diff --git a/README.md b/README.md
index dbc6c72f..2992273e 100644
--- a/README.md
+++ b/README.md
@@ -14,7 +14,7 @@
The library is:
- Very easy to use
- Cross-platform (Windows + MacOS + Linux)
-- Features up to 115+ unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
+- Features up to 115 unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
- Features the most cutting-edge techniques
- Able to detect 65+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
- Able to beat VM hardeners
@@ -239,7 +239,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL projects, and I have no choice but to use the same license for legal reasons.
>
-> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes 7 techniques out of 116 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
+> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes 7 techniques out of 115 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
diff --git a/docs/documentation.md b/docs/documentation.md
index 026866c8..4d03aadf 100644
--- a/docs/documentation.md
+++ b/docs/documentation.md
@@ -465,7 +465,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
| `VM::IOREG_GREP` | Check for VM-strings in ioreg commands for MacOS | MacOS | 100% | | | | |
| `VM::MAC_SIP` | Check if System Integrity Protection is disabled (likely a VM if it is) | MacOS | 40% | | | | |
| `VM::HKLM_REGISTRIES` | Check HKLM registries for specific VM strings | Windows | 25% | | | | |
-| `VM::QEMU_GA` | Check for "qemu-ga" process | Linux | 10% | | | | |
| `VM::VPC_INVALID` | Check for official VPC method | Windows | 75% | | | 32-bit | |
| `VM::SIDT` | Check for sidt instruction method | Windows | 25% | | | | |
| `VM::SGDT` | Check for sgdt instruction method | Windows | 30% | | | 32-bit | |
@@ -514,7 +513,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
| `VM::ANYRUN_DIRECTORY` | Check for any.run directory and handle the status code | Windows | 35% | | | | | Removed from the lib, only available in the CLI |
| `VM::DRIVER_NAMES` | Check for VM-specific names for drivers | Windows | 100% | | | | |
| `VM::VM_SIDT` | Check for unknown IDT base address | Windows | 100% | | | | |
-| `VM::HDD_SERIAL` | Check for serial numbers of virtual disks | Windows | 100% | | | | |
+| `VM::DISK_SERIAL` | Check for serial numbers of virtual disks | Windows | 100% | | | | |
| `VM::PORT_CONNECTORS` | Check for physical connection ports | Windows | 25% | | | | This technique is known to false flag on devices like Surface Pro |
| `VM::GPU_CAPABILITIES` | Check for GPU capabilities related to VMs | Windows | 100% | Admin | | | Admin only needed for some heuristics |
| `VM::GPU_VM_STRINGS` | Check for specific GPU string signatures related to VMs | Windows | 100% | | | | If GPU_CAPABILITIES also flags, the overall score will be 50 instead of 100 |
diff --git a/src/README.md b/src/README.md
index 66fa8130..08e253db 100644
--- a/src/README.md
+++ b/src/README.md
@@ -2,7 +2,7 @@
|------|---------|
| `cli.cpp` | Entire CLI tool code |
| `vmaware.hpp` | Official and original library header in GPL-3.0, most likely what you're looking for. |
-| `vmaware_MIT.hpp` | Same as above but in MIT. But this removes 7 techniques out of 116 |
+| `vmaware_MIT.hpp` | Same as above but in MIT. But this removes 7 techniques out of 115 |
diff --git a/src/cli.cpp b/src/cli.cpp
index 81d31fa1..a08a5711 100644
--- a/src/cli.cpp
+++ b/src/cli.cpp
@@ -353,9 +353,9 @@ bool is_unsupported(VM::enum_flags flag) {
case VM::SIDT5:
case VM::DISK_SIZE:
case VM::VBOX_DEFAULT:
+ case VM::VM_PROCESSES:
case VM::LINUX_USER_HOST:
case VM::BOCHS_CPU:
- case VM::QEMU_GA:
case VM::SIDT:
case VM::VMWARE_IOMEM:
case VM::VMWARE_IOPORTS:
@@ -451,7 +451,7 @@ bool is_unsupported(VM::enum_flags flag) {
case VM::KGT_SIGNATURE:
case VM::DRIVER_NAMES:
