Merge pull request #351 from dmfrpro/phantom

Phantom

Author: NotRequiem

docs/documentation.md

@@ -516,6 +516,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::DRIVER_NAMES` | Check for VM-specific names for drivers | 🪟 | 100% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7426) |
 | `VM::DISK_SERIAL` | Check for serial numbers of virtual disks | 🪟 | 100% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7581) |
 | `VM::PORT_CONNECTORS` | Check for physical connection ports | 🪟 | 25% |  |  |  | This technique is known to false flag on devices like Surface Pro | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7700) |
+| `VM::IVSHMEM` | Check for IVSHMEM device absense | 🪟 | 100% |  |  |  |  |
 | `VM::GPU_CAPABILITIES` | Check for GPU capabilities related to VMs | 🪟 | 100% | Admin |  |  | Admin only needed for some heuristics | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7785) |
 | `VM::GPU_VM_STRINGS` | Check for specific GPU string signatures related to VMs | 🪟 | 100% |  |  |  | If GPU_CAPABILITIES also flags, the score will have 50 added instead of 100 | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7730) |
 | `VM::VM_DEVICES` | Check for VM-specific devices | 🪟 | 50% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L7848) |
@@ -617,6 +618,7 @@ This is the table of all the brands the lib supports.
 | NoirVisor | `brands::NOIRVISOR` | Hypervisor (type 1) |  |
 | Qihoo 360 Sandbox | `brands::QIHOO` | Sandbox |  |
 | nsjail | `brands::NSJAIL` | Process isolator |  |
+| Hypervisor-Phantom | `brands::HYPERVISOR_PHANTOM` | Sandbox | See the [repository](https://github.com/Scrut1ny/Hypervisor-Phantom) |
 
 <br>
 

src/cli.cpp

@@ -276,6 +276,7 @@ Neko Project II
 NoirVisor
 Qihoo 360 Sandbox
 nsjail
+Hypervisor-Phantom
 )";
 
     std::exit(0);
@@ -449,6 +450,7 @@ bool is_unsupported(VM::enum_flags flag) {
             case VM::DRIVER_NAMES:
             case VM::DISK_SERIAL:
             case VM::PORT_CONNECTORS:
+            case VM::IVSHMEM:
             case VM::GPU_VM_STRINGS:
             case VM::GPU_CAPABILITIES:
             case VM::PROCESSOR_NUMBER:
@@ -652,6 +654,7 @@ std::string vm_description(const std::string& vm_brand) {
         { brands::NOIRVISOR, "NoirVisor is a hardware-accelerated hypervisor with support to complex functions and purposes. It is designed to support processors based on x86 architecture with hardware-accelerated virtualization feature. For example, Intel processors supporting Intel VT-x or AMD processors supporting AMD-V meet the requirement. It was made by Zero-Tang." },
         { brands::QIHOO, "360 sandbox is a part of 360 Total Security. Similar to other sandbox software, it provides a virtualized environment where potentially malicious or untrusted programs can run without affecting the actual system. Qihoo 360 Sandbox is commonly used for testing unknown applications, analyzing malware behavior, and protecting users from zero-day threats." },
         { brands::NSJAIL, "nsjail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel. It can be used for isolating networking services, CTF challenges, and containing invasive syscall-level OS fuzzers." },
+        { brands::HYPERVISOR_PHANTOM, "Hypervisor-Phantom is an automated setup solution designed to evade detection from advanced malware, enabling thorough analysis. It employs a highly customized version of QEMU/KVM, EDK2, and the Linux Kernel. This also spoofs many unique hypervisor identifiers, effectively disguising the environment. This setup enhances the accuracy and reliability of malware analysis by minimizing the risk of detection." },
         { brands::NULL_BRAND, "Indicates no detectable virtualization brand. This result may occur on bare-metal systems, unsupported/obscure hypervisors, or when anti-detection techniques (e.g., VM escaping) are employed by the guest environment." }
     };
 
@@ -949,6 +952,7 @@ void general() {
     checker(VM::DRIVER_NAMES, "driver names");
     checker(VM::DISK_SERIAL, "disk serial number");
     checker(VM::PORT_CONNECTORS, "physical connection ports");
+    checker(VM::IVSHMEM, "IVSHMEM device");
     checker(VM::GPU_CAPABILITIES, "GPU capabilities");
     checker(VM::GPU_VM_STRINGS, "GPU strings");
     checker(VM::PROCESSOR_NUMBER, "processor count");

src/vmaware.hpp

@@ -538,6 +538,7 @@ namespace brands {
     static constexpr const char* NOIRVISOR = "NoirVisor";
     static constexpr const char* QIHOO = "Qihoo 360 Sandbox";
     static constexpr const char* NSJAIL = "nsjail";
+    static constexpr const char* HYPERVISOR_PHANTOM = "Hypervisor-Phantom";
 }
 
