Merge branch 'master' of github.com:ShellCode33/VM-Detection

Author: hippwn

README.md

@@ -18,7 +18,7 @@ Then see [main.go](https://github.com/ShellCode33/VM-Detection/blob/master/main.
 To build the paper, be sure to have Docker installed and run the following command inside the paper directory:
 
 ```bash
-$ docker run 
+$ docker run --rm -it -v "$(pwd):/pandoc" dalibo/pandocker --pdf-engine=xelatex --template=eisvogel --listings --highlight-style espresso *.md -o paper.pdf
 ```
 
 ## GNU/Linux techniques

vmdetect/common.go

@@ -3,8 +3,12 @@ package vmdetect
 import (
 	"bufio"
 	"fmt"
+	"github.com/klauspost/cpuid"
+	"github.com/shirou/gopsutil/mem"
 	"io"
+	"net"
 	"os"
+	"runtime"
 	"strings"
 )
 
@@ -48,3 +52,68 @@ func DoesFileContain(file *os.File, stringsToBeFound ...string) bool {
 		}
 	}
 }
+
+/*
+Tries to detect a VM using its network configuration.
+*/
+func checkNetworking() (bool, string) {
+
+	blacklistedMacAddressPrefixes := []string{
+		"00:1C:42", // Parallels
+		"08:00:27", // VirtualBox
+		"00:05:69", // |
+		"00:0C:29", // | > VMWare
+		"00:1C:14", // |
+		"00:50:56", // |
+		"00:16:E3", // Xen
+	}
+
+	interfaces, err := net.Interfaces()
+
+	if err != nil {
+		return false, err.Error()
+	}
+
+	for _, iface := range interfaces {
+
+		macAddr := iface.HardwareAddr.String()
+		if macAddr != "" {
+			for _, prefix := range blacklistedMacAddressPrefixes {
+				if strings.HasPrefix(macAddr, prefix) {
+					return true, fmt.Sprintf("Known MAC address prefix (%v)", prefix)
+				}
+			}
+		}
+
+		if iface.Name == "Vmware" {
+			return true, "Vmware found as network interface name"
+		}
+	}
+
+	return false, ""
+}
+
+/*
+Tries to detect VMs using cross-platform techniques.
+*/
+func CommonChecks() (bool, string) {
+
+	// https://lwn.net/Articles/301888/
+	if cpuid.CPU.VM() {
+		return true, "CPU Vendor (cpuid space)"
+	}
+
+	if vmDetected, how := checkNetworking(); vmDetected {
+		return true, how
+	}
+
+	vmStat, err := mem.VirtualMemory()
+
+	if err != nil {
+		PrintError(err)
+	} else if runtime.NumCPU() < 3 && vmStat.Total < 3072000000 {
+		return true, fmt.Sprintf("Low resources detected (%v CPU and %v bytes of RAM", runtime.NumCPU(), vmStat.Total)
+	}
+
+	return false, "nothing"
+}

vmdetect/linux.go

@@ -4,7 +4,6 @@ package vmdetect
 
 import (
 	"bytes"
-	"github.com/klauspost/cpuid"
 	"io/ioutil"
 	"os"
 	"os/user"
@@ -175,9 +174,8 @@ func IsRunningInVirtualMachine() (bool, string) {
 		PrintWarning("Unprivileged user detected, some techniques might not work")
 	}
 
-	// https://lwn.net/Articles/301888/
-	if cpuid.CPU.VM() {
-		return true, "CPU Vendor (cpuid space)"
+	if vmDetected, how := CommonChecks(); vmDetected {
+		return vmDetected, how
 	}
 
