Merge pull request #247 from NotRequiem/dev

re-added sensors technique

Author: NotRequiem

README.md

@@ -14,9 +14,9 @@
 The library is:
 - Very easy to use
 - Cross-platform (Windows + MacOS + Linux)
-- Features up to 120+ unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
+- Features up to 130+ unique VM detection techniques [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#flag-table)]
 - Features the most cutting-edge techniques
-- Able to detect 60+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
+- Able to detect 65+ VM brands including VMware, VirtualBox, QEMU, Hyper-V, and much more [[list](https://github.com/kernelwernel/VMAware/blob/main/docs/documentation.md#brand-table)]
 - Able to beat VM hardeners
 - Compatible with x86 and ARM, with backwards compatibility for 32-bit systems
 - Very flexible, with total fine-grained control over which techniques get executed

docs/documentation.md

@@ -396,7 +396,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::SMSW` | Check for SMSW assembly instruction technique | Windows | 30% |  |  | 32-bit |  |
 | `VM::MUTEX` | Check for mutex strings of VM brands | Windows | 85% |  |  |  |  |
 | `VM::ODD_CPU_THREADS` | Check for odd CPU threads, usually a sign of modification through VM setting because 99% of CPUs have even numbers of threads |  | 80% |  |  |  |  |
-| `VM::INTEL_THREAD_MISMATCH` | Check for Intel CPU thread count database if it matches the system's thread count |  | 100% |  |  |  |  |
+| `VM::INTEL_THREAD_MISMATCH` | Check for Intel CPU thread count database if it matches the system's thread count |  | 150% |  |  |  |  |
 | `VM::XEON_THREAD_MISMATCH` | Same as above, but for Xeon Intel CPUs |  | 100% |  |  |  |  |
 | `VM::NETTITUDE_VM_MEMORY` | Check for memory regions to detect VM-specific brands | Windows | 100% | |  |  |  |
 | `VM::CPUID_BITSET` |  Check for CPUID technique by checking whether all the bits equate to more than 4000 |  | 25% |  |  |  |  |
@@ -445,7 +445,6 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::WMI_MANUFACTURER` | Check for device's manufacturer using WMI | Windows | 100% |  |  |  |  |
 | `VM::WMI_TEMPERATURE` | Check for device's temperature | Windows | 25% | Admin |  |  |  |
 | `VM::PROCESSOR_ID` | Check for empty processor ids using WMI | Windows | 25% |  |  |  |  |
-| `VM::CPU_FANS` | Check for CPU Fans | Windows | 35% |  |  |  |  |
 | `VM::VMWARE_HARDENER` | Checks for VMwareHardenerLoader's method of patching firmware detection by setting its signatures with "7" | Windows | 60% |  |  |  |  |
 | `VM::SYS_QEMU` | Check for existence of "qemu_fw_cfg" directories within /sys/module and /sys/firmware | Linux | 70% |  |  |  |  |
 | `VM::LSHW_QEMU` | Check for QEMU string instances with lshw command | Linux | 80% |  |  |  |  |
@@ -463,6 +462,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
 | `VM::FILE_ACCESS_HISTORY` | Check if the number of accessed files are too low for a human-managed environment | Linux | 15% |  |  |  |  |
 | `VM::AUDIO` | Check if audio device is present | Windows | 25% |  |  |  |  |
 | `VM::UNKNOWN_MANUFACTURER` | Check if the CPU manufacturer is not known |  | 50% |  |  |  |  |
+| `VM::SENSORS` | Check if the system reports any information from hardware sensors | Windows | 35% |  |  |  |  |
 
