updated VM::PCI_VM_DEVICE_ID and removed VM::PCI_VM

Author: kernelwernel

docs/documentation.md

@@ -441,7 +441,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::CPU_BRAND` | Check if CPU brand model contains any VM-specific string snippets | 🐧🪟🍏 | 50% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2545) |
 | `VM::HYPERVISOR_BIT` | Check if hypervisor feature bit in CPUID eax bit 31 is enabled (always false for physical CPUs) | 🐧🪟🍏 | 100% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2601) |
 | `VM::HYPERVISOR_STR` | Check for hypervisor brand string length (would be around 2 characters in a host machine) | 🐧🪟🍏 | 75% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2622) |
-| `VM::TIMER` | Check for timing anomalies in the system | 🐧🪟🍏 | 45% |  |  |  | Unsafe to run under binary emulators | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8169 ) |
+| `VM::TIMER` | Check for timing anomalies in the system | 🐧🪟🍏 | 45% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L8169 ) |
 | `VM::THREADCOUNT` | Check if there are only 1 or 2 threads, which is a common pattern in VMs with default settings (nowadays physical CPUs should have at least 4 threads for modern CPUs) | 🐧🪟🍏 | 35% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2649) |
 | `VM::MAC` | Check if mac address starts with certain VM designated values | 🐧🪟 | 20% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2671) |
 | `VM::TEMPERATURE` | Check if thermal directory in linux is present, might not be present in VMs | 🐧 | 15% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L2804) |
@@ -544,6 +544,8 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::PCI_VM` | Check for PCIe bridge names for known VM keywords and brands | 🐧 | 100% |  |  |  | Disabled by default | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L10142) |
 | `VM::TPM` | Check if the system has a physical TPM by matching the TPM manufacturer against known physical TPM chip vendors | 🪟 | 50% |  |  |  |  | [link](https://github.com/kernelwernel/VMAware/blob/fb66db9fdd7894edebe5eeade4b0148a08bd5514/src/vmaware.hpp#L10011)|
 | `VM::PCI_VM_DEVICE_ID` | Check for PCI vendor and device IDs that are VM-specific | 🐧 | 90% |  |  |  |  |  |
+| `VM::QEMU_PASSTHROUGH` | Check for QEMU's hot-plug signature | 🪟 | 100% |  |  |  |  |  |
+
 <!-- ADD TECHNIQUE DETAILS HERE -->
 
 <br>

src/cli.cpp

@@ -468,6 +468,7 @@ bool is_unsupported(VM::enum_flags flag) {
             case VM::FIRMWARE:
             case VM::UNKNOWN_MANUFACTURER:
             case VM::TPM:
+            case VM::QEMU_PASSTHROUGH:
             // ADD WINDOWS FLAG
             return false;
             default: return true;
@@ -974,6 +975,8 @@ void general() {
     checker(VM::NSJAIL_PID, "nsjail PID");
     checker(VM::TPM, "TPM manufacturer");
     checker(VM::PCI_VM_DEVICE_ID, "PCI vendor/device ID");
+    checker(VM::QEMU_PASSTHROUGH, "QEMU passthrough");
+
     // ADD NEW TECHNIQUE CHECKER HERE
 
     std::printf("\n");

src/vmaware.hpp

@@ -27,14 +27,14 @@
  *
  *
  * ============================== SECTIONS ==================================
- * - enums for publicly accessible techniques  => line 555
- * - struct for internal cpu operations        => line 741
- * - struct for internal memoization           => line 1212
- * - struct for internal utility functions     => line 1340
- * - struct for internal core components       => line 10291
- * - start of VM detection technique list      => line 2427
- * - start of public VM detection functions    => line 10948
- * - start of externally defined variables     => line 11892
+ * - enums for publicly accessible techniques  => line 557
+ * - struct for internal cpu operations        => line 743
+ * - struct for internal memoization           => line 1209
+ * - struct for internal utility functions     => line 1337
+ * - struct for internal core components       => line 10102
+ * - start of VM detection technique list      => line 2450
+ * - start of public VM detection functions    => line 10759
+ * - start of externally defined variables     => line 11710
  *
  *
  * ============================== EXAMPLE ===================================
@@ -366,6 +366,9 @@
 #include <wrl/client.h>
 #include <tbs.h>
 #include <mutex>
+#include <initguid.h>
+#include <devpkey.h>
+#include <devguid.h>
 
 #pragma comment(lib, "winmm.lib")
 #pragma comment(lib, "setupapi.lib")
@@ -657,6 +660,7 @@ struct VM {
         NSJAIL_PID,
         TPM,
         PCI_VM_DEVICE_ID,
+        QEMU_PASSTHROUGH,
         // ADD NEW TECHNIQUE ENUM NAME HERE
 
         // special flags, different to settings
@@ -1968,6 +1972,36 @@ struct VM {
             return std::string();
         }
 