case VM::VM_SIDT:
- case VM::HDD_SERIAL:
+ case VM::DISK_SERIAL:
case VM::PORT_CONNECTORS:
case VM::GPU_VM_STRINGS:
case VM::GPU_CAPABILITIES:
@@ -907,7 +907,6 @@ void general() {
checker(VM::KVM_DIRS, "KVM directories");
checker(VM::HKLM_REGISTRIES, "registry values");
checker(VM::AUDIO, "audio device");
- checker(VM::QEMU_GA, "qemu-ga process");
checker(VM::QEMU_DIR, "QEMU directories");
checker(VM::VPC_INVALID, "VPC invalid instructions");
checker(VM::SIDT, "SIDT");
@@ -957,7 +956,7 @@ void general() {
checker(anyrun_directory, "ANY.RUN directory");
checker(VM::DRIVER_NAMES, "driver names");
checker(VM::VM_SIDT, "VM SIDT");
- checker(VM::HDD_SERIAL, "HDD serial number");
+ checker(VM::DISK_SERIAL, "disk serial number");
checker(VM::PORT_CONNECTORS, "physical connection ports");
checker(VM::GPU_CAPABILITIES, "GPU capabilities");
checker(VM::GPU_VM_STRINGS, "GPU strings");
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index 8cb6259c..c9ff7b20 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -589,7 +589,6 @@ struct VM {
IOREG_GREP,
MAC_SIP,
HKLM_REGISTRIES,
- QEMU_GA,
VPC_INVALID,
SIDT,
SGDT,
@@ -636,7 +635,7 @@ struct VM {
WSL_PROC,
DRIVER_NAMES,
VM_SIDT,
- HDD_SERIAL,
+ DISK_SERIAL,
PORT_CONNECTORS,
GPU_VM_STRINGS,
GPU_CAPABILITIES,
@@ -1743,7 +1742,7 @@ struct VM {
#endif
}
- // get available memory space
+ // Get available memory space
[[nodiscard]] static u64 get_memory_space() {
#if (WINDOWS)
MEMORYSTATUSEX statex = { 0 };
@@ -3655,9 +3654,7 @@ struct VM {
* @implements VM::VM_PROCESSES
*/
[[nodiscard]] static bool vm_processes() {
- #if (!WINDOWS)
- return false;
- #else
+#if (WINDOWS)
const auto runningProcesses = util::get_running_process_names();
if (runningProcesses.count("joeboxserver.exe") || runningProcesses.count("joeboxcontrol.exe")) {
@@ -3670,7 +3667,7 @@ struct VM {
return core::add(brands::PARALLELS);
}
- if (runningProcesses.count("vboxservice.exe") || runningProcesses.count("vboxtray.exe")) {
+ if (runningProcesses.count("vboxservice.exe") || runningProcesses.count("vboxtray.exe") || runningProcesses.count("VBoxControl.exe")) {
debug("VM_PROCESSES: Detected VBox process.");
return core::add(brands::VBOX);
}
@@ -3694,13 +3691,23 @@ struct VM {
if (runningProcesses.count("vdagent.exe") ||
runningProcesses.count("vdservice.exe") ||
- runningProcesses.count("qemuwmi.exe")) {
+ runningProcesses.count("qemuwmi.exe") ||
+ runningProcesses.count("looking-glass-host.exe")) {
debug("VM_PROCESSES: Detected QEMU process.");
return core::add(brands::QEMU);
}
+ if (runningProcesses.count("VDDSysTray.exe")) {
+ return true;
+ }
+
+#elif (LINUX)
+ if (util::is_proc_running("qemu_ga")) {
+ debug("VM_PROCESSES: Detected QEMU guest agent process.");
+ return core::add(brands::QEMU);
+ }
+#endif
return false;
- #endif
}
@@ -4332,26 +4339,6 @@ struct VM {
}
- /**
- * @brief Check for "qemu-ga" process
- * @category Linux
- * @implements VM::QEMU_GA
- */
- [[nodiscard]] static bool qemu_ga() {
-#if (!LINUX)
- return false;
-#else
- constexpr const char* process = "qemu-ga";
-
- if (util::is_proc_running(process)) {
- return core::add(brands::QEMU);
- }
-
- return false;
-#endif
- }
-
-
/**
* @brief Check for official VPC method
* @category Windows, x86
@@ -7398,9 +7385,9 @@ struct VM {
* @category Windows
* @author Requiem (https://github.com/NotRequiem)
* @note VMware can't be flagged without also flagging legitimate devices
- * @implements VM::HDD_SERIAL
+ * @implements VM::DISK_SERIAL
*/
- [[nodiscard]] static bool hdd_serial_number() {
+ [[nodiscard]] static bool disk_serial_number() {
#if (!WINDOWS)
return false;
#else
@@ -7849,10 +7836,12 @@ struct VM {
* @implements VM::TIMER
*/
#if defined(MSVC)
-#pragma optimize("", off)
-#elif defined(__GNUC__)
-#pragma GCC push_options
-#pragma GCC optimize("O0")