 
 <br>

src/cli.cpp

@@ -472,7 +472,6 @@ bool is_unsupported(VM::enum_flags flag) {
             case VM::WMI_MANUFACTURER:
             case VM::WMI_TEMPERATURE:
             case VM::PROCESSOR_ID:
-            case VM::CPU_FANS:
             case VM::POWER_CAPABILITIES:
             case VM::SETUPAPI_DISK: 
             case VM::VMWARE_HARDENER:
@@ -486,6 +485,7 @@ bool is_unsupported(VM::enum_flags flag) {
             case VM::FIRMWARE_SCAN:
             case VM::NX_BIT:
             case VM::UNKNOWN_MANUFACTURER:
+            case VM::SENSORS:
             // ADD WINDOWS FLAG
             return false;
             default: return true;
@@ -1003,7 +1003,6 @@ void general() {
     checker(VM::WMI_MANUFACTURER, "hardware manufacturer");
     checker(VM::WMI_TEMPERATURE, "WMI temperature");
     checker(VM::PROCESSOR_ID, "processor ID");
-    checker(VM::CPU_FANS, "CPU fans");
     checker(VM::POWER_CAPABILITIES, "Power capabilities");
     checker(VM::SETUPAPI_DISK, "SETUPDI diskdrive");
     checker(VM::VMWARE_HARDENER, "VMware hardener");
@@ -1021,6 +1020,7 @@ void general() {
     checker(VM::NX_BIT, "NX/XD anomalies");
 	checker(VM::FILE_ACCESS_HISTORY, "low file access count");
     checker(VM::UNKNOWN_MANUFACTURER, "unknown manufacturer ids");
+    checker(VM::SENSORS, "sensors");
 
     // ADD NEW TECHNIQUE CHECKER HERE
 

src/vmaware.hpp

@@ -582,7 +582,6 @@ struct VM {
         WMI_MANUFACTURER,
         WMI_TEMPERATURE,
         PROCESSOR_ID,
-        CPU_FANS,
         VMWARE_HARDENER,
         SYS_QEMU,
         LSHW_QEMU,
@@ -599,6 +598,7 @@ struct VM {
 		FILE_ACCESS_HISTORY,
         AUDIO,
         UNKNOWN_MANUFACTURER,
+        SENSORS,
         // ADD NEW TECHNIQUE ENUM NAME HERE
 
         // start of settings technique flags (THE ORDERING IS VERY SPECIFIC HERE AND MIGHT BREAK SOMETHING IF RE-ORDERED)
@@ -1402,10 +1402,10 @@ struct VM {
                     new (&strValue) std::string(other.strValue);
                     break;
                 case result_type::Integer:
-                    intValue = other.intValue;
+                    new (&intValue) int(other.intValue);
                     break;
                 case result_type::Double:
-                    doubleValue = other.doubleValue;
+                    new (&doubleValue) double(other.doubleValue);
                     break;
                 default:
                     break;
@@ -1449,6 +1449,7 @@ struct VM {
             if (results.empty()) {
                 std::cout << "No results\n";
             }
+
             for (const auto& res : results) {
                 switch (res.type) {
                 case result_type::String:
@@ -1563,7 +1564,8 @@ struct VM {
             return true;
         }
 
-        // Execute a WQL query. The caller can choose which namespace to use via the optional 'cim' parameter.
+        // Execute a WQL query. The caller can choose which namespace to use via the optional 'cim' parameter. 
+        // If no property is specified, the wmi wrapper will execute the query and count the number of entries.
         static std::vector<result> execute(const std::wstring& query,
             const std::vector<std::wstring>& properties,
             bool cim = true) {
@@ -1603,35 +1605,54 @@ struct VM {
 
             IWbemClassObject* pclsObj = nullptr;
             ULONG uReturn = 0;
-            while (pEnumerator) {
-                HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
-                if (0 == uReturn || FAILED(hr)) {
-                    break;
+
+            if (properties.empty()) {
+                int count = 0;
+                while (true) {
+                    HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
+                    if (FAILED(hr) || uReturn == 0) {
+                        break;
+                    }
+                    count++;
+                    pclsObj->Release();
+                    pclsObj = nullptr;
                 }
+                results.emplace_back(count);
+            }
+            else {
+                while (true) {
+                    HRESULT hr = pEnumerator->Next(WBEM_INFINITE, 1, &pclsObj, &uReturn);
+                    if (FAILED(hr) || uReturn == 0) {
+                        break;
+                    }
 
