Add check for WAET ACPI table presence #284

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

ayoubfaouzi merged 1 commit into ayoubfaouzi:master from dmfrpro:waetAcpi

Apr 1, 2025

README.md

-Original file line number
+Diff line change
@@ Expand Up @@
       - SMBIOS string checks (VMWare)
       - SMBIOS string checks (Qemu)
       - SMBIOS number of tables (Qemu, VirtualBox)
+      - ACPI string checks (WAET table)
       - ACPI string checks (VirtualBox)
       - ACPI string checks (VMWare)
       - ACPI string checks (Qemu)
@@ Expand Down @@

al-khaser/Al-khaser.cpp

-Original file line number
+Diff line change
@@ Expand Up / @@ -214,6 +214,7 @@ int main(int argc, char* argv[]) @@
     		exec_check(&registry_services_disk_enum, TEXT("Checking Services\\Disk\\Enum entries for VM strings "));
     		exec_check(&registry_disk_enum, TEXT("Checking Enum\\IDE and Enum\\SCSI entries for VM strings "));
     		exec_check(&number_SMBIOS_tables, TEXT("Checking SMBIOS tables  "));
+    		exec_check(&firmware_ACPI_WAET, TEXT("Checking if ACPI WAET table is present "));
     	}
     	/* VirtualBox Detection */
@@ Expand Down @@

al-khaser/AntiVM/Generic.cpp

100755 → 100644

-Original file line number
+Diff line change
@@ Expand Up / @@ -2044,3 +2044,53 @@ BOOL number_SMBIOS_tables() @@
     	}
     	return result;
     }
+    /*
+    Check for Windows ACPI Emulated devices Table (WAET)
+    https://download.microsoft.com/download/7/E/7/7E7662CF-CBEA-470B-A97E-CE7CE0D98DC2/WAET.docx
+    */
+    BOOL firmware_ACPI_WAET()
+    {
+    	BOOL result = FALSE;
+    	PDWORD tableNames = static_cast<PDWORD>(malloc(4096));
+    	if (tableNames) {
+    		SecureZeroMemory(tableNames, 4096);
+    		DWORD tableSize = enum_system_firmware_tables(static_cast<DWORD>('ACPI'), tableNames, 4096);
+    		// API not available
+    		if (tableSize == -1)
+    			return FALSE;
+    		DWORD tableCount = tableSize / 4;
+    		if (tableSize < 4 || tableCount == 0)
+    		{
+    			result = TRUE;
+    		}
+    		else
+    		{
+    			for (DWORD i = 0; i < tableCount; i++)
+    			{
+    				DWORD tableSize = 0;
+    				PBYTE table = get_system_firmware(static_cast<DWORD>('ACPI'), tableNames[i], &tableSize);
+    				if (table) {
+    					PBYTE waetString = (PBYTE)"WAET";
+    					size_t StringLen = 4;
+    					if (find_str_in_data(waetString, StringLen, table, tableSize))
+    					{
+    						result = TRUE;
+    					}
+    					free(table);
+    				}
+    			}
+    		}
+    		free(tableNames);
+    	}
+    	return result;
+    }

al-khaser/AntiVM/Generic.h

100755 → 100644

-Original file line number
+Diff line change
@@ Expand Up / @@ -49,4 +49,5 @@ BOOL cim_voltagesensor_wmi(); @@
     BOOL pirated_windows();
     BOOL registry_services_disk_enum();
     BOOL registry_disk_enum();
-    BOOL number_SMBIOS_tables();
+    BOOL number_SMBIOS_tables();
+    BOOL firmware_ACPI_WAET();

Provide feedback