Merge pull request #70 from kernelwernel/dev

changes to contributors

Author: kernelwernel

.all-contributorsrc

@@ -0,0 +1,4 @@
+{
+  "projectName": "VMAware",
+  "projectOwner": "kernelwernel"
+}

README.md

@@ -72,7 +72,7 @@ This project also provides a tiny, but handy CLI tool utilising the full potenti
 <br>
 
 ## Installation 📥
-To install the library, download or copy paste the `vmaware.hpp` file in the [release section](https://github.com/kernelwernel/VMAware/releases/) to your project. No CMake or shared object linkages are necessary, it's literally that simple.
+To install the library, download or copy paste the `vmaware.hpp` file in the latest [release section](https://github.com/kernelwernel/VMAware/releases/latest) to your project. No CMake or shared object linkages are necessary, it's literally that simple.
 
 However, if you want the full project (globally accessible headers with <vmaware.hpp> and the CLI tool), follow these commands:
 ```bash
@@ -103,10 +103,10 @@ You can view the full docs [here](docs/documentation.md). Trust me, it's not too
 
 ## Q&A ❓
 - How does it work?
-> It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. The scores for each technique are arbitrarily given, and a threshold must be met to detect if it's running in a VM.
+> It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. The scores for each technique are arbitrarily given, and a certain threshold score must be met to detect if it's running in a VM.
 
 - Who is this library for?
-> It's designed for security researchers, VM engineers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, if you're making a VM and you're testing the effectiveness of concealing itself, or if you're a malware analyst and you want to check if your VM environment is good enough to avoid detection.
+> It's designed for security researchers, VM engineers, gamer developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, if you're making a VM and you're testing the effectiveness of concealing itself, or if you're a malware analyst and you want to check if your VM environment is good enough to avoid detection. One of the major intentions is to thwart reverse engineers at probing your software in a VM for a legitimate software product (especially games).
 
 - Why another VM detection project?
 > There's already loads of projects that have the same goal such as [InviZzzible](https://github.com/CheckPointSW/InviZzzible), [pafish](https://github.com/a0rtega/pafish) and [Al-Khaser](https://github.com/LordNoteworthy/al-khaser). But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool like those projects.
@@ -115,10 +115,10 @@ You can view the full docs [here](docs/documentation.md). Trust me, it's not too
 > Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false negative or even a false positive. This is a problem that every VM detection project is facing, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. 
 
 - Can I use this for malware?
-> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good luck manually obfuscating 6000 lines of C++ code lmfao
+> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment/evasion purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good luck manually obfuscating 6000 lines of C++ code lmfao
 
 - Why GPL 3.0 and MIT? 
-> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes **8** techniques, and the lesser the number of mechanisms, the less accurate the overall result might be.
+> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without the GPL code, so that proprietary software can make use of this library without the legal open-source requirement. It should be noted that the MIT version removes **10** GPL techniques out of the total 80+ as of the 1.2 release, which may slightly impact the overall result to be inaccurate.
 
 - The tool has many false positives under a Windows 11 host, why?
 > This is because it is in fact running under a VM. More specifically, Hyper-V might be used by default for every program that's running in Windows 11. 
@@ -133,6 +133,23 @@ And if you found this project useful, a star would be appreciated :)
 <br>
 
 ## Credits and contributors ✒️
+
+<!-- ALL-CONTRIBUTORS-LIST:START - Do not remove or modify this section -->
+<!-- prettier-ignore-start -->
+<!-- markdownlint-disable -->
+
+<!-- markdownlint-restore -->
+<!-- prettier-ignore-end -->
+
+<!-- ALL-CONTRIBUTORS-LIST:END -->
+
+[![All Contributors](https://img.shields.io/github/all-contributors/projectOwner/projectName?color=ee8449&style=flat-square)](#contributors)
+
+- [Requiem](https://github.com/NotRequiem)
+- [Alex](https://github.com/greenozon)
+- [Marek Knápek](https://github.com/MarekKnapek)
+- [Vladyslav Miachkov](https://github.com/fameowner99)
+- [Alan Tse](https://github.com/alandtse)
 - [Check Point Research](https://research.checkpoint.com/)
 - [Unprotect Project](https://unprotect.it/)
 - [Al-Khaser](https://github.com/LordNoteworthy/al-khaser)
@@ -141,10 +158,6 @@ And if you found this project useful, a star would be appreciated :)
 - N. Rin, EP_X0FF
 - [Peter Ferrie, Symantec](https://github.com/peterferrie)
 - [Graham Sutherland, LRQA Nettitude](https://www.nettitude.com/uk/)
-- [Requiem](https://github.com/NotRequiem)
-- [Alex](https://github.com/greenozon)
-- [Marek Knápek](https://github.com/MarekKnapek)
-- [Vladyslav Miachkov](https://github.com/fameowner99)
 - [(Offensive Security) Danny Quist](chamuco@gmail.com)
 - [(Offensive Security) Val Smith](mvalsmith@metasploit.com)
 - Tom Liston + Ed Skoudis
@@ -155,6 +168,6 @@ And if you found this project useful, a star would be appreciated :)
 <br>
 
 ## Legal 📜
-I am not responsible nor liable for any damage you cause through any malicious usage of this project. 
+I am not responsible nor liable for any damage you cause through any malicious usage (especially through malware) of this project. 
 
-License: GPL-3.0
+License: GPL-3.0

docs/documentation.md

@@ -128,6 +128,22 @@ int main() {
 }
 ```
 