+ #pragma optimize("", off)
+#elif defined(CLANG)
+ #pragma clang optimize off
+#elif defined(GCC)
+ #pragma GCC push_options
+ #pragma GCC optimize("O0")
#endif
[[nodiscard]]
#if (LINUX)
@@ -7862,17 +7851,21 @@ struct VM {
#if (ARM || !x86)
return false;
#else
- constexpr u8 classicIterations = 10; // Number of iterations for the classic RDTSC check
- constexpr u16 classicThreshold = 20000u; // Cycle threshold per iteration for classic RDTSC check
- constexpr u8 requiredClassicSpikes = classicIterations / 2; // At least 50% of iterations must spike
+ if (util::hyper_x() == HYPERV_ARTIFACT_VM) {
+ return false;
+ }
+
+ constexpr u8 rdtscIterations = 10; // Number of iterations for the classic RDTSC check
+ constexpr u16 rdtscThreshold = 6000; // Cycle threshold per iteration for classic RDTSC check
+ constexpr u8 requiredClassicSpikes = rdtscIterations / 2; // At least 50% of iterations must spike
constexpr u16 spammerIterations = 1000; // Iterations for the multi-CPU/spammer check
- constexpr u16 spammerAvgThreshold = 20000u; // Average cycle threshold for the spammer check
+ constexpr u16 spammerAvgThreshold = 1500; // Average cycle threshold for the spammer check
#if (WINDOWS)
- constexpr u16 qpcRatioThreshold = 3000; // QPC ratio threshold
+ constexpr u16 qpcRatioThreshold = 70; // QPC ratio threshold
constexpr u8 tscIterations = 10; // Number of iterations for the TSC synchronization check
- constexpr u16 tscSyncDiffThreshold = 500; // TSC difference threshold
+ constexpr u16 tscSyncDiffThreshold = 5000; // TSC difference threshold
#endif
// to minimize context switching/scheduling
@@ -7903,7 +7896,7 @@ struct VM {
#else
sched_setscheduler(0, oldPolicy, &oldParam);
#endif
- };
+ };
// --- 1. Classic Timing Check (rdtsc + cpuid + rdtsc) ---
#ifdef __VMAWARE_DEBUG__
@@ -7920,8 +7913,10 @@ struct VM {
#endif
#if (WINDOWS)
+ bool notaligned = false;
flushBuffer = (char*)_aligned_malloc(kBufferSize, kAlignment);
if (!flushBuffer) {
+ notaligned = true;
flushBuffer = new (std::nothrow) char[kBufferSize];
}
#elif (LINUX || APPLE)
@@ -7937,7 +7932,7 @@ struct VM {
constexpr size_t segmentsCount = 8; // basically 1/8 of the buffer per iteration
constexpr size_t segmentSize = kBufferSize / segmentsCount;
int spikeCount = 0;
- for (int i = 0; i < classicIterations; i++) {
+ for (int i = 0; i < rdtscIterations; i++) {
u64 start = __rdtsc();
#if (WINDOWS)
int cpu_info[4];
@@ -7953,7 +7948,7 @@ struct VM {
#ifdef __VMAWARE_DEBUG__
totalCycles += cycles;
#endif
- if (cycles >= classicThreshold) {
+ if (cycles >= rdtscThreshold) {
spikeCount++;
}
// Instead of flushing the entire buffer every iteration (which would decrease performance a lot),
@@ -7963,25 +7958,30 @@ struct VM {
size_t offsetEnd = offsetStart + segmentSize;
// this detection works better when inducing cache flushing without thread sleeps
- for (size_t j = offsetStart; j < offsetEnd; j += 64) {
- flushBuffer[j] = static_cast(j);
+ if (flushBuffer) {
+ for (size_t j = offsetStart; j < offsetEnd; j += 64) {
+ flushBuffer[j] = static_cast(j);
#if defined(x86) && (defined(GCC) || defined(CLANG) || defined(MSVC))
- COMPILER_BARRIER();
- // _mm_clflushopt not available on some systems
- _mm_clflush(reinterpret_cast(&flushBuffer[j]));
+ COMPILER_BARRIER();
+ // _mm_clflushopt not available on some systems
+ _mm_clflush(reinterpret_cast(&flushBuffer[j]));
#endif
+ }
}
}
#if (WINDOWS)
- _aligned_free((void*)flushBuffer);
+ if (notaligned)
+ delete[] flushBuffer;
+ else
+ _aligned_free((void*)flushBuffer);
#else
free((void*)flushBuffer);
#endif
#ifdef __VMAWARE_DEBUG__
- const double averageCycles = static_cast(totalCycles) / classicIterations;
+ const double averageCycles = static_cast(totalCycles) / rdtscIterations;
debug("TIMER: RDTSC check - Average cycles: ", averageCycles,