 	if checkKernelModules() {

vmdetect/windows.go

@@ -2,10 +2,172 @@
 
 package vmdetect
 
+import (
+	"fmt"
+	"golang.org/x/sys/windows/registry"
+	"os"
+	"path"
+	"strings"
+)
+
+func doesRegistryKeyExist(key string) bool {
+
+	subkeyPrefix := ""
+
+	// Handle trailing wildcard
+	if key[len(key)-1:] == "*" {
+		key, subkeyPrefix = path.Split(key)
+		subkeyPrefix = subkeyPrefix[:len(subkeyPrefix)-1] // remove *
+	}
+
+	firstSeparatorIndex := strings.Index(key, string(os.PathSeparator))
+	keyTypeStr := key[:firstSeparatorIndex]
+	keyPath := key[firstSeparatorIndex+1:]
+
+	var keyType registry.Key
+	switch keyTypeStr {
+	case "HKLM":
+		keyType = registry.LOCAL_MACHINE
+		break
+	case "HKCR":
+		keyType = registry.CLASSES_ROOT
+		break
+	case "HKCU":
+		keyType = registry.CURRENT_USER
+		break
+	case "HKU":
+		keyType = registry.USERS
+		break
+	case "HKCC":
+		keyType = registry.CURRENT_CONFIG
+		break
+	default:
+		PrintError(fmt.Sprintf("Invalid keytype (%v)", keyTypeStr))
+		return false
+	}
+
+	keyHandle, err := registry.OpenKey(keyType, keyPath, registry.QUERY_VALUE)
+
+	if err != nil {
+		PrintError(fmt.Sprintf("Cannot open %v : %v", key, err))
+		return false
+	}
+
+	defer keyHandle.Close()
+
+	// If a wildcard has been specified...
+	if subkeyPrefix != "" {
+		// ... we look for sub-keys to see if one exists
+		subKeys, err := keyHandle.ReadSubKeyNames(0xFFFF)
+
+		if err != nil {
+			PrintError(err)
+			return false
+		}
+
+		for _, subKeyName := range subKeys {
+			if strings.HasPrefix(subKeyName, subkeyPrefix) {
+				return true
+			}
+		}
+
+		return false
+	} else {
+		// The key we were looking for has been found
+		return true
+	}
+}
+
+func checkRegistry() (bool, string) {
+
+	hyperVKeys := []string{
+		`HKLM\SOFTWARE\Microsoft\Hyper-V`,
+		`HKLM\SOFTWARE\Microsoft\VirtualMachine`,
+		`HKLM\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmicheartbeat`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmicvss`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmicshutdown`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmicexchange`,
+	}
+
+	parallelsKeys := []string{
+		`HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_1AB8*`,
+	}
+
+	virtualBoxKeys := []string{
+		`HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_80EE*`,
+		`HKLM\HARDWARE\ACPI\DSDT\VBOX__`,
+		`HKLM\HARDWARE\ACPI\FADT\VBOX__`,
+		`HKLM\HARDWARE\ACPI\RSDT\VBOX__`,
+		`HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions`,
+		`HKLM\SYSTEM\ControlSet001\Services\VBoxGuest`,
+		`HKLM\SYSTEM\ControlSet001\Services\VBoxMouse`,
+		`HKLM\SYSTEM\ControlSet001\Services\VBoxService`,
+		`HKLM\SYSTEM\ControlSet001\Services\VBoxSF`,
+		`HKLM\SYSTEM\ControlSet001\Services\VBoxVideo`,
+	}
+
+	virtualPCKeys := []string{
+		`HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_5333*`,
+		`HKLM\SYSTEM\ControlSet001\Services\vpcbus`,
+		`HKLM\SYSTEM\ControlSet001\Services\vpc-s3`,
+		`HKLM\SYSTEM\ControlSet001\Services\vpcuhub`,
+		`HKLM\SYSTEM\ControlSet001\Services\msvmmouf`,
+	}
+
+	vmwareKeys := []string{
+		`HKLM\SYSTEM\CurrentControlSet\Enum\PCI\VEN_15AD*`,
+		`HKCU\SOFTWARE\VMware, Inc.\VMware Tools`,
+		`HKLM\SOFTWARE\VMware, Inc.\VMware Tools`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmdebug`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmmouse`,
+		`HKLM\SYSTEM\ControlSet001\Services\VMTools`,
+		`HKLM\SYSTEM\ControlSet001\Services\VMMEMCTL`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmware`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmci`,
+		`HKLM\SYSTEM\ControlSet001\Services\vmx86`,
+		`HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_IDE_CD*`,
+		`HKLM\SYSTEM\CurrentControlSet\Enum\IDE\CdRomNECVMWar_VMware_SATA_CD*`,
+		`HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_IDE_Hard_Drive*`,
+		`HKLM\SYSTEM\CurrentControlSet\Enum\IDE\DiskVMware_Virtual_SATA_Hard_Drive*`,
+	}
+
+	xenKeys := []string{
+		`HKLM\HARDWARE\ACPI\DSDT\xen`,
+		`HKLM\HARDWARE\ACPI\FADT\xen`,
+		`HKLM\HARDWARE\ACPI\RSDT\xen`,
+		`HKLM\SYSTEM\ControlSet001\Services\xenevtchn`,
+		`HKLM\SYSTEM\ControlSet001\Services\xennet`,
+		`HKLM\SYSTEM\ControlSet001\Services\xennet6`,
+		`HKLM\SYSTEM\ControlSet001\Services\xensvc`,
+		`HKLM\SYSTEM\ControlSet001\Services\xenvdb`,
+	}
+
+	allKeys := [][]string{hyperVKeys, parallelsKeys, virtualBoxKeys, virtualPCKeys, vmwareKeys, xenKeys}
+
+	for _, keys := range allKeys {
+		for _, key := range keys {
+			if doesRegistryKeyExist(key) {
+				return true, key
+			}
+		}
+	}
+
+	return false, "none"
+}
+
 /*
 	Public function returning true if a VM is detected.
 	If so, a non-empty string is also returned to tell how it was detected.
 */
 func IsRunningInVirtualMachine() (bool, string) {
+	/*if vmDetected, how := CommonChecks(); vmDetected {
+		return vmDetected, how
+	}*/
+
+	if vmDetected, registryKey := checkRegistry(); vmDetected {
+		return vmDetected, fmt.Sprintf("Registry key (%v)", registryKey)
+	}
+
 	return false, "nothing"
 }