 
@@ -637,6 +638,7 @@ struct VM {
         DRIVER_NAMES,
         DISK_SERIAL,
         PORT_CONNECTORS,
+        IVSHMEM,
         GPU_VM_STRINGS,
         GPU_CAPABILITIES,
         VM_DEVICES,
@@ -1261,6 +1263,7 @@ struct VM {
                 return (
                     !cache_keys.test(VMWARE_DMESG) && 
                     !cache_keys.test(PORT_CONNECTORS) && 
+                    !cache_keys.test(IVSHMEM) && 
                     !cache_keys.test(ACPI_TEMPERATURE)
                 );
             }
@@ -3730,14 +3733,14 @@ struct VM {
 
         if (runningProcesses.count("vdagent.exe") ||
             runningProcesses.count("vdservice.exe") ||
-            runningProcesses.count("qemuwmi.exe") || 
-            runningProcesses.count("looking-glass-host.exe")) {
+            runningProcesses.count("qemuwmi.exe")) {
             debug("VM_PROCESSES: Detected QEMU process.");
             return core::add(brands::QEMU);
         }
 
-        if (runningProcesses.count("VDDSysTray.exe")) {
-            return true;
+        if (runningProcesses.count("looking-glass-host.exe") ||
+            runningProcesses.count("VDDSysTray.exe")) {
+            return core::add(brands::HYPERVISOR_PHANTOM);
         }
 
 #elif (LINUX)
@@ -7399,6 +7402,33 @@ struct VM {
 #endif
     }
 
+    /**
+     * @brief Check for IVSHMEM device absense
+     * @category Windows
+     * @author dmfrpro (https://github.com/dmfrpro)
+     * @implements VM::IVSHMEM
+     */
+    [[nodiscard]] static bool ivshmem() {
+#if (!WINDOWS)
+        return false;
+#else
+        const GUID GUID_IVSHMEM_IFACE =
+        { 0xdf576976, 0x569d, 0x4672, {0x95, 0xa0, 0xf5, 0x7e, 0x4e, 0xa0, 0xb2, 0x10} };
+
+        HDEVINFO hDevInfo = SetupDiGetClassDevsW(&GUID_IVSHMEM_IFACE,
+            nullptr, nullptr, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);
+        if (hDevInfo == INVALID_HANDLE_VALUE) {
+            return true;
+        }
+
+        SP_DEVINFO_DATA devInfoData = { sizeof(SP_DEVINFO_DATA) };
+        // Check first device only
+        const bool hasIvshmemData = SetupDiEnumDeviceInfo(hDevInfo, 0, &devInfoData);
+
+        SetupDiDestroyDeviceInfoList(hDevInfo);
+        return hasIvshmemData ? core::add(brands::HYPERVISOR_PHANTOM) : false;
+#endif
+    }
 
     /**
      * @brief Check for specific GPU string signatures related to VMs
@@ -9285,8 +9315,8 @@ struct VM {
         constexpr const char* targets[] = {
             "Parallels Software International", "Parallels(R)", "innotek",
             "Oracle", "VirtualBox", "vbox", "VBOX", "VS2005R2", "VMware, Inc.",
-            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "FWCF",
-            "WAET", "BOCHS", "BXPC"
+            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "WAET",
+            "BOCHS", "BXPC"
         };
 
         auto check_firmware_table = [&](DWORD signature, ULONG tableID) -> bool {
@@ -9347,8 +9377,7 @@ struct VM {
                             strcmp(target, "VMware") == 0 ||
                             strcmp(target, "VMWARE") == 0)
                             brand = brands::VMWARE;
-                        else if (strcmp(target, "QEMU") == 0 ||
-                            strcmp(target, "FWCF") == 0)
+                        else if (strcmp(target, "QEMU") == 0)
                             brand = brands::QEMU;
                         else if (strcmp(target, "BOCHS") == 0 ||
                             strcmp(target, "BXPC") == 0)
@@ -9496,8 +9525,8 @@ struct VM {
         constexpr const char* targets[] = {
             "Parallels Software International", "Parallels(R)", "innotek",
             "Oracle", "VirtualBox", "vbox", "VBOX", "VS2005R2", "VMware, Inc.",
-            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "FWCF",
-            "BOCHS", "BXPC"
+            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "BOCHS",
+            "BXPC"
         };
 
