
Merge pull request #151 from kernelwernel/dev
Dev
kernelwernel authored Oct 8, 2024
2 parents a650788 + 8edc0ae commit 8a077fb
Showing 9 changed files with 269 additions and 88 deletions.
8 changes: 8 additions & 0 deletions .github/PULL_REQUEST_TEMPLATE.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# What does this PR do?
- [ ] Add a new technique
- [ ] Add a new feature
- [ ] Fix bugs
- [ ] Refactoring code
- [ ] Other

# Briefly explain what this PR does:
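Review bot: the template asks for a category and a description but has no item reminding contributors to update docs/documentation.md or to run the auxiliary test program when a technique is added; adding two checkboxes such as "- [ ] Updated docs/documentation.md" and "- [ ] Ran auxiliary/vmtest.cpp on the affected platform" would make the "Add a new technique" path self-documenting.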
2 changes: 1 addition & 1 deletion .gitignore
@@ -57,5 +57,5 @@ cmake-build-*/
*copy.hpp
personal_todo.md
notes.txt
auxiliary/tests.cpp
auxiliary/test_template.cpp
release_notes.md
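Review bot: replacing `auxiliary/tests.cpp` with `auxiliary/test_template.cpp` in .gitignore means a stray local `tests.cpp` will now show up as untracked for anyone who still has one; if the old scratch file was renamed rather than removed, a one-line comment above the entry saying which local files are meant to stay untracked would avoid confusion.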
12 changes: 6 additions & 6 deletions README.md
@@ -5,7 +5,7 @@
<br>
<img align="center" src="https://img.shields.io/github/actions/workflow/status/kernelwernel/VMAware/cmake-multi-platform.yml">
<img align="center" src="https://img.shields.io/github/downloads/kernelwernel/VMAware/total">
<img align="center" src="https://img.shields.io/github/license/kernelwernel/VMAware">
<img align="center" src="https://img.shields.io/github/license/a0rtega/pafish">
<img align="center" src="https://img.shields.io/github/license/kernelwernel/Tourneys-bot">
</p>
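Review bot: the license badges now pull from repositories other than this one (`a0rtega/pafish` and `kernelwernel/Tourneys-bot`), presumably to display both a GPL-3.0 and an MIT badge since shields.io reports one license per repository; that ties the README's displayed licensing to whatever those two projects choose in future. A static shields.io badge with the license text baked in (or two of them) shows the same thing without the external dependency.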

@@ -111,7 +111,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
<summary>Who is this library for and what are the use cases?</summary>
<br>

> It's designed for security researchers, VM engineers, gamer developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself, if you're a game developer/proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware. Additionally, software could optimize performance or resource usage based on the detected environment, and some applications might want to restrict usage in VMs to prevent unauthorized distribution or testing.
> It's designed for security researchers, VM engineers, gamer developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a game developer/proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware. Additionally, software could optimize performance or resource usage based on the detected environment, and some applications might want to restrict usage in VMs to prevent unauthorized distribution or testing.
</details>
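Review bot: the rewritten sentence only splits the run-on; the same line still reads "gamer developers" (should be "game developers"), "thwart against reverse engineers" ("thwart reverse engineers"), and "testing the effectiveness of concealing itself" ("testing how well it conceals itself"). Since the line is being touched anyway, fixing those in the same hunk would save a follow-up.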

@@ -141,7 +141,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
> Hyper-V has an obscure feature where if it's enabled in the host system, the CPU hardware values makes it look like the whole system is running inside Hyper-V, which isn't true. This makes it a challenge to determine whether the hardware values the library is collecting is either a real Hyper-V VM, or just the artifacts of what Hyper-V has left as a consequence of having it enabled in the host system. The reason why this is a problem is because the library might falsely conclude that your the host system is running in Hyper-V, which is a false positive. This is where the **Hyper-X** mechanism comes into play to distinguish between these two. This was designed by <a href="https://github.com/NotRequiem">Requiem</a>
<p align="center">
<img src="assets/Hyper-X_version_2.png" align="center" title="Hyper-X">
<img src="assets/Hyper-X_version_3.png" align="center" title="Hyper-X">
<br>
</details>
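Review bot: the image reference is bumped to Hyper-X_version_3.png, but the paragraph directly above it still contains "your the host system", "the CPU hardware values makes it look like", and "whether the hardware values ... is either"; worth fixing in the same hunk, and the new image's `title` could mention "v3" so readers can tell it matches the diagram's own heading.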

@@ -163,10 +163,10 @@ You can view the full docs [here](docs/documentation.md). All the details such a
</details>

<details>
<summary>Why GPL 3.0 and MIT?</summary>
<summary>Why GPL-3.0 and MIT?</summary>
<br>

> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes <b>12</b> techniques out of 114 (as of 1.8 version), and the lesser the number of mechanisms, the less accurate the overall result might be.
> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes <b>12</b> techniques out of 116 (as of 1.9 version), and the lesser the number of techniques, the less accurate the overall result might be.
</details>
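Review bot: the summary is corrected to "GPL-3.0" but the body still says "GPL 3.0 projects"; use one spelling. In the same line, "116 (as of 1.9 version)" reads better as "116 (as of version 1.9)", and "the lesser the number of techniques, the less accurate" should be "the fewer techniques, the less accurate".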

@@ -222,4 +222,4 @@ And if you found this project useful, a star would be appreciated :)
## Legal 📜
I am not responsible nor liable for any damage you cause through any malicious usage of this project.

License: GPL-3.0
License: GPL-3.0/MIT
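Review bot: "GPL-3.0/MIT" on its own does not tell a reader which files carry which license; the FAQ earlier in this file explains that the MIT variant is the header with the GPL-derived techniques stripped out, so either link that FAQ entry here or name the two header files and their licenses on this line.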
5 changes: 3 additions & 2 deletions TODO.md
@@ -43,16 +43,17 @@
- [ ] make a medium post about it
- [ ] test the VM::modify_score() function
- [ ] check if bios date in /sys/class/dmi/id/ could be useful under QEMU
- [ ] make the cli demo in the readme for the 1.9 version
- [X] make the cli demo in the readme for the 1.9 version
- [X] fix the percentage thing for the disabled techniques
- [X] adopt the firmware technique from the vmprotect source code leak
- [ ] update the Hyper-X graph with the cpu manufacturer part
- [ ] add a .so, .dll, and .dylib shared object files in the release
- [X] make a struct version as an alternative
- [X] add the license style like in ffmpeg https://github.com/FFmpeg/FFmpeg/tree/master?tab=License-1-ov-file
- [ ] fix the issue of VM::QEMU_USB being ultra slow
- [X] make a MIT transformer python script from GPL to MIT
- [ ] /sys/class/dmi/id/product_name check this in qemu
- [ ] update sourceforge
- [X] fix the VM::vmaware struct


# Distant plans
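Review bot: "update the Hyper-X graph with the cpu manufacturer part" is left unchecked while this PR adds assets/Hyper-X_version_3.drawio and .png; if v3 is not meant to cover that item, a short note on the item saying it targets a later revision keeps the list in step with the assets, and if it is, tick it alongside "fix the VM::vmaware struct".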
153 changes: 153 additions & 0 deletions assets/Hyper-X_version_3.drawio
@@ -0,0 +1,153 @@
<mxfile host="app.diagrams.net" agent="Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0" version="24.7.17">
<diagram name="Page-1" id="zGf0Ftu6_07F7baFzf_Y">
<mxGraphModel dx="1167" dy="860" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="850" pageHeight="1100" math="0" shadow="0">
<root>
<mxCell id="0" />
<mxCell id="1" parent="0" />
<mxCell id="x2cThCooTCoZfJnJUzE6-1" value="" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="50" y="80" width="710" height="600" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-2" value="START" style="rounded=0;whiteSpace=wrap;html=1;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
<mxGeometry x="110" y="180" width="120" height="60" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-3" value="&lt;div&gt;Run the VM::HYPERVISOR_STR&lt;/div&gt;&lt;div&gt;technique, fetch eax.&lt;br&gt;&lt;/div&gt;" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="100" y="277.5" width="140" height="85" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-8" value="Hyper-X mechanism (v3)" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=34;fontStyle=1" parent="1" vertex="1">
<mxGeometry x="205" y="120" width="400" height="30" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-10" value="Not Hyper-V, continue as normal" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#f8cecc;strokeColor=#b85450;" parent="1" vertex="1">
<mxGeometry x="125" y="540" width="90" height="90" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-23" value="Does the SMBIOS show any strings related to Hyper-V?&lt;br&gt;(VM::MSSMBIOS)" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="330" y="460" width="150" height="80" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-24" value="Does the motherboard match with Hyper-V&lt;br&gt;or VirtualPC?&lt;br&gt;(VM::VPC_BOARD)" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="330" y="362.5" width="150" height="80" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-32" value="&lt;font style=&quot;font-size: 11px;&quot;&gt;Hyper-V detected, this is in fact a VM&lt;/font&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#d5e8d4;strokeColor=#82b366;" parent="1" vertex="1">
<mxGeometry x="585" y="535" width="100" height="100" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-33" value="Hyper-V host artifacts detected, this is NOT a VM" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;fillColor=#f8cecc;strokeColor=#b85450;" parent="1" vertex="1">
<mxGeometry x="585" y="260" width="100" height="100" as="geometry" />
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-38" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;" parent="1" source="mEdIK6QNIQfA6IXG1Q04-20" target="x2cThCooTCoZfJnJUzE6-32" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="1245" y="440" as="sourcePoint" />
<mxPoint x="740" y="390" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="x2cThCooTCoZfJnJUzE6-40" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=1;entryDx=0;entryDy=0;exitX=0.5;exitY=0;exitDx=0;exitDy=0;" parent="1" source="mEdIK6QNIQfA6IXG1Q04-20" target="x2cThCooTCoZfJnJUzE6-33" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="1245" y="350" as="sourcePoint" />
<mxPoint x="740" y="390" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="4PM8ViUepl_GfYZcxHRn-10" value="Does the CPU match with the VMProtect technique for Hyper-V root partition detection?" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="330" y="260" width="150" height="80" as="geometry" />
</mxCell>
<mxCell id="4PM8ViUepl_GfYZcxHRn-22" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="x2cThCooTCoZfJnJUzE6-2" target="x2cThCooTCoZfJnJUzE6-3" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="380" y="500" as="sourcePoint" />
<mxPoint x="170" y="265" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-6" value="Does eax have the &lt;br&gt;value of 11 or 12?" style="rhombus;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="85" y="400" width="170" height="100" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-7" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="x2cThCooTCoZfJnJUzE6-3" target="mEdIK6QNIQfA6IXG1Q04-6" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="380" y="500" as="sourcePoint" />
<mxPoint x="430" y="450" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-16" value="Do the Windows event logs show any indication of Hyper-V?&lt;br&gt;(VM::EVENT_LOGS)" style="rounded=1;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="330" y="560" width="150" height="80" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-20" value="Are at least one &lt;br&gt;of these true?" style="rhombus;whiteSpace=wrap;html=1;" parent="1" vertex="1">
<mxGeometry x="550" y="400" width="170" height="100" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-29" value="No" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1">
<mxGeometry x="165" y="502" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-30" value="No" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1">
<mxGeometry x="625" y="370.5" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-32" value="Yes" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1">
<mxGeometry x="625" y="502" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-33" value="Yes" style="text;html=1;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;" parent="1" vertex="1">
<mxGeometry x="240" y="420" width="60" height="30" as="geometry" />
</mxCell>
<mxCell id="mEdIK6QNIQfA6IXG1Q04-37" value="" style="endArrow=classic;html=1;rounded=0;exitX=0.5;exitY=1;exitDx=0;exitDy=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" source="mEdIK6QNIQfA6IXG1Q04-6" target="x2cThCooTCoZfJnJUzE6-10" edge="1">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="410" y="490" as="sourcePoint" />
<mxPoint x="460" y="440" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-2" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="mEdIK6QNIQfA6IXG1Q04-6" target="4PM8ViUepl_GfYZcxHRn-10">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="500" y="410" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
<Array as="points">
<mxPoint x="290" y="450" />
<mxPoint x="290" y="300" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-3" value="" style="endArrow=classic;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="x2cThCooTCoZfJnJUzE6-24">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="290" y="403" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-5" value="" style="endArrow=classic;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="mEdIK6QNIQfA6IXG1Q04-16">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="290" y="450" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
<Array as="points">
<mxPoint x="290" y="600" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-6" value="" style="endArrow=classic;html=1;rounded=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="x2cThCooTCoZfJnJUzE6-23">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="290" y="500" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-7" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;entryX=0;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" source="4PM8ViUepl_GfYZcxHRn-10" target="mEdIK6QNIQfA6IXG1Q04-20">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="500" y="410" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
<Array as="points">
<mxPoint x="510" y="300" />
<mxPoint x="510" y="450" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-8" value="" style="endArrow=none;html=1;rounded=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" edge="1" parent="1" target="x2cThCooTCoZfJnJUzE6-24">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="510" y="403" as="sourcePoint" />
<mxPoint x="550" y="360" as="targetPoint" />
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-10" value="" style="endArrow=none;html=1;rounded=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;" edge="1" parent="1" source="mEdIK6QNIQfA6IXG1Q04-16">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="370" y="410" as="sourcePoint" />
<mxPoint x="510" y="450" as="targetPoint" />
<Array as="points">
<mxPoint x="510" y="600" />
</Array>
</mxGeometry>
</mxCell>
<mxCell id="3IsLGjAELvZnN1pZ9IzM-12" value="" style="endArrow=none;html=1;rounded=0;exitX=1;exitY=0.5;exitDx=0;exitDy=0;" edge="1" parent="1" source="x2cThCooTCoZfJnJUzE6-23">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="700" y="410" as="sourcePoint" />
<mxPoint x="510" y="500" as="targetPoint" />
</mxGeometry>
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
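Review bot: the node "Does the CPU match with the VMProtect technique for Hyper-V root partition detection?" describes a check whose positive result is evidence of the root partition, i.e. the host, yet it feeds the same "Are at least one of these true?" OR as the three checks whose "Yes" branch ends in "Hyper-V detected, this is in fact a VM"; please confirm the polarity of that branch is intended. Two smaller points in the same diagram: the decision label should read "Is at least one of these true?", and the VMProtect node is the only check without a `(VM::...)` technique identifier, unlike VM::MSSMBIOS, VM::VPC_BOARD and VM::EVENT_LOGS.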
Binary file added assets/Hyper-X_version_3.png
7 changes: 7 additions & 0 deletions auxiliary/vmtest.cpp
@@ -34,5 +34,12 @@ int main(void) {
//const std::string test8 = VM::brand();
//const uint8_t test9 = VM::percentage(VM::SPOOFABLE);
//std::cout << (int)test9 << "\n";

VM::vmaware vm;

std::cout << "Is this a VM? = " << vm.is_vm << "\n";
std::cout << "How many techniques detected a VM? = " << static_cast<int>(vm.detected_count) << "\n";
std::cout << "What's the overview in a human-readable message? = " << vm.conclusion << "\n";

return 0;
}
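Review bot: `vm.is_vm` is a `bool`, so the first line prints `1` or `0`; inserting `std::boolalpha` into the stream (e.g. `std::cout << std::boolalpha << "Is this a VM? = " << vm.is_vm << "\n";`) gives `true`/`false`, which matches the question being printed. The `static_cast<int>` on `detected_count` is the right call since `std::uint8_t` would otherwise print as a character; `percentage` and `technique_count` have the same issue and could be exercised here as well so the struct is covered end to end.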
8 changes: 4 additions & 4 deletions docs/documentation.md
@@ -344,17 +344,17 @@ This will return the "conclusion" message of what the overall result is as a `st
<br>
# vmaware struct
If you prefer having an object to store all the relevant information about the program's environment, you can use the `VM::vmaware` struct:
If you prefer having an object to store all the relevant information about the program's environment instead of calling static member functions, you can use the `VM::vmaware` struct:
```cpp
struct vmaware {
std::string brand;
std::string type;
std::string conclusion;
bool is_vm;
std::uint8_t percentage;
std::uint8_t detected_count;
std::uint8_t technique_count;
std::string brand;
std::string type;
std::string conclusion;
};
```
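Review bot: moving the three `std::string` members after the integer fields is only a documentation change here, so it must mirror the declaration order in the header, otherwise anyone reading the struct order from the docs will be misled; please confirm it matches. It would also help to state which header the struct lives in and that `std::uint8_t` comes from `<cstdint>`, since the snippet is otherwise presented as a standalone definition.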

