From 32c1e484bdf604fa53d60e4b856c3433a5bf1313 Mon Sep 17 00:00:00 2001 From: Requiem Date: Tue, 28 Jan 2025 22:02:38 +0100 Subject: [PATCH] added native_vhd, virtual_registry and firmware_scan techniques --- docs/documentation.md | 3 + src/cli.cpp | 7 + src/vmaware.hpp | 1520 ++++++++++++++++++++++++----------------- 3 files changed, 912 insertions(+), 618 deletions(-) diff --git a/docs/documentation.md b/docs/documentation.md index 361a29b..b84b4c1 100644 --- a/docs/documentation.md +++ b/docs/documentation.md @@ -459,6 +459,9 @@ VMAware provides a convenient way to not only check for VMs, but also have the f | `VM::AMD_SEV` | Check for AMD-SEV MSR running on the system | Linux and MacOS | 50% | Admin | | | | | `VM::AMD_RESERVED` | Check for bits that should be reserved in leaf 8000000Ah | 50% | | | | | | `VM::AMD_THREAD_MISMATCH` | Check for AMD CPU thread count database if it matches the system's thread count | | 100% | | | | | +| `VM::NATIVE_VHD` | Checks if the OS was booted from a VHD container | | 100% | | | | | +| `VM::VIRTUAL_REGISTRY` | Checks for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | | 65% | | | | | +| `VM::FIRMWARE_SCAN` | Checks for VM signatures in firmware | | 90% | | | | |
diff --git a/src/cli.cpp b/src/cli.cpp index dad5453..4383cd1 100644 --- a/src/cli.cpp +++ b/src/cli.cpp @@ -475,6 +475,9 @@ bool is_unsupported(VM::enum_flags flag) { case VM::HYPERV_QUERY: case VM::BAD_POOLS: case VM::AMD_THREAD_MISMATCH: + case VM::NATIVE_VHD: + case VM::VIRTUAL_REGISTRY: + case VM::FIRMWARE_SCAN: // ADD WINDOWS FLAG return false; default: return true; @@ -1003,6 +1006,10 @@ void general() { checker(VM::AMD_SEV, "AMD-SEV MSR"); checker(VM::AMD_RESERVED, "AMD reserved bits"); checker(VM::AMD_THREAD_MISMATCH, "AMD thread count mismatch"); + checker(VM::NATIVE_VHD, "VHD containers"); + checker(VM::VIRTUAL_REGISTRY, "registry emulation"); + checker(VM::FIRMWARE_SCAN, "firmware signatures"); + // ADD NEW TECHNIQUE CHECKER HERE std::printf("\n"); diff --git a/src/vmaware.hpp b/src/vmaware.hpp index 1d6dec7..1fa5bd8 100644 --- a/src/vmaware.hpp +++ b/src/vmaware.hpp @@ -459,6 +459,9 @@ struct VM { AMD_SEV, AMD_RESERVED, AMD_THREAD_MISMATCH, + NATIVE_VHD, + VIRTUAL_REGISTRY, + FIRMWARE_SCAN, // ADD NEW TECHNIQUE ENUM NAME HERE // start of settings technique flags (THE ORDERING IS VERY SPECIFIC HERE AND MIGHT BREAK SOMETHING IF RE-ORDERED) @@ -1230,13 +1233,17 @@ struct VM { struct result { result_type type; +#pragma warning(disable: 4582) // MSVC: constructor/destructor not called +#pragma warning(disable: 4583) // MSVC: destructor not called union { std::string strValue; int intValue; double doubleValue; }; - result(const std::string& str) : type(result_type::String), strValue(str) {} + result(const std::string& str) : type(result_type::String) { + new (&strValue) std::string(str); + } result(int integer) : type(result_type::Integer), intValue(integer) {} @@ -1292,6 +1299,8 @@ struct VM { strValue.~basic_string(); } } +#pragma warning(default: 4582) +#pragma warning(default: 4583) }; static bool initialize() { @@ -1517,7 +1526,7 @@ struct VM { #endif } -#if (WINDOWS) && (_UNICODE) +#if defined(WINDOWS) && (defined(UNICODE) || defined(_UNICODE)) // handle TCHAR conversion [[nodiscard]] static bool exists(const TCHAR* path) { char c_szText[_MAX_PATH]{}; @@ -2501,21 +2510,19 @@ struct VM { * * This function adjusts the token privileges to enable debugging rights, * which are required for the lib to access the memory of certain processes. - * - * @return `true` if the privilege was successfully enabled, otherwise `false`. */ - static bool EnableDebugPrivilege() { + [[nodiscard]] static void EnableDebugPrivilege() { HANDLE hToken; TOKEN_PRIVILEGES tp{}; LUID luid; if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { - return false; + return; } if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid)) { CloseHandle(hToken); - return false; + return; } tp.PrivilegeCount = 1; @@ -2524,16 +2531,15 @@ struct VM { if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), NULL, NULL)) { CloseHandle(hToken); - return false; + return; } if (GetLastError() == ERROR_NOT_ALL_ASSIGNED) { CloseHandle(hToken); - return false; + return; } CloseHandle(hToken); - return true; } @@ -3892,7 +3898,7 @@ struct VM { /* GPL */ { "vmcheck.dll", brands::VPC }, // VirtualPC /* GPL */ { "cmdvrt32.dll", brands::COMODO }, // Comodo /* GPL */ { "cmdvrt64.dll", brands::COMODO }, // Comodo -/* GPL */ // { "dbghelp.dll", NULL_BRAND }, // WindBG +/* GPL */ // { "dbghelp.dll", NULL_BRAND }, // WinDbg /* GPL */ // { "avghookx.dll", NULL_BRAND }, // AVG /* GPL */ // { "avghooka.dll", NULL_BRAND }, // AVG /* GPL */ { "snxhk.dll", brands::NULL_BRAND }, // Avast @@ -5515,7 +5521,7 @@ struct VM { return core::add(brands::VPC); } - if (supMutexExist("Frz_State")) { + if (supMutexExist("Frz_State")) { // DeepFreeze return true; } @@ -8688,8 +8694,7 @@ struct VM { (handle1 != INVALID_HANDLE_VALUE) || (handle2 != INVALID_HANDLE_VALUE) || (handle3 != INVALID_HANDLE_VALUE) || - (handle4 != INVALID_HANDLE_VALUE) || - (handle5 != INVALID_HANDLE_VALUE) + (handle4 != INVALID_HANDLE_VALUE) ) { result = true; } @@ -8698,12 +8703,17 @@ struct VM { CloseHandle(handle2); CloseHandle(handle3); CloseHandle(handle4); - CloseHandle(handle5); if (result) { return core::add(brands::VBOX); } + if (handle5 != INVALID_HANDLE_VALUE) { + CloseHandle(handle5); + return core::add(brands::VMWARE); + } + CloseHandle(handle5); + return false; #endif } @@ -8728,10 +8738,8 @@ struct VM { return false; } - if (!util::EnableDebugPrivilege()) { - return false; - } - + util::EnableDebugPrivilege(); + const HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid); if (!hProcess) { return false; @@ -9809,614 +9817,884 @@ static bool rdtsc() { #endif } + /** * @brief Check for AMD CPU thread count database if it matches the system's thread count * @link https://www.amd.com/en/products/specifications/processors.html * @category x86 * @note */ - [[nodiscard]] static bool amd_thread_mismatch() { - #if (!x86) - return false; - #else - if (!cpu::is_amd()) { - return false; - } - - if (cpu::has_hyperthreading()) { - return false; - } - - std::string model = cpu::get_brand(); - - for (char& c : model) { - c = static_cast(std::tolower(c)); - } - - #if (WINDOWS) - if (util::does_threadcount_mismatch()) { - debug("AMD_THREAD_MISMATCH: Thread tampering detected"); - return true; - } - #endif - - debug("AMD_THREAD_MISMATCH: CPU model = ", model); - - constexpr std::array, 559> thread_database = { { - { "3015ce ", 4 }, - { "3015e ", 4 }, - { "3020e ", 2 }, - { "860k ", 4 }, - { "870k ", 4 }, - { "a10 pro-7350b ", 4 }, - { "a10 pro-7800b ", 4 }, - { "a10 pro-7850b ", 4 }, - { "a10-6700 ", 4 }, - { "a10-6700t ", 4 }, - { "a10-6790b ", 4 }, - { "a10-6790k ", 4 }, - { "a10-6800b ", 4 }, - { "a10-6800k ", 4 }, - { "a10-7300 ", 4 }, - { "a10-7400p ", 4 }, - { "a10-7700k ", 4 }, - { "a10-7800 ", 4 }, - { "a10-7850k ", 4 }, - { "a10-7860k ", 4 }, - { "a10-7870k ", 4 }, - { "a10-8700b ", 4 }, - { "a10-8700p ", 4 }, - { "a10-8750b ", 4 }, - { "a10-8850b ", 4 }, - { "a12-8800b ", 4 }, - { "a4 micro-6400t ", 4 }, - { "a4 pro-3340b ", 4 }, - { "a4 pro-3350b ", 4 }, - { "a4 pro-7300b ", 2 }, - { "a4 pro-7350b ", 2 }, - { "a4-5000 ", 4 }, - { "a4-5100 ", 4 }, - { "a4-6210 ", 4 }, - { "a4-6300 ", 2 }, - { "a4-6320 ", 2 }, - { "a4-7210 ", 4 }, - { "a4-7300 ", 2 }, - { "a4-8350b ", 2 }, - { "a4-9120c ", 2 }, - { "a6 pro-7050b ", 2 }, - { "a6 pro-7400b ", 2 }, - { "a6-5200 ", 4 }, - { "a6-5200m ", 4 }, - { "a6-5350m ", 2 }, - { "a6-6310 ", 4 }, - { "a6-6400b ", 2 }, - { "a6-6400k ", 2 }, - { "a6-6420b ", 2 }, - { "a6-6420k ", 2 }, - { "a6-7000 ", 2 }, - { "a6-7310 ", 4 }, - { "a6-7400k ", 2 }, - { "a6-8500b ", 4 }, - { "a6-8500p ", 2 }, - { "a6-8550b ", 2 }, - { "a6-9220c ", 2 }, - { "a8 pro-7150b ", 4 }, - { "a8 pro-7600b ", 4 }, - { "a8-6410 ", 4 }, - { "a8-6500 ", 4 }, - { "a8-6500b ", 4 }, - { "a8-6500t ", 4 }, - { "a8-6600k ", 4 }, - { "a8-7100 ", 4 }, - { "a8-7200p ", 4 }, - { "a8-7410 ", 4 }, - { "a8-7600 ", 4 }, - { "a8-7650k ", 4 }, - { "a8-7670k ", 4 }, - { "a8-8600b ", 4 }, - { "a8-8600p ", 4 }, - { "a8-8650b ", 4 }, - { "ai 5 340 ", 12 }, - { "ai 5 pro 340 ", 12 }, - { "ai 7 350 ", 16 }, - { "ai 7 pro 350 ", 16 }, - { "ai 7 pro 360 ", 16 }, - { "ai 9 365 ", 20 }, - { "ai 9 hx 370 ", 24 }, - { "ai 9 hx 375 ", 24 }, - { "ai 9 hx pro 370 ", 24 }, - { "ai 9 hx pro 375 ", 24 }, - { "ai max 385 ", 16 }, - { "ai max 390 ", 24 }, - { "ai max pro 380 ", 12 }, - { "ai max pro 385 ", 16 }, - { "ai max pro 390 ", 24 }, - { "ai max+ 395 ", 32 }, - { "ai max+ pro 395 ", 32 }, - { "athlon silver 3050c ", 2 }, // there's an extra space in the AMD specifications for some reason, which I assume it's a typo. I added the fixed and typo'd version just in case. - { "athlon silver 3050c ", 2 }, - { "athlon 200ge ", 4 }, - { "athlon 220ge ", 4 }, - { "athlon 240ge ", 4 }, - { "athlon 255e ", 2 }, - { "athlon 3000g ", 4 }, - { "athlon 300ge ", 4 }, - { "athlon 300u ", 4 }, - { "athlon 320ge ", 4 }, - { "athlon 425e ", 3 }, - { "athlon 460 ", 3 }, - { "athlon 5150 ", 4 }, - { "athlon 5350 ", 4 }, - { "athlon 5370 ", 4 }, - { "athlon 620e ", 4 }, - { "athlon 631 ", 4 }, - { "athlon 638 ", 4 }, - { "athlon 641 ", 4 }, - { "athlon 740 ", 4 }, - { "athlon 750k ", 4 }, - { "athlon 760k ", 4 }, - { "athlon 860k ", 4 }, - { "athlon gold 3150c ", 4 }, - { "athlon gold 3150g ", 4 }, - { "athlon gold 3150ge ", 4 }, - { "athlon gold 3150u ", 4 }, - { "athlon gold 7220c ", 4 }, - { "athlon gold 7220u ", 4 }, - { "athlon gold pro 3150g ", 4 }, - { "athlon gold pro 3150ge ", 4 }, - { "athlon pro 200ge ", 4 }, - { "athlon pro 200u ", 4 }, - { "athlon pro 300ge ", 4 }, - { "athlon pro 300u ", 4 }, - { "athlon pro 3045b ", 2 }, - { "athlon pro 3145b ", 4 }, - { "athlon silver 3050e ", 4 }, - { "athlon silver 3050ge ", 4 }, - { "athlon silver 3050u ", 2 }, - { "athlon silver 7120c ", 2 }, - { "athlon silver 7120u ", 2 }, - { "athlon silver pro 3125ge ", 4 }, - { "athlon x4 