Merge pull request #335 from kernelwernel/dev

Improved timing attacks

Author: NotRequiem

.github/ISSUE_TEMPLATE.md .github/ISSUE_TEMPLATE/report.md.github/ISSUE_TEMPLATE.md renamed to .github/ISSUE_TEMPLATE/report.md

@@ -1,9 +1,10 @@
-For a report on a false positive, please make sure that you include:
+For a report on a false positive/bug, please make sure that you include:
 - which OS and VM you are using
 - which technique(s) have given a false positive
 - a screenshot or copy pasted message of the CLI's output
+- if necessary, running the [debug binary](https://github.com/kernelwernel/VMAware/releases/download/v2.2.0/vmaware_debug.exe) and copy pasting the output would be immensely useful for us to diagnose your issue.
 
 > [!NOTE]
 > Specific versions or in-depth system info is not required, just the bare basics is what we're looking for.
 
-If your issue is not a false positive, please make sure to write as much information as needed.
+If your issue is not a false positive, please make sure to write the necessary information needed.

README.md

@@ -239,7 +239,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
 
 > I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL projects, and I have no choice but to use the same license for legal reasons. 
 > 
-> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes <b>7</b> techniques out of 117 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
+> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open source. It should be noted that the MIT version removes <b>7</b> techniques out of 116 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
 
 </details>
 

auxiliary/benchmark.cpp

@@ -35,7 +35,7 @@
 
 class VMAwareBenchmark {
 public:
-    static uint64_t get_timestamp() {
+    static inline uint64_t get_timestamp() {
 #if defined(_WIN32)
         LARGE_INTEGER counter;
         QueryPerformanceCounter(&counter);
@@ -51,7 +51,7 @@ class VMAwareBenchmark {
 #endif
     }
 
-    static double get_elapsed(uint64_t start, uint64_t end) {
+    static inline double get_elapsed(uint64_t start, uint64_t end) {
 #if defined(_WIN32)
         static LARGE_INTEGER freq;
         QueryPerformanceFrequency(&freq);

docs/documentation.md

@@ -10,6 +10,7 @@
 - [`VM::conclusion()`](#vmconclusion)
 - [`VM::detected_count()`](#vmdetected_count)
 - [`VM::vmaware struct`](#vmaware-struct)
+- [Overall things to avoid](#overall-things-to-avoid)
 - [Flag table](#flag-table)
 - [Brand table](#brand-table)
 - [Setting flags](#setting-flags)
@@ -411,6 +412,12 @@ int main() {
 
 <br>
 
+# Overall things to avoid
+❌ 1. Do NOT rely on the percentage to determine whether you're in a VM. The lib is not designed for this way, and you're potentially increasing false positives. Use VM::detect() instead for that job.
+❌ 2. Do NOT depend your whole program on whether a specific brand was found. VM::brand() will not guarantee it'll give you the result you're looking for even if the environment is in fact that specific VM brand.
+❌ 3. Do NOT use VM::NO_MEMO flag if you're not sure what you're doing, this can potentially hamper the performance significantly.
+
+<br>
 
 # Flag table
 VMAware provides a convenient way to not only check for VMs, but also have the flexibility and freedom for the end-user to choose what techniques are used with complete control over what gets executed or not. This is handled with a flag system.
@@ -515,15 +522,13 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::PROCESSOR_NUMBER` | Check for number of processors | Windows | 50% |  |  |  |  |
 | `VM::NUMBER_OF_CORES` | Check for number of cores | Windows | 50% |  |  |  |  |
 | `VM::ACPI_TEMPERATURE` | Check for device's temperature | Windows | 25% |  |  |  |  |
-| `VM::PROCESSOR_ID` | Check if any processor has an empty Processor ID using SMBIOS data | Windows | 25% |  |  |  |  |
 | `VM::SYS_QEMU` | Check for existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware | Linux | 70% |  |  |  |  |
 | `VM::LSHW_QEMU` | Check for QEMU string instances with lshw command | Linux | 80% |  |  |  |  |
 | `VM::VIRTUAL_PROCESSORS` | Check if the number of virtual and logical processors are reported correctly by the system | Windows | 50% |  |  |  |  |
 | `VM::HYPERV_QUERY` | Check if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure | Windows | 100% |  |  |  |  |
 | `VM::BAD_POOLS` | Check for system pools allocated by hypervisors | Windows | 80% |  |  |  |  |
 | `VM::AMD_SEV` | Check for AMD-SEV MSR running on the system | Linux and MacOS | 50% | Admin |  |  |  |
 | `VM::AMD_THREAD_MISMATCH` | Check for AMD CPU thread count database if it matches the system's thread count |  | 95% |  |  |  |  |
-| `VM::NATIVE_VHD` | Checks if the OS was booted from a VHD container |  | 100% |  |  |  |  |
 | `VM::NATIVE_VHD` | Check for OS being booted from a VHD container | Windows | 100% |  |  |  |  |
 | `VM::VIRTUAL_REGISTRY` | Check for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | Windows | 65% |  |  |  | Admin only needed for Linux |
 | `VM::FIRMWARE` | Check for VM signatures and patched strings by hardeners in firmware, while ensuring the BIOS serial is valid | Windows and Linux | 100% |  |  |  |  |

