official 2.3.0 release

Author: kernelwernel

src/vmaware.hpp

@@ -31,10 +31,10 @@
  * - struct for internal cpu operations        => line 743
  * - struct for internal memoization           => line 1214
  * - struct for internal utility functions     => line 1342
- * - struct for internal core components       => line 10153
+ * - struct for internal core components       => line 10173
  * - start of VM detection technique list      => line 2429
- * - start of public VM detection functions    => line 10821
- * - start of externally defined variables     => line 11764
+ * - start of public VM detection functions    => line 10841
+ * - start of externally defined variables     => line 11784
  *
  *
  * ============================== EXAMPLE ===================================

src/vmaware_MIT.hpp

@@ -53,10 +53,10 @@
  * - struct for internal cpu operations        => line 758
  * - struct for internal memoization           => line 1229
  * - struct for internal utility functions     => line 1357
- * - struct for internal core components       => line 9941
+ * - struct for internal core components       => line 9961
  * - start of VM detection technique list      => line 2444
- * - start of public VM detection functions    => line 10609
- * - start of externally defined variables     => line 11545
+ * - start of public VM detection functions    => line 10629
+ * - start of externally defined variables     => line 11565
  *
  *
  * ============================== EXAMPLE ===================================
@@ -2955,8 +2955,13 @@ struct VM {
 #endif
 
 #elif (WINDOWS)
+        // Clang/GCC on x64 emits a full 10-byte SIDT (16-bit limit + 64-bit base), on 32-bit it still only writes 6 bytes
+#if defined(_M_X64) || defined(__x86_64__)
+        unsigned char m[10] = { 0 };
+#else
         unsigned char m[6] = { 0 };
-        u32	idt = 0;
+#endif
+        u32 idt = 0;
 
         __try {
 #if (CLANG || GCC)
@@ -2982,13 +2987,16 @@ struct VM {
         __except (EXCEPTION_EXECUTE_HANDLER) {
             return false; // umip
         }
+
+        // Extract 32-bit base from bytes [2..5]
         idt = *((unsigned long*)&m[2]);
 
         if ((idt >> 24) == 0xE8) {
             return core::add(brands::VPC);
         }
 
-        return (m[5] > 0xD0); // top‐most byte of the 64‑bit base
+        // On x64, m[5] is the top byte of the 64-bit base; on x86 it's high byte of 32-bit base
+        return (m[5] > 0xD0);
 #endif
     }
 
@@ -4233,7 +4241,7 @@ struct VM {
      * @implements VM::VPC_INVALID
      */
     [[nodiscard]] static bool vpc_invalid() {
-#if (WINDOWS && x86_32)
+#if (WINDOWS && x86_32 && !CLANG)
         bool rc = false;
 
         auto IsInsideVPC_exceptionFilter = [](PEXCEPTION_POINTERS ep) -> DWORD {
@@ -4290,38 +4298,50 @@ struct VM {
      */
     [[nodiscard]] static bool sgdt() {
 #if (WINDOWS)
+    #if defined(_M_X64) || defined(__x86_64__)
+        unsigned char gdtr[10] = { 0 };
+    #else
         unsigned char gdtr[6] = { 0 };
+    #endif
         unsigned int  gdt = 0;
 
         __try {
-#if (CLANG || GCC)
+    #if (CLANG || GCC)
             __asm__ volatile("sgdt %0" : "=m"(gdtr));
-#elif (MSVC && x86_32)
+    #elif (MSVC && x86_32)
             __asm {
                 sgdt gdtr
             }
-#elif (MSVC)
+    #elif (MSVC)
     #pragma pack(push, 1)
-            struct { unsigned short limit; unsigned long long base; } _gdtr = {};
+            struct {
+                unsigned short limit;
+                unsigned long long base;
+            } _gdtr = {};
     #pragma pack(pop)
+
             _sgdt(&_gdtr);
             std::memcpy(gdtr, &_gdtr, sizeof(gdtr));
-#else
+    #else
             return false;
-#endif
+    #endif
         }
         __except (EXCEPTION_EXECUTE_HANDLER) {
             return false; // umip
         }
 
+        // 32-bit base from bytes [2..5]
         std::memcpy(&gdt, &gdtr[2], sizeof(gdt));
 
-        if (gdtr[5] > 0xD0) { // top‐most byte of the 64‑bit base
+        // On x64, gdtr[5] is the top byte of the 64-bit base; on x86 it's high byte of 32-bit base
+        if (gdtr[5] > 0xD0) {
             debug("SGDT: top-most byte signature detected");
             return true;
         }
+
+        // 0xFF signature in the high byte of the 32-bit base
         return ((gdt >> 24) == 0xFF);
-#else
+    #else
         return false;
 #endif
     }
@@ -4500,7 +4520,7 @@ struct VM {
      * @implements VM::VMWARE_BACKDOOR
      */
     [[nodiscard]] static bool vmware_backdoor() {
-#if (WINDOWS && x86_32)
+#if (WINDOWS && x86_32 && !CLANG)
         u32 a = 0;
         u32 b = 0;
 
@@ -4509,49 +4529,49 @@ struct VM {
         bool is_vm = false;
 
         for (u8 i = 0; i < ioports.size(); ++i) {
-            ioport = ioports[i];
-            for (u8 cmd = 0; cmd < 0x2c; ++cmd) {
-                __try {
-                    __asm {
-                        push eax
-                        push ebx
-                        push ecx
-                        push edx
-
-                        mov eax, 'VMXh'
-                        movzx ecx, cmd
-                        mov dx, ioport
-                        in eax, dx      // <- key point is here
-
-                        mov a, ebx
-                        mov b, ecx
-
-                        pop edx
-                        pop ecx
-                        pop ebx
-                        pop eax
-                    }
+             ioport = ioports[i];
+             for (u8 cmd = 0; cmd < 0x2c; ++cmd) {
+                   __try {
+                        __asm {
+                            push eax
+                            push ebx
+                            push ecx
+                            push edx
+
+                            mov eax, 'VMXh'
+                            movzx ecx, cmd
+                            mov dx, ioport
+                            in eax, dx      // <- key point is here
+
+                            mov a, ebx
+                            mov b, ecx
+
+                            pop edx
+                            pop ecx
+                            pop ebx
+                            pop eax
+                        }
 
-                    is_vm = true;
-                    break;
+                        is_vm = true;
+                        break;
+                    }
+                    __except (EXCEPTION_EXECUTE_HANDLER) {}
                 }
-                __except (EXCEPTION_EXECUTE_HANDLER) {}
             }
-        }
 
-        if (is_vm) {
-            switch (b) {
+            if (is_vm) {
+                switch (b) {
                 case 1:  return core::add(brands::VMWARE_EXPRESS);
                 case 2:  return core::add(brands::VMWARE_ESX);
                 case 3:  return core::add(brands::VMWARE_GSX);
                 case 4:  return core::add(brands::VMWARE_WORKSTATION);
                 default: return core::add(brands::VMWARE);
+                }
             }
-        }
 
-        return false;
+         return false;
 #else
-        return false;
+         return false;
 #endif
     }
 
@@ -7941,7 +7961,7 @@ struct VM {
                 overlap = chunk;
             }
 
-            for (size_t i = 0; i < std::size(patterns); ++i) {
+            for (size_t i = 0; i < patterns.size(); ++i) {
                 if (!seen[i] && chunk.find(patterns[i]) != std::string::npos) {
                     debug("LSHW_QEMU: found ", patterns[i]);
                     seen[i] = true;