Merge pull request #143 from kernelwernel/dev

Dev
kernelwernel · Sep 11, 2024 · ed184ea · ed184ea
2 parents 1a98569 + e26bc2c
commit ed184ea
Show file tree

Hide file tree

Showing 5 changed files with 543 additions and 311 deletions.
diff --git a/README.md b/README.md
@@ -98,32 +98,86 @@ You can view the full docs [here](docs/documentation.md). All the details such a
 <br>
 
 ## Q&A ❓
-- How does it work?
+
+<details>
+<summary>How does it work?</summary>
+<br>
+
 > It utilises a comprehensive list of low-level and high-level anti-VM techniques that gets accounted in a scoring system. The scores (0-100) for each technique are arbitrarily given, and every technique that has detected a VM will have their score added to a single accumulative point, where a threshold point number will decide whether it's actually running in a VM.
 
-- Who is this library for and what are the use cases?
+</details>
+
+<details>
+<summary>Who is this library for and what are the use cases?</summary>
+<br>
+
 > It's designed for security researchers, VM engineers, gamer developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself, if you're a game developer/proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware. Additionally, software could optimize performance or resource usage based on the detected environment, and some applications might want to restrict usage in VMs to prevent unauthorized distribution or testing.
 
-- Why another VM detection project?
-> There's already loads of projects that have the same goal such as [InviZzzible](https://github.com/CheckPointSW/InviZzzible), [pafish](https://github.com/a0rtega/pafish) and [Al-Khaser](https://github.com/LordNoteworthy/al-khaser). But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection library and tool on steroids with maximum flexibility.
+</details>
+
+<details>
+<summary>Why another VM detection project?</summary>
+<br>
+
+> There's already loads of projects that have the same goal such as 
+<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems. I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection library and tool on steroids with maximum flexibility.
 
-- How can the library distinguish between Hyper-V artifacts and an actual Hyper-V VM in the system?
-> Hyper-V has an obscure feature where if it's enabled in the host system, the CPU hardware values makes it look like the whole system is running inside Hyper-V, which isn't true. This makes it a challenge to determine whether the hardware values the library is collecting is either a real Hyper-V VM, or just the artifacts of what Hyper-V has left as a consequence of having it enabled in the host system. The reason why this is a problem is because the library might falsely conclude that your the host system is running in Hyper-V, which is a false positive. This is where the **Hyper-X** mechanism comes into play to distinguish between these two. This was designed by [Requiem](https://github.com/NotRequiem)
-> <p align="center">
-> <img src="assets/Hyper-X.png" align="center" title="Hyper-X">
-> <br>
+</details>
 
-- Is it possible to spoof the result?
-> Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false positive or even a false negative. This is a problem that every VM detection project is facing, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. 
 
-- What about using this for malware?
+<details>
+<summary>How does it compare to paid VM detection libraries? Wouldn't it make it inferior for having it open source?</summary>
+<br>
+
+> There are a few paid software to protect the licensing of other software against against reverse engineers or software cracking, such as <a href="https://docs.sentinel.thalesgroup.com/home.htm">Thales' Sentinel RMS</a> and <a href="https://vmpsoft.com/">VMProtect</a>. Although these are not meant to ONLY be VM detection libraries, they are limited in their capabilities in different ways. Sentinel RMS' VM detection does not have as many VM brands (not to mention the pricing is only meant for corporations, not individuals), and VMProtect has a <a href="https://cyber.wtf/2023/02/09/defeating-vmprotects-latest-tricks/">very limited number of detection techniques</a>, where some of them don't require a lot of effort to bypass with only a few configurations to the VM (the detection mechanism has also been <a href="https://github.com/jmpoep/vmprotect-3.5.1/blob/d8fcb7c0ffd4fb45a8cfbd770c8b117d7dbe52b5/runtime/loader.cc#L2464">leaked</a>, so there's no benefit of having it closed source now). Speaking of which, the only downside to VMAware is that it's fully open source, which makes the job of bypassers easier compared to having it closed source. However, I'd argue that's a worthy tradeoff by having as many VM detection techniques in an open and interactive way, including having valuable community feedback to make the library more effective and accurate.
+
+</details>
+
+
+<details>
+<summary>How can the library distinguish between Hyper-V artifacts and an actual Hyper-V VM in the system?</summary>
+<br>
+
+> Hyper-V has an obscure feature where if it's enabled in the host system, the CPU hardware values makes it look like the whole system is running inside Hyper-V, which isn't true. This makes it a challenge to determine whether the hardware values the library is collecting is either a real Hyper-V VM, or just the artifacts of what Hyper-V has left as a consequence of having it enabled in the host system. The reason why this is a problem is because the library might falsely conclude that your the host system is running in Hyper-V, which is a false positive. This is where the **Hyper-X** mechanism comes into play to distinguish between these two. This was designed by <a href="https://github.com/NotRequiem">Requiem</a>
+
+<p align="center">
+<img src="assets/Hyper-X.png" align="center" title="Hyper-X">
+<br>
+</details>
+
+
+<details>
+<summary>Is it possible to spoof the result?</summary>
+<br>
+
+> Yes. There are some techniques that are trivially spoofable, and there's nothing the library can do about it whether it's a deliberate false positive or even a false negative. This is a problem that every VM detection project is facing whether closed or open source, which is why the library is trying to test every technique possible to get the best result based on the environment it's running under. Remember, EVERYTHING is technically spoofable.
+
+</details>
+
+<details>
+<summary>What about using this for malware?</summary>
+<br>
+
 > This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good fucking luck obfuscating 10k+ lines of C++ code lmao.
 