- " (Threshold per sample: ", classicThreshold,
+ " (Threshold per sample: ", rdtscThreshold,
") - Spike count: ", spikeCount);
#endif
@@ -8189,9 +8189,11 @@ struct VM {
#endif
}
#if defined(MSVC)
-#pragma optimize("", on)
-#elif defined(__GNUC__)
-#pragma GCC pop_options
+ #pragma optimize("", on)
+#elif defined(CLANG)
+ #pragma clang optimize on
+#elif defined(GCC)
+ #pragma GCC pop_options
#endif
@@ -11290,7 +11292,6 @@ struct VM {
case IOREG_GREP: return "IOREG_GREP";
case MAC_SIP: return "MAC_SIP";
case HKLM_REGISTRIES: return "HKLM_REGISTRIES";
- case QEMU_GA: return "QEMU_GA";
case VPC_INVALID: return "VPC_INVALID";
case SIDT: return "SIDT";
case SGDT: return "SGDT";
@@ -11337,7 +11338,7 @@ struct VM {
case WSL_PROC: return "WSL_PROC";
case DRIVER_NAMES: return "DRIVER_NAMES";
case VM_SIDT: return "VM_SIDT";
- case HDD_SERIAL: return "HDD_SERIAL";
+ case DISK_SERIAL: return "DISK_SERIAL";
case PORT_CONNECTORS: return "PORT_CONNECTORS";
case GPU_VM_STRINGS: return "GPU_STRINGS";
case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
@@ -11850,7 +11851,6 @@ std::pair VM::core::technique_list[] = {
std::make_pair(VM::IOREG_GREP, VM::core::technique(100, VM::ioreg_grep)),
std::make_pair(VM::MAC_SIP, VM::core::technique(40, VM::mac_sip)),
std::make_pair(VM::HKLM_REGISTRIES, VM::core::technique(25, VM::hklm_registries)),
- std::make_pair(VM::QEMU_GA, VM::core::technique(10, VM::qemu_ga)),
std::make_pair(VM::VPC_INVALID, VM::core::technique(75, VM::vpc_invalid)),
std::make_pair(VM::SIDT, VM::core::technique(25, VM::sidt)),
std::make_pair(VM::SGDT, VM::core::technique(30, VM::sgdt)),
@@ -11898,7 +11898,7 @@ std::pair VM::core::technique_list[] = {
std::make_pair(VM::WSL_PROC, VM::core::technique(30, VM::wsl_proc_subdir)),
std::make_pair(VM::DRIVER_NAMES, VM::core::technique(100, VM::driver_names)),
std::make_pair(VM::VM_SIDT, VM::core::technique(100, VM::vm_sidt)),
- std::make_pair(VM::HDD_SERIAL, VM::core::technique(100, VM::hdd_serial_number)),
+ std::make_pair(VM::DISK_SERIAL, VM::core::technique(100, VM::disk_serial_number)),
std::make_pair(VM::PORT_CONNECTORS, VM::core::technique(25, VM::port_connectors)),
std::make_pair(VM::GPU_VM_STRINGS, VM::core::technique(100, VM::gpu_vm_strings)),
std::make_pair(VM::GPU_CAPABILITIES, VM::core::technique(100, VM::gpu_capabilities)),
diff --git a/src/vmaware_MIT.hpp b/src/vmaware_MIT.hpp
index 6d64187e..311161a3 100644
--- a/src/vmaware_MIT.hpp
+++ b/src/vmaware_MIT.hpp
@@ -604,7 +604,6 @@ struct VM {
IOREG_GREP,
MAC_SIP,
HKLM_REGISTRIES,
- QEMU_GA,
VPC_INVALID,
SIDT,
SGDT,
@@ -651,7 +650,7 @@ struct VM {
WSL_PROC,
DRIVER_NAMES,
VM_SIDT,
- HDD_SERIAL,
+ DISK_SERIAL,
PORT_CONNECTORS,
GPU_VM_STRINGS,
GPU_CAPABILITIES,
@@ -3434,15 +3433,13 @@ struct VM {
}
- /**
- * @brief Check for any VM processes that are active
- * @category Windows
- * @implements VM::VM_PROCESSES
- */
+ /**
+ * @brief Check for any VM processes that are active
+ * @category Windows
+ * @implements VM::VM_PROCESSES
+ */
[[nodiscard]] static bool vm_processes() {
-#if (!WINDOWS)
- return false;
-#else
+#if (WINDOWS)
const auto runningProcesses = util::get_running_process_names();
if (runningProcesses.count("joeboxserver.exe") || runningProcesses.count("joeboxcontrol.exe")) {
@@ -3455,7 +3452,7 @@ struct VM {
return core::add(brands::PARALLELS);
}
- if (runningProcesses.count("vboxservice.exe") || runningProcesses.count("vboxtray.exe")) {
+ if (runningProcesses.count("vboxservice.exe") || runningProcesses.count("vboxtray.exe") || runningProcesses.count("VBoxControl.exe")) {
debug("VM_PROCESSES: Detected VBox process.");
return core::add(brands::VBOX);
}
@@ -3479,13 +3476,23 @@ struct VM {
if (runningProcesses.count("vdagent.exe") ||
runningProcesses.count("vdservice.exe") ||
