Merge pull request #642 from NotRequiem/main

NotRequiem · web-flow · commit ee2aa1786905 · 2026-02-26T20:40:13.000+01:00
updated core, boot logo and power capabilities checks
diff --git a/src/cli.cpp b/src/cli.cpp
@@ -941,7 +941,7 @@ static void general(
     checker(VM::IOREG_GREP, "IO registry grep");
     checker(VM::MAC_SIP, "MacOS SIP");
     checker(VM::AUDIO, "audio devices");
-    checker(VM::DEVICE_HANDLES, "device handles");
+    checker(VM::HANDLES, "device handles");
     checker(VM::VPC_INVALID, "VPC invalid instructions");
     checker(VM::SYSTEM_REGISTERS, "Task segment and descriptor tables");
     checker(VM::VMWARE_IOMEM, "/proc/iomem file");
@@ -986,7 +986,7 @@ static void general(
     checker(VM::FIRMWARE, "firmware");
     checker(VM::FILE_ACCESS_HISTORY, "low file access count");
     checker(VM::NSJAIL_PID, "nsjail PID");
-    checker(VM::PCI_DEVICES, "PCI vendor/device ID");
+    checker(VM::DEVICES, "PCI vendor/device ID");
     checker(VM::ACPI_SIGNATURE, "ACPI device signatures");
     checker(VM::TRAP, "hypervisor interception");
     checker(VM::UD, "undefined exceptions");
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
@@ -555,7 +555,7 @@ struct VM {
         DISK_SERIAL,
         IVSHMEM,
         DRIVERS,
-        DEVICE_HANDLES,
+        HANDLES,
         VIRTUAL_PROCESSORS,
         HYPERVISOR_QUERY,
         AUDIO,
@@ -586,7 +586,7 @@ struct VM {
         // Linux and Windows
         SYSTEM_REGISTERS,
         FIRMWARE,
-        PCI_DEVICES,
+        DEVICES,
         AZURE,
         
         // Linux
@@ -6817,7 +6817,7 @@ struct VM {
      * @brief Check for PCI vendor and device IDs that are VM-specific
      * @link https://www.pcilookup.com/?ven=&dev=&action=submit
      * @category Linux, Windows
-     * @implements VM::PCI_DEVICES
+     * @implements VM::DEVICES
      */
     [[nodiscard]] static bool pci_devices() {
         struct pci_device { u16 vendor_id; u32 device_id; };
@@ -7090,7 +7090,7 @@ struct VM {
                 case 0x1af41045: case 0x1af41048: case 0x1af41049: case 0x1af41050:
                 case 0x1af41052: case 0x1af41053: case 0x1af4105a: case 0x1af41100:
                 case 0x1af41110: case 0x1af41b36:
-                    debug("PCI_DEVICES: Detected Red Hat + Virtio device -> ", std::hex, id32);
+                    debug("DEVICES: Detected Red Hat + Virtio device -> 0x", std::hex, id32);
                     return true;
 
                 // VMware
@@ -7101,47 +7101,47 @@ struct VM {
                 case 0x0e0f0001: case 0x0e0f0002: case 0x0e0f0003: case 0x0e0f0004: 
                 case 0x0e0f0005: case 0x0e0f0006: case 0x0e0f000a: case 0x0e0f8001: 
                 case 0x0e0f8002: case 0x0e0f8003: case 0x0e0ff80a:
-                    debug("PCI_DEVICES: Detected VMWARE device -> ", std::hex, id32);
+                    debug("DEVICES: Detected VMWARE device -> 0x", std::hex, id32);
                     return core::add(brands::VMWARE);
 
                 // Red Hat + QEMU
                 case 0x1b360001: case 0x1b360002: case 0x1b360003: case 0x1b360004:
                 case 0x1b360005: case 0x1b360008: case 0x1b360009: case 0x1b36000b:
                 case 0x1b36000c: case 0x1b36000d: case 0x1b360010: case 0x1b360011:
                 case 0x1b360013: case 0x1b360100:
-                    debug("PCI_DEVICES: Detected Red Hat + QEMU device -> ", std::hex, id32);
+                    debug("DEVICES: Detected Red Hat + QEMU device -> 0x", std::hex, id32);
                     return core::add(brands::QEMU);
 