+
+        [[nodiscard]] static bool is_running_under_translator() {
+            #if (WINDOWS)
+            u8 ver = get_windows_version();
+            if (ver == 10 || ver == 11) {
+                USHORT procMachine = 0, nativeMachine = 0;
+                if (IsWow64Process2(GetCurrentProcess(), &procMachine, &nativeMachine)) {
+                    if (nativeMachine == IMAGE_FILE_MACHINE_ARM64 &&
+                        (procMachine == IMAGE_FILE_MACHINE_AMD64 ||
+                            procMachine == IMAGE_FILE_MACHINE_I386))
+                    {
+                        return true;
+                    }
+                }
+            }
+#endif
+
+            if (cpu::is_leaf_supported(cpu::leaf::hypervisor)) {
+                std::string vendor = cpu::cpu_manufacturer(cpu::leaf::hypervisor);
+                if (vendor == "VirtualApple" ||   // Apple Rosetta
+                    vendor == "PowerVM Lx86")     // IBM PowerVM Lx86
+                {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+
         /**
          * @brief Checks whether the system is running in a Hyper-V virtual machine or if the host system has Hyper-V enabled
          * @note Hyper-V's presence on a host system can set certain hypervisor-related CPU flags that may appear similar to those in a virtualized environment, which can make it challenging to differentiate between an actual Hyper-V virtual machine (VM) and a host system with Hyper-V enabled.
@@ -3650,11 +3684,6 @@ struct VM {
 /* GPL */         SP_DEVINFO_DATA DeviceInfoData{};
 /* GPL */         DWORD i;
 /* GPL */ 
-/* GPL */         constexpr GUID GUID_DEVCLASS_DISKDRIVE = {
-/* GPL */             0x4d36e967L, 0xe325, 0x11ce,
-/* GPL */             { 0xbf, 0xc1, 0x08, 0x00, 0x2b, 0xe1, 0x03, 0x18 }
-/* GPL */         };
-/* GPL */ 
 /* GPL */         hDevInfo = SetupDiGetClassDevs((LPGUID)&GUID_DEVCLASS_DISKDRIVE,
 /* GPL */             0,
 /* GPL */             0,
@@ -7497,6 +7526,11 @@ struct VM {
             return false;
         }
 
+        if (util::is_running_under_translator()) {
+            debug("Running inside binary translation layer.");
+            return false;
+        }
+
         // to minimize context switching/scheduling
     #if (WINDOWS)
         const HANDLE hThread = GetCurrentThread();
@@ -7537,7 +7571,7 @@ struct VM {
         // 1. TSC Synchronization Check Across Cores
         // Try reading the invariant TSC on two different cores to attempt to detect vCPU timers being shared
         constexpr u8 tscIterations = 10;
-        constexpr u16 tscSyncDiffThreshold = 5000;
+        constexpr u16 tscSyncDiffThreshold = 500;
 
         bool tscSyncDetected = false;
         tscSyncDetected = [&]() noexcept -> bool {
@@ -9947,6 +9981,69 @@ struct VM {
 #endif
     }
 
+
+    /**
+     * @brief Check for QEMU's hot-plug signature
+     * @category Windows
+     * @author Requiem (https://github.com/NotRequiem)
+     * @implements VM::QEMU_PASSTHROUGH
+     */
+    [[nodiscard]] static bool qemu_passthrough()
+    {
+#if (!WINDOWS)
+        return false;
+#else
+        // QEMU passthrough location paths
+        static const std::wregex busRegex(L"PCIROOT\\(0\\)#PCI\\(0202\\)");
+        static const std::wregex acpiSlotRegex(L"#ACPI\\(S[0-9]{2}_\\)");
+
+        HDEVINFO hDevInfo = SetupDiGetClassDevsW(
+            &GUID_DEVCLASS_DISPLAY,
+            nullptr,
+            nullptr,
+            DIGCF_PRESENT);
+        if (hDevInfo == INVALID_HANDLE_VALUE)
+            return false;
+
+        SP_DEVINFO_DATA devInfo = {};
+        devInfo.cbSize = sizeof(devInfo);
+        const DEVPROPKEY key = DEVPKEY_Device_LocationPaths;
+
+        for (DWORD idx = 0; SetupDiEnumDeviceInfo(hDevInfo, idx, &devInfo); ++idx)
+        {
+            DEVPROPTYPE propType = 0;
+            DWORD requiredSize = 0;
+
+            SetupDiGetDevicePropertyW(
+                hDevInfo, &devInfo, &key, &propType,
+                nullptr, 0, &requiredSize, 0);
+
+            if (GetLastError() != ERROR_INSUFFICIENT_BUFFER || requiredSize == 0)
+                continue;
+
+            std::vector<BYTE> buffer(requiredSize);
+            if (!SetupDiGetDevicePropertyW(
+                hDevInfo, &devInfo, &key, &propType,
+                buffer.data(), requiredSize, &requiredSize, 0))
+                continue;
+
+            const wchar_t* ptr = reinterpret_cast<const wchar_t*>(buffer.data());
+            while (*ptr) {
+                std::wstring path(ptr);
+                if (std::regex_search(path, busRegex) ||
+                    std::regex_search(path, acpiSlotRegex))
+                {
+                    SetupDiDestroyDeviceInfoList(hDevInfo);
+                    return true;
+                }
+                ptr += path.size() + 1;
+            }
+        }
+
+        SetupDiDestroyDeviceInfoList(hDevInfo);
+        return false;
+#endif
+    }
     // ADD NEW TECHNIQUE FUNCTION HERE
 
 
@@ -11240,8 +11337,8 @@ struct VM {
             case UNKNOWN_MANUFACTURER: return "UNKNOWN_MANUFACTURER";
             case NSJAIL_PID: return "NSJAIL_PID";
             case TPM: return "TPM";
-
             case PCI_VM_DEVICE_ID: return "PCI_VM_DEVICE_ID";
+            case QEMU_PASSTHROUGH: return "QEMU_PASSTHROUGH";
             // ADD NEW CASE HERE FOR NEW TECHNIQUE
             default: return "Unknown flag";
         }
@@ -11809,6 +11906,8 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     std::make_pair(VM::NSJAIL_PID, VM::core::technique(75, VM::nsjail_proc_id)),
     std::make_pair(VM::TPM, VM::core::technique(50, VM::tpm)),
     std::make_pair(VM::PCI_VM_DEVICE_ID, VM::core::technique(90, VM::pci_vm_device_id)),
+    std::make_pair(VM::QEMU_PASSTHROUGH, VM::core::technique(90, VM::qemu_passthrough)),
+
     // ADD NEW TECHNIQUE STRUCTURE HERE
 };