feat: improved VM::CPU_HEURISTIC checks

Author: Requiem

src/vmaware.hpp

@@ -4173,7 +4173,7 @@ struct VM {
         return false;
     #else
         if (util::is_running_under_translator()) {
-            debug("TIMER: Running inside a binary translation layer.");
+            debug("TIMER: Running inside a binary translation layer");
             return false;
         }
         u16 cycleThreshold = 1500;
@@ -4294,7 +4294,7 @@ struct VM {
             };
 
             auto xor_lambda = []() -> u64 {
-                volatile u64 a = 0xDEADBEEFDEADBEEFull;
+                volatile u64 a = 0xDEADBEEFDEADBEEFull; // can be replaced by NOPs
                 volatile u64 b = 0x1234567890ABCDEFull;
                 u64 v = a ^ b;
                 g_sink ^= v;
@@ -4308,7 +4308,7 @@ struct VM {
             volatile fn_t xor_ptr = +xor_lambda;
 
             ULONG64 beforeqit = 0;
-            QueryInterruptTime(&beforeqit);
+            QueryInterruptTime(&beforeqit); // the kernel routine that backs up this api runs at CLOCK_LEVEL(13), only preempted by IPI, POWER_LEVEL and NMIs
             const ULONG64 beforetsc = __rdtsc();
 
             volatile u64 dummy = 0;
@@ -4346,7 +4346,7 @@ struct VM {
             }
 
             if (difference > 10) {
-                return true; // both ratios will always differ under a RDTSC trap since the hypervisor can't account for the XOR loop
+                return true; // both ratios will always differ if a RDTSC trap is present, since the hypervisor can't account for the XOR/NOP loop
             }
             // TLB flushes or side channel cache attacks are not even tried due to how ineffective they are against stealthy hypervisors
         #endif
@@ -9379,39 +9379,102 @@ struct VM {
 
 
     /**
-     * @brief Check if the CPU is capable of running certain instructions successfully
+     * @brief Check whether the CPU is genuine and its reported instruction capabilities are not masked
      * @category Windows
      * @implements VM::CPU_HEURISTIC
      */
     [[nodiscard]] static bool cpu_heuristic() {
-        if (util::is_running_under_translator()) return false;
-
-        // 1) Check for commonly disabled instructions on patches      
-        bool ok = true;
+    #if (x86)
+        if (util::is_running_under_translator()) {
+            debug("CPU_HEURISTIC: Running inside a binary translation layer");
+            return false;
+        }
 
+        // 1) Check for commonly disabled instructions on patches and VMs    
         u32 a = 0, b = 0, c = 0, d = 0;
         cpu::cpuid(a, b, c, d, 1u);
 
         constexpr u32 AES_NI_BIT = 1u << 25;
-        if ((c & AES_NI_BIT) == 0) {
-            ok = false;
+        const bool aes_support = (c & AES_NI_BIT) != 0;
+
+        alignas(16) unsigned char plaintext[16] = {
+            0x00,0x11,0x22,0x33, 0x44,0x55,0x66,0x77,
+            0x88,0x99,0xAA,0xBB, 0xCC,0xDD,0xEE,0xFF
+        };
+        alignas(16) unsigned char key[16] = {
+            0x0F,0x0E,0x0D,0x0C, 0x0B,0x0A,0x09,0x08,
+            0x07,0x06,0x05,0x04, 0x03,0x02,0x01,0x00
+        };
+        alignas(16) unsigned char out[16] = { 0 };
+        __try {
+            __m128i block = _mm_loadu_si128(reinterpret_cast<const __m128i*>(plaintext));
+            __m128i key_vec = _mm_loadu_si128(reinterpret_cast<const __m128i*>(key));
+
+            __m128i tmp = _mm_xor_si128(block, key_vec);
+            tmp = _mm_aesenc_si128(tmp, key_vec);
+
+            _mm_storeu_si128(reinterpret_cast<__m128i*>(out), tmp);
+            if (!aes_support) {
+                debug("CPU_HEURISTIC: Hypervisor detected hiding AES capabilities");
+                return true;
+            }
         }
+        __except (GetExceptionCode() == EXCEPTION_ILLEGAL_INSTRUCTION
+            ? EXCEPTION_EXECUTE_HANDLER
+            : EXCEPTION_CONTINUE_SEARCH) {
+            if (aes_support) {
+                debug("CPU_HEURISTIC: Hypervisor reports AES, but it is not handled correctly");
+                return true;
+            }
+        }     
 