-- Why GPL 3.0 and MIT? 
-> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes **12** techniques out of 114 (as of 1.8 version), and the lesser the number of mechanisms, the less accurate the overall result might be.
+</details>
+
+<details>
+<summary>Why GPL 3.0 and MIT?</summary>
+<br>
+
+> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons. This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes <b>12</b> techniques out of 114 (as of 1.8 version), and the lesser the number of mechanisms, the less accurate the overall result might be.
+
+</details>
+
+<details>
+<summary>I have linker errors when compiling</summary>
+<br>
+
+> If you're compiling with gcc or clang, add the <code>-lm</code> and <code>-lstdc++</code> flags, or use g++/clang++ compilers instead. If you're receiving linker errors from a brand new VM environment on Linux, update your system with `sudo apt/dnf/yum update -y` to install the necessary C++ components.
+
+</details>
 
-- I have linker errors when compiling
-> If you're compiling with gcc or clang, add the `-lm` and `-lstdc++` flags, or use g++/clang++ compilers instead. If you're receiving linker errors from a brand new VM environment on Linux, update your system with `sudo apt/dnf/yum update -y` to install the necessary C++ components.
 
 <br>
 

diff --git a/TODO.md b/TODO.md
@@ -45,6 +45,8 @@
 - [ ] check if bios date in /sys/class/dmi/id/ could be useful under QEMU
 - [ ] make the cli demo in the readme for the 1.8 version
 - [ ] fix the percentage thing for the disabled techniques
+- [ ] adopt the firmware technique from the vmprotect source code leak
+- [ ] update the Hyper-X graph with the cpu manufacturer part
 
 # Distant plans
 - add the library to conan.io when released

diff --git a/src/cli.cpp b/src/cli.cpp
@@ -43,8 +43,8 @@
 
 #include "vmaware.hpp"
 
-constexpr const char* ver = "1.8";
-constexpr const char* date = "August 2024";
+constexpr const char* ver = "1.9";
+constexpr const char* date = "September 2024";
 
 constexpr const char* bold = "\033[1m";
 constexpr const char* ansi_exit = "\x1B[0m";
@@ -73,6 +73,7 @@ enum arg_enum : std::uint8_t {
 };
 
 std::bitset<14> arg_bitset;
+const std::uint8_t max_bits = static_cast<std::uint8_t>(VM::MULTIPLE) + 1;
 
 #if (MSVC)
 class win_ansi_enabler_t
@@ -131,8 +132,8 @@ R"(Usage:
  -t | --type        returns the VM type (if a VM was found)
 
 Extra:
- --disable-notes        no notes will be provided
- --spoofable            allow spoofable techniques to be ran (not included by default)
+ --disable-notes    no notes will be provided
+ --spoofable        allow spoofable techniques to be ran (not included by default)
 
 )";
     std::exit(0);
@@ -250,6 +251,7 @@ AWS Nitro System (KVM-based)
 Podman
 WSL
 OpenVZ
+ANY.RUN
 )";
 
     std::exit(0);
@@ -305,6 +307,7 @@ std::string type(const std::string &brand_str) {
         { "Anubis", "Sandbox" },
         { "Comodo", "Sandbox" },
         { "ThreatExpert", "Sandbox" },
+        { "ANY.RUN", "Sandbox"},
 
         // misc
         { "Bochs", "Emulator" },
@@ -323,7 +326,7 @@ std::string type(const std::string &brand_str) {
         { "Hyper-V artifact (not an actual VM)", "No VM" },
         { "User-mode Linux", "Paravirtualised" },
         { "WSL", "Hybrid Hyper-V (type 1 and 2)" }, // debatable tbh
-        { "Apple Rosetta 2", "Binary Translation Layer/Emulator" }
+        { "Apple Rosetta 2", "Binary Translation Layer/Emulator" },
     };
 
     auto it = type_table.find(brand_str);
@@ -438,6 +441,22 @@ bool is_disabled(const VM::enum_flags flag) {
 }
 