         struct dirent* entry;
@@ -9565,8 +9594,7 @@ struct VM {
                             strcmp(target, "VMWARE") == 0) {
                             brand = brands::VMWARE;
                         }
-                        else if (strcmp(target, "QEMU") == 0 ||
-                            strcmp(target, "FWCF") == 0) {
+                        else if (strcmp(target, "QEMU")) {
                             brand = brands::QEMU;
                         }
                         else if (strcmp(target, "BOCHS") == 0 ||
@@ -11197,6 +11225,7 @@ struct VM {
             case DRIVER_NAMES: return "DRIVER_NAMES";
             case DISK_SERIAL: return "DISK_SERIAL";
             case PORT_CONNECTORS: return "PORT_CONNECTORS";
+            case IVSHMEM: return "IVSHMEM";
             case GPU_VM_STRINGS: return "GPU_STRINGS";
             case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
             case VM_DEVICES: return "VM_DEVICES";
@@ -11382,6 +11411,7 @@ struct VM {
             { brands::COMODO, "Sandbox" },
             { brands::THREATEXPERT, "Sandbox" },
             { brands::QIHOO, "Sandbox" },
+            { brands::HYPERVISOR_PHANTOM, "Sandbox" },
 
             // misc
             { brands::BOCHS, "Emulator" },
@@ -11753,6 +11783,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     std::make_pair(VM::DRIVER_NAMES, VM::core::technique(100, VM::driver_names)),
     std::make_pair(VM::DISK_SERIAL, VM::core::technique(100, VM::disk_serial_number)),
     std::make_pair(VM::PORT_CONNECTORS, VM::core::technique(25, VM::port_connectors)),
+    std::make_pair(VM::IVSHMEM, VM::core::technique(100, VM::ivshmem)),
     std::make_pair(VM::GPU_VM_STRINGS, VM::core::technique(100, VM::gpu_vm_strings)),
     std::make_pair(VM::GPU_CAPABILITIES, VM::core::technique(100, VM::gpu_capabilities)),
     std::make_pair(VM::VM_DEVICES, VM::core::technique(50, VM::vm_devices)),

src/vmaware_MIT.hpp

@@ -560,6 +560,7 @@ namespace brands {
     static constexpr const char* NOIRVISOR = "NoirVisor";
     static constexpr const char* QIHOO = "Qihoo 360 Sandbox";
     static constexpr const char* NSJAIL = "nsjail";
+    static constexpr const char* HYPERVISOR_PHANTOM = "Hypervisor-Phantom";
 }
 
 
@@ -652,6 +653,7 @@ struct VM {
         DRIVER_NAMES,
         DISK_SERIAL,
         PORT_CONNECTORS,
+        IVSHMEM,
         GPU_VM_STRINGS,
         GPU_CAPABILITIES,
         VM_DEVICES,
@@ -3514,14 +3516,14 @@ struct VM {
 
         if (runningProcesses.count("vdagent.exe") ||
             runningProcesses.count("vdservice.exe") ||
-            runningProcesses.count("qemuwmi.exe") || 
-            runningProcesses.count("looking-glass-host.exe")) {
+            runningProcesses.count("qemuwmi.exe")) {
             debug("VM_PROCESSES: Detected QEMU process.");
             return core::add(brands::QEMU);
         }
 
-        if (runningProcesses.count("VDDSysTray.exe")) {
-            return true;
+        if (runningProcesses.count("looking-glass-host.exe") ||
+            runningProcesses.count("VDDSysTray.exe")) {
+            return core::add(brands::HYPERVISOR_PHANTOM);
         }
 
