Skip to content

detection for TSC rewind and fix for WINE flags in ARM #636

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
NotRequiem merged 3 commits into from
Feb 23, 2026
Merged

detection for TSC rewind and fix for WINE flags in ARM #636

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
c161ff1
fix: logical bug in VM::CLOCK
Feb 23, 2026
3b8edd8
Merge branch 'main' of https://github.com/NotRequiem/VMAware
Feb 23, 2026
ae3dfeb
fix: TSC rewinds and WINE flags on AR,
Feb 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/cli.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ struct SHA256 {
0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
};
u32 m[64];
u32 m[64]{};
for (u32 i = 0, j = 0; i < 16; ++i, j += 4) {
m[i] = (u32)buf[j] << 24 | (u32)buf[j + 1] << 16 | (u32)buf[j + 2] << 8 | (u32)buf[j + 3];
}
Expand Down Expand Up @@ -288,7 +288,7 @@ static std::string exe_path() {
#endif
}

std::string compute_self_sha256() {
static std::string compute_self_sha256() {
std::string path = exe_path();
if (path.empty()) return {};

Expand Down
52 changes: 29 additions & 23 deletions src/vmaware.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4695,7 +4695,7 @@
#endif
};

thread_local u32 aux = 0;

Check warning on line 4698 in src/vmaware.hpp

View workflow job for this annotation

GitHub Actions / Analyze (cpp, gcc-14, Ninja Multi-Config, Debug, ON) 

unused variable 'aux' [-Wunused-variable]
auto cpuid = [](unsigned int leaf) noexcept -> u64 {
#if (MSVC)
// make regs volatile so writes cannot be optimized out, if this isn't added and the code is compiled in release mode, cycles would be around 40 even under Hyper-V
Expand Down Expand Up @@ -4947,7 +4947,13 @@
for (unsigned i = 0; i < CPUID_ITER; ++i) {
// read rdtsc and accumulate delta
const u64 now = rdtsc();
acc += (now >= last) ? (now - last) : (u64)((u64)0 - last + now);

// If now < last, the hypervisor rewound the TSC or it's a very rare 64-bit overflow
// we do not increment acc to ensure ratio t2_delta / t1_delta drops below 0.95
if (now >= last) {
acc += (now - last);
}

last = now;

// store latency if buffer has space
Expand All @@ -4964,7 +4970,11 @@

// final rdtsc after detecting finish
const u64 final_now = rdtsc();
acc += (final_now >= last) ? (final_now - last) : (u64)((u64)0 - last + final_now);

if (final_now >= last) {
acc += (final_now - last);
}

last = final_now;

// publish results
Expand Down Expand Up @@ -5011,7 +5021,7 @@

if (cpuid_latency >= cycle_threshold) {
debug("TIMER: Detected a vmexit on CPUID");
return true;
return core::add(brands::NULL_BRAND, 100); // to prevent FPs due to kernel noise
}
else if (cpuid_latency <= 25) {
debug("TIMER: Detected a hypervisor downscaling CPUID latency");
Expand Down Expand Up @@ -6573,16 +6583,6 @@
debug("FIRMWARE: C2 and C3 latencies indicate VM");
return true;
}

if (buffer_len >= 276) {
u64 hypervisor_vid = 0;
memcpy(&hypervisor_vid, buffer + 268, 8);

if (hypervisor_vid != 0) {
debug("FIRMWARE: FACP 'Hypervisor Vendor Identity' field is occupied");
return true;
}
}
}

return false;
Expand Down Expand Up @@ -7513,6 +7513,10 @@
}
#endif

// ARM CPUs trigger this check
if (util::is_running_under_translator())
return false;

const HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
const HMODULE ntdll = util::get_ntdll();
if (!kernel32 || !ntdll) {
Expand Down Expand Up @@ -11211,22 +11215,26 @@
if (util::get_manufacturer_model(&manufacturer, &model)) {
auto ci_contains = [](const char* hay, const char* needle) noexcept -> bool {
if (!hay || !needle || !*hay || !*needle) return false;
const unsigned char* h = reinterpret_cast<const unsigned char*>(hay);
const unsigned char* n = reinterpret_cast<const unsigned char*>(needle);
const size_t nlen = strlen(reinterpret_cast<const char*>(n));

const unsigned char* h =
reinterpret_cast<const unsigned char*>(hay);
const unsigned char* n =
reinterpret_cast<const unsigned char*>(needle);

for (; *h; ++h) {
size_t i = 0;
for (;; ++i) {
unsigned char hc = h[i];
unsigned char nc = n[i];
if (!nc) return false; // matched whole needle
if (!hc) break; // hay ended
// ascii lowercase

if (!nc) return true;
if (!hc) break;

if (hc >= 'A' && hc <= 'Z') hc += 32;
if (nc >= 'A' && nc <= 'Z') nc += 32;

if (hc != nc) break;
}
if (i == nlen) return false;
}
return false;
};
Expand Down Expand Up @@ -11355,8 +11363,6 @@
{ 0x4B564D00u, 0x4B564DFFu }
};

static thread_local bool g_msr_faulted = false;

auto try_read = [](u32 msr_index) -> bool {
#if (MSVC)
unsigned __int64 value = 0;
Expand All @@ -11369,7 +11375,7 @@
return false;
}
#elif (GCC || CLANG)
g_msr_faulted = false;
static thread_local bool g_msr_faulted = false;

auto veh_handler = [](PEXCEPTION_POINTERS info) -> LONG {
if (info->ExceptionRecord->ExceptionCode == EXCEPTION_PRIV_INSTRUCTION) {
Expand Down
Loading