Merge pull request #327 from NotRequiem/dev

Improvements to VM::GPU_CAPABILITIES

Author: NotRequiem

docs/documentation.md

@@ -510,7 +510,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::HDD_SERIAL` | Check for serial numbers of virtual disks | Windows | 100% |  |  |  |  |
 | `VM::PORT_CONNECTORS` | Check for physical connection ports | Windows | 25% |  |  |  | This technique is known to false flag on devices like Surface Pro |
 | `VM::GPU_CAPABILITIES` | Check for GPU capabilities related to VMs | Windows | 100% | Admin |  |  | Admin only needed for some heuristics |
-| `VM::GPU_VM_STRINGS` | Check for specific GPU string signatures related to VMs | Windows | 100% |  |  |  |  |
+| `VM::GPU_VM_STRINGS` | Check for specific GPU string signatures related to VMs | Windows | 100% |  |  |  | If GPU_CAPABILITIES also flags, the overall score will be 50 instead of 100 |
 | `VM::VM_DEVICES` | Check for VM-specific devices | Windows | 50% |  |  |  |  |
 | `VM::IDT_GDT_SCAN` | Check if the IDT and GDT virtual base addresses are equal across different CPU cores when not running under Hyper-V | Windows | 50% |  |  |  |  |
 | `VM::PROCESSOR_NUMBER` | Check for number of processors | Windows | 50% |  |  |  |  |
@@ -527,9 +527,9 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::NATIVE_VHD` | Checks if the OS was booted from a VHD container |  | 100% |  |  |  |  |
 | `VM::NATIVE_VHD` | Check for OS being booted from a VHD container | Windows | 100% |  |  |  |  |
 | `VM::VIRTUAL_REGISTRY` | Check for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | Windows | 65% |  |  |  | Admin only needed for Linux |
-| `VM::FIRMWARE` | Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid | Windows and Linux | 75% |  |  |  |  |
+| `VM::FIRMWARE` | Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid | Windows and Linux | 100% |  |  |  |  |
 | `VM::FILE_ACCESS_HISTORY` | Check if the number of accessed files are too low for a human-managed environment | Linux | 15% |  |  |  |  |
-| `VM::AUDIO` | Check if audio device is present | Windows | 25% |  |  |  |  |
+| `VM::AUDIO` | Check if any waveform-audio output devices are present in the system | Windows | 25% |  |  |  |  |
 | `VM::UNKNOWN_MANUFACTURER` | Check if the CPU manufacturer is not known |  | 50% |  |  |  |  |
 | `VM::OSXSAVE` | Check if running xgetbv in the XCR0 extended feature register triggers an exception | Windows | 50% |  |  |  |  |
 | `VM::NSJAIL_PID` | Check if process status matches with nsjail patterns with PID anomalies | Linux | 75% |  |  |  |  |

src/vmaware.hpp

@@ -31,10 +31,10 @@
  * - struct for internal cpu operations        => line 749
  * - struct for internal memoization           => line 1220
  * - struct for internal utility functions     => line 1344
- * - struct for internal core components       => line 100128
+ * - struct for internal core components       => line 10153
  * - start of VM detection technique list      => line 2345
- * - start of public VM detection functions    => line 10792
- * - start of externally defined variables     => line 11742
+ * - start of public VM detection functions    => line 10817
+ * - start of externally defined variables     => line 11767
  *
  *
  * ============================== EXAMPLE ===================================
@@ -7598,7 +7598,7 @@ struct VM {
     /**
      * @brief Check for GPU capabilities related to VMs
      * @category Windows
-     * @author Requiem
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::GPU_CAPABILITIES
      */
     [[nodiscard]] static bool gpu_capabilities() {
@@ -7611,25 +7611,52 @@ struct VM {
 
         IDirect3D9* pD3D = Direct3DCreate9(D3D_SDK_VERSION);
         if (!pD3D) {
-            debug("GPU_CAPABILITIES: Direct3DCreate9");
+            debug("GPU_CAPABILITIES: Direct3DCreate9 failed");
             return true;
         }
 
