From ab31960f099fddc34dad9c57a439b7778553d9d5 Mon Sep 17 00:00:00 2001 From: Requiem Date: Tue, 13 May 2025 16:58:53 +0200 Subject: [PATCH 1/3] sync with dev --- src/vmaware.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/vmaware.hpp b/src/vmaware.hpp index 2dd2b246..cb8972bc 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -1984,7 +1984,7 @@ struct VM { return true; } - // Otherwise map to your enums: + // Otherwise map to our enums: switch (v.size) { case 4: // "qemu" or "vbox" return core::add(v.data[0] == 'q' From 4b0a51aed6eb9cb2ec3035f75bd8dd6870073b6c Mon Sep 17 00:00:00 2001 From: Requiem Date: Wed, 14 May 2025 01:21:53 +0200 Subject: [PATCH 2/3] added qemu drivers/disk serials --- docs/documentation.md | 1 - src/cli.cpp | 4 -- src/vmaware.hpp | 96 +++++++++++++++++-------------------------- 3 files changed, 37 insertions(+), 64 deletions(-) diff --git a/docs/documentation.md b/docs/documentation.md index 10ee4b4b..93a611ef 100755 --- a/docs/documentation.md +++ b/docs/documentation.md 
@@ -495,7 +495,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f | `VM::DEVICE_STRING` | Check if bogus device string would be accepted | 🪟 | 25% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6821) | | `VM::BLUESTACKS_FOLDERS` | Check for the presence of BlueStacks-specific folders | 🐧 | 5% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6842) | | `VM::CPUID_SIGNATURE` | Check for signatures in leaf 0x40000001 in CPUID | 🐧🪟🍏 | 95% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6865) | -| `VM::KVM_BITMASK` | Check for KVM CPUID bitmask range for reserved values | 🐧🪟🍏 | 40% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6893) | | `VM::KGT_SIGNATURE` | Check for Intel KGT (Trusty branch) hypervisor signature in CPUID | 🐧🪟🍏 | 80% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6931) | | `VM::QEMU_VIRTUAL_DMI` | Check for presence of QEMU in the /sys/devices/virtual/dmi/id directory | 🐧 | 40% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6956) | | `VM::QEMU_USB` | Check for presence of QEMU in the /sys/kernel/debug/usb/devices directory | 🐧 | 20% | | | | | [link](https://github.com/kernelwernel/VMAware/blob/8cb2491b1c7d2cb7300d1d698b7c64c953b4ae75/src/vmaware.hpp#L6986) | diff --git a/src/cli.cpp b/src/cli.cpp index c2f671eb..42ab0193 100755 --- a/src/cli.cpp +++ b/src/cli.cpp 
@@ -371,7 +371,6 @@ bool is_unsupported(VM::enum_flags flag) { case VM::GENERAL_HOSTNAME: case VM::BLUESTACKS_FOLDERS: case VM::CPUID_SIGNATURE: - case VM::KVM_BITMASK: case VM::KGT_SIGNATURE: case VM::QEMU_VIRTUAL_DMI: case VM::QEMU_USB: @@ -440,7 +439,6 @@ bool is_unsupported(VM::enum_flags flag) { case VM::SCREEN_RESOLUTION: case VM::DEVICE_STRING: case VM::CPUID_SIGNATURE: - case VM::KVM_BITMASK: case VM::KGT_SIGNATURE: case VM::DRIVER_NAMES: case VM::DISK_SERIAL: @@ -485,7 +483,6 @@ bool is_unsupported(VM::enum_flags flag) { case VM::INTEL_THREAD_MISMATCH: case VM::XEON_THREAD_MISMATCH: case VM::CPUID_SIGNATURE: - case VM::KVM_BITMASK: case VM::KGT_SIGNATURE: case VM::AMD_SEV: case VM::AMD_THREAD_MISMATCH: @@ -903,7 +900,6 @@ void general() { checker(VM::DEVICE_STRING, "bogus device string"); checker(VM::BLUESTACKS_FOLDERS, "BlueStacks folders"); checker(VM::CPUID_SIGNATURE, "CPUID signatures"); - checker(VM::KVM_BITMASK, "KVM CPUID reserved bitmask"); checker(VM::KGT_SIGNATURE, "Intel KGT signature"); checker(VM::QEMU_VIRTUAL_DMI, "QEMU virtual DMI directory"); checker(VM::QEMU_USB, "QEMU USB"); diff --git a/src/vmaware.hpp b/src/vmaware.hpp index d566c3e7..c96383c1 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -592,7 +592,6 @@ struct VM { DEVICE_STRING, BLUESTACKS_FOLDERS, CPUID_SIGNATURE, - KVM_BITMASK, KGT_SIGNATURE, QEMU_VIRTUAL_DMI, QEMU_USB, @@ -837,7 +836,7 @@ struct VM { cpu::leaf::brand3 }}; - std::string b(48, '\n'); + std::string b(48, '\0'); union Regs { u32 i[4]; 
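Review bot: The brand buffer now keeps embedded NULs: with `std::string b(48, '\0');` the string stays 48 bytes long, so any bytes the CPUID copy does not overwrite remain inside it as padding. The rest of the function lies outside this hunk, so I cannot see whether the result is trimmed; if it is not, `b.size()` and equality comparisons against literals will include that padding. Consider trimming once the registers are copied, e.g. `b.resize(std::strlen(b.c_str()));`, and adding a comment such as `// NUL-filled so unused bytes terminate the brand string`. The brand string is whatever the hypervisor reports through CPUID, so later code should not assume it is well-formed or fully populated.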
@@ -5618,43 +5617,6 @@ struct VM { } - /** - * @brief Check for KVM CPUID bitmask range for reserved values - * @category x86 - * @implements VM::KVM_BITMASK - */ - [[nodiscard]] static bool kvm_bitmask() { -#if (!x86) - return false; -#else - u32 eax, ebx, ecx, edx = 0; - cpu::cpuid(eax, ebx, ecx, edx, 0x40000000); - - // KVM brand and max leaf check - if (!( - (eax == 0x40000001) && - (ebx == 0x4b4d564b) && - (ecx == 0x564b4d56) && - (edx == 0x4d) - )) { - return false; - } - - cpu::cpuid(eax, ebx, ecx, edx, 0x40000001); - - if ( - (eax & (1 << 8)) && - (((eax >> 13) & 0b1111111111) == 0) && - ((eax >> 24) == 0) - ) { - return core::add(brands::KVM); - } - - return false; -#endif - } - - /** * @brief Check for Intel KGT (Trusty branch) hypervisor signature in CPUID * @link https://github.com/intel/ikgt-core/blob/7dfd4d1614d788ec43b02602cce7a272ef8d5931/vmm/vmexit/vmexit_cpuid.c @@ -6238,6 +6200,17 @@ struct VM { ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE); return core::add(brands::VMWARE); } + + if ( + strstr(driverPath, "vmstorfl") || + strstr(driverPath, "vmbkmcl") || + strstr(driverPath, "vms3cap") || + strstr(driverPath, "vmgencounter ") + ) { + debug("DRIVER_NAMES: Detected Hyper-V driver: ", driverPath); + ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE); + return core::add(brands::QEMU_KVM_HYPERV); + } } ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE); @@ -6274,8 +6247,8 @@ struct VM { }; static constexpr std::array hex_positions = { { - 2, 3, 4, 5, 6, 7, 8, 9, - 11,12,13,14,15,16,17,18 + 2, 3, 4, 5, 6, 7, 8, 9, + 11,12,13,14,15,16,17,18 } }; for (u8 idx : hex_positions) { 
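Review bot: The literal `"vmgencounter "` in the added `strstr` chain carries a trailing space, so it only matches a path where the name is followed by a space and will presumably never match a driver file name; it should read `strstr(driverPath, "vmgencounter")`. The debug text says "Hyper-V driver" while the branch reports `brands::QEMU_KVM_HYPERV`, which looks inconsistent; if that attribution is intended, a one-line comment explaining why would help. Patch 3/3 of this series removes the block again, so this matters only if 2/3 is applied on its own or the check is reintroduced later. The enclosing loop and function start outside the hunk.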
@@ -6286,6 +6259,18 @@ struct VM { return str[10] == '-'; }; + auto is_qemu_serial = [](const char* str, u8 len) -> bool { + constexpr const char* prefix = "QM0000"; + constexpr size_t prefix_len = 6; + if (len < prefix_len) + return false; + for (size_t i = 0; i < prefix_len; ++i) { + if (str[i] != prefix[i]) + return false; + } + return true; + }; + for (u8 drive = 0; drive < MAX_PHYSICAL_DRIVES; drive++) { wchar_t path[32]; swprintf_s(path, L"\\\\.\\PhysicalDrive%u", drive); @@ -6327,9 +6312,7 @@ struct VM { if (!DeviceIoControl(hDevice, IOCTL_STORAGE_QUERY_PROPERTY, &query, sizeof(query), buffer, header.Size, &bytesReturned, nullptr)) { - if (buffer != stackBuf) { - LocalFree(buffer); - } + if (buffer != stackBuf) LocalFree(buffer); CloseHandle(hDevice); continue; } @@ -6347,13 +6330,7 @@ struct VM { constexpr size_t BUF_SZ = 256; char upperSerial[BUF_SZ] = { 0 }; - size_t copyLen; - if (serialLen < (BUF_SZ - 1)) { - copyLen = serialLen; - } - else { - copyLen = BUF_SZ - 1; - } + size_t copyLen = (serialLen < BUF_SZ - 1) ? serialLen : BUF_SZ - 1; for (size_t i = 0; i < copyLen; ++i) { char c = serial[i]; @@ -6361,19 +6338,22 @@ struct VM { } upperSerial[copyLen] = '\0'; + if (is_qemu_serial(upperSerial, static_cast(copyLen))) { + result = core::add(brands::QEMU); + if (buffer != stackBuf) LocalFree(buffer); + CloseHandle(hDevice); + return result; + } + if (is_vbox_serial(upperSerial, static_cast(copyLen))) { result = core::add(brands::VBOX); - if (buffer != stackBuf) { - LocalFree(buffer); - } + if (buffer != stackBuf) LocalFree(buffer); CloseHandle(hDevice); return result; } } - if (buffer != stackBuf) { - LocalFree(buffer); - } + if (buffer != stackBuf) LocalFree(buffer); CloseHandle(hDevice); } 
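Review bot: `is_qemu_serial` accepts any serial whose first six bytes are `QM0000`, with no check on the total length or on the characters that follow, whereas the lambda just above it validates fixed positions before accepting. A match returns `core::add(brands::QEMU)` immediately, so a loose prefix raises the false-positive risk, and a drive serial is a configurable value, which makes it weak evidence in either direction. Consider bounding the length and requiring the remainder to be digits, and document the expected format with a comment such as `// QEMU default drive serials look like "QM00001"; prefix match only`. The hand-written loop can also be written as `return len >= 6 && std::memcmp(str, "QM0000", 6) == 0;`.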
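Review bot: The new QEMU branch adds a third hand-written copy of the `LocalFree(buffer)` / `CloseHandle(hDevice)` cleanup, and every early `return` or `continue` in this loop has to remember both calls or it leaks a handle or a heap block. Declaring one helper once `buffer` exists, for example `const auto release = [&] { if (buffer != stackBuf) LocalFree(buffer); CloseHandle(hDevice); };`, and calling `release();` on each exit path would keep the pairs from drifting apart; an RAII guard would be stronger still. Collapsing the braces to one-line `if` statements, as this patch does, makes the repetition easier to miss rather than removing it. The loop body begins outside this hunk, so the placement of the helper relative to the allocation needs to be checked against the full function.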
@@ -10518,7 +10498,6 @@ struct VM { case DEVICE_STRING: return "DEVICE_STRING"; case BLUESTACKS_FOLDERS: return "BLUESTACKS_FOLDERS"; case CPUID_SIGNATURE: return "CPUID_SIGNATURE"; - case KVM_BITMASK: return "KVM_BITMASK"; case KGT_SIGNATURE: return "KGT_SIGNATURE"; case QEMU_VIRTUAL_DMI: return "QEMU_VIRTUAL_DMI"; case QEMU_USB: return "QEMU_USB"; @@ -11090,7 +11069,6 @@ std::pair VM::core::technique_list[] = { std::make_pair(VM::DEVICE_STRING, VM::core::technique(25, VM::device_string)), std::make_pair(VM::BLUESTACKS_FOLDERS, VM::core::technique(5, VM::bluestacks)), std::make_pair(VM::CPUID_SIGNATURE, VM::core::technique(95, VM::cpuid_signature)), - std::make_pair(VM::KVM_BITMASK, VM::core::technique(40, VM::kvm_bitmask)), std::make_pair(VM::KGT_SIGNATURE, VM::core::technique(80, VM::intel_kgt_signature)), std::make_pair(VM::QEMU_VIRTUAL_DMI, VM::core::technique(40, VM::qemu_virtual_dmi)), std::make_pair(VM::QEMU_USB, VM::core::technique(20, VM::qemu_USB)), From e4d07add39fc59bf00b80b3aa3ac99322ffa23e5 Mon Sep 17 00:00:00 2001 From: Requiem Date: Wed, 14 May 2025 01:28:38 +0200 Subject: [PATCH 3/3] removed hyper-v driver checks --- src/vmaware.hpp | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/vmaware.hpp b/src/vmaware.hpp index c96383c1..3cd2d3e2 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -6200,17 +6200,6 @@ struct VM { ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE); return core::add(brands::VMWARE); } - - if ( - strstr(driverPath, "vmstorfl") || - strstr(driverPath, "vmbkmcl") || - strstr(driverPath, "vms3cap") || - strstr(driverPath, "vmgencounter ") - ) { - debug("DRIVER_NAMES: Detected Hyper-V driver: ", driverPath); - ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE); - return core::add(brands::QEMU_KVM_HYPERV); - } } ntFreeVirtualMemory(hProcess, &allocatedMemory, ®ionSize, MEM_RELEASE);