Merge pull request #414 from kernelwernel/dev

NotRequiem · web-flow · commit f394147b992d · 2025-06-01T14:46:15.000+02:00
Fixed firmware checks on Linux
diff --git a/README.md b/README.md
@@ -77,7 +77,7 @@ This project also provides a tiny, but handy CLI tool utilising the full potenti
 
 <img src="assets/demo.jpg" title="cli">
 
-Try it out on [Compiler Explorer](https://godbolt.org/z/4sKa1sqrW)!
+<!-- Try it out on [Compiler Explorer](https://godbolt.org/z/4sKa1sqrW)!-->
 
 <br>
 
@@ -171,11 +171,11 @@ If you want to learn about the architecture and design of the library, head over
 <br>
 
 > There's already loads of projects that have the same goal such as 
-<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional issue is that they are all GPL projects. 
+<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional hurdle is that they are all GPL projects, so using them for proprietary projects (which would be the main audience for such a functionality), is out of the question. 
 >
 > Pafish and InviZzzible have been abandoned for years. Although Al-Khaser does receive occasional updates and has a wide scope of detections that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.
 > 
-> While those projects have been useful to VMAware as a baseline, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.
+> While those projects have been useful to VMAware to some extent, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.
 
 </details>
 
@@ -196,7 +196,7 @@ If you want to learn about the architecture and design of the library, head over
 > 
 > All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source. This is what made the project the best VM detection framework out there, and bypassing it has shown to be an immense challenge due to the sheer number of sophisticated and never-before-seen techniques we employ that other VM detectors don't use whether open or closed source (to our knowledge).
 >
-> In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation.
+> In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation. It's the same reason why OpenSSH, OpenSSL, the Linux kernel, and other security-based software projects are relatively secure because of how there's more people helping to make it better compared to people trying to probe the source code with malicious intent. VMAware has this philosophy, and if you know anything about security, you should be familiar with the phrase: "Security through obfuscation is NOT security".
 
 </details>
 
diff --git a/assets/demo.jpg b/assets/demo.jpg
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
@@ -5864,32 +5864,30 @@ struct VM {
             return false;
         #elif (LINUX)
             // Author: dmfrpro
-            if (!util::is_admin()) {
-                return false;
-            }
-
             DIR* dir = opendir("/sys/firmware/acpi/tables/");
             if (!dir) {
                 debug("FIRMWARE: could not open ACPI tables directory");
                 return false;
             }
 
-            // Same targets as the Windows branch but without "WAET"
             constexpr const char* targets[] = {
-                "Parallels Software International","Parallels(R)","innotek",
-                "Oracle","VirtualBox","vbox","VBOX","VS2005R2",
+                "Parallels Software International","Parallels(R)",
+                "innotek","Oracle","VirtualBox","vbox","VBOX","VS2005R2",
                 "VMware, Inc.","VMware","VMWARE",
                 "S3 Corp.","Virtual Machine","QEMU","pc-q35","BOCHS","BXPC"
             };
 
             struct dirent* entry;
             while ((entry = readdir(dir)) != nullptr) {
                 // Skip "." and ".."
-                if (strcmp(entry->d_name, ".") == 0 || strcmp(entry->d_name, "..") == 0)
+                if (strcmp(entry->d_name, ".") == 0 ||
+                    strcmp(entry->d_name, "..") == 0)
                     continue;
 
                 char path[PATH_MAX];
-                snprintf(path, sizeof(path), "/sys/firmware/acpi/tables/%s", entry->d_name);
+                snprintf(path, sizeof(path),
+                    "/sys/firmware/acpi/tables/%s",
+                    entry->d_name);
 
                 int fd = open(path, O_RDONLY);
                 if (fd == -1) {
@@ -5898,17 +5896,11 @@ struct VM {
                 }
 
                 struct stat statbuf;
-                if (fstat(fd, &statbuf) != 0) {
+                if (fstat(fd, &statbuf) != 0 || S_ISDIR(statbuf.st_mode)) {
                     debug("FIRMWARE: skipped ", entry->d_name);
                     close(fd);
                     continue;
                 }
-                if (S_ISDIR(statbuf.st_mode)) {
-                    debug("FIRMWARE: skipped directory ", entry->d_name);
-                    close(fd);
-                    continue;
-                }
-
                 long file_size = statbuf.st_size;
                 if (file_size <= 0) {
                     debug("FIRMWARE: file empty or error ", entry->d_name);
@@ -5922,13 +5914,20 @@ struct VM {
                     close(fd);
                     continue;
                 }
+
+                ssize_t n = read(fd, buffer, file_size);
                 close(fd);
+                if (n != file_size) {
+                    debug("FIRMWARE: could not read full table ", entry->d_name);
+                    free(buffer);
+                    continue;
+                }
 