         D3DADAPTER_IDENTIFIER9 adapterId;
-        D3DCAPS9 caps;
         if (SUCCEEDED(pD3D->GetAdapterIdentifier(D3DADAPTER_DEFAULT, 0, &adapterId))) {
-            if (adapterId.VendorId == 0x15AD) {
+            if (adapterId.VendorId == 0x15AD) {   
                 pD3D->Release();
                 return core::add(brands::VMWARE);
             }
-            else if (adapterId.VendorId == 0x80EE) {
+            else if (adapterId.VendorId == 0x80EE) {   
                 pD3D->Release();
                 return core::add(brands::VBOX);
             }
         }
 
-        if (FAILED(pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps))) {
-            debug("GPU_CAPABILITIES: GetDeviceCaps");
+        D3DCAPS9 caps;
+        HRESULT hr = pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps);
+        const int maxRetries = 3;
+        for (int attempt = 0; FAILED(hr) && (attempt < maxRetries); ++attempt) {
+            SleepEx(500, FALSE);  
+            hr = pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps);
+        }
+        if (FAILED(hr)) {
+            debug("GPU_CAPABILITIES: GetDeviceCaps failure");
+            pD3D->Release();
+            return false;
+        }
+
+        // Pixel Shader version 2.0
+        if (caps.PixelShaderVersion < D3DPS_VERSION(2, 0)) {
+            debug("GPU_CAPABILITIES: Insufficient Pixel Shader version");
+            pD3D->Release();
+            return true;
+        }
+
+        // hardware transform and lighting capability
+        if (!(caps.DevCaps & D3DDEVCAPS_HWTRANSFORMANDLIGHT)) {
+            debug("GPU_CAPABILITIES: Missing hardware T&L support");
+            pD3D->Release();
+            return true;
+        }
+
+        // simultaneous render targets
+        if (caps.NumSimultaneousRTs < 2) {
+            debug("GPU_CAPABILITIES: Insufficient simultaneous render targets");
             pD3D->Release();
             return true;
         }
@@ -7638,31 +7665,26 @@ struct VM {
 
         IDXGIFactory* pFactory = nullptr;
         if (FAILED(CreateDXGIFactory(__uuidof(IDXGIFactory), reinterpret_cast<void**>(&pFactory)))) {
-            debug("GPU_CAPABILITIES: DXGIFactory");
+            debug("GPU_CAPABILITIES: DXGIFactory creation failed");
             return true;
         }
 
         IDXGIAdapter* pAdapter = nullptr;
-        // Do not enumerate all adapters, otherwise it would false flag with adapters with no dedicated GPUs
-        // like Microsoft Basic Render Driver (vid 0x1414)
+        // Enumerate only the primary adapter so as not to mistakenly flag machines without a dedicated GPU, like Microsoft Basic Render Driver (vid 0x1414)
         if (pFactory->EnumAdapters(0, &pAdapter) != DXGI_ERROR_NOT_FOUND) {
             DXGI_ADAPTER_DESC adapterDesc;
             if (SUCCEEDED(pAdapter->GetDesc(&adapterDesc))) {
-                char description[128] = { 0 };
-                size_t converted = 0;
-                wcstombs_s(&converted, description, adapterDesc.Description, sizeof(description));
-
-                if (adapterDesc.DedicatedVideoMemory < static_cast<unsigned long long>(1024 * 1024) * 1024) {
-                    debug("GPU_CAPABILITIES: Video memory");
+                if (adapterDesc.DedicatedVideoMemory < (1024ULL * 1024ULL * 1024ULL)) {
+                    debug("GPU_CAPABILITIES: Video memory below threshold");
                     pAdapter->Release();
                     pFactory->Release();
                     return true;
                 }
             }
             pAdapter->Release();
         }
-
         pFactory->Release();
+
         return false;
 #endif
     }
@@ -7730,7 +7752,7 @@ struct VM {
      *        However, when Windows is running under Hyper-V (in a root partition), the IDT and GDT base address will always be the same across all CPU cores if called from user-mode.
      *        This kernel address leak prevention measure is done by Hyper-V on purpose and can be abused to detect VMs.
      * @category Windows, x64
-     * @author Requiem
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::IDT_GDT_SCAN
      */
     [[nodiscard]] static bool idt_gdt_scan() {
@@ -8000,6 +8022,7 @@ struct VM {
     /**
      * @brief Check for timing anomalies in the system
      * @category x86
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::TIMER
      */
     [[nodiscard]]
@@ -9903,7 +9926,7 @@ struct VM {
 	}
 
