From ebf29318074922d9e829add54296fff525ef8db1 Mon Sep 17 00:00:00 2001 From: Requiem Date: Thu, 26 Feb 2026 19:59:59 +0100 Subject: [PATCH 1/4] chore: updated VirtualBox crc32 hash for boot logo --- src/cli.cpp | 2 +- src/vmaware.hpp | 34 ++++++++++++++++------------------ 2 files changed, 17 insertions(+), 19 deletions(-) diff --git a/src/cli.cpp b/src/cli.cpp index fc782065..23cb9b4c 100755 --- a/src/cli.cpp +++ b/src/cli.cpp @@ -986,7 +986,7 @@ static void general( checker(VM::FIRMWARE, "firmware"); checker(VM::FILE_ACCESS_HISTORY, "low file access count"); checker(VM::NSJAIL_PID, "nsjail PID"); - checker(VM::PCI_DEVICES, "PCI vendor/device ID"); + checker(VM::DEVICES, "PCI vendor/device ID"); checker(VM::ACPI_SIGNATURE, "ACPI device signatures"); checker(VM::TRAP, "hypervisor interception"); checker(VM::UD, "undefined exceptions"); diff --git a/src/vmaware.hpp b/src/vmaware.hpp index eee83f6a..f4416052 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -586,7 +586,7 @@ struct VM { // Linux and Windows SYSTEM_REGISTERS, FIRMWARE, - PCI_DEVICES, + DEVICES, AZURE, // Linux @@ -6817,7 +6817,7 @@ struct VM { * @brief Check for PCI vendor and device IDs that are VM-specific * @link https://www.pcilookup.com/?ven=&dev=&action=submit * @category Linux, Windows - * @implements VM::PCI_DEVICES + * @implements VM::DEVICES */ [[nodiscard]] static bool pci_devices() { struct pci_device { u16 vendor_id; u32 device_id; }; @@ -7090,7 +7090,7 @@ struct VM { case 0x1af41045: case 0x1af41048: case 0x1af41049: case 0x1af41050: case 0x1af41052: case 0x1af41053: case 0x1af4105a: case 0x1af41100: case 0x1af41110: case 0x1af41b36: - debug("PCI_DEVICES: Detected Red Hat + Virtio device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected Red Hat + Virtio device -> 0x", std::hex, id32); return true; // VMware 
@@ -7101,7 +7101,7 @@ struct VM { case 0x0e0f0001: case 0x0e0f0002: case 0x0e0f0003: case 0x0e0f0004: case 0x0e0f0005: case 0x0e0f0006: case 0x0e0f000a: case 0x0e0f8001: case 0x0e0f8002: case 0x0e0f8003: case 0x0e0ff80a: - debug("PCI_DEVICES: Detected VMWARE device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected VMWARE device -> 0x", std::hex, id32); return core::add(brands::VMWARE); // Red Hat + QEMU 
@@ -7109,39 +7109,39 @@ struct VM { case 0x1b360005: case 0x1b360008: case 0x1b360009: case 0x1b36000b: case 0x1b36000c: case 0x1b36000d: case 0x1b360010: case 0x1b360011: case 0x1b360013: case 0x1b360100: - debug("PCI_DEVICES: Detected Red Hat + QEMU device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected Red Hat + QEMU device -> 0x", std::hex, id32); return core::add(brands::QEMU); // QEMU case 0x06270001: case 0x1d1d1f1f: case 0x80865845: case 0x1d6b0200: - debug("PCI_DEVICES: Detected QEMU device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected QEMU device -> 0x", std::hex, id32); return core::add(brands::QEMU); // vGPUs (NVIDIA + others) case 0x10de0fe7: case 0x10de0ff7: case 0x10de118d: case 0x10de11b0: case 0x1ec6020f: - debug("PCI_DEVICES: Detected virtual gpu device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected virtual gpu device -> 0x", std::hex, id32); return true; // VirtualBox case 0x80ee0021: case 0x80ee0022: case 0x80eebeef: case 0x80eecafe: - debug("PCI_DEVICES: Detected VirtualBox device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected VirtualBox device -> 0x", std::hex, id32); return core::add(brands::VBOX); // Parallels case 0x1ab84000: case 0x1ab84005: case 0x1ab84006: - debug("PCI_DEVICES: Detected Parallels device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected Parallels device -> 0x", std::hex, id32); return core::add(brands::PARALLELS); // Xen case 0x5853c000: case 0xfffd0101: case 0x5853c147: case 0x5853c110: case 0x5853c200: case 0x58530001: - debug("PCI_DEVICES: Detected Xen device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected Xen device -> 0x", std::hex, id32); return core::add(brands::XEN); // Connectix (VirtualPC) case 0x29556e61: - debug("PCI_DEVICES: Detected VirtualPC device -> ", std::hex, id32); + debug("PCI_DEVICES: Detected VirtualPC device -> 0x", std::hex, id32); return core::add(brands::VPC); } 
@@ -7156,11 +7156,11 @@ struct VM { case 0x0000000010131100ULL: case 0x00000000106b1100ULL: case 0x0000000010221100ULL: - debug("PCI_DEVICES: Detected QEMU device -> ", std::hex, id64); + debug("PCI_DEVICES: Detected QEMU device -> 0x", std::hex, id64); return core::add(brands::QEMU); case 0x0000000015ad0800ULL: // Hypervisor ROM Interface - debug("PCI_DEVICES: Detected Hypervisor ROM interface -> ", std::hex, id64); + debug("PCI_DEVICES: Detected Hypervisor ROM interface -> 0x", std::hex, id64); return core::add(brands::VMWARE); } } @@ -9718,7 +9718,7 @@ struct VM { switch (hash) { case 0x110350C5: return core::add(brands::QEMU); // TianoCore EDK2 case 0x87c39681: return core::add(brands::HYPERV); - case 0xf6829262: return core::add(brands::VBOX); + case 0x9502cb33: return core::add(brands::VBOX); default: return false; } #else @@ -10083,8 +10083,6 @@ struct VM { // --------------------------------------------------------------------- // Constants & Data // --------------------------------------------------------------------- - constexpr const char* vendor_list_ascii[] = { "msi","asrock","asus","asustek","gigabyte","giga-byte","micro-star","microstar" }; - constexpr const wchar_t* vendor_list_wide[] = { L"msi",L"asrock",L"asus",L"asustek",L"gigabyte",L"giga-byte",L"micro-star",L"microstar" }; constexpr const char redhat_sig_ascii[] = "red hat"; constexpr const wchar_t redhat_sig_wide[] = L"red hat"; @@ -12256,7 +12254,7 @@ struct VM { case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY"; case AUDIO: return "AUDIO"; case NSJAIL_PID: return "NSJAIL_PID"; - case PCI_DEVICES: return "PCI_DEVICES"; + case DEVICES: return "PCI_DEVICES"; case ACPI_SIGNATURE: return "ACPI_SIGNATURE"; case TRAP: return "TRAP"; case UD: return "UNDEFINED_INSTRUCTION"; 
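Review bot: Replacing `case 0xf6829262:` with `case 0x9502cb33:` drops recognition of any VirtualBox build whose boot logo still produces the old CRC-32, so the boot-logo match this commit is about regresses on older guests instead of being extended; unless the old value was simply wrong, keep both, `case 0xf6829262: case 0x9502cb33: return core::add(brands::VBOX);`. A CRC-32 of a logo image fingerprints one exact bitmap, so a comment naming the VirtualBox release the new value was sampled from (`// VirtualBox <version> boot logo`) would let the next maintainer tell a deliberate drop from a regression when the image changes again. The hex literals in this switch also mix case (`0x110350C5` next to `0x87c39681`); lowercase throughout matches the rest of the file. The switch belongs to a function whose start and end lie outside the hunk.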
@@ -12911,7 +12909,7 @@ std::array VM::core::technique_table = [ #if (LINUX || WINDOWS) {VM::FIRMWARE, {100, VM::firmware}}, - {VM::PCI_DEVICES, {95, VM::pci_devices}}, + {VM::DEVICES, {95, VM::pci_devices}}, {VM::SYSTEM_REGISTERS, {50, VM::system_registers}}, {VM::AZURE, {30, VM::azure}}, #endif From 63862c88461b9225e7a1d6162a718c4541e28922 Mon Sep 17 00:00:00 2001 From: Requiem Date: Thu, 26 Feb 2026 20:14:10 +0100 Subject: [PATCH 2/4] feat: tightened power capabilities checks --- src/vmaware.hpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/vmaware.hpp b/src/vmaware.hpp index f4416052..808f97a4 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -7665,9 +7665,9 @@ struct VM { } // could check for HKLM\\SYSTEM\\CurrentControlSet\\Control\\Power\\PlatformAoAcOverride - const bool no_sleep_states = !s0_supported && !s1_supported && !s2_supported && !s3_supported; + const bool no_sleep_states = !s0_supported && !s1_supported && !s2_supported && !s3_supported && !s4_supported && !hiber_file_present; if (no_sleep_states) { - debug("POWER_CAPABILITIES: Detected !(S0||S1||S2||S3) pattern"); // can sometimes false flag baremetal devices + debug("POWER_CAPABILITIES: Detected !(S0||S1||S2||S3||S4||H) pattern"); return true; } From f854dd1d6b707f529660df9baf614e60abb64354 Mon Sep 17 00:00:00 2001 From: Requiem Date: Thu, 26 Feb 2026 20:19:08 +0100 Subject: [PATCH 3/4] chore: renamed VM::PCI_DEVICES and VM::DEVICE_HANDLES --- src/cli.cpp | 2 +- src/vmaware.hpp | 38 +++++++++++++++++++------------------- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/src/cli.cpp b/src/cli.cpp index 23cb9b4c..691975e6 100755 --- a/src/cli.cpp +++ b/src/cli.cpp 
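Review bot: The caveat `// can sometimes false flag baremetal devices` is dropped together with the old debug string, but the tightened condition is still a heuristic: `hiber_file_present` is false on bare metal whenever hibernation has been disabled administratively (`powercfg /h off`), and server boards commonly report no S1–S4 support, so such a machine still matches and the function returns `true`. Keep a caveat beside the new condition, e.g. `// still heuristic: bare metal with hibernation disabled and no S1-S4 reported can match`, or require one more signal before returning. The name `no_sleep_states` now also folds in the hibernation-file probe; something like `no_sleep_or_hibernate` would describe what is tested. `s4_supported` and `hiber_file_present` are presumably defined above the hunk, and the enclosing function starts and ends outside it.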
@@ -941,7 +941,7 @@ static void general( checker(VM::IOREG_GREP, "IO registry grep"); checker(VM::MAC_SIP, "MacOS SIP"); checker(VM::AUDIO, "audio devices"); - checker(VM::DEVICE_HANDLES, "device handles"); + checker(VM::HANDLES, "device handles"); checker(VM::VPC_INVALID, "VPC invalid instructions"); checker(VM::SYSTEM_REGISTERS, "Task segment and descriptor tables"); checker(VM::VMWARE_IOMEM, "/proc/iomem file"); diff --git a/src/vmaware.hpp b/src/vmaware.hpp index 808f97a4..1e649699 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -555,7 +555,7 @@ struct VM { DISK_SERIAL, IVSHMEM, DRIVERS, - DEVICE_HANDLES, + HANDLES, VIRTUAL_PROCESSORS, HYPERVISOR_QUERY, AUDIO, @@ -7090,7 +7090,7 @@ struct VM { case 0x1af41045: case 0x1af41048: case 0x1af41049: case 0x1af41050: case 0x1af41052: case 0x1af41053: case 0x1af4105a: case 0x1af41100: case 0x1af41110: case 0x1af41b36: - debug("PCI_DEVICES: Detected Red Hat + Virtio device -> 0x", std::hex, id32); + debug("DEVICES: Detected Red Hat + Virtio device -> 0x", std::hex, id32); return true; // VMware @@ -7101,7 +7101,7 @@ struct VM { case 0x0e0f0001: case 0x0e0f0002: case 0x0e0f0003: case 0x0e0f0004: case 0x0e0f0005: case 0x0e0f0006: case 0x0e0f000a: case 0x0e0f8001: case 0x0e0f8002: case 0x0e0f8003: case 0x0e0ff80a: - debug("PCI_DEVICES: Detected VMWARE device -> 0x", std::hex, id32); + debug("DEVICES: Detected VMWARE device -> 0x", std::hex, id32); return core::add(brands::VMWARE); // Red Hat + QEMU 
@@ -7109,39 +7109,39 @@ struct VM { case 0x1b360005: case 0x1b360008: case 0x1b360009: case 0x1b36000b: case 0x1b36000c: case 0x1b36000d: case 0x1b360010: case 0x1b360011: case 0x1b360013: case 0x1b360100: - debug("PCI_DEVICES: Detected Red Hat + QEMU device -> 0x", std::hex, id32); + debug("DEVICES: Detected Red Hat + QEMU device -> 0x", std::hex, id32); return core::add(brands::QEMU); // QEMU case 0x06270001: case 0x1d1d1f1f: case 0x80865845: case 0x1d6b0200: - debug("PCI_DEVICES: Detected QEMU device -> 0x", std::hex, id32); + debug("DEVICES: Detected QEMU device -> 0x", std::hex, id32); return core::add(brands::QEMU); // vGPUs (NVIDIA + others) case 0x10de0fe7: case 0x10de0ff7: case 0x10de118d: case 0x10de11b0: case 0x1ec6020f: - debug("PCI_DEVICES: Detected virtual gpu device -> 0x", std::hex, id32); + debug("DEVICES: Detected virtual gpu device -> 0x", std::hex, id32); return true; // VirtualBox case 0x80ee0021: case 0x80ee0022: case 0x80eebeef: case 0x80eecafe: - debug("PCI_DEVICES: Detected VirtualBox device -> 0x", std::hex, id32); + debug("DEVICES: Detected VirtualBox device -> 0x", std::hex, id32); return core::add(brands::VBOX); // Parallels case 0x1ab84000: case 0x1ab84005: case 0x1ab84006: - debug("PCI_DEVICES: Detected Parallels device -> 0x", std::hex, id32); + debug("DEVICES: Detected Parallels device -> 0x", std::hex, id32); return core::add(brands::PARALLELS); // Xen case 0x5853c000: case 0xfffd0101: case 0x5853c147: case 0x5853c110: case 0x5853c200: case 0x58530001: - debug("PCI_DEVICES: Detected Xen device -> 0x", std::hex, id32); + debug("DEVICES: Detected Xen device -> 0x", std::hex, id32); return core::add(brands::XEN); // Connectix (VirtualPC) case 0x29556e61: - debug("PCI_DEVICES: Detected VirtualPC device -> 0x", std::hex, id32); + debug("DEVICES: Detected VirtualPC device -> 0x", std::hex, id32); return core::add(brands::VPC); } 
@@ -7156,11 +7156,11 @@ struct VM { case 0x0000000010131100ULL: case 0x00000000106b1100ULL: case 0x0000000010221100ULL: - debug("PCI_DEVICES: Detected QEMU device -> 0x", std::hex, id64); + debug("DEVICES: Detected QEMU device -> 0x", std::hex, id64); return core::add(brands::QEMU); case 0x0000000015ad0800ULL: // Hypervisor ROM Interface - debug("PCI_DEVICES: Detected Hypervisor ROM interface -> 0x", std::hex, id64); + debug("DEVICES: Detected Hypervisor ROM interface -> 0x", std::hex, id64); return core::add(brands::VMWARE); } } @@ -8640,7 +8640,7 @@ struct VM { /** * @brief Check for vm-specific devices * @category Windows - * @implements VM::DEVICE_HANDLES + * @implements VM::HANDLES */ [[nodiscard]] static bool device_handles() { const HMODULE ntdll = util::get_ntdll(); @@ -8721,17 +8721,17 @@ struct VM { } if (vbox) { - debug("DEVICE_HANDLES: Detected VBox related device handles"); + debug("HANDLES: Detected VBox related device handles"); return core::add(brands::VBOX); } if (vmware) { - debug("DEVICE_HANDLES: Detected VMware related device (HGFS)"); + debug("HANDLES: Detected VMware related device (HGFS)"); return core::add(brands::VMWARE); } if (cuckoo) { - debug("DEVICE_HANDLES: Detected Cuckoo related device (pipe)"); + debug("HANDLES: Detected Cuckoo related device (pipe)"); return core::add(brands::CUCKOO); } @@ -12244,7 +12244,7 @@ struct VM { case DISK_SERIAL: return "DISK_SERIAL"; case IVSHMEM: return "IVSHMEM"; case GPU_CAPABILITIES: return "GPU_CAPABILITIES"; - case DEVICE_HANDLES: return "DEVICE_HANDLES"; + case HANDLES: return "HANDLES"; case QEMU_FW_CFG: return "QEMU_FW_CFG"; case VIRTUAL_PROCESSORS: return "VIRTUAL_PROCESSORS"; case HYPERVISOR_QUERY: return "HYPERVISOR_QUERY"; 
@@ -12254,7 +12254,7 @@ struct VM { case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY"; case AUDIO: return "AUDIO"; case NSJAIL_PID: return "NSJAIL_PID"; - case DEVICES: return "PCI_DEVICES"; + case DEVICES: return "DEVICES"; case ACPI_SIGNATURE: return "ACPI_SIGNATURE"; case TRAP: return "TRAP"; case UD: return "UNDEFINED_INSTRUCTION"; @@ -12885,7 +12885,7 @@ std::array VM::core::technique_table = [ {VM::EDID, {100, VM::edid}}, {VM::IVSHMEM, {100, VM::ivshmem}}, {VM::DRIVERS, {100, VM::drivers}}, - {VM::DEVICE_HANDLES, {100, VM::device_handles}}, + {VM::HANDLES, {100, VM::device_handles}}, {VM::VIRTUAL_PROCESSORS, {100, VM::virtual_processors}}, {VM::KERNEL_OBJECTS, {100, VM::kernel_objects}}, {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}}, From 21c089615aaf3fe35952cf565786a77142c44e09 Mon Sep 17 00:00:00 2001 From: Requiem Date: Thu, 26 Feb 2026 20:37:12 +0100 Subject: [PATCH 4/4] feat: updated core to remove unknown brand if detected with other brands --- src/vmaware.hpp | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/vmaware.hpp b/src/vmaware.hpp index 1e649699..b803279f 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -11996,6 +11996,14 @@ struct VM { } } + // remove "Unknown" if detected with other brands + if (active_count > 1) { + const int idx = find_index(brands::NULL_BRAND); + if (idx != -1) { + remove_at(idx); + } + } + if (active_count > 1) { std::sort(active_brands.begin(), active_brands.begin() + static_cast(active_count), []( const brand_element_t& a, @@ -12611,7 +12619,7 @@ struct VM { } auto hardened_logic = []() -> bool { - // Helper to get the specific brand associated with a technique using the cache. + // Helper to get the specific brand associated with a technique using the cache auto detected_brand = [](const enum_flags flag) -> const char* { if (!check(flag)) { return brands::NULL_BRAND;
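Review bot: The added block drops `brands::NULL_BRAND` through `remove_at(idx)`, and the `std::sort` that follows still bounds itself with `active_count`; that is only correct if `remove_at` also compacts `active_brands` and decrements `active_count`, which the hunk does not show. If it does, say so at the call site, `// remove_at() shifts the array down and decrements active_count`; if it does not, the sort covers a stale trailing slot and the second `if (active_count > 1)` is evaluated against the old count. The two consecutive `if (active_count > 1)` checks read as a copy-paste at first glance, so a one-line comment that the count may have just dropped to one would justify re-testing it. The enclosing function starts and ends outside the hunk.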