Implement advanced ACPI scan for generic sandbox & QEMU (#288)

Signed-off-by: dmfrpro <[email protected]>

Author: dmfrpro

README.md

@@ -214,7 +214,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
   - SMBIOS string checks (VMWare)
   - SMBIOS string checks (Qemu)
   - SMBIOS number of tables (Qemu, VirtualBox)
-  - ACPI string checks (WAET table)
+  - ACPI string checks (WAET table, PNP devices, PM state with battery checks)
   - ACPI string checks (VirtualBox)
   - ACPI string checks (VMWare)
   - ACPI string checks (Qemu)

al-khaser/Al-khaser.cpp

@@ -216,7 +216,7 @@ int main(int argc, char* argv[])
 		exec_check(&registry_services_disk_enum, TEXT("Checking Services\\Disk\\Enum entries for VM strings "));
 		exec_check(&registry_disk_enum, TEXT("Checking Enum\\IDE and Enum\\SCSI entries for VM strings "));
 		exec_check(&number_SMBIOS_tables, TEXT("Checking SMBIOS tables  "));
-		exec_check(&firmware_ACPI_WAET, TEXT("Checking if ACPI WAET table is present "));
+		exec_check(&firmware_ACPI, TEXT("Checking ACPI table strings "));
 	}
 
 	/* VirtualBox Detection */

al-khaser/AntiVM/Generic.cpp

@@ -2046,13 +2046,12 @@ BOOL number_SMBIOS_tables()
 }
 
 /*
-Check for Windows ACPI Emulated devices Table (WAET)
-https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
+Check for generic 
 */
-BOOL firmware_ACPI_WAET()
+BOOL firmware_ACPI()
 {
 	BOOL result = FALSE;
-
+	BOOL foundWSMT = FALSE;
 	PDWORD tableNames = static_cast<PDWORD>(malloc(4096));
 
 	if (tableNames) {
@@ -2070,29 +2069,79 @@ BOOL firmware_ACPI_WAET()
 		}
 		else
 		{
+			// Windows ACPI Emulated devices Table (WAET)
+			// https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
+			PBYTE waetString = (PBYTE)"WAET";
+			size_t waetStringLen = 4;
+
+			PBYTE batteryDevice = (PBYTE)"PNP0C0A"; // Control Method Battery
+			size_t batteryDeviceLen = 7;
+			BOOL needsBatteryCheck = false;
+
+			const char *requiredDevices[] = {
+				"PNP0000",	// 8259-compatible Programmable Interrupt Controller
+				"PNP0C0C",	// Power Button Device
+				"PNP0C0E",	// Sleep Button Device
+				"PNP0C14",	// Windows Management Instrumentation Device
+				"PNP0D80",	// Windows-compatible System Power Management Controller
+			};
+
+restart:
 			for (DWORD i = 0; i < tableCount; i++)
 			{
 				DWORD tableSize = 0;
 				PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), tableNames[i], &tableSize);
 
 				if (table) {
 
-					PBYTE waetString = (PBYTE)"WAET";
-					size_t StringLen = 4;
+					if (tableNames[i] == static_cast<DWORD>('TMSW'))
+					{
+						foundWSMT = TRUE;
+					}
+
+					// Format: [HexOffset DecimalOffset ByteLength]  FieldName  : FieldValue (in hex)
+					//		   [02Dh      0045          001h      ]	 PM Profile : 0 [Unspecified] or 1 [Desktop] or 2 [Mobile]
+					if (!needsBatteryCheck && tableNames[i] == static_cast<DWORD>('PCAF') && tableSize > 45) {
+						if ((BYTE)table[45] == (BYTE)0 /* Mobile == 2 */)
+						{
+							needsBatteryCheck = true;
+							free(table);
+							goto restart;
+						}
+					}
+
+					if (find_str_in_data(waetString, waetStringLen, table, tableSize))
+					{
+						free(table);
+						result = TRUE;
+						goto out;
+					}
 
-					if (find_str_in_data(waetString, StringLen, table, tableSize))
+					if (needsBatteryCheck && !find_str_in_data(waetString, waetStringLen, table, tableSize))
 					{
+						free(table);
 						result = TRUE;
+						goto out;
+					}
+
+					for (DWORD j = 0; j < sizeof(requiredDevices) / sizeof(char*); j++)
+					{
+						if (!find_str_in_data((PBYTE)requiredDevices[j], strlen(requiredDevices[j]), table, tableSize))
+						{
+							free(table);
+							result = TRUE;
+							goto out;
+						}
 					}
 
 					free(table);
 				}
 			}
 		}
-
+out:
 		free(tableNames);
 	}
-	return result;
+	return result || !foundWSMT;
 }
 
 /*

al-khaser/AntiVM/Generic.h

@@ -50,6 +50,6 @@ BOOL pirated_windows();
 BOOL registry_services_disk_enum();
 BOOL registry_disk_enum();
 BOOL number_SMBIOS_tables();
-BOOL firmware_ACPI_WAET();
+BOOL firmware_ACPI();
 BOOL hosting_check();
 VOID looking_glass_vdd_processes();

al-khaser/AntiVM/Qemu.cpp

@@ -163,28 +163,54 @@ BOOL qemu_firmware_ACPI()
 		}
 		else
 		{
+			const char* strings[] = {
+				"FWCF",		// fw_cfg name
+				"QEMU0002",	// fw_cfg HID/CID
+				"BOCHS",	// OEM ID
+				"BXPC"		// OEM Table ID
+			};
+
 			for (DWORD i = 0; i < tableCount; i++)
 			{
 				DWORD tableSize = 0;
 				PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), tableNames[i], &tableSize);
 
 				if (table) {
 
-					PBYTE qemuString1 = (PBYTE)"BOCHS";
-					size_t StringLen = 4;
-					PBYTE qemuString2 = (PBYTE)"BXPC";
-
-					if (find_str_in_data(qemuString1, StringLen, table, tableSize) ||
-						find_str_in_data(qemuString2, StringLen, table, tableSize))
+					for (DWORD j = 0; j < sizeof(strings) / sizeof(char*); j++)
 					{
-						result = TRUE;
+						if (!find_str_in_data((PBYTE)strings[j], strlen(strings[j]), table, tableSize))
+						{
+							free(table);
+							result = TRUE;
+							goto out;
+						}
 					}
 
 					free(table);
 				}
 			}
-		}
 
+			DWORD tableSize = 0;
+			PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), static_cast<DWORD>('PCAF'), &tableSize);
+
+			if (table) {
+				if (tableSize < 45)
+				{
+					return FALSE; // Corrupted table
+				}
+
+				// Format: [HexOffset DecimalOffset ByteLength]  FieldName  : FieldValue (in hex)
+				//		   [02Dh      0045          001h      ]	 PM Profile : 00 [Unspecified] - hardcoded in QEMU src
+				if ((BYTE) table[45] == (BYTE)0)
+				{
+					result = TRUE;
+				}
+
+				free(table);
+			}
+		}
+	out:
 		free(tableNames);
 	}
 	return result;