Merge pull request #445 from NotRequiem/dev

NotRequiem · web-flow · commit 250a1f3c58a8 · 2025-06-25T01:28:07.000+02:00
Improved checks for QEMU device signatures
diff --git a/auxiliary/boot_logo_hasher.cpp b/auxiliary/boot_logo_hasher.cpp
@@ -0,0 +1,60 @@
+﻿/**
+ * ██╗   ██╗███╗   ███╗ █████╗ ██╗    ██╗ █████╗ ██████╗ ███████╗
+ * ██║   ██║████╗ ████║██╔══██╗██║    ██║██╔══██╗██╔══██╗██╔════╝
+ * ██║   ██║██╔████╔██║███████║██║ █╗ ██║███████║██████╔╝█████╗
+ * ╚██╗ ██╔╝██║╚██╔╝██║██╔══██║██║███╗██║██╔══██║██╔══██╗██╔══╝
+ *  ╚████╔╝ ██║ ╚═╝ ██║██║  ██║╚███╔███╔╝██║  ██║██║  ██║███████╗
+ *   ╚═══╝  ╚═╝     ╚═╝╚═╝  ╚═╝ ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚═╝╚══════╝
+ *
+ *  C++ VM detection library
+ *
+ * ===============================================================
+ *
+ *  This program computes a CRC32 checksum of boot logo images
+ *  via hardware‐accelerated intrinsics in 8-byte chunks.
+ *
+ * ===============================================================
+ *
+ *  - Made by: @Requiem (https://github.com/NotRequiem)
+ *  - Repository: https://github.com/kernelwernel/VMAware
+ *  - License: MIT
+ */
+
+#include <immintrin.h>
+#include <fstream>
+#include <vector>
+#include <iostream>
+#include <cstdint>
+
+static inline uint32_t crc32c_bmp(const char* filename) {
+    std::ifstream in{ filename, std::ios::binary | std::ios::ate };
+    auto size = in.tellg();
+    in.seekg(0);
+    std::vector<uint8_t> buf(size);
+    in.read(reinterpret_cast<char*>(buf.data()), size);
+
+    // BMP offset at bytes 10–13
+    uint32_t offset = *reinterpret_cast<uint32_t*>(buf.data() + 10);
+    uint8_t* bmp = buf.data() + offset;
+    size_t len = buf.size() - offset;
+
+    uint64_t crcReg = 0xFFFFFFFFull;
+    size_t qwords = len / 8;
+    auto ptr = reinterpret_cast<uint64_t*>(bmp);
+    for (size_t i = 0; i < qwords; ++i)
+        crcReg = _mm_crc32_u64(crcReg, ptr[i]);
+
+    uint32_t crc = static_cast<uint32_t>(crcReg);
+    auto tail = reinterpret_cast<uint8_t*>(ptr + qwords);
+    for (size_t i = 0, r = len & 7; i < r; ++i)
+        crc = _mm_crc32_u8(crc, tail[i]);
+
+    return crc ^ 0xFFFFFFFFu;
+}
+
+int main(int argc, char** argv) {
+    for (int i = 1; i < argc; ++i) {
+        uint32_t h = crc32c_bmp(argv[i]);
+        std::cout << argv[i] << ": 0x" << std::hex << std::uppercase << h << "\n";
+    }
+}
diff --git a/docs/documentation.md b/docs/documentation.md
@@ -528,12 +528,12 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::NSJAIL_PID` | Check if process status matches with nsjail patterns with PID anomalies | 🐧 | 75% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L5233) |
 | `VM::TPM` | Check if the system has a physical TPM by matching the TPM manufacturer against known physical TPM chip vendors | 🪟 | 100% |  |  | CRB model will succeed, while TIS will fail | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8019) |
 | `VM::PCI_DEVICES` | Check for PCI vendor and device IDs that are VM-specific | 🐧🪟 | 95% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L5946) |
-| `VM::QEMU_SIGNATURE` | Check for QEMU's DSDT signature | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8100) |
-| `VM::TRAP` | Check if after raising two traps at the same RIP, a hypervisor interferes with the instruction pointer delivery | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8204) |
-| `VM::UD` | Check if after executing an undefined instruction, a hypervisor misinterpret it as a system call | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8302) |
-| `VM::BLOCKSTEP` | Check if a hypervisor does not properly restore the interruptibility state after a VM-exit in compatibility mode | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8328) |
-| `VM::DBVM` | Check if Dark Byte's VM is present | 🪟 | 150% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8376) |
-| `VM::BOOT_LOGO` | Check boot logo for known images | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8472) |
+| `VM::QEMU_SIGNATURE` | Check for QEMU's ACPI device signature | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8100) |
+| `VM::TRAP` | Check if after raising two traps at the same RIP, a hypervisor interferes with the instruction pointer delivery | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8245) |
+| `VM::UD` | Check if after executing an undefined instruction, a hypervisor misinterpret it as a system call | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8343) |
+| `VM::BLOCKSTEP` | Check if a hypervisor does not properly restore the interruptibility state after a VM-exit in compatibility mode | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8369) |
+| `VM::DBVM` | Check if Dark Byte's VM is present | 🪟 | 150% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8417) |
+| `VM::BOOT_LOGO` | Check boot logo for known VM images | 🪟 | 100% |  |  |  | [link](https://github.com/kernelwernel/VMAware/tree/main/src/vmaware.hpp#L8513) |
 
 <!-- END OF TECHNIQUE DOCUMENTATION -->
 
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