- runningProcesses.count("qemuwmi.exe")) {
+ runningProcesses.count("qemuwmi.exe") ||
+ runningProcesses.count("looking-glass-host.exe")) {
debug("VM_PROCESSES: Detected QEMU process.");
return core::add(brands::QEMU);
}
- return false;
+ if (runningProcesses.count("VDDSysTray.exe")) {
+ return true;
+ }
+
+#elif (LINUX)
+ if (util::is_proc_running("qemu_ga")) {
+ debug("VM_PROCESSES: Detected QEMU guest agent process.");
+ return core::add(brands::QEMU);
+ }
#endif
+ return false;
}
@@ -4117,26 +4124,6 @@ struct VM {
}
- /**
- * @brief Check for "qemu-ga" process
- * @category Linux
- * @implements VM::QEMU_GA
- */
- [[nodiscard]] static bool qemu_ga() {
-#if (!LINUX)
- return false;
-#else
- constexpr const char* process = "qemu-ga";
-
- if (util::is_proc_running(process)) {
- return core::add(brands::QEMU);
- }
-
- return false;
-#endif
- }
-
-
/**
* @brief Check for official VPC method
* @category Windows, x86
@@ -7183,9 +7170,9 @@ struct VM {
* @category Windows
* @author Requiem (https://github.com/NotRequiem)
* @note VMware can't be flagged without also flagging legitimate devices
- * @implements VM::HDD_SERIAL
+ * @implements VM::DISK_SERIAL
*/
- [[nodiscard]] static bool hdd_serial_number() {
+ [[nodiscard]] static bool disk_serial_number() {
#if (!WINDOWS)
return false;
#else
@@ -7635,7 +7622,9 @@ struct VM {
*/
#if defined(MSVC)
#pragma optimize("", off)
-#elif defined(__GNUC__)
+#elif defined(CLANG)
+#pragma clang optimize off
+#elif defined(GCC)
#pragma GCC push_options
#pragma GCC optimize("O0")
#endif
@@ -7647,17 +7636,21 @@ struct VM {
#if (ARM || !x86)
return false;
#else
- constexpr u8 classicIterations = 10; // Number of iterations for the classic RDTSC check
- constexpr u16 classicThreshold = 20000u; // Cycle threshold per iteration for classic RDTSC check
- constexpr u8 requiredClassicSpikes = classicIterations / 2; // At least 50% of iterations must spike
+ if (util::hyper_x() == HYPERV_ARTIFACT_VM) {
+ return false;
+ }
+
+ constexpr u8 rdtscIterations = 10; // Number of iterations for the classic RDTSC check
+ constexpr u16 rdtscThreshold = 6000; // Cycle threshold per iteration for classic RDTSC check
+ constexpr u8 requiredClassicSpikes = rdtscIterations / 2; // At least 50% of iterations must spike
constexpr u16 spammerIterations = 1000; // Iterations for the multi-CPU/spammer check
- constexpr u16 spammerAvgThreshold = 20000u; // Average cycle threshold for the spammer check
+ constexpr u16 spammerAvgThreshold = 1500; // Average cycle threshold for the spammer check
#if (WINDOWS)
- constexpr u16 qpcRatioThreshold = 3000; // QPC ratio threshold
+ constexpr u16 qpcRatioThreshold = 70; // QPC ratio threshold
constexpr u8 tscIterations = 10; // Number of iterations for the TSC synchronization check
- constexpr u16 tscSyncDiffThreshold = 500; // TSC difference threshold
+ constexpr u16 tscSyncDiffThreshold = 5000; // TSC difference threshold
#endif
// to minimize context switching/scheduling
@@ -7705,8 +7698,10 @@ struct VM {
#endif
#if (WINDOWS)
+ bool notaligned = false;
flushBuffer = (char*)_aligned_malloc(kBufferSize, kAlignment);
if (!flushBuffer) {
+ notaligned = true;
flushBuffer = new (std::nothrow) char[kBufferSize];
}
#elif (LINUX || APPLE)
@@ -7722,7 +7717,7 @@ struct VM {
constexpr size_t segmentsCount = 8; // basically 1/8 of the buffer per iteration
constexpr size_t segmentSize = kBufferSize / segmentsCount;
int spikeCount = 0;
- for (int i = 0; i < classicIterations; i++) {
+ for (int i = 0; i < rdtscIterations; i++) {
u64 start = __rdtsc();
#if (WINDOWS)
int cpu_info[4];
@@ -7738,7 +7733,7 @@ struct VM {
#ifdef __VMAWARE_DEBUG__
totalCycles += cycles;
#endif
- if (cycles >= classicThreshold) {
+ if (cycles >= rdtscThreshold) {
spikeCount++;
}
