
Commit 64717d6

committed
Add three new detection techniques
1 parent 71d175e commit 64717d6


2 files changed

+61
-4
lines changed


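--- a/vmdetect/common.go
+++ b/vmdetect/common.go
@@ -16,6 +16,16 @@ func PrintWarning(loggee interface{}) {
 fmt.Printf("[!] %v\n", loggee)
 }
 
+func DoesFileExist(path string) bool {
+_, err := os.Stat(path)
+
+if err != nil {
+PrintError(err)
+}
+
+return !os.IsNotExist(err)
+}
+
 func DoesFileContain(file *os.File, stringToBeFound string) bool {
 reader := bufio.NewReader(file)
 
@@ -24,9 +34,7 @@ func DoesFileContain(file *os.File, stringToBeFound string) bool {
 
 if err != nil {
 
-if err == io.EOF {
-PrintError(file.Name() + " didn't match")
-} else if !os.IsTimeout(err) {
+if !os.IsTimeout(err) && err != io.EOF {
 PrintError(err)
 }
 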
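Review bot: DoesFileExist counts every os.Stat failure other than "not exist" as a hit, because it returns `!os.IsNotExist(err)`; a permission or I/O error on the probed path would be reported as the file being present, which for the new callers in vmdetect/linux.go means a false VM detection. It also calls PrintError when the file is simply absent, so a run on bare metal logs one error per probe. I would change the guard to `if err != nil && !os.IsNotExist(err) {` and the result to `return err == nil`. A doc comment such as `// DoesFileExist reports whether path can be stat'ed; errors other than not-exist are logged and count as absent.` would make the contract explicit.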

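--- a/vmdetect/linux.go
+++ b/vmdetect/linux.go
@@ -7,6 +7,7 @@ import (
 "github.com/klauspost/cpuid"
 "io/ioutil"
 "os"
+"os/user"
 "time"
 )
 
@@ -121,14 +122,50 @@ func checkSysInfo() bool {
 return DoesFileContain(file, "VM00")
 }
 
+/*
+Some virtualization technologies can be detected using /proc/device-tree
+*/
+func checkDeviceTree() bool {
+deviceTreeBase := "/proc/device-tree"
+
+if DoesFileExist(deviceTreeBase + "/hypervisor/compatible") {
+return true
+}
+
+if DoesFileExist(deviceTreeBase + "/fw-cfg") {
+return true
+}
+
+return false
+}
+
+/*
+Some virtualization technologies can be detected using /proc/type
+*/
+func checkHypervisorType() bool {
+return DoesFileExist("/sys/hypervisor/type")
+}
+
+/*
+Xen can be detected thanks to /proc/xen
+*/
+func checkXenProcFile() bool {
+return DoesFileExist("/proc/xen")
+}
+
 /*
 Public function returning true if a VM is detected.
 If so, a non-empty string is also returned to tell how it was detected.
 */
 func IsRunningInVirtualMachine() (bool, string) {
 
+if currentUser, _ := user.Current(); currentUser != nil && currentUser.Uid != "0" {
+PrintWarning("Unprivileged user detected, some techniques might not work")
+}
+
+// https://lwn.net/Articles/301888/
 if cpuid.CPU.VM() {
-return true, "CPU Vendor (assembly instructions)"
+return true, "CPU Vendor (cpuid space)"
 }
 
 if checkUML() {
@@ -147,5 +184,17 @@ func IsRunningInVirtualMachine() (bool, string) {
 return true, "Kernel Ring Buffer (/dev/kmsg)"
 }
 
+if checkDeviceTree() {
+return true, "VM device tree (/proc/device-tree)"
+}
+
+if checkHypervisorType() {
+return true, "Hypervisor type file (/sys/hypervisor/type)"
+}
+
+if checkXenProcFile() {
+return true, "Xen proc file (/proc/xen)"
+}
+
 return false, "nothing"
 }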
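Review bot: The privilege warning at the top of IsRunningInVirtualMachine discards the error from user.Current(), so the warning is silently skipped whenever that lookup fails. `if os.Geteuid() != 0 {` gives the same warning from the effective uid with nothing that can fail, and it makes the new "os/user" import unnecessary. The doc comment on checkHypervisorType names `/proc/type` while the code probes `/sys/hypervisor/type`; it should read `Some virtualization technologies can be detected using /sys/hypervisor/type`. The three new checks test only for existence, so they may also fire on a privileged Xen control domain; the comments should say whether that is intended. The body of IsRunningInVirtualMachine continues between and around the hunks shown here.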
