Merge pull request #104 from kernelwernel/dev

Dev

Author: kernelwernel

docs/documentation.md

@@ -407,7 +407,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::HYPERV_CPUID` | Check for Hyper-V specific CPUID results in ecx |  | 35% |  |  |  |
 | `VM::CUCKOO_DIR` | Check for Cuckoo specific directory | Windows | 15% |  |  |  |
 | `VM::CUCKOO_PIPE` | Check for Cuckoo specific piping mechanism | Windows | 20% |  |  |  |
-| `VM::USB_DRIVE` | Check for absence of USB drives | Windows | 5% |  |  |  |
 | `VM::HYPERV_HOSTNAME` | Check for default Azure hostname format (Azure uses Hyper-V as their base VM brand) | Windows, Linux | 50% |  |  |  |
 | `VM::GENERAL_HOSTNAME` | Check for general hostnames that match with certain VM brands | Windows, Linux | 20% |  |  |  |
 | `VM::SCREEN_RESOLUTION` | Check for pre-set screen resolutions commonly found in VMs | Windows | 10% |  |  |  |
@@ -423,7 +422,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::NO_MEMO` | This will disable memoization, meaning the result will not be fetched through a previous computation of the `VM::detect()` function. Use this if you're only using a single function from the `VM` struct for a performance boost. |
 | `VM::EXTREME` | This will disregard the weights/biases in the scoring system. It will essentially treat any technique that found a hit as a VM detection no matter how low that technique's certainty is, so if a single technique is positive then it will return true. | 
 | `VM::DEFAULT` | This represents a range of flags which are enabled if no default argument is provided. |
-| `VM::ENABLE_HYPERV_HOST` | Windows 11 (and 10 if enabled manually) may have Hyper-V as a default virtualisation solution for any host program even if the OS is running as host. There isn't a way to detect whether the host program is ran in default virtualisation mode, or manually intended virtualisation, which is one of the main hurdles of the library to overcome. This is a Hyper-V specific problem, and the library will discard any Hyper-V brand suspicions as not running in a VM by default. But if this flag is enabled then it will still count it regardless of the risk that it might be Hyper-V's default host virtualisation for every host program. So basically this flag means that "I'm aware this program might be running in a default virtualised environment on host, but I'll still count this as running in a VM anyway whether it's default virtualisation or manually intended virtualisation". |
+| `VM::ENABLE_HYPERV_HOST` | Windows 11 (and 10 if enabled manually) may have Hyper-V as a default virtualisation solution for any host program even if the OS is running as host. There isn't a way to detect whether the host program is ran in default virtualisation mode, or manually intended virtualisation. This is a Hyper-V specific problem, and the library will use heuristical methods to discard Hyper-V's host virtualiser as not running in a VM by default. But if this flag is enabled then it will still count it regardless of the risk that it might be Hyper-V's default host virtualisation for every host program. So basically this flag means that "I'm aware this program might be running in a default virtualised environment on host, but I'll still count this as running in a VM anyway whether it's default virtualisation or manually intended virtualisation". |
 | `VM::WIN_HYPERV_DEFAULT` | ⚠️ **DEPRECATED** ⚠️ Same as above, but deprecated as of 1.5 release. |
 | `VM::MULTIPLE` | This is specific to `VM::brand()`. This will basically return a `std::string` message of what brands could be involved. For example, it could return "`VMware or VirtualBox`" instead of having a single brand string output. This has no effect if applied to any other functions than `VM::brand()`. |   
 | `VM::HIGH_THRESHOLD` | This is specific to `VM::detect()` and `VM::percentage()`, which will set the threshold bar to confidently detect a VM by 3.5x higher. |

src/cli.cpp

@@ -36,8 +36,8 @@
     #include <windows.h>
 #endif
 
-constexpr const char* ver = "1.5";
-constexpr const char* date = "June 2024";
+constexpr const char* ver = "1.6";
+constexpr const char* date = "July 2024";
 