// Instead of flushing the entire buffer every iteration (which would decrease performance a lot),
@@ -7748,17 +7743,22 @@ struct VM {
size_t offsetEnd = offsetStart + segmentSize;
// this detection works better when inducing cache flushing without thread sleeps
- for (size_t j = offsetStart; j < offsetEnd; j += 64) {
- flushBuffer[j] = static_cast(j);
+ if (flushBuffer) {
+ for (size_t j = offsetStart; j < offsetEnd; j += 64) {
+ flushBuffer[j] = static_cast(j);
#if defined(x86) && (defined(GCC) || defined(CLANG) || defined(MSVC))
- COMPILER_BARRIER();
- // _mm_clflushopt not available on some systems
- _mm_clflush(reinterpret_cast(&flushBuffer[j]));
+ COMPILER_BARRIER();
+ // _mm_clflushopt not available on some systems
+ _mm_clflush(reinterpret_cast(&flushBuffer[j]));
#endif
+ }
}
}
#if (WINDOWS)
- _aligned_free((void*)flushBuffer);
+ if (notaligned)
+ delete[] flushBuffer;
+ else
+ _aligned_free((void*)flushBuffer);
#else
free((void*)flushBuffer);
#endif
@@ -7974,9 +7974,11 @@ struct VM {
#endif
}
#if defined(MSVC)
-#pragma optimize("", on)
-#elif defined(__GNUC__)
-#pragma GCC pop_options
+ #pragma optimize("", on)
+#elif defined(CLANG)
+ #pragma clang optimize on
+#elif defined(GCC)
+ #pragma GCC pop_options
#endif
@@ -11035,112 +11037,111 @@ struct VM {
*/
[[nodiscard]] static std::string flag_to_string(const enum_flags flag) {
switch (flag) {
- case VMID: return "VMID";
- case CPU_BRAND: return "CPU_BRAND";
- case HYPERVISOR_BIT: return "HYPERVISOR_BIT";
- case HYPERVISOR_STR: return "HYPERVISOR_STR";
- case TIMER: return "TIMER";
- case THREADCOUNT: return "THREADCOUNT";
- case MAC: return "MAC";
- case TEMPERATURE: return "TEMPERATURE";
- case SYSTEMD: return "SYSTEMD";
- case CVENDOR: return "CVENDOR";
- case CTYPE: return "CTYPE";
- case DOCKERENV: return "DOCKERENV";
- case DMIDECODE: return "DMIDECODE";
- case DMESG: return "DMESG";
- case HWMON: return "HWMON";
- case SIDT5: return "SIDT5";
- case DLL: return "DLL";
- case REGISTRY: return "REGISTRY";
- case VM_FILES: return "VM_FILES";
- case HWMODEL: return "HWMODEL";
- case DISK_SIZE: return "DISK_SIZE";
- case VBOX_DEFAULT: return "VBOX_DEFAULT";
- case VBOX_NETWORK: return "VBOX_NETWORK";
- case VM_PROCESSES: return "VM_PROCESSES";
- case LINUX_USER_HOST: return "LINUX_USER_HOST";
- case GAMARUE: return "GAMARUE";
- case BOCHS_CPU: return "BOCHS_CPU";
- case MSSMBIOS: return "MSSMBIOS";
- case MAC_MEMSIZE: return "MAC_MEMSIZE";
- case MAC_IOKIT: return "MAC_IOKIT";
- case IOREG_GREP: return "IOREG_GREP";
- case MAC_SIP: return "MAC_SIP";
- case HKLM_REGISTRIES: return "HKLM_REGISTRIES";
- case QEMU_GA: return "QEMU_GA";
- case VPC_INVALID: return "VPC_INVALID";
- case SIDT: return "SIDT";
- case SGDT: return "SGDT";
- case SLDT: return "SLDT";
- case OFFSEC_SIDT: return "OFFSEC_SIDT";
- case OFFSEC_SGDT: return "OFFSEC_SGDT";
- case OFFSEC_SLDT: return "OFFSEC_SLDT";
- case VPC_SIDT: return "VPC_SIDT";
- case VMWARE_IOMEM: return "VMWARE_IOMEM";
- case VMWARE_IOPORTS: return "VMWARE_IOPORTS";
- case VMWARE_SCSI: return "VMWARE_SCSI";
- case VMWARE_DMESG: return "VMWARE_DMESG";
- case VMWARE_STR: return "VMWARE_STR";
- case VMWARE_BACKDOOR: return "VMWARE_BACKDOOR";
- case VMWARE_PORT_MEM: return "VMWARE_PORT_MEM";
- case SMSW: return "SMSW";
- case MUTEX: return "MUTEX";
- case ODD_CPU_THREADS: return "ODD_CPU_THREADS";
- case INTEL_THREAD_MISMATCH: return "INTEL_THREAD_MISMATCH";
- case XEON_THREAD_MISMATCH: return "XEON_THREAD_MISMATCH";
- case NETTITUDE_VM_MEMORY: return "NETTITUDE_VM_MEMORY";
- case CUCKOO_DIR: return "CUCKOO_DIR";
- case CUCKOO_PIPE: return "CUCKOO_PIPE";
- case HYPERV_HOSTNAME: return "HYPERV_HOSTNAME";
- case GENERAL_HOSTNAME: return "GENERAL_HOSTNAME";
- case SCREEN_RESOLUTION: return "SCREEN_RESOLUTION";
- case DEVICE_STRING: return "DEVICE_STRING";