                 // QEMU
                 case 0x06270001: case 0x1d1d1f1f: case 0x80865845: case 0x1d6b0200:
-                    debug("PCI_DEVICES: Detected QEMU device -> ", std::hex, id32);
+                    debug("DEVICES: Detected QEMU device -> 0x", std::hex, id32);
                     return core::add(brands::QEMU);
 
                 // vGPUs (NVIDIA + others)
                 case 0x10de0fe7: case 0x10de0ff7: case 0x10de118d: case 0x10de11b0:
                 case 0x1ec6020f:
-                    debug("PCI_DEVICES: Detected virtual gpu device -> ", std::hex, id32);
+                    debug("DEVICES: Detected virtual gpu device -> 0x", std::hex, id32);
                     return true;
 
                 // VirtualBox
                 case 0x80ee0021: case 0x80ee0022: case 0x80eebeef: case 0x80eecafe:
-                    debug("PCI_DEVICES: Detected VirtualBox device -> ", std::hex, id32);
+                    debug("DEVICES: Detected VirtualBox device -> 0x", std::hex, id32);
                     return core::add(brands::VBOX);
 
                 // Parallels
                 case 0x1ab84000: case 0x1ab84005: case 0x1ab84006:
-                    debug("PCI_DEVICES: Detected Parallels device -> ", std::hex, id32);
+                    debug("DEVICES: Detected Parallels device -> 0x", std::hex, id32);
                     return core::add(brands::PARALLELS);
 
                 // Xen
                 case 0x5853c000: case 0xfffd0101: case 0x5853c147:
                 case 0x5853c110: case 0x5853c200: case 0x58530001:
-                    debug("PCI_DEVICES: Detected Xen device -> ", std::hex, id32);
+                    debug("DEVICES: Detected Xen device -> 0x", std::hex, id32);
                     return core::add(brands::XEN);
 
                 // Connectix (VirtualPC)
                 case 0x29556e61:
-                    debug("PCI_DEVICES: Detected VirtualPC device -> ", std::hex, id32);
+                    debug("DEVICES: Detected VirtualPC device -> 0x", std::hex, id32);
                     return core::add(brands::VPC);
             }
 
@@ -7156,11 +7156,11 @@ struct VM {
                 case 0x0000000010131100ULL:
                 case 0x00000000106b1100ULL:
                 case 0x0000000010221100ULL:
-                    debug("PCI_DEVICES: Detected QEMU device -> ", std::hex, id64);
+                    debug("DEVICES: Detected QEMU device -> 0x", std::hex, id64);
                     return core::add(brands::QEMU);
     
                 case 0x0000000015ad0800ULL:  // Hypervisor ROM Interface
-                    debug("PCI_DEVICES: Detected Hypervisor ROM interface -> ", std::hex, id64);
+                    debug("DEVICES: Detected Hypervisor ROM interface -> 0x", std::hex, id64);
                     return core::add(brands::VMWARE);
             }
         }
@@ -7665,9 +7665,9 @@ struct VM {
         }
 
         // could check for HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power\\PlatformAoAcOverride
-        const bool no_sleep_states = !s0_supported && !s1_supported && !s2_supported && !s3_supported;
+        const bool no_sleep_states = !s0_supported && !s1_supported && !s2_supported && !s3_supported && !s4_supported && !hiber_file_present;
         if (no_sleep_states) {
-            debug("POWER_CAPABILITIES: Detected !(S0||S1||S2||S3) pattern"); // can sometimes false flag baremetal devices
+            debug("POWER_CAPABILITIES: Detected !(S0||S1||S2||S3||S4||H) pattern");
             return true;
         }
 
@@ -8640,7 +8640,7 @@ struct VM {
     /**
      * @brief Check for vm-specific devices
      * @category Windows
-     * @implements VM::DEVICE_HANDLES
+     * @implements VM::HANDLES
      */
     [[nodiscard]] static bool device_handles() {
         const HMODULE ntdll = util::get_ntdll();
@@ -8721,17 +8721,17 @@ struct VM {
         }
 
         if (vbox) {
-            debug("DEVICE_HANDLES: Detected VBox related device handles");
+            debug("HANDLES: Detected VBox related device handles");
             return core::add(brands::VBOX);
         }
 
         if (vmware) {
-            debug("DEVICE_HANDLES: Detected VMware related device (HGFS)");
+            debug("HANDLES: Detected VMware related device (HGFS)");
             return core::add(brands::VMWARE);
         }
 
         if (cuckoo) {
-            debug("DEVICE_HANDLES: Detected Cuckoo related device (pipe)");
+            debug("HANDLES: Detected Cuckoo related device (pipe)");
             return core::add(brands::CUCKOO);
         }
 
