Merge pull request #289 from kernelwernel/dev

feat: Improved VM::TIMER and VM::FILES

Author: NotRequiem

README.md

@@ -180,10 +180,11 @@ You can view the full docs [here](docs/documentation.md). All the details such a
 <br>
 
 > There's already loads of projects that have the same goal such as 
-<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. 
-> Pafish and InviZzzible have been abandoned for years, while Al-Khaser does receive updates and has a wide scope of detection that includes anti-debuggers, anti-injection, and so on, but the VM detections are not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional issue is that they are all GPL projects. 
+<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional issue is that they are all GPL projects. 
+>
+> Pafish and InviZzzible have been abandoned for years. Although Al-Khaser **DOES** receive occasional updates and has a wide scope of detection that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.
 > 
-> I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids with maximum flexibility.
+> While those projects have been useful to VMAware, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic real-world usability.
 
 </details>
 
@@ -200,7 +201,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
 <summary>Wouldn't it make it inferior for having it open source?</summary>
 <br>
 
-> The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive way rather than trying to obfuscate it. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide it's a VM. All of this combined further advances the forefront innovations in the field of VM detections much more productively, compared to having it closed source. 
+> The only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive way rather than trying to obfuscate it. Having it open source means we can have valuable community feedback to strengthen the library more effectively and accurately through discussions, collaborations, and competition against anti-anti-vm projects and malware analysis tools which try to hide it's a VM. All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source.
 >
 > In other words, it's about quality, feedback, and openness over security through obfuscation.
 
@@ -289,6 +290,7 @@ And if you found this project useful, a star would be appreciated :)
 - [Georgii Gennadev (D00Movenok)](https://github.com/D00Movenok)
 - [utoshu](https://github.com/utoshu)
 - [Jyd](https://github.com/jyd519)
+- [git-eternal](https://github.com/git-eternal)
 
 <br>
 

docs/documentation.md

@@ -594,7 +594,6 @@ This is the table of all the brands the lib supports.
 | NoirVisor | `VM::brands::NOIRVISOR` | Hypervisor (type 1) |  |
 | Qihoo 360 Sandbox | `VM::brands::QIHOO` | Sandbox |  |
 | nsjail | `VM::brands::NSJAIL` | Process isolator |  |
-| Xen with nsjail (for Compiler Explorer) | `VM::brands::COMPILER_EXPLORER` | Type 1 hypervisor with process isolator |  |
 
 <br>
 
@@ -639,6 +638,7 @@ This is the table of all the brands the lib supports.
 |    | --verbose | add more information to the output  |
 |    | --compact | ignore the unsupported techniques from the CLI output and thus make it more compact |
 |    | --mit | ignore the GPL techniques and run only the MIT-supported ones |
+|    | --enums | display the technique enum name used by the lib |
 > [!NOTE]
 > If you want a general result with the default settings, do not put any arguments. This is the intended way to use the CLI tool.
 >

src/cli.cpp

@@ -83,6 +83,7 @@ enum arg_enum : u8 {
     VERBOSE,
     COMPACT,
     MIT,
+    ENUMS,
     NULL_ARG
 };
 
@@ -163,7 +164,7 @@ R"(Usage:
  --verbose          add more information to the output
  --compact          ignore the unsupported techniques from the CLI output
  --mit              ignore the GPL techniques and run only the MIT-supported ones
-
+ --enums            display the technique enum name used by the lib
 )";
     std::exit(0);
 }
@@ -273,7 +274,6 @@ Neko Project II
 NoirVisor
 Qihoo 360 Sandbox
 nsjail
-Xen with nsjail (for Compiler Explorer)
 )";
 
     std::exit(0);
@@ -657,7 +657,6 @@ std::string vm_description(const std::string& vm_brand) {
         { VM::brands::NOIRVISOR, "NoirVisor is a hardware-accelerated hypervisor with support to complex functions and purposes. It is designed to support processors based on x86 architecture with hardware-accelerated virtualization feature. For example, Intel processors supporting Intel VT-x or AMD processors supporting AMD-V meet the requirement. It was made by Zero-Tang." },
         { VM::brands::QIHOO, "360 sandbox is a part of 360 Total Security. Similar to other sandbox software, it provides a virtualized environment where potentially malicious or untrusted programs can run without affecting the actual system. Qihoo 360 Sandbox is commonly used for testing unknown applications, analyzing malware behavior, and protecting users from zero-day threats." },
         { VM::brands::NSJAIL, "nsjail is a process isolation tool for Linux. It utilizes Linux namespace subsystem, resource limits, and the seccomp-bpf syscall filters of the Linux kernel. It can be used for isolating networking services, CTF challenges, and containing invasive syscall-level OS fuzzers." },
-        { VM::brands::COMPILER_EXPLORER, "Compiler Explorer is an interactive web compiler that supports numerous languages. The backend uses nsjail for their executor to isolate processes, while an additional hypervisor layer is used called Xen."},
         { VM::brands::NULL_BRAND, "Indicates no detectable virtualization brand. This result may occur on bare-metal systems, unsupported/obscure hypervisors, or when anti-detection techniques (e.g., VM escaping) are employed by the guest environment." }
     };
 
@@ -767,13 +766,19 @@ void checker(const VM::enum_flags flag, const char* message) {
         supported_count++;
     }
 
+    std::string enum_name = "";
+
+    if (arg_bitset.test(ENUMS)) {
+        enum_name = grey + " [VM::" + VM::flag_to_string(flag) + "]" + ansi_exit;
+    }
+
 #if (LINUX)
     if (are_perms_required(flag)) {
         if (arg_bitset.test(COMPACT)) {
             return;
         }
 
-        std::cout << no_perms << " Skipped " << message << "\n";
+        std::cout << no_perms << " Skipped " << message << enum_name << "\n";
 
         no_perms_count++;
 
@@ -788,15 +793,16 @@ void checker(const VM::enum_flags flag, const char* message) {
         if (arg_bitset.test(COMPACT)) {
             return;
         }
-        std::cout << disabled << " Skipped " << message << "\n";
+        std::cout << disabled << " Skipped " << message << enum_name << "\n";
         disabled_count++;
         return;
     }
 
+
     if (VM::check(flag)) {
-        std::cout << detected << bold << " Checking " << message << "..." << ansi_exit << "\n";
+        std::cout << detected << bold << " Checking " << message << "..." << enum_name << ansi_exit << "\n";
     } else {
-        std::cout << not_detected << " Checking " << message << "...\n";
+        std::cout << not_detected << " Checking " << message << "..." << enum_name << ansi_exit << "\n";
     }
 }
 
@@ -1196,7 +1202,7 @@ int main(int argc, char* argv[]) {
         std::exit(0);
     }
 
-    static constexpr std::array<std::pair<const char*, arg_enum>, 30> table {{
+    static constexpr std::array<std::pair<const char*, arg_enum>, 31> table {{
         { "-h", HELP },
         { "-v", VERSION },
         { "-a", ALL },
@@ -1226,6 +1232,7 @@ int main(int argc, char* argv[]) {
         { "--verbose", VERBOSE },
         { "--compact", COMPACT },
         { "--mit", MIT },
+        { "--enums", ENUMS },
         { "--no-color", NO_ANSI }
     }};