src/README.md

@@ -2,7 +2,7 @@
 |------|---------|
 | `cli.cpp`  | Entire CLI tool code |
 | `vmaware.hpp` | Official and original library header in GPL-3.0, most likely what you're looking for. |
-| `vmaware_MIT.hpp` | Same as above but in MIT. But this removes 7 techniques out of 117 |
+| `vmaware_MIT.hpp` | Same as above but in MIT. But this removes 7 techniques out of 116 |
 
 <br>
 

src/cli.cpp

@@ -458,7 +458,6 @@ bool is_unsupported(VM::enum_flags flag) {
             case VM::PROCESSOR_NUMBER:
             case VM::NUMBER_OF_CORES:
             case VM::ACPI_TEMPERATURE:
-            case VM::PROCESSOR_ID:
             case VM::POWER_CAPABILITIES:
             case VM::SETUPAPI_DISK: 
             case VM::VIRTUAL_PROCESSORS:
@@ -807,36 +806,27 @@ void checker(const VM::enum_flags flag, const char* message) {
 // overload for std::function, this is specific for any.run techniques
 // that are embedded in the CLI because it was removed in the lib as of 2.0
 void checker(const std::function<bool()>& func, const char* message) {
-#if __cplusplus >= 201703L
-    if constexpr (!CLI_WINDOWS) {
-        if (arg_bitset.test(VERBOSE)) {
-            unsupported_count++;
-        }
-        else {
-            supported_count++;
-        }
-    }
-    else {
-        supported_count++;
-    }
-#else
-#if !CLI_WINDOWS
+#if (!CLI_WINDOWS)
     if (arg_bitset.test(VERBOSE)) {
         unsupported_count++;
-    }
-    else {
+    } else {
         supported_count++;
     }
 #else
     supported_count++;
 #endif
-#endif
+
+    const bool result = func();
 
     std::cout <<
-        (func() ? detected : not_detected) <<
+        (result ? detected : not_detected) <<
+        (result ? bold : "") <<
         " Checking " <<
         message <<
-        "...\n";
+        "..." << 
+        (result ? ansi_exit : "") << 
+        "\n";
+
 }
 
 
@@ -974,7 +964,6 @@ void general() {
     checker(VM::PROCESSOR_NUMBER, "processor count");
     checker(VM::NUMBER_OF_CORES, "CPU core count");
     checker(VM::ACPI_TEMPERATURE, "thermal devices");
-    checker(VM::PROCESSOR_ID, "processor ID");
     checker(VM::POWER_CAPABILITIES, "Power capabilities");
     checker(VM::SETUPAPI_DISK, "SETUPDI diskdrive");
     checker(VM::SYS_QEMU, "QEMU in /sys");
@@ -1159,11 +1148,20 @@ void general() {
     {
         const char* conclusion_color = color(vm.percentage);
 
+        std::string conclusion = vm.conclusion;
+
+        if (is_anyrun && VM::brand() == brands::NULL_BRAND) {
+            const std::string original = "unknown";
+            const std::string new_brand = "ANY.RUN";
+
+            replace(conclusion, original, new_brand);
+        }
+
         std::cout
             << bold
             << "====== CONCLUSION: "
             << ansi_exit
-            << conclusion_color << vm.conclusion << " " << ansi_exit
+            << conclusion_color << conclusion << " " << ansi_exit
             << bold
             << "======"
             << ansi_exit