 constexpr const char* bold = "\033[1m";
 constexpr const char* ansi_exit = "\x1B[0m";
@@ -145,7 +145,7 @@ std::string message(const std::uint8_t score, const std::string &brand) {
         very_likely = "Very likely a " + brand + " VM";
         inside_vm = "Running inside a " + brand + " VM";
     }
-    
+
     if      (score == 0)   { return baremetal; } 
     else if (score <= 12)  { return very_unlikely; } 
     else if (score <= 25)  { return unlikely; } 
@@ -311,7 +311,6 @@ void general(const bool enable_hyperv = true) {
 
     std::cout << "VM confirmation: " << (is_detected ? green : red) << std::boolalpha << is_detected << std::noboolalpha << ansi_exit << "\n";
 
-
     const char* count_color = "";
 
     switch (detected_count) {

src/vmaware.hpp

@@ -4,7 +4,7 @@
  * ██║   ██║██╔████╔██║███████║██║ █╗ ██║███████║██████╔╝█████╗
  * ╚██╗ ██╔╝██║╚██╔╝██║██╔══██║██║███╗██║██╔══██║██╔══██╗██╔══╝
  *  ╚████╔╝ ██║ ╚═╝ ██║██║  ██║╚███╔███╔╝██║  ██║██║  ██║███████╗
- *   ╚═══╝  ╚═╝     ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ 1.5 (June 2024)
+ *   ╚═══╝  ╚═╝     ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝ 1.6 (July 2024)
  *
  *  C++ VM detection library
  *
@@ -22,14 +22,14 @@
  *
  *
  * ================================ SECTIONS ==================================
- * - enums for publicly accessible techniques  => line 293
- * - struct for internal cpu operations        => line 488
- * - struct for internal memoization           => line 859
- * - struct for internal utility functions     => line 949
- * - struct for internal core components       => line 7337
- * - start of internal VM detection techniques => line 1727
- * - start of public VM detection functions    => line 7693
- * - start of externally defined variables     => line 8038
+ * - enums for publicly accessible techniques  => line 302
+ * - struct for internal cpu operations        => line 519
+ * - struct for internal memoization           => line 891
+ * - struct for internal utility functions     => line 996
+ * - struct for internal core components       => line 7781
+ * - start of internal VM detection techniques => line 1815
+ * - start of public VM detection functions    => line 8277
+ * - start of externally defined variables     => line 8672
  *
  *
  * ================================ EXAMPLE ==================================
@@ -8096,6 +8096,7 @@ struct VM {
 
                 core_debug("HYPERV_HOST_CHECK: technique_check = ", no_possible_brand);
 
+                // by the end of this, if it doesn't find it possible to have Hyper-V then that assumes the result has been tampered somehow
                 return (no_possible_brand);
             };
 
@@ -8365,12 +8366,6 @@ struct VM {
 
 #define brands core::brand_scoreboard
 
-        // this gets annoying really fast 
-        //#ifdef __VMAWARE_DEBUG__
-        //    for (const auto p : brands) {
-        //        core_debug("scoreboard: ", (int)p.second, " : ", p.first);
-        //    }
-        //#endif
 
         // check if it's already cached and return that instead
         if (core::is_disabled(flags, NO_MEMO)) {
@@ -8506,6 +8501,13 @@ struct VM {
             }
         }
 
+        // this gets annoying really fast 
+        #ifdef __VMAWARE_DEBUG__
+            for (const auto p : brands) {
+                core_debug("scoreboard: ", (int)p.second, " : ", p.first);
+            }
+        #endif
+
         return current_brand;
     }
 
@@ -8895,4 +8897,4 @@ const std::map<VM::u8, VM::core::technique> VM::core::technique_table = {
     // __TABLE_LABEL, add your technique above
     // { VM::FUNCTION, { POINTS, FUNCTION_POINTER }}
     // ^ template 
-};
+};