- case BLUESTACKS_FOLDERS: return "BLUESTACKS_FOLDERS";
- case CPUID_SIGNATURE: return "CPUID_SIGNATURE";
- case KVM_BITMASK: return "KVM_BITMASK";
- case KGT_SIGNATURE: return "KGT_SIGNATURE";
- case QEMU_VIRTUAL_DMI: return "QEMU_VIRTUAL_DMI";
- case QEMU_USB: return "QEMU_USB";
- case HYPERVISOR_DIR: return "HYPERVISOR_DIR";
- case UML_CPU: return "UML_CPU";
- case KMSG: return "KMSG";
- case VM_PROCS: return "VM_PROCS";
- case VBOX_MODULE: return "VBOX_MODULE";
- case SYSINFO_PROC: return "SYSINFO_PROC";
- case DEVICE_TREE: return "DEVICE_TREE";
- case DMI_SCAN: return "DMI_SCAN";
- case SMBIOS_VM_BIT: return "SMBIOS_VM_BIT";
- case PODMAN_FILE: return "PODMAN_FILE";
- case WSL_PROC: return "WSL_PROC";
- case DRIVER_NAMES: return "DRIVER_NAMES";
- case VM_SIDT: return "VM_SIDT";
- case HDD_SERIAL: return "HDD_SERIAL";
- case PORT_CONNECTORS: return "PORT_CONNECTORS";
- case GPU_VM_STRINGS: return "GPU_STRINGS";
- case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
- case VM_DEVICES: return "VM_DEVICES";
- case PROCESSOR_NUMBER: return "PROCESSOR_NUMBER";
- case NUMBER_OF_CORES: return "NUMBER_OF_CORES";
- case ACPI_TEMPERATURE: return "ACPI_TEMPERATURE";
- case SYS_QEMU: return "SYS_QEMU";
- case LSHW_QEMU: return "LSHW_QEMU";
- case VIRTUAL_PROCESSORS: return "VIRTUAL_PROCESSORS";
- case HYPERV_QUERY: return "HYPERV_QUERY";
- case BAD_POOLS: return "BAD_POOLS";
- case AMD_SEV: return "AMD_SEV";
- case AMD_THREAD_MISMATCH: return "AMD_THREAD_MISMATCH";
- case NATIVE_VHD: return "NATIVE_VHD";
- case VIRTUAL_REGISTRY: return "VIRTUAL_REGISTRY";
- case FIRMWARE: return "FIRMWARE";
- case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY";
- case AUDIO: return "AUDIO";
- case UNKNOWN_MANUFACTURER: return "UNKNOWN_MANUFACTURER";
- case OSXSAVE: return "OSXSAVE";
- case NSJAIL_PID: return "NSJAIL_PID";
- case PCI_VM: return "PCI_VM";
- // ADD NEW CASE HERE FOR NEW TECHNIQUE
- default: return "Unknown flag";
+ case VMID: return "VMID";
+ case CPU_BRAND: return "CPU_BRAND";
+ case HYPERVISOR_BIT: return "HYPERVISOR_BIT";
+ case HYPERVISOR_STR: return "HYPERVISOR_STR";
+ case TIMER: return "TIMER";
+ case THREADCOUNT: return "THREADCOUNT";
+ case MAC: return "MAC";
+ case TEMPERATURE: return "TEMPERATURE";
+ case SYSTEMD: return "SYSTEMD";
+ case CVENDOR: return "CVENDOR";
+ case CTYPE: return "CTYPE";
+ case DOCKERENV: return "DOCKERENV";
+ case DMIDECODE: return "DMIDECODE";
+ case DMESG: return "DMESG";
+ case HWMON: return "HWMON";
+ case SIDT5: return "SIDT5";
+ case DLL: return "DLL";
+ case REGISTRY: return "REGISTRY";
+ case VM_FILES: return "VM_FILES";
+ case HWMODEL: return "HWMODEL";
+ case DISK_SIZE: return "DISK_SIZE";
+ case VBOX_DEFAULT: return "VBOX_DEFAULT";
+ case VBOX_NETWORK: return "VBOX_NETWORK";
+ case VM_PROCESSES: return "VM_PROCESSES";
+ case LINUX_USER_HOST: return "LINUX_USER_HOST";
+ case GAMARUE: return "GAMARUE";
+ case BOCHS_CPU: return "BOCHS_CPU";
+ case MSSMBIOS: return "MSSMBIOS";
+ case MAC_MEMSIZE: return "MAC_MEMSIZE";
+ case MAC_IOKIT: return "MAC_IOKIT";
+ case IOREG_GREP: return "IOREG_GREP";
+ case MAC_SIP: return "MAC_SIP";
+ case HKLM_REGISTRIES: return "HKLM_REGISTRIES";
+ case VPC_INVALID: return "VPC_INVALID";
+ case SIDT: return "SIDT";
+ case SGDT: return "SGDT";
+ case SLDT: return "SLDT";
+ case OFFSEC_SIDT: return "OFFSEC_SIDT";
+ case OFFSEC_SGDT: return "OFFSEC_SGDT";
+ case OFFSEC_SLDT: return "OFFSEC_SLDT";
+ case VPC_SIDT: return "VPC_SIDT";
+ case VMWARE_IOMEM: return "VMWARE_IOMEM";
+ case VMWARE_IOPORTS: return "VMWARE_IOPORTS";
+ case VMWARE_SCSI: return "VMWARE_SCSI";
+ case VMWARE_DMESG: return "VMWARE_DMESG";
+ case VMWARE_STR: return "VMWARE_STR";
+ case VMWARE_BACKDOOR: return "VMWARE_BACKDOOR";
+ case VMWARE_PORT_MEM: return "VMWARE_PORT_MEM";
