kernelwernel
diff --git a/‎CMakeLists.txt‎
Lines changed: 4 additions & 2 deletions b/‎CMakeLists.txt‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎README.md‎
Lines changed: 7 additions & 3 deletions b/‎README.md‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎TODO.md‎
Lines changed: 2 additions & 2 deletions b/‎TODO.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎assets/demo.png‎
19.6 KB b/‎assets/demo.png‎
19.6 KB
diff --git a/‎docs/documentation.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/documentation.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎papers/0003921.pdf‎
635 KB b/‎papers/0003921.pdf‎
635 KB
diff --git a/‎papers/ThwartingVMDetection_Liston_Skoudis.pdf‎
645 KB b/‎papers/ThwartingVMDetection_Liston_Skoudis.pdf‎
645 KB
diff --git a/‎papers/www.s21sec.com_vmware-eng.pdf‎
211 KB b/‎papers/www.s21sec.com_vmware-eng.pdf‎
211 KB
diff --git a/‎src/cli.cpp‎
Lines changed: 84 additions & 49 deletions b/‎src/cli.cpp‎
Lines changed: 84 additions & 49 deletions
@@ -91,10 +91,12 @@ add_test(executable, "${BUILD_DIR}/${TARGET}")
 # release stuff
 if (NOT MSVC)
     if(CMAKE_BUILD_TYPE MATCHES "Release")
-        install(TARGETS ${TARGET} DESTINATION ${CMAKE_SOURCE_DIR})
+        install(TARGETS ${TARGET} DESTINATION /usr/local/bin)
         install(FILES "src/vmaware.hpp" DESTINATION /usr/include)
+    else()
+        install(TARGETS ${TARGET} DESTINATION ${CMAKE_SOURCE_DIR})
     endif()
 elseif(MSVC)
     set(CMAKE_INSTALL_PREFIX "C:\\Program Files\\YourApplication")
     install(TARGETS ${TARGET} DESTINATION .)
-endif()
+endif()
@@ -15,10 +15,10 @@ The library is:
 - Very easy to use, with only 5 functions in its public interface
 - Very flexible, with total fine-grained control over which techniques get executed
 - Cross-platform (Windows + MacOS + Linux)
-- Compatible with ARM architecture
+- Compatible with ARM architecture and 32-bit Windows
 - Header-only
 - Available with C++11 and above
-- Features up to 70+ unique techniques
+- Features up to 80+ unique techniques
 - Able to detect VMware, VirtualBox, QEMU, KVM, Parallels, and [much more](https://github.com/kernelwernel/VMAware/blob/v0.2/docs/documentation.md#vmbrand)
 - Able to detect semi-VM technologies like hypervisors, docker, and wine
 - Able to guess the VM brand
@@ -115,7 +115,7 @@ You can view the full docs [here](docs/documentation.md). Trust me, it's not too
 > Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false negative or even a false positive. This is a problem that every VM detection project is facing, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. 
 
 - Can I use this for malware?
-> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good luck manually obfuscating 5000 lines of C++ code lmfao
+> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good luck manually obfuscating 6000 lines of C++ code lmfao
 
 - Why GPL 3.0 and MIT? 
 > I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes **8** techniques, and the lesser the number of mechanisms, the less accurate the overall result might be.
@@ -147,6 +147,10 @@ And if you found this project useful, a star would be appreciated :)
 - [Vladyslav Miachkov](https://github.com/fameowner99)
 - [(Offensive Security) Danny Quist](chamuco@gmail.com)
 - [(Offensive Security) Val Smith](mvalsmith@metasploit.com)
+- Tom Liston + Ed Skoudis
+- [Tobias Klein](https://www.trapkit.de/index.html)
+- [(S21sec) Alfredo Omella](https://www.s21sec.com/)
+- [(eEye Digital Security) Derek Soeder]()
 
 <br>
 
 
@@ -1,4 +1,3 @@
-- [ ] revise sidt check
 - [ ] analyse the UUID check technique's efficiency
 - [X] fix c++11 debug function param error
 - [X] completely remove std::system() grep commands
@@ -20,7 +19,8 @@
 - [X] add a python script to automatically set the lines of the seperate sections in the header
 - [ ] add C++20 concepts for the VM::add_custom() function
 - [ ] check for valid monitor technique
-
+- [ ] fix the is_admin code for windows
+- [ ] test it on compiler explorer with windows 32-bit settings
 
 # Distant plans
 - add ARM support
 
@@ -98,8 +98,7 @@ This will essentially return the VM brand as a `std::string`. The exact possible
 - `Anubis`
 - `JoeBox`
 - `Thread Expert`
-- `CW Sandbox`
-- `SunBelt`
+- `CWSandbox`
 - `Comodo`
 - `Bochs`
 
