|
94 | 94 | * |
95 | 95 | * Firstly, the lib is completely static, meaning that there's no need for struct |
96 | 96 | * constructors to be initialized (unless you're using the VM::vmaware struct). |
97 | | - * The main focus of the lib is the tables: |
| 97 | + * The main focus of the lib are the tables: |
98 | 98 | * - the TECHNIQUE table stores all the VM detection technique information in a std::map |
99 | 99 | * |
100 | 100 | * - the BRAND table stores every VM brand as a std::map as well, but as a scoreboard. |
|
114 | 114 | * the standard structure for how VM techniques are organised, functionalities |
115 | 115 | * to run all the techniques in the technique table, functionalities to run |
116 | 116 | * custom-made techniques by the user, and an argument handler based on the |
117 | | - * arguments input by the user. |
| 117 | + * argument input by the user. |
118 | 118 | * |
119 | 119 | * - cpu module: |
120 | 120 | * As the name suggests, this contains functionalities for the CPU. There are |
|
151 | 151 | * 2. After the bitset has been generated, this information is then |
152 | 152 | * passed to the core module of the lib. It analyses the bitset, |
153 | 153 | * and runs every VM detection technique that has been selected, |
154 | | - * while ignoring the ones that weren't selected (by default most |
155 | | - * of them are already selected anyway). The function that does |
156 | | - * this mechanism is core::run_all() |
| 154 | + * while ignoring the ones that weren't (by default most of them |
| 155 | + * are already selected anyway). The function that does this |
| 156 | + * mechanism is core::run_all() |
157 | 157 | * |
158 | 158 | * 3. While the core::run_all() function is being run, it checks if |
159 | 159 | * each technique has already been memoized or not. If it has, |
160 | | - * retrieves the result from the cache and moves to the next technique. |
161 | | - * If it hasn't, runs the technique and caches the result in the |
| 160 | + * retrieve the result from the cache and move to the next technique. |
| 161 | + * If it hasn't, run the technique and cache the result in the |
162 | 162 | * cache table. |
163 | 163 | * |
164 | 164 | * 4. After every technique has been executed, this generates a |
165 | 165 | * uint16_t score. Every technique has a score value between 0 to |
166 | 166 | * 100, and if a VM is detected then this score is accumulated to |
167 | | - * a total score. If the total is above 150, that means it's a VM[1]. |
| 167 | + * a total. If the total is above 150, that means it's a VM[1]. |
168 | 168 | * |
169 | 169 | * |
170 | 170 | * There are other functions such as VM::brand(), which returns a std::string of the most |
|
176 | 176 | * important is because a lot of techniques increment a point for its |
177 | 177 | * respected brand that was detected. For example, if the VM::QEMU_USB |
178 | 178 | * technique has detected a VM, it'll add a score to the QEMU brand in |
179 | | - * the scoreboard. If no technique have been run, then there's no way to |
| 179 | + * the scoreboard. If no technique were run, then there's no way to |
180 | 180 | * populate the scoreboard with any points. After every VM detection |
181 | 181 | * technique has been invoked/retrieved, the brand scoreboard is now |
182 | 182 | * ready to be analysed. |
183 | 183 | * |
184 | | - * 3. Create a filter for the scoreboard, where every brand that have a score |
| 184 | + * 3. Create a filter for the scoreboard, where every brand that has a score |
185 | 185 | * of 0 are erased for abstraction purposes. Now the scoreboard is only |
186 | 186 | * populated with relevant brands where they all have at least a single |
187 | 187 | * point. These are the contenders for which brand will be outputted. |
| 188 | + * Think of it as fetching candidates with potential while discarding |
| 189 | + * those that don't. |
188 | 190 | * |
189 | 191 | * 4. Merge certain brand combinations together. For example, Azure's cloud |
190 | 192 | * is based on Hyper-V, but Hyper-V may have a higher score due to the |
|
199 | 201 | * output of the VM::brand() function. |
200 | 202 | * |
201 | 203 | * 6. The result is then cached in the memo module, so if another function |
202 | | - * invokes VM:brand() again, "the result is retrieved from the cache |
| 204 | + * invokes VM::brand() again, the result is retrieved from the cache |
203 | 205 | * without needing to run all of the previous steps again. |
204 | 206 | * |
205 | 207 | * (NOTE: it's a bit more complicated than this, but that's the gist of how this function works) |
|
212 | 214 | * the threshold becomes 300 instead of 150. |
213 | 215 | */ |
214 | 216 |
|
| 217 | + |
215 | 218 | #pragma once |
216 | 219 |
|
217 | 220 | #ifndef __VMAWARE_DEBUG__ |
@@ -8825,7 +8828,7 @@ struct VM { |
8825 | 8828 |
|
8826 | 8829 |
|
8827 | 8830 | /** |
8828 | | - * @brief Check for known VM objects |
| 8831 | + * @brief Check for any signs of VMs in Windows kernel object entities |
8829 | 8832 | * @category Windows |
8830 | 8833 | * @implements VM::OBJECTS |
8831 | 8834 | */ |
|
0 commit comments