perf: improved is_hardened() speed by using a new cache mechanism

Author: Requiem

TODO.md

@@ -1,24 +1,20 @@
-- [ ] add C++20 concepts for the VM::add_custom() function
-- [ ] add c++20 module support 
 - [ ] upload the lib to dnf 
 - [ ] upload the lib to apt 
-- [ ] make a man file in markdown for the cli tool
 - [ ] implement techniques from here https://stackoverflow.com/questions/43026032/detect-running-on-virtual-machine
 - [ ] check if bios date in /sys/class/dmi/id/ could be useful under QEMU
-- [ ] add a .so, .dll, and .dylib shared object files in the release 
 - [ ] /sys/class/dmi/id/product_name check this in qemu
-- [ ] fix "dmidecode not found" error
 - [ ] implement techniques from here https://www.cyberciti.biz/faq/linux-determine-virtualization-technology-command/
 - [ ] implement techniques from virt-what
-- implement empty /sys/class dirs:
-    - iommu
-    - power_supply
-- check for presence of /dev/virtio-ports dir
-- replace all thread mismatch techniques to C style arrays
-
+- [ ] implement empty /sys/class dirs:
+    - [ ] iommu
+    - [ ] power_supply
+- [ ] check for presence of /dev/virtio-ports dir
+- [ ] add the library to conan.io 
+- [ ] add a reliable ci/cd for the debug binary
+- [ ] add an extra faq on ignoring false negatives and virtual devices on host 
+- [ ] research 86box and pcem detection vectors 
 
 # Distant plans
-- add the library to conan.io when released
 - add a python version of the library (or any other lang for that matter)
 - add a GUI version of the lib
 - add a rust version of the lib

docs/documentation.md

@@ -10,8 +10,8 @@
 - [`VM::conclusion()`](#vmconclusion)
 - [`VM::detected_count()`](#vmdetected_count)
 - [`VM::is_hardened()`](#vmis_hardened)
-- [`(advanced) VM::flag_to_string()`](#vmflag_to_string)
-- [`(advanced) VM::detected_enums()`](#vmdetected_enums)
+- [`(Advanced) VM::flag_to_string()`](#advanced-vmflag_to_string)
+- [`(Advanced) VM::detected_enums()`](#advanced-vmdetected_enums)
 - [vmaware struct](#vmaware-struct)
 - [Notes and overall things to avoid](#notes-and-overall-things-to-avoid)
 - [Flag table](#flag-table)
@@ -25,7 +25,7 @@
 
 ## `VM::detect()`
 
-This is basically the main function you're looking for, which returns a bool. If no parameter is provided, all the recommended checks will be performed. But you can optionally set what techniques are used.
+This is basically the main function you're looking for, which returns a bool. If no parameter is provided, all the recommended checks will be performed. But you can optionally set which techniques are used.
 
 ```cpp
 #include "vmaware.hpp"
@@ -46,10 +46,9 @@ int main() {
 
     /**
      * All checks are performed including techniques that are
-     * disabled by default for a viariety of reasons. There are
-     * around 5 technique that are disabled. If you want all 
-     * techniques for the sake of completeness, then you can use
-     * this flag but remember that there may be potential 
+     * disabled by default for a viariety of reasons. If you 
+     * want all techniques for the sake of completeness, then 
+     * you can use this flag but remember that there may be potential 
      * performance bottlenecks and an increase in false positives.
      */ 
     bool is_vm3 = VM::detect(VM::ALL);
@@ -99,7 +98,7 @@ int main() {
 <br>
 
 ## `VM::percentage()`
-This will return a `std::uint8_t` between 0 and 100. It'll return the certainty of whether it has detected a VM based on all the techniques available as a percentage. The lower the value, the less chance it's a VM. The higher the value, the more likely it is. 
+This will return a `std::uint8_t` between 0 and 100. It'll return the certainty of whether it has detected a VM based on all the techniques available as a percentage.
 