@@ -262,7 +261,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::VM_PROCESSES` | Check for any VM processes that are active | Windows | 30% |  |  |
 | `VM::LINUX_USER_HOST` | Check for default VM username and hostname for linux | Linux | 35% |  |  |
 | `VM::VBOX_WINDOW_CLASS` | Check for the window class for VirtualBox | Windows | 10% |  | GPL |
-| `VM::WMIC` | Check top-level default window level | Windows | 20% |  |   |
+| `VM::WMIC` | Check top-level default window level | Windows | 20% |  |  |
 | `VM::GAMARUE` | Check for Gamarue ransomware technique which compares VM-specific Window product IDs | Windows | 40% |  |  |
 | `VM::VMID_0X4` | Check if the CPU manufacturer ID matches that of a VM brand with leaf 0x40000000 | Yes | 100% |  |  |
 | `VM::PARALLELS_VM` | Check for indications of Parallels VM | Windows | 50% |  |  |
@@ -297,6 +296,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::OFFSEC_SIDT` | Check for Offensive Security SIDT method | Windows | 60% |  |  |
 | `VM::OFFSEC_SGDT` | Check for Offensive Security SGDT method | Windows | 60% |  |  |
 | `VM::OFFSEC_SLDT` | Check for Offensive Security SLDT method | Windows | 20% |  |  |
+| `VM::VPC_SIDT` | Check for VPC range for SIDT | Windows | 15% |  |  |
 | `VM::HYPERV_BOARD` | Check for Hyper-V string in motherboard | Windows | 45% |  |  |
 | `VM::VM_FILES_EXTRA` | Check for VPC and Parallels files | Windows | 70% |  |  |
 
 
@@ -62,11 +62,12 @@ R"(Usage:
 
 Options:
  -h | --help        prints this help menu
- -v | --version     print version and other stuff
+ -v | --version     print cli version and other details
  -d | --detect      returns the result as a boolean (1 = VM, 0 = baremetal)
  -s | --stdout      returns either 0 or 1 to STDOUT without any text output (0 = VM, 1 = baremetal)
  -b | --brand       returns the VM brand string (consult documentation for full output list)
  -p | --percent     returns the VM percentage between 0 and 100
+ -c | --conclusion  returns the conclusion message string
 )";
 }
 
@@ -79,6 +80,68 @@ void version(void) {
     "Developed and maintained by kernelwernel, see https://github.com/kernelwernel\n";
 }
 
+const char* color(const std::uint8_t score) {
+    if (score == 0) {
+        return red;
+    } else if (score <= 12) {
+        return red;
+    } else if (score <= 25) {
+        return red_orange;
+    } else if (score < 50) {
+        return red_orange;
+    } else if (score <= 62) {
+        return orange;
+    } else if (score <= 75) {
+        return green_orange;
+    } else if (score < 100) {
+        return green;
+    } else if (score == 100) {
+        return green;
+    }
+
+    return "";
+}
+
+std::string message(const std::uint8_t score, const std::string &brand) {
+    constexpr const char* baremetal = "Running in baremetal";
+    constexpr const char* very_unlikely = "Very unlikely a VM";
+    constexpr const char* unlikely = "Unlikely a VM";
+
+    std::string potentially = "Potentially a VM";
+    std::string might = "Might be a VM";
+    std::string likely = "Likely a VM";
+    std::string very_likely = "Very likely a VM";
+    std::string inside_vm = "Running inside a VM";
+
+    if (brand != "Unknown") {
+        potentially = "Potentially a " + brand + " VM";
+        might = "Might be a " + brand + " VM";
+        likely = "Likely a " + brand + " VM";
+        very_likely = "Very likely a " + brand + " VM";
+        inside_vm = "Running inside a " + brand + " VM";
+    }
+    
+    if (score == 0) {
+        return baremetal;
+    } else if (score <= 12) {
+        return very_unlikely;
+    } else if (score <= 25) {
+        return unlikely;
+    } else if (score < 50) {
+        return potentially;
+    } else if (score <= 62) {
+        return might;
+    } else if (score <= 75) {
+        return likely;
+    } else if (score < 100) {
+        return very_likely;
+    } else if (score == 100) {
+        return inside_vm;
+    }
+
+    return "Unknown error";
+}
+
 int main(int argc, char* argv[]) {
 #if (MSVC)
     win_ansi_enabler_t ansi_enabler;
@@ -177,16 +240,27 @@ int main(int argc, char* argv[]) {
         checker(VM::OFFSEC_SIDT, "Offensive Security SIDT");
         checker(VM::OFFSEC_SGDT, "Offensive Security SGDT");
         checker(VM::OFFSEC_SLDT, "Offensive Security SLDT");
+        checker(VM::VPC_SIDT, "VirtualPC SIDT");
         checker(VM::HYPERV_BOARD, "Hyper-V motherboard");
         checker(VM::VM_FILES_EXTRA, "Extra VM files");
+        checker(VM::VMWARE_IOMEM, "/proc/iomem file");
+        checker(VM::VMWARE_IOPORTS, "/proc/ioports file");
+        checker(VM::VMWARE_SCSI, "/proc/scsi/scsi file");
+        checker(VM::VMWARE_DMESG, "VMware dmesg");
+        checker(VM::VMWARE_EMULATION, "VMware emulation mode");
+        checker(VM::VMWARE_STR, "STR instruction");
+        checker(VM::VMWARE_BACKDOOR, "VMware IO port backdoor");
+        checker(VM::SMSW, "SMSW instruction");
+        checker(VM::VMWARE_PORT_MEM, "VMware port memory");
+
         std::printf("\n");
 
