8 ud_opcodes[] = { 0x00, 0x00, 0x40, 0xD4, 0xC0, 0x03, 0x5F, 0xD6 };
     #else
         // architecture not supported by this check
-        return saw_ud;
+        return false;
     #endif
 
+        bool saw_ud = false;
         const HMODULE ntdll = util::get_ntdll();
         if (!ntdll) return false;
 
@@ -9384,6 +9374,7 @@ struct VM {
      * @implements VM::CPU_HEURISTIC
      */
     [[nodiscard]] static bool cpu_heuristic() {
+        bool spoofed = false;
     #if (x86)
         if (util::is_running_under_translator()) {
             debug("CPU_HEURISTIC: Running inside a binary translation layer");
@@ -9507,7 +9498,6 @@ struct VM {
             return false; // Zhaoxin? VIA/Centaur?
         }
 
-        bool spoofed = false;
         bool proceed = true;
         bool exception = false;
 
@@ -9640,11 +9630,8 @@ struct VM {
             pNtFreeVirtualMemory(hCurrentProcess, &freeBase, &freeSize, MEM_RELEASE);
             amd_target_mem = nullptr;
         }
-
-        return spoofed;
-    #else
-        return false;
     #endif
+        return spoofed;
     }