-                for (const auto& prop : properties) {
-                    VARIANT vtProp;
-                    VariantInit(&vtProp);
-                    hr = pclsObj->Get(prop.c_str(), 0, &vtProp, 0, 0);
-                    if (SUCCEEDED(hr)) {
-                        if (vtProp.vt == VT_BSTR) {
-                            results.emplace_back(_com_util::ConvertBSTRToString(vtProp.bstrVal));
-                        }
-                        else if (vtProp.vt == VT_I4) {
-                            results.emplace_back(vtProp.intVal);
-                        }
-                        else if (vtProp.vt == VT_R8) {
-                            results.emplace_back(vtProp.dblVal);
+                    for (const auto& prop : properties) {
+                        VARIANT vtProp;
+                        VariantInit(&vtProp);
+                        hr = pclsObj->Get(prop.c_str(), 0, &vtProp, 0, 0);
+                        if (SUCCEEDED(hr)) {
+                            if (vtProp.vt == VT_BSTR) {
+                                results.emplace_back(_com_util::ConvertBSTRToString(vtProp.bstrVal));
+                            }
+                            else if (vtProp.vt == VT_I4) {
+                                results.emplace_back(vtProp.intVal);
+                            }
+                            else if (vtProp.vt == VT_R8) {
+                                results.emplace_back(vtProp.dblVal);
+                            }
                         }
+                        VariantClear(&vtProp);
                     }
-                    VariantClear(&vtProp);
+                    pclsObj->Release();
+                    pclsObj = nullptr;
                 }
-                pclsObj->Release();
             }
+
             pEnumerator->Release();
             return results;
         }
 
+
         static void cleanup() noexcept {
             if (pSvc) {
                 pSvc->Release();
@@ -9593,25 +9614,6 @@ struct VM {
     }
 
 
-    /**
-     * @brief Check for CPU Fans
-     * @category Windows
-     * @author idea from Al-Khaser project
-     * @implements VM::CPU_FANS
-     */
-    [[nodiscard]] static bool cpu_fans() {
-#if (!WINDOWS)
-        return false;
-#else
-        std::wstring query = L"SELECT * FROM Win32_Fan";
-        std::vector<std::wstring> properties = { };
-        wmi_result results = wmi::execute(query, properties);
-
-        return !results.empty();
-#endif
-    }
-
-
     /**
      * @brief Check RDTSC
      * @category Windows
@@ -11323,17 +11325,18 @@ static bool rdtsc() {
 
     /* @brief Check if the CPU manufacturer is not known
      * @category x86
+     * @implements VM::UNKNOWN_MANUFACTURER
      */
     [[nodiscard]] static bool unknown_manufacturer() {
-        constexpr std::array<const char*, 21> known_ids = {
+        constexpr std::array<const char*, 21> known_ids = {{
             "AuthenticAMD", "CentaurHauls", "CyrixInstead",
             "GenuineIntel", "GenuineIotel", "TransmetaCPU",
             "GenuineTMx86", "Geode by NSC", "NexGenDriven",
             "RiseRiseRise", "SiS SiS SiS ", "UMC UMC UMC ",
             "Vortex86 SoC", "  Shanghai  ", "HygonGenuine",
             "Genuine  RDC", "E2K MACHINE", "VIA VIA VIA ",
             "AMD ISBETTER", "GenuineAO486", "MiSTer AO486"
-        };
+        }};
 
         const auto brands = cpu::cpu_manufacturer(0);
         const std::string& brand1 = brands[0];
@@ -11346,10 +11349,41 @@ static bool rdtsc() {
                     return s == id;
                 }
             );
-            };
+        };
 