940 ", 4 }, - { "athlon x4 950 ", 4 }, - { "athlon x4 970 ", 4 }, - { "b57 ", 2 }, - { "b59 ", 2 }, - { "b60 ", 2 }, - { "b75 ", 3 }, - { "b77 ", 3 }, - { "b97 ", 4 }, - { "b99 ", 4 }, - { "e1 micro-6200t ", 2 }, - { "e1-2100 ", 2 }, - { "e1-2200 ", 2 }, - { "e1-2500 ", 2 }, - { "e1-6010 ", 2 }, - { "e1-7010 ", 2 }, - { "e2-3000 ", 2 }, - { "e2-3800 ", 4 }, - { "e2-6110 ", 4 }, - { "e2-7110 ", 4 }, - { "fx 6100 ", 6 }, - { "fx-4100 ", 4 }, - { "fx-4130 ", 4 }, - { "fx-4170 ", 4 }, - { "fx-4300 ", 4 }, - { "fx-4320 ", 4 }, - { "fx-4350 ", 4 }, - { "fx-6200 ", 6 }, - { "fx-6300 ", 6 }, - { "fx-6350 ", 6 }, - { "fx-7500 ", 4 }, - { "fx-7600p ", 4 }, - { "fx-8120 ", 8 }, - { "fx-8150 ", 8 }, - { "fx-8300 ", 8 }, - { "fx-8310 ", 8 }, - { "fx-8320 ", 8 }, - { "fx-8320e ", 8 }, - { "fx-8350 ", 8 }, - { "fx-8370 ", 8 }, - { "fx-8370e ", 8 }, - { "fx-8800p ", 4 }, - { "fx-9370 ", 8 }, - { "fx-9590 ", 8 }, - { "micro-6700t ", 4 }, - { "n640 ", 2 }, - { "n660 ", 2 }, - { "n870 ", 3 }, - { "n960 ", 4 }, - { "n970 ", 4 }, - { "p650 ", 2 }, - { "p860 ", 3 }, - { "phenom ii 1075t ", 6 }, - { "phenom ii 555 ", 2 }, - { "phenom ii 565 ", 2 }, - { "phenom ii 570 ", 2 }, - { "phenom ii 840 ", 4 }, - { "phenom ii 850 ", 4 }, - { "phenom ii 960t ", 4 }, - { "phenom ii 965 ", 4 }, - { "phenom ii 975 ", 4 }, - { "phenom ii 980 ", 4 }, - { "ryzen 3 1200 ", 4 }, - { "ryzen 3 1300x ", 4 }, - { "ryzen 3 210 ", 8 }, - { "ryzen 3 2200g ", 4 }, - { "ryzen 3 2200ge ", 4 }, - { "ryzen 3 2200u ", 4 }, - { "ryzen 3 2300u ", 4 }, - { "ryzen 3 2300x ", 4 }, - { "ryzen 3 3100 ", 8 }, - { "ryzen 3 3200g ", 4 }, - { "ryzen 3 3200ge ", 4 }, - { "ryzen 3 3200u ", 4 }, - { "ryzen 3 3250c ", 4 }, - { "ryzen 3 3250u ", 4 }, - { "ryzen 3 3300u ", 4 }, - { "ryzen 3 3300x ", 8 }, - { "ryzen 3 3350u ", 4 }, - { "ryzen 3 4100 ", 8 }, - { "ryzen 3 4300g ", 8 }, - { "ryzen 3 4300ge ", 8 }, - { "ryzen 3 4300u ", 4 }, - { "ryzen 3 5125c ", 4 }, - { "ryzen 3 5300g ", 8 }, - { "ryzen 3 5300ge ", 8 }, - { "ryzen 3 5300u ", 8 }, - { "ryzen 3 5305g ", 8 }, - { "ryzen 3 5305ge ", 8 }, - { "ryzen 3 5400u ", 8 }, - { "ryzen 3 5425c ", 8 }, - { "ryzen 3 5425u ", 8 }, - { "ryzen 3 7320c ", 8 }, - { "ryzen 3 7320u ", 8 }, - { "ryzen 3 7330u ", 8 }, - { "ryzen 3 7335u ", 8 }, - { "ryzen 3 7440u ", 8 }, - { "ryzen 3 8300g ", 8 }, - { "ryzen 3 8300ge ", 8 }, - { "ryzen 3 8440u ", 8 }, - { "ryzen 3 pro 1200 ", 4 }, - { "ryzen 3 pro 1300 ", 4 }, - { "ryzen 3 pro 210 ", 8 }, - { "ryzen 3 pro 2200g ", 4 }, - { "ryzen 3 pro 2200ge ", 4 }, - { "ryzen 3 pro 2300u ", 4 }, - { "ryzen 3 pro 3200g ", 4 }, - { "ryzen 3 pro 3200ge ", 4 }, - { "ryzen 3 pro 3300u ", 4 }, - { "ryzen 3 pro 4350g ", 8 }, - { "ryzen 3 pro 4350ge ", 8 }, - { "ryzen 3 pro 4355g ", 8 }, - { "ryzen 3 pro 4355ge ", 8 }, - { "ryzen 3 pro 4450u ", 8 }, - { "ryzen 3 pro 5350g ", 8 }, - { "ryzen 3 pro 5350ge ", 8 }, - { "ryzen 3 pro 5355g ", 8 }, - { "ryzen 3 pro 5355ge ", 8 }, - { "ryzen 3 pro 5450u ", 8 }, - { "ryzen 3 pro 5475u ", 8 }, - { "ryzen 3 pro 7330u ", 8 }, - { "ryzen 3 pro 7335u ", 8 }, - { "ryzen 3 pro 8300g ", 8 }, - { "ryzen 3 pro 8300ge ", 8 }, - { "ryzen 5 1400 ", 8 }, - { "ryzen 5 1500x ", 8 }, - { "ryzen 5 1600 ", 12 }, - { "ryzen 5 1600 (af )", 12 }, - { "ryzen 5 1600x ", 12 }, - { "ryzen 5 220 ", 12 }, - { "ryzen 5 230 ", 12 }, - { "ryzen 5 240 ", 12 }, - { "ryzen 5 2400g ", 8 }, - { "ryzen 5 2400ge ", 8 }, - { "ryzen 5 2500u ", 8 }, - { "ryzen 5 2500x ", 8 }, - { "ryzen 5 2600 ", 12 }, - { "ryzen 5 2600e ", 12 }, - { "ryzen 5 2600h ", 8 }, - { "ryzen 5 2600x ", 12 }, - { "ryzen 5 3400g ", 8 }, - { "ryzen 5 3400ge ", 8 }, - { "ryzen 5 3450u ", 8 }, - { "ryzen 5 3500 ", 6 }, - { "ryzen 5 3500c ", 8 }, - { "ryzen 5 3500u ", 8 }, - { "ryzen 5 3550h ", 8 }, - { "ryzen 5 3580u ", 8 }, - { "ryzen 5 3600 ", 12 }, - { "ryzen 5 3600x ", 12 }, - { "ryzen 5 3600xt ", 12 }, - { "ryzen 5 4500 ", 12 }, - { "ryzen 5 4500u ", 6 }, - { "ryzen 5 4600g ", 12 }, - { "ryzen 5 4600ge ", 12 }, - { "ryzen 5 4600h ", 12 }, - { "ryzen 5 4600u ", 12 }, - { "ryzen 5 4680u ", 12 }, - { "ryzen 5 5500 ", 12 }, - { "ryzen 5 5500gt ", 12 }, - { "ryzen 5 5500h ", 8 }, - { "ryzen 5 5500u ", 12 }, - { "ryzen 5 5560u ", 12 }, - { "ryzen 5 5600 ", 12 }, - { "ryzen 5 5600g ", 12 }, - { "ryzen 5 5600ge ", 12 }, - { "ryzen 5 5600gt ", 12 }, - { "ryzen 5 5600h ", 12 }, - { "ryzen 5 5600hs ", 12 }, - { "ryzen 5 5600t ", 12 }, - { "ryzen 5 5600u ", 12 }, - { "ryzen 5 5600x ", 12 }, - { "ryzen 5 5600x3d ", 12 }, - { "ryzen 5 5600xt ", 12 }, - { "ryzen 5 5605g ", 12 }, - { "ryzen 5 5605ge ", 12 }, - { "ryzen 5 5625c ", 12 }, - { "ryzen 5 5625u ", 12 }, - { "ryzen 5 6600h ", 12 }, - { "ryzen 5 6600hs ", 12 }, - { "ryzen 5 6600u ", 12 }, - { "ryzen 5 7235hs ", 8 }, - { "ryzen 5 7400f ", 12 }, - { "ryzen 5 7430u ", 12 }, - { "ryzen 5 7500f ", 12 }, - { "ryzen 5 7520c ", 8 }, - { "ryzen 5 7520u ", 8 }, - { "ryzen 5 7530u ", 12 }, - { "ryzen 5 7535hs ", 12 }, - { "ryzen 5 7535u ", 12 }, - { "ryzen 5 7540u ", 12 }, - { "ryzen 5 7545u ", 12 }, - { "ryzen 5 7600 ", 12 }, - { "ryzen 5 7600x ", 12 }, - { "ryzen 5 7600x3d ", 12 }, - { "ryzen 5 7640hs ", 12 }, - { "ryzen 5 7640u ", 12 }, - { "ryzen 5 7645hx ", 12 }, - { "ryzen 5 8400f ", 12 }, - { "ryzen 5 8500g ", 12 }, - { "ryzen 5 8500ge ", 12 }, - { "ryzen 5 8540u ", 12 }, - { "ryzen 5 8600g ", 12 }, - { "ryzen 5 8640hs ", 12 }, - { "ryzen 5 8640u ", 12 }, - { "ryzen 5 8645hs ", 12 }, - { "ryzen 5 9600 ", 12 }, - { "ryzen 5 9600x ", 12 }, - { "ryzen 5 pro 1500 ", 8 }, - { "ryzen 5 pro 1600 ", 12 }, - { "ryzen 5 pro 220 ", 12 }, - { "ryzen 5 pro 230 ", 12 }, - { "ryzen 5 pro 2400g ", 8 }, - { "ryzen 5 pro 2400ge ", 8 }, - { "ryzen 5 pro 2500u ", 8 }, - { "ryzen 5 pro 2600 ", 12 }, - { "ryzen 5 pro 3350g ", 8 }, - { "ryzen 5 pro 3350ge ", 4 }, - { "ryzen 5 pro 3400g ", 8 }, - { "ryzen 5 pro 3400ge ", 8 }, - { "ryzen 5 pro 3500u ", 8 }, - { "ryzen 5 pro 3600 ", 12 }, - { "ryzen 5 pro 4650g ", 12 }, - { "ryzen 5 pro 4650ge ", 12 }, - { "ryzen 5 pro 4650u ", 12 }, - { "ryzen 5 pro 4655g ", 12 }, - { "ryzen 5 pro 4655ge ", 12 }, - { "ryzen 5 pro 5645 ", 12 }, - { "ryzen 5 pro 5650g ", 12 }, - { "ryzen 5 pro 5650ge ", 12 }, - { "ryzen 5 pro 5650u ", 12 }, - { "ryzen 5 pro 5655g ", 12 }, - { "ryzen 5 pro 5655ge ", 12 }, - { "ryzen 5 pro 5675u ", 12 }, - { "ryzen 5 pro 6650h ", 12 }, - { "ryzen 5 pro 6650hs ", 12 }, - { "ryzen 5 pro 6650u ", 12 }, - { "ryzen 5 pro 7530u ", 12 }, - { "ryzen 5 pro 7535u ", 12 }, - { "ryzen 5 pro 7540u ", 12 }, - { "ryzen 5 pro 7545u ", 12 }, - { "ryzen 5 pro 7640hs ", 12 }, - { "ryzen 5 pro 7640u ", 12 }, - { "ryzen 5 pro 7645 ", 12 }, - { "ryzen 5 pro 8500g ", 12 }, - { "ryzen 5 pro 8500ge ", 12 }, - { "ryzen 5 pro 8540u ", 12 }, - { "ryzen 5 pro 8600g ", 12 }, - { "ryzen 5 pro 8600ge ", 12 }, - { "ryzen 5 pro 8640hs ", 12 }, - { "ryzen 5 pro 8640u ", 12 }, - { "ryzen 5 pro 8645hs ", 12 }, - { "ryzen 7 1700 ", 16 }, - { "ryzen 7 1700x ", 16 }, - { "ryzen 7 1800x ", 16 }, - { "ryzen 7 250 ", 16 }, - { "ryzen 7 260 ", 16 }, - { "ryzen 7 2700 ", 16 }, - { "ryzen 7 2700e ", 16 }, - { "ryzen 7 2700u ", 8 }, - { "ryzen 7 2700x ", 16 }, - { "ryzen 7 2800h ", 8 }, - { "ryzen 7 3700c ", 8 }, - { "ryzen 7 3700u ", 8 }, - { "ryzen 7 3700x ", 16 }, - { "ryzen 7 3750h ", 8 }, - { "ryzen 7 3780u ", 8 }, - { "ryzen 7 3800x ", 16 }, - { "ryzen 7 3800xt ", 16 }, - { "ryzen 7 4700g ", 16 }, - { "ryzen 7 4700ge ", 16 }, - { "ryzen 7 4700u ", 8 }, - { "ryzen 7 4800h ", 16 }, - { "ryzen 7 4800hs ", 16 }, - { "ryzen 7 4800u ", 16 }, - { "ryzen 7 4980u ", 16 }, - { "ryzen 7 5700 ", 16 }, - { "ryzen 7 5700g ", 16 }, - { "ryzen 7 5700ge ", 16 }, - { "ryzen 7 5700u ", 16 }, - { "ryzen 7 5700x ", 16 }, - { "ryzen 7 5700x3d ", 16 }, - { "ryzen 7 5705g ", 16 }, - { "ryzen 7 5705ge ", 16 }, - { "ryzen 7 5800 ", 16 }, - { "ryzen 7 5800h ", 16 }, - { "ryzen 7 5800hs ", 16 }, - { "ryzen 7 5800u ", 16 }, - { "ryzen 7 5800x ", 16 }, - { "ryzen 7 5800x3d ", 16 }, - { "ryzen 7 5800xt ", 16 }, - { "ryzen 7 5825c ", 16 }, - { "ryzen 7 5825u ", 16 }, - { "ryzen 7 6800h ", 16 }, - { "ryzen 7 6800hs ", 16 }, - { "ryzen 7 6800u ", 16 }, - { "ryzen 7 7435hs ", 16 }, - { "ryzen 7 7700 ", 16 }, - { "ryzen 7 7700x ", 16 }, - { "ryzen 7 7730u ", 16 }, - { "ryzen 7 7735hs ", 16 }, - { "ryzen 7 7735u ", 16 }, - { "ryzen 7 7736u ", 16 }, - { "ryzen 7 7745hx ", 16 }, - { "ryzen 7 7800x3d ", 16 }, - { "ryzen 7 7840hs ", 16 }, - { "ryzen 7 7840hx ", 24 }, - { "ryzen 7 7840u ", 16 }, - { "ryzen 7 8700f ", 16 }, - { "ryzen 7 8700g ", 16 }, - { "ryzen 7 8840hs ", 16 }, - { "ryzen 7 8840u ", 16 }, - { "ryzen 7 8845hs ", 16 }, - { "ryzen 7 9700x ", 16 }, - { "ryzen 7 9800x3d ", 16 }, - { "ryzen 7 pro 1700 ", 16 }, - { "ryzen 7 pro 1700x ", 16 }, - { "ryzen 7 pro 250 ", 16 }, - { "ryzen 7 pro 2700 ", 16 }, - { "ryzen 7 pro 2700u ", 8 }, - { "ryzen 7 pro 2700x ", 16 }, - { "ryzen 7 pro 3700 ", 16 }, - { "ryzen 7 pro 3700u ", 8 }, - { "ryzen 7 pro 4750g ", 16 }, - { "ryzen 7 pro 4750ge ", 16 }, - { "ryzen 7 pro 4750u ", 16 }, - { "ryzen 7 pro 5750g ", 16 }, - { "ryzen 7 pro 5750ge ", 16 }, - { "ryzen 7 pro 5755g ", 16 }, - { "ryzen 7 pro 5755ge ", 16 }, - { "ryzen 7 pro 5845 ", 16 }, - { "ryzen 7 pro 5850u ", 16 }, - { "ryzen 7 pro 5875u ", 16 }, - { "ryzen 7 pro 6850h ", 16 }, - { "ryzen 7 pro 6850hs ", 16 }, - { "ryzen 7 pro 6850u ", 16 }, - { "ryzen 7 pro 6860z ", 16 }, - { "ryzen 7 pro 7730u ", 16 }, - { "ryzen 7 pro 7735u ", 16 }, - { "ryzen 7 pro 7745 ", 16 }, - { "ryzen 7 pro 7840hs ", 16 }, - { "ryzen 7 pro 7840u ", 16 }, - { "ryzen 7 pro 8700g ", 16 }, - { "ryzen 7 pro 8700ge ", 16 }, - { "ryzen 7 pro 8840hs ", 16 }, - { "ryzen 7 pro 8840u ", 16 }, - { "ryzen 7 pro 8845hs ", 16 }, - { "ryzen 9 270 ", 16 }, - { "ryzen 9 3900 processor ", 24 }, - { "ryzen 9 3900x ", 24 }, - { "ryzen 9 3900xt ", 24 }, - { "ryzen 9 3950x ", 32 }, - { "ryzen 9 4900h ", 16 }, - { "ryzen 9 4900hs ", 16 }, - { "ryzen 9 5900 ", 24 }, - { "ryzen 9 5900hs ", 16 }, - { "ryzen 9 5900hx ", 16 }, - { "ryzen 9 5900x ", 24 }, - { "ryzen 9 5900xt ", 32 }, - { "ryzen 9 5950x ", 32 }, - { "ryzen 9 5980hs ", 16 }, - { "ryzen 9 5980hx ", 16 }, - { "ryzen 9 6900hs ", 16 }, - { "ryzen 9 6900hx ", 16 }, - { "ryzen 9 6980hs ", 16 }, - { "ryzen 9 6980hx ", 16 }, - { "ryzen 9 7845hx ", 24 }, - { "ryzen 9 7900 ", 24 }, - { "ryzen 9 7900x ", 24 }, - { "ryzen 9 7900x3d ", 24 }, - { "ryzen 9 7940hs ", 16 }, - { "ryzen 9 7940hx ", 32 }, - { "ryzen 9 7945hx ", 32 }, - { "ryzen 9 7945hx3d ", 32 }, - { "ryzen 9 7950x ", 32 }, - { "ryzen 9 7950x3d ", 32 }, - { "ryzen 9 8945hs ", 16 }, - { "ryzen 9 9850hx ", 24 }, - { "ryzen 9 9900x ", 24 }, - { "ryzen 9 9900x3d ", 24 }, - { "ryzen 9 9950x ", 32 }, - { "ryzen 9 9950x3d ", 32 }, - { "ryzen 9 9955hx ", 32 }, - { "ryzen 9 9955hx3d ", 32 }, - { "ryzen 9 pro 3900 ", 24 }, - { "ryzen 9 pro 5945 ", 24 }, - { "ryzen 9 pro 6950h ", 16 }, - { "ryzen 9 pro 6950hs ", 16 }, - { "ryzen 9 pro 7940hs ", 16 }, - { "ryzen 9 pro 7945 ", 24 }, - { "ryzen 9 pro 8945hs ", 16 }, - { "ryzen threadripper 1900x ", 16 }, - { "ryzen threadripper 1920x ", 24 }, - { "ryzen threadripper 1950x ", 32 }, - { "ryzen threadripper 2920x ", 24 }, - { "ryzen threadripper 2950x ", 32 }, - { "ryzen threadripper 2970wx ", 48 }, - { "ryzen threadripper 2990wx ", 64 }, - { "ryzen threadripper 3960x ", 48 }, - { "ryzen threadripper 3970x ", 64 }, - { "ryzen threadripper 3990x ", 128 }, - { "ryzen threadripper 7960x ", 48 }, - { "ryzen threadripper 7970x ", 64 }, - { "ryzen threadripper 7980x ", 128 }, - { "ryzen threadripper pro 3945wx ", 24 }, - { "ryzen threadripper pro 3955wx ", 32 }, - { "ryzen threadripper pro 3975wx ", 64 }, - { "ryzen threadripper pro 3995wx ", 128 }, - { "ryzen threadripper pro 5945wx ", 24 }, - { "ryzen threadripper pro 5955wx ", 32 }, - { "ryzen threadripper pro 5965wx ", 48 }, - { "ryzen threadripper pro 5975wx ", 64 }, - { "ryzen threadripper pro 5995wx ", 128 }, - { "ryzen threadripper pro 7945wx ", 24 }, - { "ryzen threadripper pro 7955wx ", 32 }, - { "ryzen threadripper pro 7965wx ", 48 }, - { "ryzen threadripper pro 7975wx ", 64 }, - { "ryzen threadripper pro 7985wx ", 128 }, - { "ryzen threadripper pro 7995wx ", 192 }, - { "ryzen z1 ", 12 }, - { "ryzen z1 extreme ", 16 }, - { "sempron 2650 ", 2 }, - { "sempron 3850 ", 4 }, - { "x940 ", 4 }, - { "z2 extreme ", 16 }, - { "z2 go ", 8 } - }}; - - bool found = false; - - for (const auto& pair : thread_database) { - if (model.find(pair.first) != std::string::npos) { - found = (std::thread::hardware_concurrency() == static_cast(pair.second)); - break; - } + [[nodiscard]] static bool amd_thread_mismatch() { +#if (!x86) + return false; +#else + if (!cpu::is_amd()) { + return false; + } + + if (cpu::has_hyperthreading()) { + return false; + } + + std::string model = cpu::get_brand(); + + for (char& c : model) { + c = static_cast(std::tolower(c)); + } + +#if (WINDOWS) + if (util::does_threadcount_mismatch()) { + debug("AMD_THREAD_MISMATCH: Thread tampering detected"); + return true; + } +#endif + + debug("AMD_THREAD_MISMATCH: CPU model = ", model); + + constexpr std::array, 559> thread_database = { { + { "3015ce ", 4 }, + { "3015e ", 4 }, + { "3020e ", 2 }, + { "860k ", 4 }, + { "870k ", 4 }, + { "a10 pro-7350b ", 4 }, + { "a10 pro-7800b ", 4 }, + { "a10 pro-7850b ", 4 }, + { "a10-6700 ", 4 }, + { "a10-6700t ", 4 }, + { "a10-6790b ", 4 }, + { "a10-6790k ", 4 }, + { "a10-6800b ", 4 }, + { "a10-6800k ", 4 }, + { "a10-7300 ", 4 }, + { "a10-7400p ", 4 }, + { "a10-7700k ", 4 }, + { "a10-7800 ", 4 }, + { "a10-7850k ", 4 }, + { "a10-7860k ", 4 }, + { "a10-7870k ", 4 }, + { "a10-8700b ", 4 }, + { "a10-8700p ", 4 }, + { "a10-8750b ", 4 }, + { "a10-8850b ", 4 }, + { "a12-8800b ", 4 }, + { "a4 micro-6400t ", 4 }, + { "a4 pro-3340b ", 4 }, + { "a4 pro-3350b ", 4 }, + { "a4 pro-7300b ", 2 }, + { "a4 pro-7350b ", 2 }, + { "a4-5000 ", 4 }, + { "a4-5100 ", 4 }, + { "a4-6210 ", 4 }, + { "a4-6300 ", 2 }, + { "a4-6320 ", 2 }, + { "a4-7210 ", 4 }, + { "a4-7300 ", 2 }, + { "a4-8350b ", 2 }, + { "a4-9120c ", 2 }, + { "a6 pro-7050b ", 2 }, + { "a6 pro-7400b ", 2 }, + { "a6-5200 ", 4 }, + { "a6-5200m ", 4 }, + { "a6-5350m ", 2 }, + { "a6-6310 ", 4 }, + { "a6-6400b ", 2 }, + { "a6-6400k ", 2 }, + { "a6-6420b ", 2 }, + { "a6-6420k ", 2 }, + { "a6-7000 ", 2 }, + { "a6-7310 ", 4 }, + { "a6-7400k ", 2 }, + { "a6-8500b ", 4 }, + { "a6-8500p ", 2 }, + { "a6-8550b ", 2 }, + { "a6-9220c ", 2 }, + { "a8 pro-7150b ", 4 }, + { "a8 pro-7600b ", 4 }, + { "a8-6410 ", 4 }, + { "a8-6500 ", 4 }, + { "a8-6500b ", 4 }, + { "a8-6500t ", 4 }, + { "a8-6600k ", 4 }, + { "a8-7100 ", 4 }, + { "a8-7200p ", 4 }, + { "a8-7410 ", 4 }, + { "a8-7600 ", 4 }, + { "a8-7650k ", 4 }, + { "a8-7670k ", 4 }, + { "a8-8600b ", 4 }, + { "a8-8600p ", 4 }, + { "a8-8650b ", 4 }, + { "ai 5 340 ", 12 }, + { "ai 5 pro 340 ", 12 }, + { "ai 7 350 ", 16 }, + { "ai 7 pro 350 ", 16 }, + { "ai 7 pro 360 ", 16 }, + { "ai 9 365 ", 20 }, + { "ai 9 hx 370 ", 24 }, + { "ai 9 hx 375 ", 24 }, + { "ai 9 hx pro 370 ", 24 }, + { "ai 9 hx pro 375 ", 24 }, + { "ai max 385 ", 16 }, + { "ai max 390 ", 24 }, + { "ai max pro 380 ", 12 }, + { "ai max pro 385 ", 16 }, + { "ai max pro 390 ", 24 }, + { "ai max+ 395 ", 32 }, + { "ai max+ pro 395 ", 32 }, + { "athlon silver 3050c ", 2 }, // there's an extra space in the AMD specifications for some reason, which I assume it's a typo. I added the fixed and typo'd version just in case. + { "athlon silver 3050c ", 2 }, + { "athlon 200ge ", 4 }, + { "athlon 220ge ", 4 }, + { "athlon 240ge ", 4 }, + { "athlon 255e ", 2 }, + { "athlon 3000g ", 4 }, + { "athlon 300ge ", 4 }, + { "athlon 300u ", 4 }, + { "athlon 320ge ", 4 }, + { "athlon 425e ", 3 }, + { "athlon 460 ", 3 }, + { "athlon 5150 ", 4 }, + { "athlon 5350 ", 4 }, + { "athlon 5370 ", 4 }, + { "athlon 620e ", 4 }, + { "athlon 631 ", 4 }, + { "athlon 638 ", 4 }, + { "athlon 641 ", 4 }, + { "athlon 740 ", 4 }, + { "athlon 750k ", 4 }, + { "athlon 760k ", 4 }, + { "athlon 860k ", 4 }, + { "athlon gold 3150c ", 4 }, + { "athlon gold 3150g ", 4 }, + { "athlon gold 3150ge ", 4 }, + { "athlon gold 3150u ", 4 }, + { "athlon gold 7220c ", 4 }, + { "athlon gold 7220u ", 4 }, + { "athlon gold pro 3150g ", 4 }, + { "athlon gold pro 3150ge ", 4 }, + { "athlon pro 200ge ", 4 }, + { "athlon pro 200u ", 4 }, + { "athlon pro 300ge ", 4 }, + { "athlon pro 300u ", 4 }, + { "athlon pro 3045b ", 2 }, + { "athlon pro 3145b ", 4 }, + { "athlon silver 3050e ", 4 }, + { "athlon silver 3050ge ", 4 }, + { "athlon silver 3050u ", 2 }, + { "athlon silver 7120c ", 2 }, + { "athlon silver 7120u ", 2 }, + { "athlon silver pro 3125ge ", 4 }, + { "athlon x4 940 ", 4 }, + { "athlon x4 950 ", 4 }, + { "athlon x4 970 ", 4 }, + { "b57 ", 2 }, + { "b59 ", 2 }, + { "b60 ", 2 }, + { "b75 ", 3 }, + { "b77 ", 3 }, + { "b97 ", 4 }, + { "b99 ", 4 }, + { "e1 micro-6200t ", 2 }, + { "e1-2100 ", 2 }, + { "e1-2200 ", 2 }, + { "e1-2500 ", 2 }, + { "e1-6010 ", 2 }, + { "e1-7010 ", 2 }, + { "e2-3000 ", 2 }, + { "e2-3800 ", 4 }, + { "e2-6110 ", 4 }, + { "e2-7110 ", 4 }, + { "fx 6100 ", 6 }, + { "fx-4100 ", 4 }, + { "fx-4130 ", 4 }, + { "fx-4170 ", 4 }, + { "fx-4300 ", 4 }, + { "fx-4320 ", 4 }, + { "fx-4350 ", 4 }, + { "fx-6200 ", 6 }, + { "fx-6300 ", 6 }, + { "fx-6350 ", 6 }, + { "fx-7500 ", 4 }, + { "fx-7600p ", 4 }, + { "fx-8120 ", 8 }, + { "fx-8150 ", 8 }, + { "fx-8300 ", 8 }, + { "fx-8310 ", 8 }, + { "fx-8320 ", 8 }, + { "fx-8320e ", 8 }, + { "fx-8350 ", 8 }, + { "fx-8370 ", 8 }, + { "fx-8370e ", 8 }, + { "fx-8800p ", 4 }, + { "fx-9370 ", 8 }, + { "fx-9590 ", 8 }, + { "micro-6700t ", 4 }, + { "n640 ", 2 }, + { "n660 ", 2 }, + { "n870 ", 3 }, + { "n960 ", 4 }, + { "n970 ", 4 }, + { "p650 ", 2 }, + { "p860 ", 3 }, + { "phenom ii 1075t ", 6 }, + { "phenom ii 555 ", 2 }, + { "phenom ii 565 ", 2 }, + { "phenom ii 570 ", 2 }, + { "phenom ii 840 ", 4 }, + { "phenom ii 850 ", 4 }, + { "phenom ii 960t ", 4 }, + { "phenom ii 965 ", 4 }, + { "phenom ii 975 ", 4 }, + { "phenom ii 980 ", 4 }, + { "ryzen 3 1200 ", 4 }, + { "ryzen 3 1300x ", 4 }, + { "ryzen 3 210 ", 8 }, + { "ryzen 3 2200g ", 4 }, + { "ryzen 3 2200ge ", 4 }, + { "ryzen 3 2200u ", 4 }, + { "ryzen 3 2300u ", 4 }, + { "ryzen 3 2300x ", 4 }, + { "ryzen 3 3100 ", 8 }, + { "ryzen 3 3200g ", 4 }, + { "ryzen 3 3200ge ", 4 }, + { "ryzen 3 3200u ", 4 }, + { "ryzen 3 3250c ", 4 }, + { "ryzen 3 3250u ", 4 }, + { "ryzen 3 3300u ", 4 }, + { "ryzen 3 3300x ", 8 }, + { "ryzen 3 3350u ", 4 }, + { "ryzen 3 4100 ", 8 }, + { "ryzen 3 4300g ", 8 }, + { "ryzen 3 4300ge ", 8 }, + { "ryzen 3 4300u ", 4 }, + { "ryzen 3 5125c ", 4 }, + { "ryzen 3 5300g ", 8 }, + { "ryzen 3 5300ge ", 8 }, + { "ryzen 3 5300u ", 8 }, + { "ryzen 3 5305g ", 8 }, + { "ryzen 3 5305ge ", 8 }, + { "ryzen 3 5400u ", 8 }, + { "ryzen 3 5425c ", 8 }, + { "ryzen 3 5425u ", 8 }, + { "ryzen 3 7320c ", 8 }, + { "ryzen 3 7320u ", 8 }, + { "ryzen 3 7330u ", 8 }, + { "ryzen 3 7335u ", 8 }, + { "ryzen 3 7440u ", 8 }, + { "ryzen 3 8300g ", 8 }, + { "ryzen 3 8300ge ", 8 }, + { "ryzen 3 8440u ", 8 }, + { "ryzen 3 pro 1200 ", 4 }, + { "ryzen 3 pro 1300 ", 4 }, + { "ryzen 3 pro 210 ", 8 }, + { "ryzen 3 pro 2200g ", 4 }, + { "ryzen 3 pro 2200ge ", 4 }, + { "ryzen 3 pro 2300u ", 4 }, + { "ryzen 3 pro 3200g ", 4 }, + { "ryzen 3 pro 3200ge ", 4 }, + { "ryzen 3 pro 3300u ", 4 }, + { "ryzen 3 pro 4350g ", 8 }, + { "ryzen 3 pro 4350ge ", 8 }, + { "ryzen 3 pro 4355g ", 8 }, + { "ryzen 3 pro 4355ge ", 8 }, + { "ryzen 3 pro 4450u ", 8 }, + { "ryzen 3 pro 5350g ", 8 }, + { "ryzen 3 pro 5350ge ", 8 }, + { "ryzen 3 pro 5355g ", 8 }, + { "ryzen 3 pro 5355ge ", 8 }, + { "ryzen 3 pro 5450u ", 8 }, + { "ryzen 3 pro 5475u ", 8 }, + { "ryzen 3 pro 7330u ", 8 }, + { "ryzen 3 pro 7335u ", 8 }, + { "ryzen 3 pro 8300g ", 8 }, + { "ryzen 3 pro 8300ge ", 8 }, + { "ryzen 5 1400 ", 8 }, + { "ryzen 5 1500x ", 8 }, + { "ryzen 5 1600 ", 12 }, + { "ryzen 5 1600 (af )", 12 }, + { "ryzen 5 1600x ", 12 }, + { "ryzen 5 220 ", 12 }, + { "ryzen 5 230 ", 12 }, + { "ryzen 5 240 ", 12 }, + { "ryzen 5 2400g ", 8 }, + { "ryzen 5 2400ge ", 8 }, + { "ryzen 5 2500u ", 8 }, + { "ryzen 5 2500x ", 8 }, + { "ryzen 5 2600 ", 12 }, + { "ryzen 5 2600e ", 12 }, + { "ryzen 5 2600h ", 8 }, + { "ryzen 5 