                 for (const char* target : targets) {
                     size_t targetLen = strlen(target);
-                    if (targetLen == 0 || file_size < static_cast<long>(targetLen))
+                    if ((long)targetLen > file_size)
                         continue;
-                    for (long j = 0; j <= file_size - static_cast<long>(targetLen); ++j) {
+                    for (long j = 0; j <= file_size - (long)targetLen; ++j) {
                         if (memcmp(buffer + j, target, targetLen) == 0) {
                             const char* brand = nullptr;
                             if (strcmp(target, "Parallels Software International") == 0 ||
@@ -5947,13 +5946,14 @@ struct VM {
                                 strcmp(target, "VMWARE") == 0) {
                                 brand = brands::VMWARE;
                             }
-                            else if (strcmp(target, "QEMU")) {
+                            else if (strcmp(target, "QEMU") == 0) {
                                 brand = brands::QEMU;
                             }
                             else if (strcmp(target, "BOCHS") == 0 ||
                                 strcmp(target, "BXPC") == 0) {
                                 brand = brands::BOCHS;
                             }
+
                             free(buffer);
                             closedir(dir);
                             if (brand)

Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,7 @@ This project also provides a tiny, but handy CLI tool utilising the full potenti`
`77`	`77`
`78`	`78`	`<img src="assets/demo.jpg" title="cli">`
`79`	`79`
`80`		`-Try it out on [Compiler Explorer](https://godbolt.org/z/4sKa1sqrW)!`
	`80`	`+<!-- Try it out on [Compiler Explorer](https://godbolt.org/z/4sKa1sqrW)!-->`
`81`	`81`
`82`	`82`	`<br>`
`83`	`83`
`@@ -171,11 +171,11 @@ If you want to learn about the architecture and design of the library, head over`
`171`	`171`	`<br>`
`172`	`172`
`173`	`173`	`> There's already loads of projects that have the same goal such as`
`174`		-<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional issue is that they are all GPL projects.
	`174`	+<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. Additionally, the VM detections in all those projects are often not sophisticated enough to be practically applied to real-world scenarios while not providing enough VM detection techniques. An additional hurdle is that they are all GPL projects, so using them for proprietary projects (which would be the main audience for such a functionality), is out of the question.
`175`	`175`	`>`
`176`	`176`	`> Pafish and InviZzzible have been abandoned for years. Although Al-Khaser does receive occasional updates and has a wide scope of detections that VMAware doesn't provide (anti-debugging, anti-injection, and so on), it still falls short due to the previously mentioned problems above.`
`177`	`177`	`>`
`178`		`-> While those projects have been useful to VMAware as a baseline, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.`
	`178`	`+> While those projects have been useful to VMAware to some extent, we wanted to make them far better. My goal was to make the detection techniques to be accessible programmatically in a cross-platform and flexible way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection framework on steroids that focuses on practical and realistic usability for any scenario.`
`179`	`179`
`180`	`180`	`</details>`
`181`	`181`
`@@ -196,7 +196,7 @@ If you want to learn about the architecture and design of the library, head over`
`196`	`196`	`>`
`197`	`197`	`> All of this combined has further advanced the forefront innovations in the field of VM detections much more productively, compared to having it closed source. This is what made the project the best VM detection framework out there, and bypassing it has shown to be an immense challenge due to the sheer number of sophisticated and never-before-seen techniques we employ that other VM detectors don't use whether open or closed source (to our knowledge).`
`198`	`198`	`>`
`199`		`-> In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation.`
	`199`	+> In other words, it's about better quality AND quantity, better feedback, and better openness over security through obfuscation. It's the same reason why OpenSSH, OpenSSL, the Linux kernel, and other security-based software projects are relatively secure because of how there's more people helping to make it better compared to people trying to probe the source code with malicious intent. VMAware has this philosophy, and if you know anything about security, you should be familiar with the phrase: "Security through obfuscation is NOT security".
`200`	`200`
`201`	`201`	`</details>`
`202`	`202`