-        if (!ok) {
-            debug("CPU_HEURISTIC: CPU does not report AES");
+        const bool avx_support = ((c >> 28) & 1u) != 0;
+        const bool xsave_support = ((c >> 26) & 1u) != 0;
+
+        if (avx_support && !xsave_support) {
+            debug("CPU_HEURISTIC: YMM state not correct for a baremetal machine");
             return true;
         }
 
-        // 2. Test if the CPU model is spoofed
+        const bool rdrand_support = ((c >> 30) & 1u) != 0;
+        __try {
+            unsigned int v = 0;
+        #if (MSVC && !CLANG)
+            if (_rdrand32_step(&v) && !rdrand_support) {
+                debug("CPU_HEURISTIC: Hypervisor detected hiding RDRAND capabilities");
+                return true;
+            }
+        #else 
+            unsigned char ok = 0;
+            asm volatile("rdrand %0\n\tsetc %1" : "=r"(v), "=qm"(ok) : : "cc");
+            if (ok && !rdrand_support) {
+                debug("CPU_HEURISTIC: Hypervisor detected hiding RDRAND capabilities");
+                return true;
+            }
+        #endif      
+        }
+        __except (GetExceptionCode() == EXCEPTION_ILLEGAL_INSTRUCTION
+            ? EXCEPTION_EXECUTE_HANDLER
+            : EXCEPTION_CONTINUE_SEARCH) {
+            if (rdrand_support) {
+                debug("CPU_HEURISTIC: Hypervisor reports RDRAND, but it is not handled correctly");
+                return true;
+            }
+        }        
+
+        // 2. Test if the CPU vendor is spoofed (for example, a CPU reports being AMD in CPUID, but it is Intel)
         /*
-            For this task, we want a vendor-only instruction that:
-            1. Is compatible enough, meaning both old and new CPUs of this vendor have it
-            2. Is enabled by default, without needing BIOS/OS changes
-            3. Never switches to kernel-mode, so that is harder to intercept
-            4. Is not deprecated
+            For this task, we want a instruction that:
+            1. It is vendor-only, meaning that other CPU vendors never implemented the same instruction on their microcode
+                -> Note: Even if an instruction is vendor-only, it may be treated as a NOP by other CPU vendors, we don't want this
+            2. Is compatible enough, meaning both old and new CPUs of this vendor have it
+            3. Is enabled by default, without needing BIOS/OS changes
+            4. Never switches to kernel-mode, so that is harder to intercept
+            5. Is not deprecated today
+            6. Its side-effects can be measured from CPL3 (user-mode)
 
             On Intel, most options are unreliable:
-            SGX are deprecated and disabled by default, MPX is deprecated and treated as NOP even in AMD CPUs, AVX-512 is not found in all processors (and amd integrated part of this set), etc
+            SGX are deprecated and disabled by default, MPX is deprecated and treated as NOP even in AMD CPUs, AVX-512 is not found in all processors (and AMD integrated part of this set), etc
             On AMD, 3dNow! could be an option, but since its being deprecated, CLZERO fits this criteria better
 
             So for example, if the CPU reports being Intel, and succesfully runs CLZERO without a NOP, then it's not an Intel CPU.
@@ -9440,7 +9503,8 @@ struct VM {
         const bool claimed_intel = cpu::is_intel();
 
         if (!claimed_amd && !claimed_intel) {
-            return false;
+            debug("CPU_HEURISTIC: x86 CPU vendor was not recognized as either Intel or AMD");
+            return false; // Zhaoxin? VIA/Centaur?
         }
 
         bool spoofed = false;
@@ -9578,6 +9642,9 @@ struct VM {
         }
 
         return spoofed;
+    #else
+        return false;
+    #endif
     }
 
 
@@ -10962,8 +11029,6 @@ struct VM {
             return it->second;
         }
 
-        debug("VM::type(): No known brand found, something went terribly wrong here...");
-
         return "Unknown";
     }
 
@@ -11299,7 +11364,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
         std::make_pair(VM::NVRAM, VM::core::technique(100, VM::nvram_vars)),
         std::make_pair(VM::CLOCK, VM::core::technique(100, VM::clock)),
         std::make_pair(VM::POWER_CAPABILITIES, VM::core::technique(45, VM::power_capabilities)),
-        std::make_pair(VM::CPU_HEURISTIC, VM::core::technique(100, VM::cpu_heuristic)),
+        std::make_pair(VM::CPU_HEURISTIC, VM::core::technique(90, VM::cpu_heuristic)),
         std::make_pair(VM::EDID, VM::core::technique(100, VM::edid)),
         std::make_pair(VM::BOOT_LOGO, VM::core::technique(100, VM::boot_logo)),
         std::make_pair(VM::GPU_CAPABILITIES, VM::core::technique(45, VM::gpu_capabilities)),