2600x ", 12 }, + { "ryzen 5 3400g ", 8 }, + { "ryzen 5 3400ge ", 8 }, + { "ryzen 5 3450u ", 8 }, + { "ryzen 5 3500 ", 6 }, + { "ryzen 5 3500c ", 8 }, + { "ryzen 5 3500u ", 8 }, + { "ryzen 5 3550h ", 8 }, + { "ryzen 5 3580u ", 8 }, + { "ryzen 5 3600 ", 12 }, + { "ryzen 5 3600x ", 12 }, + { "ryzen 5 3600xt ", 12 }, + { "ryzen 5 4500 ", 12 }, + { "ryzen 5 4500u ", 6 }, + { "ryzen 5 4600g ", 12 }, + { "ryzen 5 4600ge ", 12 }, + { "ryzen 5 4600h ", 12 }, + { "ryzen 5 4600u ", 12 }, + { "ryzen 5 4680u ", 12 }, + { "ryzen 5 5500 ", 12 }, + { "ryzen 5 5500gt ", 12 }, + { "ryzen 5 5500h ", 8 }, + { "ryzen 5 5500u ", 12 }, + { "ryzen 5 5560u ", 12 }, + { "ryzen 5 5600 ", 12 }, + { "ryzen 5 5600g ", 12 }, + { "ryzen 5 5600ge ", 12 }, + { "ryzen 5 5600gt ", 12 }, + { "ryzen 5 5600h ", 12 }, + { "ryzen 5 5600hs ", 12 }, + { "ryzen 5 5600t ", 12 }, + { "ryzen 5 5600u ", 12 }, + { "ryzen 5 5600x ", 12 }, + { "ryzen 5 5600x3d ", 12 }, + { "ryzen 5 5600xt ", 12 }, + { "ryzen 5 5605g ", 12 }, + { "ryzen 5 5605ge ", 12 }, + { "ryzen 5 5625c ", 12 }, + { "ryzen 5 5625u ", 12 }, + { "ryzen 5 6600h ", 12 }, + { "ryzen 5 6600hs ", 12 }, + { "ryzen 5 6600u ", 12 }, + { "ryzen 5 7235hs ", 8 }, + { "ryzen 5 7400f ", 12 }, + { "ryzen 5 7430u ", 12 }, + { "ryzen 5 7500f ", 12 }, + { "ryzen 5 7520c ", 8 }, + { "ryzen 5 7520u ", 8 }, + { "ryzen 5 7530u ", 12 }, + { "ryzen 5 7535hs ", 12 }, + { "ryzen 5 7535u ", 12 }, + { "ryzen 5 7540u ", 12 }, + { "ryzen 5 7545u ", 12 }, + { "ryzen 5 7600 ", 12 }, + { "ryzen 5 7600x ", 12 }, + { "ryzen 5 7600x3d ", 12 }, + { "ryzen 5 7640hs ", 12 }, + { "ryzen 5 7640u ", 12 }, + { "ryzen 5 7645hx ", 12 }, + { "ryzen 5 8400f ", 12 }, + { "ryzen 5 8500g ", 12 }, + { "ryzen 5 8500ge ", 12 }, + { "ryzen 5 8540u ", 12 }, + { "ryzen 5 8600g ", 12 }, + { "ryzen 5 8640hs ", 12 }, + { "ryzen 5 8640u ", 12 }, + { "ryzen 5 8645hs ", 12 }, + { "ryzen 5 9600 ", 12 }, + { "ryzen 5 9600x ", 12 }, + { "ryzen 5 pro 1500 ", 8 }, + { "ryzen 5 pro 1600 ", 12 }, + { "ryzen 5 pro 220 ", 12 }, + { "ryzen 5 pro 230 ", 12 }, + { "ryzen 5 pro 2400g ", 8 }, + { "ryzen 5 pro 2400ge ", 8 }, + { "ryzen 5 pro 2500u ", 8 }, + { "ryzen 5 pro 2600 ", 12 }, + { "ryzen 5 pro 3350g ", 8 }, + { "ryzen 5 pro 3350ge ", 4 }, + { "ryzen 5 pro 3400g ", 8 }, + { "ryzen 5 pro 3400ge ", 8 }, + { "ryzen 5 pro 3500u ", 8 }, + { "ryzen 5 pro 3600 ", 12 }, + { "ryzen 5 pro 4650g ", 12 }, + { "ryzen 5 pro 4650ge ", 12 }, + { "ryzen 5 pro 4650u ", 12 }, + { "ryzen 5 pro 4655g ", 12 }, + { "ryzen 5 pro 4655ge ", 12 }, + { "ryzen 5 pro 5645 ", 12 }, + { "ryzen 5 pro 5650g ", 12 }, + { "ryzen 5 pro 5650ge ", 12 }, + { "ryzen 5 pro 5650u ", 12 }, + { "ryzen 5 pro 5655g ", 12 }, + { "ryzen 5 pro 5655ge ", 12 }, + { "ryzen 5 pro 5675u ", 12 }, + { "ryzen 5 pro 6650h ", 12 }, + { "ryzen 5 pro 6650hs ", 12 }, + { "ryzen 5 pro 6650u ", 12 }, + { "ryzen 5 pro 7530u ", 12 }, + { "ryzen 5 pro 7535u ", 12 }, + { "ryzen 5 pro 7540u ", 12 }, + { "ryzen 5 pro 7545u ", 12 }, + { "ryzen 5 pro 7640hs ", 12 }, + { "ryzen 5 pro 7640u ", 12 }, + { "ryzen 5 pro 7645 ", 12 }, + { "ryzen 5 pro 8500g ", 12 }, + { "ryzen 5 pro 8500ge ", 12 }, + { "ryzen 5 pro 8540u ", 12 }, + { "ryzen 5 pro 8600g ", 12 }, + { "ryzen 5 pro 8600ge ", 12 }, + { "ryzen 5 pro 8640hs ", 12 }, + { "ryzen 5 pro 8640u ", 12 }, + { "ryzen 5 pro 8645hs ", 12 }, + { "ryzen 7 1700 ", 16 }, + { "ryzen 7 1700x ", 16 }, + { "ryzen 7 1800x ", 16 }, + { "ryzen 7 250 ", 16 }, + { "ryzen 7 260 ", 16 }, + { "ryzen 7 2700 ", 16 }, + { "ryzen 7 2700e ", 16 }, + { "ryzen 7 2700u ", 8 }, + { "ryzen 7 2700x ", 16 }, + { "ryzen 7 2800h ", 8 }, + { "ryzen 7 3700c ", 8 }, + { "ryzen 7 3700u ", 8 }, + { "ryzen 7 3700x ", 16 }, + { "ryzen 7 3750h ", 8 }, + { "ryzen 7 3780u ", 8 }, + { "ryzen 7 3800x ", 16 }, + { "ryzen 7 3800xt ", 16 }, + { "ryzen 7 4700g ", 16 }, + { "ryzen 7 4700ge ", 16 }, + { "ryzen 7 4700u ", 8 }, + { "ryzen 7 4800h ", 16 }, + { "ryzen 7 4800hs ", 16 }, + { "ryzen 7 4800u ", 16 }, + { "ryzen 7 4980u ", 16 }, + { "ryzen 7 5700 ", 16 }, + { "ryzen 7 5700g ", 16 }, + { "ryzen 7 5700ge ", 16 }, + { "ryzen 7 5700u ", 16 }, + { "ryzen 7 5700x ", 16 }, + { "ryzen 7 5700x3d ", 16 }, + { "ryzen 7 5705g ", 16 }, + { "ryzen 7 5705ge ", 16 }, + { "ryzen 7 5800 ", 16 }, + { "ryzen 7 5800h ", 16 }, + { "ryzen 7 5800hs ", 16 }, + { "ryzen 7 5800u ", 16 }, + { "ryzen 7 5800x ", 16 }, + { "ryzen 7 5800x3d ", 16 }, + { "ryzen 7 5800xt ", 16 }, + { "ryzen 7 5825c ", 16 }, + { "ryzen 7 5825u ", 16 }, + { "ryzen 7 6800h ", 16 }, + { "ryzen 7 6800hs ", 16 }, + { "ryzen 7 6800u ", 16 }, + { "ryzen 7 7435hs ", 16 }, + { "ryzen 7 7700 ", 16 }, + { "ryzen 7 7700x ", 16 }, + { "ryzen 7 7730u ", 16 }, + { "ryzen 7 7735hs ", 16 }, + { "ryzen 7 7735u ", 16 }, + { "ryzen 7 7736u ", 16 }, + { "ryzen 7 7745hx ", 16 }, + { "ryzen 7 7800x3d ", 16 }, + { "ryzen 7 7840hs ", 16 }, + { "ryzen 7 7840hx ", 24 }, + { "ryzen 7 7840u ", 16 }, + { "ryzen 7 8700f ", 16 }, + { "ryzen 7 8700g ", 16 }, + { "ryzen 7 8840hs ", 16 }, + { "ryzen 7 8840u ", 16 }, + { "ryzen 7 