Implement advanced ACPI scan for generic sandbox & QEMU

dmfrpro · dmfrpro · commit 593c12a3eef9 · 2025-04-21T22:15:41.000+03:00
Signed-off-by: dmfrpro &lt;dmfr2021y@gmail.com&gt;
diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -216,7 +216,7 @@ int main(int argc, char* argv[])
 		exec_check(&registry_services_disk_enum, TEXT("Checking Services\\Disk\\Enum entries for VM strings "));
 		exec_check(&registry_disk_enum, TEXT("Checking Enum\\IDE and Enum\\SCSI entries for VM strings "));
 		exec_check(&number_SMBIOS_tables, TEXT("Checking SMBIOS tables  "));
-		exec_check(&firmware_ACPI_WAET, TEXT("Checking if ACPI WAET table is present "));
+		exec_check(&firmware_ACPI, TEXT("Checking ACPI table strings "));
 	}
 
 	/* VirtualBox Detection */
diff --git a/al-khaser/AntiVM/Generic.cpp b/al-khaser/AntiVM/Generic.cpp
@@ -2046,10 +2046,9 @@ BOOL number_SMBIOS_tables()
 }
 
 /*
-Check for Windows ACPI Emulated devices Table (WAET)
-https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
+Check for generic 
 */
-BOOL firmware_ACPI_WAET()
+BOOL firmware_ACPI()
 {
 	BOOL result = FALSE;
 
@@ -2070,26 +2069,71 @@ BOOL firmware_ACPI_WAET()
 		}
 		else
 		{
+			// Windows ACPI Emulated devices Table (WAET)
+			// https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
+			PBYTE waetString = (PBYTE)"WAET";
+			size_t waetStringLen = 4;
+
+			PBYTE batteryDevice = (PBYTE)"PNP0C0A"; // Control Method Battery
+			size_t batteryDeviceLen = 7;
+			BOOL needsBatteryCheck = false;
+
+			const char *requiredDevices[] = {
+				"PNP0000",	// 8259-compatible Programmable Interrupt Controller
+				"PNP0C0C",	// Power Button Device
+				"PNP0C0E",	// Sleep Button Device
+				"PNP0C14",	// Windows Management Instrumentation Device
+				"PNP0D80",	// Windows-compatible System Power Management Controller
+			};
+
+restart:
 			for (DWORD i = 0; i < tableCount; i++)
 			{
 				DWORD tableSize = 0;
 				PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), tableNames[i], &tableSize);
 
 				if (table) {
 
-					PBYTE waetString = (PBYTE)"WAET";
-					size_t StringLen = 4;
+					// Format: [HexOffset DecimalOffset ByteLength]  FieldName  : FieldValue (in hex)
+					//		   [02Dh      0045          001h      ]	 PM Profile : 0 [Unspecified] or 1 [Desktop] or 2 [Mobile]
+					if (!needsBatteryCheck && tableNames[i] == static_cast<DWORD>('PCAF') && tableSize > 45) {
+						if ((BYTE)table[45] == (BYTE)2 /* Mobile == 2 */)
+						{
+							needsBatteryCheck = true;
+							free(table);
+							goto restart;
+						}
+					}
+
+					if (find_str_in_data(waetString, waetStringLen, table, tableSize))
+					{
+						free(table);
+						result = TRUE;
+						goto out;
+					}
 
-					if (find_str_in_data(waetString, StringLen, table, tableSize))
+					if (needsBatteryCheck && !find_str_in_data(waetString, waetStringLen, table, tableSize))
 					{
+						free(table);
 						result = TRUE;
+						goto out;
+					}
+
+					for (DWORD j = 0; j < sizeof(requiredDevices) / sizeof(char*); j++)
+					{
+						if (!find_str_in_data((PBYTE)requiredDevices[j], strlen(requiredDevices[j]), table, tableSize))
+						{
+							free(table);
+							result = TRUE;
+							goto out;
+						}
 					}
 
 					free(table);
 				}
 			}
 		}
-
+out:
 		free(tableNames);
 	}
 	return result;
diff --git a/al-khaser/AntiVM/Generic.h b/al-khaser/AntiVM/Generic.h
@@ -50,6 +50,6 @@ BOOL pirated_windows();
 BOOL registry_services_disk_enum();
 BOOL registry_disk_enum();
 BOOL number_SMBIOS_tables();
-BOOL firmware_ACPI_WAET();
+BOOL firmware_ACPI();
 BOOL hosting_check();
 VOID looking_glass_vdd_processes();
diff --git a/al-khaser/AntiVM/Qemu.cpp b/al-khaser/AntiVM/Qemu.cpp
@@ -163,28 +163,54 @@ BOOL qemu_firmware_ACPI()
 		}
 		else
 		{
+			const char* strings[] = {
+				"FWCF",		// fw_cfg name
+				"QEMU0002",	// fw_cfg HID/CID
+				"BOCHS",	// OEM ID
+				"BXPC"		// OEM Table ID
+			};
+
 			for (DWORD i = 0; i < tableCount; i++)
 			{
 				DWORD tableSize = 0;
 				PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), tableNames[i], &tableSize);
 
 				if (table) {
 
-					PBYTE qemuString1 = (PBYTE)"BOCHS";
-					size_t StringLen = 4;
-					PBYTE qemuString2 = (PBYTE)"BXPC";
-
-					if (find_str_in_data(qemuString1, StringLen, table, tableSize) ||
-						find_str_in_data(qemuString2, StringLen, table, tableSize))
+					for (DWORD j = 0; j < sizeof(strings) / sizeof(char*); j++)
 					{
-						result = TRUE;
+						if (!find_str_in_data((PBYTE)strings[j], strlen(strings[j]), table, tableSize))
+						{
+							free(table);
+							result = TRUE;
+							goto out;
+						}
 					}
 
 					free(table);
 				}
 			}
-		}
 
+			DWORD tableSize = 0;
+			PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), static_cast<DWORD>('PCAF'), &tableSize);
+
+			if (table) {
+				if (tableSize < 45)
+				{
+					return FALSE; // Corrupted table
+				}
+
+				// Format: [HexOffset DecimalOffset ByteLength]  FieldName  : FieldValue (in hex)
+				//		   [02Dh      0045          001h      ]	 PM Profile : 00 [Unspecified] - hardcoded in QEMU src
+				if ((BYTE) table[45] == (BYTE)0)
+				{
+					result = TRUE;
+				}
+
+				free(table);
+			}
+		}
+out:
 		free(tableNames);
 	}
 	return result;

Original file line number	Diff line number	Diff line change
`@@ -216,7 +216,7 @@ int main(int argc, char* argv[])`
`216`	`216`	`exec_check(&registry_services_disk_enum, TEXT("Checking Services\\Disk\\Enum entries for VM strings "));`
`217`	`217`	`exec_check(&registry_disk_enum, TEXT("Checking Enum\\IDE and Enum\\SCSI entries for VM strings "));`
`218`	`218`	`exec_check(&number_SMBIOS_tables, TEXT("Checking SMBIOS tables "));`
`219`		`- exec_check(&firmware_ACPI_WAET, TEXT("Checking if ACPI WAET table is present "));`
	`219`	`+ exec_check(&firmware_ACPI, TEXT("Checking ACPI table strings "));`
`220`	`220`	`}`
`221`	`221`
`222`	`222`	`/* VirtualBox Detection */`