 
-    /* @brief Check if audio device is present
+    /* @brief Check if any waveform-audio output devices are present in the system
      * @category Windows
      * @implements VM::AUDIO
      */
@@ -11976,7 +11999,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     std::make_pair(VM::AMD_SEV, VM::core::technique(50, VM::amd_sev)),
     std::make_pair(VM::NATIVE_VHD, VM::core::technique(100, VM::native_vhd)),
     std::make_pair(VM::VIRTUAL_REGISTRY, VM::core::technique(65, VM::virtual_registry)),
-    std::make_pair(VM::FIRMWARE, VM::core::technique(75, VM::firmware_scan)),
+    std::make_pair(VM::FIRMWARE, VM::core::technique(100, VM::firmware_scan)),
     std::make_pair(VM::FILE_ACCESS_HISTORY, VM::core::technique(15, VM::file_access_history)),
     std::make_pair(VM::AUDIO, VM::core::technique(25, VM::check_audio)),
     std::make_pair(VM::UNKNOWN_MANUFACTURER, VM::core::technique(50, VM::unknown_manufacturer)),

src/vmaware_MIT.hpp

@@ -53,10 +53,10 @@
  * - struct for internal cpu operations        => line 764
  * - struct for internal memoization           => line 1236
  * - struct for internal utility functions     => line 1361
- * - struct for internal core components       => line 9934
+ * - struct for internal core components       => line 9959
  * - start of VM detection technique list      => line 2364
- * - start of public VM detection functions    => line 10609
- * - start of externally defined variables     => line 11561
+ * - start of public VM detection functions    => line 10634
+ * - start of externally defined variables     => line 11586
  *
  *
  * ============================== EXAMPLE ===================================
@@ -7403,7 +7403,7 @@ struct VM {
     /**
      * @brief Check for GPU capabilities related to VMs
      * @category Windows
-     * @author Requiem
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::GPU_CAPABILITIES
      */
     [[nodiscard]] static bool gpu_capabilities() {
@@ -7416,12 +7416,11 @@ struct VM {
 
         IDirect3D9* pD3D = Direct3DCreate9(D3D_SDK_VERSION);
         if (!pD3D) {
-            debug("GPU_CAPABILITIES: Direct3DCreate9");
+            debug("GPU_CAPABILITIES: Direct3DCreate9 failed");
             return true;
         }
 
         D3DADAPTER_IDENTIFIER9 adapterId;
-        D3DCAPS9 caps;
         if (SUCCEEDED(pD3D->GetAdapterIdentifier(D3DADAPTER_DEFAULT, 0, &adapterId))) {
             if (adapterId.VendorId == 0x15AD) {
                 pD3D->Release();
@@ -7433,8 +7432,36 @@ struct VM {
             }
         }
 
-        if (FAILED(pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps))) {
-            debug("GPU_CAPABILITIES: GetDeviceCaps");
+        D3DCAPS9 caps;
+        HRESULT hr = pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps);
+        const int maxRetries = 3;
+        for (int attempt = 0; FAILED(hr) && (attempt < maxRetries); ++attempt) {
+            SleepEx(500, FALSE);
+            hr = pD3D->GetDeviceCaps(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, &caps);
+        }
+        if (FAILED(hr)) {
+            debug("GPU_CAPABILITIES: GetDeviceCaps failure");
+            pD3D->Release();
+            return false;
+        }
+
+        // Pixel Shader version 2.0
+        if (caps.PixelShaderVersion < D3DPS_VERSION(2, 0)) {
+            debug("GPU_CAPABILITIES: Insufficient Pixel Shader version");
+            pD3D->Release();
+            return true;
+        }
+
+        // hardware transform and lighting capability
+        if (!(caps.DevCaps & D3DDEVCAPS_HWTRANSFORMANDLIGHT)) {
+            debug("GPU_CAPABILITIES: Missing hardware T&L support");
+            pD3D->Release();
+            return true;
+        }
+
+        // simultaneous render targets
+        if (caps.NumSimultaneousRTs < 2) {
+            debug("GPU_CAPABILITIES: Insufficient simultaneous render targets");
             pD3D->Release();
             return true;
         }
@@ -7443,31 +7470,26 @@ struct VM {
 