 
+std::bitset<max_bits> settings() {
+    std::bitset<max_bits> tmp;
+
+    if (arg_bitset.test(SPOOFABLE)) {
+        tmp.set(VM::SPOOFABLE);
+    }
+
+    if (arg_bitset.test(ALL)) {
+        tmp |= VM::ALL;
+        tmp.set(VM::SPOOFABLE);
+    }
+
+    return tmp;
+}
+
+
 void general() {
     const std::string detected = ("[  " + std::string(green) + "DETECTED" + std::string(ansi_exit) + "  ]");
     const std::string not_detected = ("[" + std::string(red) + "NOT DETECTED" + std::string(ansi_exit) + "]");
@@ -476,20 +495,13 @@ void general() {
     };
 
     bool notes_enabled = false;
-    VM::enum_flags spoofable_setting;
 
     if (arg_bitset.test(NOTES)) {
         notes_enabled = false;
     } else {
         notes_enabled = true;
     }
 
-    if (arg_bitset.test(SPOOFABLE)) {
-        spoofable_setting = VM::SPOOFABLE;
-    } else {
-        spoofable_setting = VM::NULL_ARG;
-    }
-
     #if (LINUX)
         if (notes_enabled && !is_admin()) {
             std::cout << note << " Running under root might give better results\n";
@@ -519,7 +531,7 @@ void general() {
     checker(VM::DLL, "DLLs");
     checker(VM::REGISTRY, "registry");
     checker(VM::CWSANDBOX_VM, "Sunbelt CWSandbox directory");
-    //checker(VM::WINE_CHECK, "Wine");
+    checker(VM::WINE_CHECK, "Wine");
     checker(VM::VM_FILES, "VM files");
     checker(VM::HWMODEL, "hw.model");
     checker(VM::DISK_SIZE, "disk size");
@@ -530,7 +542,7 @@ void general() {
     checker(VM::MEMORY, "low memory space");
     checker(VM::VM_PROCESSES, "VM processes");
     checker(VM::LINUX_USER_HOST, "default Linux user/host");
-    //checker(VM::VBOX_WINDOW_CLASS, "VBox window class");
+    checker(VM::VBOX_WINDOW_CLASS, "VBox window class");
     checker(VM::GAMARUE, "gamarue ransomware technique");
     checker(VM::VMID_0X4, "0x4 leaf of VMID");
     checker(VM::PARALLELS_VM, "Parallels techniques");
@@ -610,14 +622,16 @@ void general() {
     checker(VM::SMBIOS_VM_BIT, "SMBIOS VM bit");
     checker(VM::PODMAN_FILE, "Podman file");
     checker(VM::WSL_PROC, "WSL string in /proc");
+    checker(VM::ANYRUN_DRIVER, "ANY.RUN driver");
+    checker(VM::ANYRUN_DIRECTORY, "ANY.RUN directory");
 
     std::printf("\n");
 
 #ifdef __VMAWARE_DEBUG__
     std::cout << "[DEBUG] theoretical maximum points: " << VM::total_points << "\n";
 #endif
 
-    std::string brand = VM::brand(VM::MULTIPLE, spoofable_setting);
+    std::string brand = VM::brand(VM::MULTIPLE, settings());
 
     std::cout << "VM brand: " << ((brand == "Unknown") || (brand == "Hyper-V artifact (not an actual VM)") ? red : green) << brand << ansi_exit << "\n";
 
@@ -639,7 +653,7 @@ void general() {
     }
 
     const char* percent_color = "";
-    const std::uint8_t percent = VM::percentage(spoofable_setting);
+    const std::uint8_t percent = VM::percentage(settings());
 
     if      (percent == 0) { percent_color = red; }
     else if (percent < 25) { percent_color = red_orange; }
@@ -649,7 +663,7 @@ void general() {
 
     std::cout << "VM likeliness: " << percent_color << static_cast<std::uint32_t>(percent) << "%" << ansi_exit << "\n";
 
-    const bool is_detected = VM::detect(spoofable_setting);
+    const bool is_detected = VM::detect(settings());
 
     std::cout << "VM confirmation: " << (is_detected ? green : red) << std::boolalpha << is_detected << std::noboolalpha << ansi_exit << "\n";
 
@@ -803,25 +817,6 @@ int main(int argc, char* argv[]) {
             std::cerr << "--stdout, --percent, --detect, --brand, --type, and --conclusion must NOT be a combination, choose only a single one\n";
             return 1;
         }
-
-        const std::uint8_t max_bits = static_cast<std::uint8_t>(VM::MULTIPLE) + 1;
-
-        auto settings = [&]() -> std::bitset<max_bits> {
-            std::bitset<max_bits> setting_bits;
-
-            if (arg_bitset.test(SPOOFABLE)) {
-                setting_bits.set(VM::SPOOFABLE);
-            }
-
-            if (arg_bitset.test(ALL)) {
-                setting_bits |= VM::ALL;
-                setting_bits.set(VM::SPOOFABLE);
-            }
-
-            setting_bits.set(NULL_ARG);
-
-            return setting_bits;
-        };
 
         if (arg_bitset.test(STDOUT)) {
             return (!VM::detect(VM::NO_MEMO, settings()));