 ```cpp
 #include "vmaware.hpp"
@@ -118,8 +117,8 @@ int main() {
         std::cout << "Unsure if it's a VM\n";
     }
 
-    // converted to std::uint32_t for console character encoding reasons
-    std::cout << "percentage: " << static_cast<std::uint32_t>(percent) << "%\n"; 
+    // converted to int for console character encoding reasons
+    std::cout << "percentage: " << static_cast<int>(percent) << "%\n"; 
 
     return 0;
 }
@@ -322,22 +321,18 @@ This will detect whether the environment has any hardening indications as a `boo
 
 Internally, this function works by analysing which combination of techniques are expected to be detected together. If a certain combination rule is mismatched, it indicates some kind of tampering of the system which assumes some sort of VM hardening.
 
-
-> [!WARNING]
-> This function should **NOT** be depended on for critical code. This is still a beta feature that hasn't been widely stress-tested as of 2.5.0. It works more as a heuristic assumption rather than a concrete guarantee.
+Similiary to `VM::brand()`, do not rely on this function for critical operations. This is meant to be a heuristic assumption rather than a concrete guarantee.
 
 
 ```cpp
 #include "vmaware.hpp"
 #include <iostream>
 
 int main() {
-    if (VM::detect()) {
-        if (VM::is_hardened()) {
-            std::cout << "Potential hardening detected" << "\n";
-        } else {
-            std::cout << "Unsure if hardened" << "\n";
-        }
+    if (VM::is_hardened()) {
+        std::cout << "Potential hardening detected" << "\n";
+    } else {
+        std::cout << "Unsure if hardened" << "\n";
     }
 
     return 0;
@@ -346,8 +341,13 @@ int main() {
 
 <br>
 
-## `VM::flag_to_string()`
+## (Advanced) `VM::flag_to_string()`
+
+<details>
+<summary>Show</summary>
+
 This will take a technique flag enum as an argument and return the string version of it. For example:
+
 ```cpp
 #include "vmaware.hpp"
 #include <iostream>
@@ -362,7 +362,7 @@ int main() {
 }
 ```
 
-The reason why this exists is because it can be useful for debugging purposes. It should be noted that the "VM::" part is not included in the string output, so that's based on the programmer's choice if it should remain in the string or not. The example given above is obviously useless since the whole code can be manually handwritten, but the function is especially convenient if it's being used with [`VM::technique_vector`](#variables). For example:
+The reason why this exists is because it can be useful for debugging and infodumping purposes. It should be noted that the "VM::" part is not included in the string output, so that's based on the programmer's choice if it should remain in the string or not. The example given above is obviously useless since the whole code can be manually handwritten, but the function is especially convenient if it's being used with [`VM::technique_vector`](#variables). For example:
 
 ```cpp
 #include "vmaware.hpp"
@@ -382,9 +382,15 @@ int main() {
 }
 ```
 
+</details>
+
 <br>
 
-## `VM::detected_enums()`
+## (Advanced) `VM::detected_enums()`
+
+<details>
+<summary>Show</summary>
+
 This is a function that will return a vector of all the technique flags that were detected as running in a VM. The return type is `std::vector<VM::enum_flags>`, and it's designed to give a more programmatic overview of the result. 
 
