Two new techniques + refacto

Author: ShellCode33

vmdetect/common.go

@@ -1,6 +1,12 @@
 package vmdetect
 
-import "fmt"
+import (
+	"bufio"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+)
 
 func PrintError(loggee interface{}) {
 	fmt.Printf("[x] %v\n", loggee)
@@ -9,3 +15,26 @@ func PrintError(loggee interface{}) {
 func PrintWarning(loggee interface{}) {
 	fmt.Printf("[!] %v\n", loggee)
 }
+
+func DoesFileContain(file *os.File, stringToBeFound string) bool {
+	reader := bufio.NewReader(file)
+
+	for {
+		line, err := reader.ReadString('\n')
+
+		if err != nil {
+
+			if err == io.EOF {
+				PrintError(file.Name() + " didn't match")
+			} else if !os.IsTimeout(err) {
+				PrintError(err)
+			}
+
+			return false
+		}
+
+		if strings.Contains(line, stringToBeFound) {
+			return true
+		}
+	}
+}

vmdetect/linux.go

@@ -3,7 +3,6 @@
 package vmdetect
 
 import (
-	"bufio"
 	"bytes"
 	"github.com/klauspost/cpuid"
 	"io/ioutil"
@@ -12,7 +11,7 @@ import (
 )
 
 /*
-	Checks if the DMI table contains vendor strings of known VMs.
+Checks if the DMI table contains vendor strings of known VMs.
 */
 func checkDMITable() bool {
 
@@ -58,15 +57,14 @@ func checkDMITable() bool {
 				return true
 			}
 		}
-
 	}
 
 	return false
 }
 
 /*
-	Checks printk messages to see if Linux detected an hypervisor.
-	https://github.com/torvalds/linux/blob/31cc088a4f5d83481c6f5041bd6eb06115b974af/arch/x86/kernel/cpu/hypervisor.c#L79
+Checks printk messages to see if Linux detected an hypervisor.
+https://github.com/torvalds/linux/blob/31cc088a4f5d83481c6f5041bd6eb06115b974af/arch/x86/kernel/cpu/hypervisor.c#L79
 */
 func checkKernelRingBuffer() bool {
 
@@ -85,42 +83,68 @@ func checkKernelRingBuffer() bool {
 		return false
 	}
 
-	reader := bufio.NewReader(file)
+	return DoesFileContain(file, "Hypervisor detected")
+}
 
-	for {
-		line, _, err := reader.ReadLine()
+/*
+Checks if UML is being used
+https://en.wikipedia.org/wiki/User-mode_Linux
+*/
+func checkUML() bool {
 
-		if err != nil {
-			if !os.IsTimeout(err) {
-				PrintError(err)
-			}
+	file, err := os.Open("/proc/cpuinfo")
 
-			return false
-		}
+	if err != nil {
+		PrintError(err)
+		return false
+	}
 
-		// Lowercase comparison to prevent false negatives
-		if bytes.Contains(bytes.ToLower(line), []byte("hypervisor detected")) {
-			return true
-		}
+	defer file.Close()
+
+	return DoesFileContain(file, "User Mode Linux")
+}
+
+/*
+Some GNU/Linux distributions expose /proc/sysinfo containing potential VM info
+https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lhdd/lhdd_t_sysinfo.html
+*/
+func checkSysInfo() bool {
+	file, err := os.Open("/proc/sysinfo")
+
+	if err != nil {
+		PrintError(err)
+		return false
 	}
+
+	defer file.Close()
+
+	return DoesFileContain(file, "VM00")
 }
 
 /*
-	Public function returning true if a VM is detected.
-	If so, a non-empty string is also returned to tell how it was detected.
+Public function returning true if a VM is detected.
+If so, a non-empty string is also returned to tell how it was detected.
 */
 func IsRunningInVirtualMachine() (bool, string) {
 
 	if cpuid.CPU.VM() {
-		return true, "CPU Vendor"
+		return true, "CPU Vendor (assembly instructions)"
+	}
+
+	if checkUML() {
+		return true, "CPU Vendor (/proc/cpuinfo)"
+	}
+
+	if checkSysInfo() {
+		return true, "System Information (/proc/sysinfo)"
 	}
 
 	if checkDMITable() {
-		return true, "DMI Table"
+		return true, "DMI Table (/sys/class/dmi/id/*)"
 	}
 
 	if checkKernelRingBuffer() {
-		return true, "Kernel Ring Buffer"
+		return true, "Kernel Ring Buffer (/dev/kmsg)"
 	}
 
 	return false, "nothing"