+ case SMSW: return "SMSW";
+ case MUTEX: return "MUTEX";
+ case ODD_CPU_THREADS: return "ODD_CPU_THREADS";
+ case INTEL_THREAD_MISMATCH: return "INTEL_THREAD_MISMATCH";
+ case XEON_THREAD_MISMATCH: return "XEON_THREAD_MISMATCH";
+ case NETTITUDE_VM_MEMORY: return "NETTITUDE_VM_MEMORY";
+ case CUCKOO_DIR: return "CUCKOO_DIR";
+ case CUCKOO_PIPE: return "CUCKOO_PIPE";
+ case HYPERV_HOSTNAME: return "HYPERV_HOSTNAME";
+ case GENERAL_HOSTNAME: return "GENERAL_HOSTNAME";
+ case SCREEN_RESOLUTION: return "SCREEN_RESOLUTION";
+ case DEVICE_STRING: return "DEVICE_STRING";
+ case BLUESTACKS_FOLDERS: return "BLUESTACKS_FOLDERS";
+ case CPUID_SIGNATURE: return "CPUID_SIGNATURE";
+ case KVM_BITMASK: return "KVM_BITMASK";
+ case KGT_SIGNATURE: return "KGT_SIGNATURE";
+ case QEMU_VIRTUAL_DMI: return "QEMU_VIRTUAL_DMI";
+ case QEMU_USB: return "QEMU_USB";
+ case HYPERVISOR_DIR: return "HYPERVISOR_DIR";
+ case UML_CPU: return "UML_CPU";
+ case KMSG: return "KMSG";
+ case VM_PROCS: return "VM_PROCS";
+ case VBOX_MODULE: return "VBOX_MODULE";
+ case SYSINFO_PROC: return "SYSINFO_PROC";
+ case DEVICE_TREE: return "DEVICE_TREE";
+ case DMI_SCAN: return "DMI_SCAN";
+ case SMBIOS_VM_BIT: return "SMBIOS_VM_BIT";
+ case PODMAN_FILE: return "PODMAN_FILE";
+ case WSL_PROC: return "WSL_PROC";
+ case DRIVER_NAMES: return "DRIVER_NAMES";
+ case VM_SIDT: return "VM_SIDT";
+ case DISK_SERIAL: return "DISK_SERIAL";
+ case PORT_CONNECTORS: return "PORT_CONNECTORS";
+ case GPU_VM_STRINGS: return "GPU_STRINGS";
+ case GPU_CAPABILITIES: return "GPU_CAPABILITIES";
+ case VM_DEVICES: return "VM_DEVICES";
+ case PROCESSOR_NUMBER: return "PROCESSOR_NUMBER";
+ case NUMBER_OF_CORES: return "NUMBER_OF_CORES";
+ case ACPI_TEMPERATURE: return "ACPI_TEMPERATURE";
+ case SYS_QEMU: return "SYS_QEMU";
+ case LSHW_QEMU: return "LSHW_QEMU";
+ case VIRTUAL_PROCESSORS: return "VIRTUAL_PROCESSORS";
+ case HYPERV_QUERY: return "HYPERV_QUERY";
+ case BAD_POOLS: return "BAD_POOLS";
+ case AMD_SEV: return "AMD_SEV";
+ case AMD_THREAD_MISMATCH: return "AMD_THREAD_MISMATCH";
+ case NATIVE_VHD: return "NATIVE_VHD";
+ case VIRTUAL_REGISTRY: return "VIRTUAL_REGISTRY";
+ case FIRMWARE: return "FIRMWARE";
+ case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY";
+ case AUDIO: return "AUDIO";
+ case UNKNOWN_MANUFACTURER: return "UNKNOWN_MANUFACTURER";
+ case OSXSAVE: return "OSXSAVE";
+ case NSJAIL_PID: return "NSJAIL_PID";
+ case PCI_VM: return "PCI_VM";
+ // ADD NEW CASE HERE FOR NEW TECHNIQUE
+ default: return "Unknown flag";
}
}
@@ -11621,7 +11622,6 @@ std::pair VM::core::technique_list[] = {
std::make_pair(VM::IOREG_GREP, VM::core::technique(100, VM::ioreg_grep)),
std::make_pair(VM::MAC_SIP, VM::core::technique(40, VM::mac_sip)),
std::make_pair(VM::HKLM_REGISTRIES, VM::core::technique(25, VM::hklm_registries)),
- std::make_pair(VM::QEMU_GA, VM::core::technique(10, VM::qemu_ga)),
std::make_pair(VM::VPC_INVALID, VM::core::technique(75, VM::vpc_invalid)),
std::make_pair(VM::SIDT, VM::core::technique(25, VM::sidt)),
std::make_pair(VM::SGDT, VM::core::technique(30, VM::sgdt)),
@@ -11669,7 +11669,7 @@ std::pair VM::core::technique_list[] = {
std::make_pair(VM::WSL_PROC, VM::core::technique(30, VM::wsl_proc_subdir)),
std::make_pair(VM::DRIVER_NAMES, VM::core::technique(100, VM::driver_names)),
std::make_pair(VM::VM_SIDT, VM::core::technique(100, VM::vm_sidt)),
- std::make_pair(VM::HDD_SERIAL, VM::core::technique(100, VM::hdd_serial_number)),
+ std::make_pair(VM::DISK_SERIAL, VM::core::technique(100, VM::disk_serial_number)),
std::make_pair(VM::PORT_CONNECTORS, VM::core::technique(25, VM::port_connectors)),
std::make_pair(VM::GPU_VM_STRINGS, VM::core::technique(100, VM::gpu_vm_strings)),
std::make_pair(VM::GPU_CAPABILITIES, VM::core::technique(100, VM::gpu_capabilities)),