         const std::string brand = VM::brand();
 
         std::cout << "VM brand: " << (brand == "Unknown" ? red : green) << brand << ansi_exit << "\n";
 
         const char* percent_color = "";
-        std::uint8_t percent = VM::percentage();
+        const std::uint8_t percent = VM::percentage();
 
         if (percent == 0) {
             percent_color = red;
@@ -206,52 +280,8 @@ int main(int argc, char* argv[]) {
 
         std::cout << "VM confirmation: " << (is_detected ? green : red) << std::boolalpha << is_detected << std::noboolalpha << ansi_exit << "\n\n";
 
-        const char* conclusion_color = "";
-        std::string conclusion_message = "";
-
-        constexpr const char* baremetal = "Running in baremetal";
-        constexpr const char* very_unlikely = "Very unlikely a VM";
-        constexpr const char* unlikely = "Unlikely a VM";
-
-        std::string potentially = "Potentially a VM";
-        std::string might = "Might be a VM";
-        std::string likely = "Likely a VM";
-        std::string very_likely = "Very likely a VM";
-        std::string inside_vm = "Running inside a VM";
-
-        if (brand != "Unknown") {
-            potentially = "Potentially a " + brand + " VM";
-            might = "Might be a " + brand + " VM";
-            likely = "Likely a " + brand + " VM";
-            very_likely = "Very likely a " + brand + " VM";
-            inside_vm = "Running inside a " + brand + " VM";
-        }
-        
-        if (percent == 0) {
-            conclusion_color = red;
-            conclusion_message = baremetal;
-        } else if (percent <= 12) {
-            conclusion_color = red;
-            conclusion_message = very_unlikely;
-        } else if (percent <= 25) {
-            conclusion_color = red_orange;
-            conclusion_message = unlikely;
-        } else if (percent < 50) { // not <= on purpose
-            conclusion_color = red_orange;
-            conclusion_message = potentially;
-        } else if (percent <= 62) {
-            conclusion_color = orange;
-            conclusion_message = might;
-        } else if (percent <= 75) {
-            conclusion_color = green_orange;
-            conclusion_message = likely;
-        } else if (percent < 100) {
-            conclusion_color = green;
-            conclusion_message = very_likely;
-        } else if (percent == 100) {
-            conclusion_color = green;
-            conclusion_message = inside_vm;
-        }
+        const char* conclusion_color = color(percent);
+        std::string conclusion_message = message(percent, brand);
 
         std::cout 
             << bold 
@@ -282,11 +312,16 @@ int main(int argc, char* argv[]) {
             std::cout << VM::brand() << "\n";
             return 0;
         } else if (cmp(arg, "-p") || cmp(arg, "--percent")) {
-            std::cout << VM::percentage() << "\n";
+            std::cout << static_cast<std::uint32_t>(VM::percentage()) << "\n";
             return 0;
         } else if (cmp(arg, "-d") || cmp(arg, "--detect")) {
             std::cout << VM::detect() << "\n";
             return 0;
+        } else if (cmp(arg, "-c") || cmp(arg, "--conclusion")) {
+            const std::uint8_t percent = VM::percentage();
+            const std::string brand = VM::brand();
+            std::cout << message(percent, brand) << "\n";
+            return 0;
         } else {
             std::cerr << "Unknown argument provided, consult the help menu with --help\n";
             return 1;