 ```cpp
@@ -402,6 +408,8 @@ int main() {
 }
 ```
 
+</details>
+
 <br>
 
 # vmaware struct
@@ -583,7 +591,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::DBVM` | Check if Dark Byte's VM is present | 🪟 | 150% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9518) |
 | `VM::BOOT_LOGO` | Check boot logo for known VM images | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9637) |
 | `VM::MAC_SYS` | Check for VM-strings in system profiler commands for MacOS | 🍏 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L7363) |
-| `VM::OBJECTS` | Check for any signs of VMs in Windows kernel object entities | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9740) |
+| `VM::KERNEL_OBJECTS` | Check for any signs of VMs in Windows kernel object entities | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9740) |
 | `VM::NVRAM` | Check for known NVRAM signatures that are present on virtual firmware | 🪟 | 100% | Admin |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L9926) |
 | `VM::SMBIOS_INTEGRITY` | Check if SMBIOS is malformed/corrupted in a way that is typical for VMs | 🪟 | 50% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L10357) |
 | `VM::EDID` | Check for non-standard EDID configurations | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L10368) |

src/cli.cpp

@@ -805,7 +805,7 @@ static void general(
     checker(VM::DBVM, "Dark Byte's hypervisor");
     checker(VM::BOOT_LOGO, "boot logo");
     checker(VM::MAC_SYS, "system profiler");
-    checker(VM::OBJECTS, "kernel objects");
+    checker(VM::KERNEL_OBJECTS, "kernel objects");
     checker(VM::NVRAM, "NVRAM");
     checker(VM::SMBIOS_INTEGRITY, "SMBIOS integrity");
     checker(VM::EDID, "EDID");

src/vmaware.hpp

@@ -60,7 +60,7 @@
  * - struct for internal core components       => line 11205
  * - start of VM detection technique list      => line 4251
  * - start of public VM detection functions    => line 11551
- * - start of externally defined variables     => line 12534
+ * - start of externally defined variables     => line 12544
  *
  *
  * ============================== EXAMPLE ===================================
@@ -576,7 +576,7 @@ struct VM {
         UD,
         BLOCKSTEP,
         DBVM,
-        OBJECTS,
+        KERNEL_OBJECTS,
         NVRAM,
         SMBIOS_INTEGRITY,
         EDID,
@@ -9740,9 +9740,9 @@ struct VM {
     /**
      * @brief Check for any signs of VMs in Windows kernel object entities 
      * @category Windows
-     * @implements VM::OBJECTS
+     * @implements VM::KERNEL_OBJECTS
      */
-    [[nodiscard]] static bool objects() {
+    [[nodiscard]] static bool kernel_objects() {
         struct OBJECT_DIRECTORY_INFORMATION {
             UNICODE_STRING Name;
             UNICODE_STRING TypeName;
@@ -9907,12 +9907,12 @@ struct VM {
             // "VmGenerationCounter" and "VmGid" are created by the Hyper-V VM Bus provider
             if (objectName == L"VmGenerationCounter") {
                 pNtClose(hDir);
-                debug("OBJECTS: Detected VmGenerationCounter");
+                debug("KERNEL_OBJECTS: Detected VmGenerationCounter");
                 return core::add(brands::HYPERV);
             }
             if (objectName == L"VmGid") {
                 pNtClose(hDir);
-                debug("OBJECTS: Detected VmGid");
+                debug("KERNEL_OBJECTS: Detected VmGid");
                 return core::add(brands::HYPERV);
             }
         }
@@ -11910,13 +11910,21 @@ struct VM {
 
         u16 threshold = 150;
 
-        // if high threshold is set, the points 
+        // if high threshold is set, the bar
         // will be 300. If not, leave it as 150
         if (core::is_enabled(flags, HIGH_THRESHOLD)) {
             threshold = high_threshold_score;
         }
 
-        return (points >= threshold);
+        if (points >= threshold) {
+            return true;
+        }
+
+        // this is added as a last ditch attempt to detect a VM, 
+        // because if there are indications of hardening then logically 
+        // it should in fact be a VM. It's doubtful if this can actually 
+        // return true, but it's better than nothing
+        return (is_hardened());
     }
 
 
@@ -12114,7 +12122,7 @@ struct VM {
             case DBVM: return "DBVM";
             case BOOT_LOGO: return "BOOT_LOGO";
             case MAC_SYS: return "MAC_SYS";
-            case OBJECTS: return "OBJECTS";
+            case KERNEL_OBJECTS: return "KERNEL_OBJECTS";
             case NVRAM: return "NVRAM";
             case SMBIOS_INTEGRITY: return "SMBIOS_INTEGRITY";
             case EDID: return "EDID";
@@ -12726,7 +12734,7 @@ std::array<VM::core::technique, VM::enum_size + 1> VM::core::technique_table = [
             {VM::DRIVERS, {100, VM::drivers}},
             {VM::DEVICE_HANDLES, {100, VM::device_handles}},
             {VM::VIRTUAL_PROCESSORS, {100, VM::virtual_processors}},
-            {VM::OBJECTS, {100, VM::objects}},
+            {VM::KERNEL_OBJECTS, {100, VM::kernel_objects}},
             {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}},
             {VM::AUDIO, {25, VM::audio}},
             {VM::DISPLAY, {25, VM::display}},