         return !matches(brand1) && !matches(brand2);
     }
+
+
+    /*
+     * @brief Check if the system reports any information from hardware sensors
+     * @category Windows
+     * @implements VM::SENSORS
+     */
+    [[nodiscard]] static bool sensors() {
+#if (!WINDOWS)
+        return false;
+#else
+        const std::vector<std::wstring> queries = {
+            L"SELECT * FROM Win32_VoltageProbe",
+            L"SELECT * FROM Win32_PerfFormattedData_Counters_ThermalZoneInformation",
+        //  L"SELECT * FROM CIM_Sensor",
+            L"SELECT * FROM CIM_NumericSensor",
+            L"SELECT * FROM CIM_TemperatureSensor",
+            L"SELECT * FROM CIM_VoltageSensor",
+            L"SELECT * FROM Win32_Fan"
+        };
+
+        for (const auto& query : queries) {
+            const auto results = wmi::execute(query, {});
+            if (results.empty()) {
+                return true;
+            }
+        }
+
+        return false;
+#endif
+    }
     // ADD NEW TECHNIQUE FUNCTION HERE
 
 
@@ -12372,7 +12406,6 @@ static bool rdtsc() {
             case WMI_MANUFACTURER: return "WMI_MANUFACTURER";
             case WMI_TEMPERATURE: return "WMI_TEMPERATURE";
             case PROCESSOR_ID: return "PROCESSOR_ID";
-            case CPU_FANS: return "CPU_FANS";
             case POWER_CAPABILITIES: return "POWER_CAPABILITIES";
             case SETUPAPI_DISK: return "SETUPAPI_DISK";
             case VMWARE_HARDENER: return "VMWARE_HARDENER";
@@ -12391,6 +12424,7 @@ static bool rdtsc() {
 			case FILE_ACCESS_HISTORY: return "FILE_ACCESS_HISTORY";
             case AUDIO: return "AUDIO";
             case UNKNOWN_MANUFACTURER: return "UNKNOWN_MANUFACTURER";
+            case SENSORS: return "SENSORS";
             // ADD NEW CASE HERE FOR NEW TECHNIQUE
             default: return "Unknown flag";
         }
@@ -12900,7 +12934,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     { VM::SMSW, { 30, VM::smsw } }, 
     { VM::MUTEX, { 85, VM::mutex } }, 
     { VM::ODD_CPU_THREADS, { 80, VM::odd_cpu_threads } },
-    { VM::INTEL_THREAD_MISMATCH, { 100, VM::intel_thread_mismatch } },
+    { VM::INTEL_THREAD_MISMATCH, { 150, VM::intel_thread_mismatch } },
     { VM::XEON_THREAD_MISMATCH, { 100, VM::xeon_thread_mismatch } }, 
     { VM::NETTITUDE_VM_MEMORY, { 100, VM::nettitude_vm_memory } },
     { VM::CPUID_BITSET, { 25, VM::cpuid_bitset } },
@@ -12947,7 +12981,6 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
     { VM::WMI_MANUFACTURER, { 100, VM::wmi_manufacturer } },
     { VM::WMI_TEMPERATURE, { 25, VM::wmi_temperature } },
     { VM::PROCESSOR_ID, { 25, VM::processor_id } },
-    { VM::CPU_FANS, { 35, VM::cpu_fans } },
     { VM::VMWARE_HARDENER, { 60, VM::vmware_hardener } },
     { VM::SYS_QEMU, { 70, VM::sys_qemu_dir } },
     { VM::LSHW_QEMU, { 80, VM::lshw_qemu } },
@@ -12964,6 +12997,7 @@ std::pair<VM::enum_flags, VM::core::technique> VM::core::technique_list[] = {
 	{ VM::FILE_ACCESS_HISTORY, { 15, VM::file_access_history } },
     { VM::AUDIO, { 25, VM::check_audio } },
     { VM::UNKNOWN_MANUFACTURER, { 50, VM::unknown_manufacturer } },
+    { VM::SENSORS, { 35, VM::sensors } },
     // ADD NEW TECHNIQUE STRUCTURE HERE
 };