@@ -9718,7 +9718,7 @@ struct VM {
         switch (hash) {
             case 0x110350C5: return core::add(brands::QEMU); // TianoCore EDK2
             case 0x87c39681: return core::add(brands::HYPERV);
-            case 0xf6829262: return core::add(brands::VBOX);
+            case 0x9502cb33: return core::add(brands::VBOX);
             default:         return false;
         }
     #else
@@ -10083,8 +10083,6 @@ struct VM {
             // ---------------------------------------------------------------------
             // Constants & Data
             // ---------------------------------------------------------------------
-            constexpr const char* vendor_list_ascii[] = { "msi","asrock","asus","asustek","gigabyte","giga-byte","micro-star","microstar" };
-            constexpr const wchar_t* vendor_list_wide[] = { L"msi",L"asrock",L"asus",L"asustek",L"gigabyte",L"giga-byte",L"micro-star",L"microstar" };
             constexpr const char redhat_sig_ascii[] = "red hat";
             constexpr const wchar_t redhat_sig_wide[] = L"red hat";
 
@@ -11998,6 +11996,14 @@ struct VM {
             }
         }
 
+        // remove "Unknown" if detected with other brands
+        if (active_count > 1) {
+            const int idx = find_index(brands::NULL_BRAND);
+            if (idx != -1) {
+                remove_at(idx);
+            }
+        }
+
         if (active_count > 1) {
             std::sort(active_brands.begin(), active_brands.begin() + static_cast<std::ptrdiff_t>(active_count), [](
                 const brand_element_t& a,
@@ -12246,7 +12252,7 @@ struct VM {
             case DISK_SERIAL: return "DISK_SERIAL";
             case IVSHMEM: return "IVSHMEM";
             case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
-            case DEVICE_HANDLES: return "DEVICE_HANDLES";
+            case HANDLES: return "HANDLES";
             case QEMU_FW_CFG: return "QEMU_FW_CFG";
             case VIRTUAL_PROCESSORS: return "VIRTUAL_PROCESSORS";
             case HYPERVISOR_QUERY: return "HYPERVISOR_QUERY";
@@ -12256,7 +12262,7 @@ struct VM {
             case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY";
             case AUDIO: return "AUDIO";
             case NSJAIL_PID: return "NSJAIL_PID";
-            case PCI_DEVICES: return "PCI_DEVICES";
+            case DEVICES: return "DEVICES";
             case ACPI_SIGNATURE: return "ACPI_SIGNATURE";
             case TRAP: return "TRAP";
             case UD: return "UNDEFINED_INSTRUCTION";
@@ -12613,7 +12619,7 @@ struct VM {
         }
 
         auto hardened_logic = []() -> bool {
-            // Helper to get the specific brand associated with a technique using the cache.
+            // Helper to get the specific brand associated with a technique using the cache
             auto detected_brand = [](const enum_flags flag) -> const char* {
                 if (!check(flag)) {
                     return brands::NULL_BRAND;
@@ -12887,7 +12893,7 @@ std::array<VM::core::technique, VM::enum_size + 1> VM::core::technique_table = [
             {VM::EDID, {100, VM::edid}},
             {VM::IVSHMEM, {100, VM::ivshmem}},
             {VM::DRIVERS, {100, VM::drivers}},
-            {VM::DEVICE_HANDLES, {100, VM::device_handles}},
+            {VM::HANDLES, {100, VM::device_handles}},
             {VM::VIRTUAL_PROCESSORS, {100, VM::virtual_processors}},
             {VM::KERNEL_OBJECTS, {100, VM::kernel_objects}},
             {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}},
@@ -12911,7 +12917,7 @@ std::array<VM::core::technique, VM::enum_size + 1> VM::core::technique_table = [
 
         #if (LINUX || WINDOWS)
             {VM::FIRMWARE, {100, VM::firmware}},
-            {VM::PCI_DEVICES, {95, VM::pci_devices}},
+            {VM::DEVICES, {95, VM::pci_devices}},
             {VM::SYSTEM_REGISTERS, {50, VM::system_registers}},
             {VM::AZURE, {30, VM::azure}},
         #endif