 #elif (LINUX)
@@ -7183,6 +7185,34 @@ struct VM {
 #endif
     }
 
+    /**
+     * @brief Check for IVSHMEM device absense
+     * @category Windows
+     * @author dmfrpro (https://github.com/dmfrpro)
+     * @implements VM::IVSHMEM
+     */
+    [[nodiscard]] static bool ivshmem() {
+#if (!WINDOWS)
+        return false;
+#else
+        const GUID GUID_IVSHMEM_IFACE =
+        { 0xdf576976, 0x569d, 0x4672, {0x95, 0xa0, 0xf5, 0x7e, 0x4e, 0xa0, 0xb2, 0x10} };
+
+        HDEVINFO hDevInfo = SetupDiGetClassDevsW(&GUID_IVSHMEM_IFACE,
+            nullptr, nullptr, DIGCF_PRESENT | DIGCF_DEVICEINTERFACE);
+        if (hDevInfo == INVALID_HANDLE_VALUE) {
+            return true;
+        }
+
+        SP_DEVINFO_DATA devInfoData = { sizeof(SP_DEVINFO_DATA) };
+        // Check first device only
+        const bool hasIvshmemData = SetupDiEnumDeviceInfo(hDevInfo, 0, &devInfoData);
+
+        SetupDiDestroyDeviceInfoList(hDevInfo);
+        return hasIvshmemData ? core::add(brands::HYPERVISOR_PHANTOM) : false;
+#endif
+    }
+
 
     /**
      * @brief Check for specific GPU string signatures related to VMs
@@ -9069,8 +9099,8 @@ struct VM {
         constexpr const char* targets[] = {
             "Parallels Software International", "Parallels(R)", "innotek",
             "Oracle", "VirtualBox", "vbox", "VBOX", "VS2005R2", "VMware, Inc.",
-            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "FWCF",
-            "WAET", "BOCHS", "BXPC"
+            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "WAET",
+            "BOCHS", "BXPC"
         };
 
         auto check_firmware_table = [&](DWORD signature, ULONG tableID) -> bool {
@@ -9131,8 +9161,7 @@ struct VM {
                             strcmp(target, "VMware") == 0 ||
                             strcmp(target, "VMWARE") == 0)
                             brand = brands::VMWARE;
-                        else if (strcmp(target, "QEMU") == 0 ||
-                            strcmp(target, "FWCF") == 0)
+                        else if (strcmp(target, "QEMU") == 0)
                             brand = brands::QEMU;
                         else if (strcmp(target, "BOCHS") == 0 ||
                             strcmp(target, "BXPC") == 0)
@@ -9280,8 +9309,8 @@ struct VM {
         constexpr const char* targets[] = {
             "Parallels Software International", "Parallels(R)", "innotek",
             "Oracle", "VirtualBox", "vbox", "VBOX", "VS2005R2", "VMware, Inc.",
-            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU", "FWCF",
-            "BOCHS", "BXPC"
+            "VMware", "VMWARE", "S3 Corp.", "Virtual Machine", "QEMU","BOCHS",
+            "BXPC"
         };
 
         struct dirent* entry;
@@ -9349,8 +9378,7 @@ struct VM {
                             strcmp(target, "VMWARE") == 0) {
                             brand = brands::VMWARE;
                         }
-                        else if (strcmp(target, "QEMU") == 0 ||
-                            strcmp(target, "FWCF") == 0) {
+                        else if (strcmp(target, "QEMU") == 0) {
                             brand = brands::QEMU;
                         }
                         else if (strcmp(target, "BOCHS") == 0 ||
@@ -10971,6 +10999,7 @@ struct VM {
             case DRIVER_NAMES: return "DRIVER_NAMES";
             case DISK_SERIAL: return "DISK_SERIAL";
             case PORT_CONNECTORS: return "PORT_CONNECTORS";
+            case IVSHMEM: return "IVSHMEM";
             case GPU_VM_STRINGS: return "GPU_STRINGS";
             case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
             case VM_DEVICES: return "VM_DEVICES";
@@ -11155,6 +11184,7 @@ struct VM {
             { brands::COMODO, "Sandbox" },
             { brands::THREATEXPERT, "Sandbox" },
             { brands::QIHOO, "Sandbox" },
+            { brands::HYPERVISOR_PHANTOM, "Sandbox" },
 
             // misc
             { brands::BOCHS, "Emulator" },
@@ -11519,6 +11549,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     std::make_pair(VM::DRIVER_NAMES, VM::core::technique(100, VM::driver_names)),
     std::make_pair(VM::DISK_SERIAL, VM::core::technique(100, VM::disk_serial_number)),
     std::make_pair(VM::PORT_CONNECTORS, VM::core::technique(25, VM::port_connectors)),
+    std::make_pair(VM::IVSHMEM, VM::core::technique(100, VM::ivshmem)),
     std::make_pair(VM::GPU_VM_STRINGS, VM::core::technique(100, VM::gpu_vm_strings)),
     std::make_pair(VM::GPU_CAPABILITIES, VM::core::technique(100, VM::gpu_capabilities)),
     std::make_pair(VM::VM_DEVICES, VM::core::technique(50, VM::vm_devices)),