+On rare occasions, there could be conflicting reports of multiple VM brands being detected, which could cause an inaccurate or buggy result. This is where `VM::MULTIPLE` comes in. This flag is specific to `VM::brand()`, and it will return a string with the format "`vm_brand1 or vm_brand2 [or vm_brand3 ...]`" ONLY IF it has found a collision between multiple VM brands. For example:
+
+```cpp
+#include "vmaware.hpp"
+#include <string>
+
+int main() {
+    const std::string result = VM::brand(VM::MULTIPLE);
+
+    // the output could be something like "VirtualBox or VMware"
+    // it could also be "Sandboxie or Wine or Anubis", there isn't
+    // a limit to how many VM brands can be included in the string.
+    std::cout << result << "\n";
+}
+```
+
 <br>
 
 ## `VM::check()`
@@ -315,4 +331,5 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::NO_MEMO` | This will disable memoization, meaning the result will not be fetched through a previous computation of the `VM::detect()` function. Use this if you're only using a single function from the `VM` struct for a performance boost.
 | `VM::EXTREME` | This will disregard the weights/biases and its scoring system. It will essentially treat any technique that found a hit as a VM detection no matter how low that technique's certainty is, so if a single technique is positive then it will return true. | 
 | `VM::DEFAULT` | This represents a range of flags which are enabled if no default argument is provided. The reason why this exists is to easily disable any bits manually (shown in the is_vm6 example in the `VM::detect()` section)
-| `VM::WIN_HYPERV_DEFAULT` | This will take into account that Windows 11 (and sometimes 10) may have Hyper-V as a default virtualisation software for any program even if the OS is running as host. Essentially, this flag will count any techniques prone to this issue as running in a VM, while having a higher threshold bar to detect it as one. |
+| `VM::WIN_HYPERV_DEFAULT` | This will take into account that Windows 11 (and sometimes 10) may have Hyper-V as a default virtualisation software for any program even if the OS is running as host. Essentially, this flag will count any techniques prone to this issue as running in a VM, while having a higher threshold bar to detect it as one. |
+| `VM::MULTIPLE` | This is exclusive for `VM::brand()`. It will output a string message of all the potential brands it has detected instead of only giving a single one, which may be buggy. 

src/vmaware.hpp

@@ -14,6 +14,7 @@
  *      - @Alex (https://github.com/greenozon)
  *      - @Marek Knápek (https://github.com/MarekKnapek)
  *      - @Vladyslav Miachkov (https://github.com/fameowner99)
+ *      - @Alan Tse (https://github.com/alandtse)
  *  - Repository: https://github.com/kernelwernel/VMAware
  *  - Docs: https://github.com/kernelwernel/VMAware/docs/documentation.md
  *  - Full credits: https://github.com/kernelwernel/VMAware#credits
@@ -4262,11 +4263,11 @@ struct VM {
         if (x1 || x2 || x3 || x4 || x5) {
             is_vm = true;
 #ifdef __VMAWARE_DEBUG__
-            if (x1) { debug("VBOX_MSSMBIOS: x1 = ", x1); }
-            if (x2) { debug("VBOX_MSSMBIOS: x2 = ", x2); }
-            if (x3) { debug("VBOX_MSSMBIOS: x3 = ", x3); }
-            if (x4) { debug("VBOX_MSSMBIOS: x4 = ", x4); }
-            if (x5) { debug("VBOX_MSSMBIOS: x5 = ", x5); }
+            if (x1) { debug("MSSMBIOS: x1 = ", x1); }
+            if (x2) { debug("MSSMBIOS: x2 = ", x2); }
+            if (x3) { debug("MSSMBIOS: x3 = ", x3); }
+            if (x4) { debug("MSSMBIOS: x4 = ", x4); }
+            if (x5) { debug("MSSMBIOS: x5 = ", x5); }
 #endif
         }
 
@@ -4275,6 +4276,9 @@ struct VM {
 
         if (is_vm) {
             if (x5) {
+                bool tmp = core::add(VBOX);
+                     tmp = core::add(HYPERV);
+                UNUSED(tmp);
                 return true;
             }
 
@@ -5837,7 +5841,7 @@ struct VM {
             std::vector<std::string> potential_brands;
 
             for (auto it = brands.cbegin(); it != brands.cend(); ++it) {
-                const u8 points = it->second;
+                const int points = it->second;
                 const std::string brand = it->first;
 
                 if (points > 0) {