         IDXGIFactory* pFactory = nullptr;
         if (FAILED(CreateDXGIFactory(__uuidof(IDXGIFactory), reinterpret_cast<void**>(&pFactory)))) {
-            debug("GPU_CAPABILITIES: DXGIFactory");
+            debug("GPU_CAPABILITIES: DXGIFactory creation failed");
             return true;
         }
 
         IDXGIAdapter* pAdapter = nullptr;
-        // Do not enumerate all adapters, otherwise it would false flag with adapters with no dedicated GPUs
-        // like Microsoft Basic Render Driver (vid 0x1414)
+        // Enumerate only the primary adapter so as not to mistakenly flag machines without a dedicated GPU, like Microsoft Basic Render Driver (vid 0x1414)
         if (pFactory->EnumAdapters(0, &pAdapter) != DXGI_ERROR_NOT_FOUND) {
             DXGI_ADAPTER_DESC adapterDesc;
             if (SUCCEEDED(pAdapter->GetDesc(&adapterDesc))) {
-                char description[128] = { 0 };
-                size_t converted = 0;
-                wcstombs_s(&converted, description, adapterDesc.Description, sizeof(description));
-
-                if (adapterDesc.DedicatedVideoMemory < static_cast<unsigned long long>(1024 * 1024) * 1024) {
-                    debug("GPU_CAPABILITIES: Video memory");
+                if (adapterDesc.DedicatedVideoMemory < (1024ULL * 1024ULL * 1024ULL)) {
+                    debug("GPU_CAPABILITIES: Video memory below threshold");
                     pAdapter->Release();
                     pFactory->Release();
                     return true;
                 }
             }
             pAdapter->Release();
         }
-
         pFactory->Release();
+
         return false;
 #endif
     }
@@ -7535,7 +7557,7 @@ struct VM {
      *        However, when Windows is running under Hyper-V (in a root partition), the IDT and GDT base address will always be the same across all CPU cores if called from user-mode.
      *        This kernel address leak prevention measure is done by Hyper-V on purpose and can be abused to detect VMs.
      * @category Windows, x64
-     * @author Requiem
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::IDT_GDT_SCAN
      */
     [[nodiscard]] static bool idt_gdt_scan() {
@@ -7805,6 +7827,7 @@ struct VM {
     /**
      * @brief Check for timing anomalies in the system
      * @category x86
+     * @author Requiem (https://github.com/NotRequiem)
      * @implements VM::TIMER
      */
     [[nodiscard]]
@@ -9708,7 +9731,7 @@ struct VM {
     }
 
 
-    /* @brief Check if audio device is present
+    /* @brief Check if any waveform-audio output devices are present in the system
      * @category Windows
      * @implements VM::AUDIO
      */
@@ -11788,7 +11811,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     std::make_pair(VM::AMD_SEV, VM::core::technique(50, VM::amd_sev)),
     std::make_pair(VM::NATIVE_VHD, VM::core::technique(100, VM::native_vhd)),
     std::make_pair(VM::VIRTUAL_REGISTRY, VM::core::technique(65, VM::virtual_registry)),
-    std::make_pair(VM::FIRMWARE, VM::core::technique(75, VM::firmware_scan)),
+    std::make_pair(VM::FIRMWARE, VM::core::technique(100, VM::firmware_scan)),
     std::make_pair(VM::FILE_ACCESS_HISTORY, VM::core::technique(15, VM::file_access_history)),
     std::make_pair(VM::AUDIO, VM::core::technique(25, VM::check_audio)),
     std::make_pair(VM::UNKNOWN_MANUFACTURER, VM::core::technique(50, VM::unknown_manufacturer)),