8845hs ", 16 }, + { "ryzen 7 9700x ", 16 }, + { "ryzen 7 9800x3d ", 16 }, + { "ryzen 7 pro 1700 ", 16 }, + { "ryzen 7 pro 1700x ", 16 }, + { "ryzen 7 pro 250 ", 16 }, + { "ryzen 7 pro 2700 ", 16 }, + { "ryzen 7 pro 2700u ", 8 }, + { "ryzen 7 pro 2700x ", 16 }, + { "ryzen 7 pro 3700 ", 16 }, + { "ryzen 7 pro 3700u ", 8 }, + { "ryzen 7 pro 4750g ", 16 }, + { "ryzen 7 pro 4750ge ", 16 }, + { "ryzen 7 pro 4750u ", 16 }, + { "ryzen 7 pro 5750g ", 16 }, + { "ryzen 7 pro 5750ge ", 16 }, + { "ryzen 7 pro 5755g ", 16 }, + { "ryzen 7 pro 5755ge ", 16 }, + { "ryzen 7 pro 5845 ", 16 }, + { "ryzen 7 pro 5850u ", 16 }, + { "ryzen 7 pro 5875u ", 16 }, + { "ryzen 7 pro 6850h ", 16 }, + { "ryzen 7 pro 6850hs ", 16 }, + { "ryzen 7 pro 6850u ", 16 }, + { "ryzen 7 pro 6860z ", 16 }, + { "ryzen 7 pro 7730u ", 16 }, + { "ryzen 7 pro 7735u ", 16 }, + { "ryzen 7 pro 7745 ", 16 }, + { "ryzen 7 pro 7840hs ", 16 }, + { "ryzen 7 pro 7840u ", 16 }, + { "ryzen 7 pro 8700g ", 16 }, + { "ryzen 7 pro 8700ge ", 16 }, + { "ryzen 7 pro 8840hs ", 16 }, + { "ryzen 7 pro 8840u ", 16 }, + { "ryzen 7 pro 8845hs ", 16 }, + { "ryzen 9 270 ", 16 }, + { "ryzen 9 3900 processor ", 24 }, + { "ryzen 9 3900x ", 24 }, + { "ryzen 9 3900xt ", 24 }, + { "ryzen 9 3950x ", 32 }, + { "ryzen 9 4900h ", 16 }, + { "ryzen 9 4900hs ", 16 }, + { "ryzen 9 5900 ", 24 }, + { "ryzen 9 5900hs ", 16 }, + { "ryzen 9 5900hx ", 16 }, + { "ryzen 9 5900x ", 24 }, + { "ryzen 9 5900xt ", 32 }, + { "ryzen 9 5950x ", 32 }, + { "ryzen 9 5980hs ", 16 }, + { "ryzen 9 5980hx ", 16 }, + { "ryzen 9 6900hs ", 16 }, + { "ryzen 9 6900hx ", 16 }, + { "ryzen 9 6980hs ", 16 }, + { "ryzen 9 6980hx ", 16 }, + { "ryzen 9 7845hx ", 24 }, + { "ryzen 9 7900 ", 24 }, + { "ryzen 9 7900x ", 24 }, + { "ryzen 9 7900x3d ", 24 }, + { "ryzen 9 7940hs ", 16 }, + { "ryzen 9 7940hx ", 32 }, + { "ryzen 9 7945hx ", 32 }, + { "ryzen 9 7945hx3d ", 32 }, + { "ryzen 9 7950x ", 32 }, + { "ryzen 9 7950x3d ", 32 }, + { "ryzen 9 8945hs ", 16 }, + { "ryzen 9 9850hx ", 24 }, + { "ryzen 9 9900x ", 24 }, + { "ryzen 9 9900x3d ", 24 }, + { "ryzen 9 9950x ", 32 }, + { "ryzen 9 9950x3d ", 32 }, + { "ryzen 9 9955hx ", 32 }, + { "ryzen 9 9955hx3d ", 32 }, + { "ryzen 9 pro 3900 ", 24 }, + { "ryzen 9 pro 5945 ", 24 }, + { "ryzen 9 pro 6950h ", 16 }, + { "ryzen 9 pro 6950hs ", 16 }, + { "ryzen 9 pro 7940hs ", 16 }, + { "ryzen 9 pro 7945 ", 24 }, + { "ryzen 9 pro 8945hs ", 16 }, + { "ryzen threadripper 1900x ", 16 }, + { "ryzen threadripper 1920x ", 24 }, + { "ryzen threadripper 1950x ", 32 }, + { "ryzen threadripper 2920x ", 24 }, + { "ryzen threadripper 2950x ", 32 }, + { "ryzen threadripper 2970wx ", 48 }, + { "ryzen threadripper 2990wx ", 64 }, + { "ryzen threadripper 3960x ", 48 }, + { "ryzen threadripper 3970x ", 64 }, + { "ryzen threadripper 3990x ", 128 }, + { "ryzen threadripper 7960x ", 48 }, + { "ryzen threadripper 7970x ", 64 }, + { "ryzen threadripper 7980x ", 128 }, + { "ryzen threadripper pro 3945wx ", 24 }, + { "ryzen threadripper pro 3955wx ", 32 }, + { "ryzen threadripper pro 3975wx ", 64 }, + { "ryzen threadripper pro 3995wx ", 128 }, + { "ryzen threadripper pro 5945wx ", 24 }, + { "ryzen threadripper pro 5955wx ", 32 }, + { "ryzen threadripper pro 5965wx ", 48 }, + { "ryzen threadripper pro 5975wx ", 64 }, + { "ryzen threadripper pro 5995wx ", 128 }, + { "ryzen threadripper pro 7945wx ", 24 }, + { "ryzen threadripper pro 7955wx ", 32 }, + { "ryzen threadripper pro 7965wx ", 48 }, + { "ryzen threadripper pro 7975wx ", 64 }, + { "ryzen threadripper pro 7985wx ", 128 }, + { "ryzen threadripper pro 7995wx ", 192 }, + { "ryzen z1 ", 12 }, + { "ryzen z1 extreme ", 16 }, + { "sempron 2650 ", 2 }, + { "sempron 3850 ", 4 }, + { "x940 ", 4 }, + { "z2 extreme ", 16 }, + { "z2 go ", 8 } + } }; + + bool found = false; + + for (const auto& pair : thread_database) { + if (model.find(pair.first) != std::string::npos) { + found = (std::thread::hardware_concurrency() == static_cast(pair.second)); + break; } - - return found; + } + + return found; #endif - } + } + + + /** + * @brief Checks if the OS was booted from a VHD container + * @category Windows + */ + [[nodiscard]] static bool native_vhd() { +#if (!WINDOWS) + return false; +#else + BOOL isNativeVhdBoot = FALSE; + if (IsNativeVhdBoot(&isNativeVhdBoot)) { + return isNativeVhdBoot == TRUE; + } + + return false; +#endif + } + + + /** + * @brief Checks for particular object directory which is present in Sandboxie virtual environment but not in usual host systems + * @category Windows + * @note https://evasions.checkpoint.com/src/Evasions/techniques/global-os-objects.html + */ + [[nodiscard]] static bool virtual_registry() { +#if (!WINDOWS) + return false; +#else +#pragma warning (disable: 4459) + typedef struct _UNICODE_STRING { + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; + } UNICODE_STRING; + typedef UNICODE_STRING* PUNICODE_STRING; + typedef const UNICODE_STRING* PCUNICODE_STRING; + + typedef struct _OBJECT_ATTRIBUTES { + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; + } OBJECT_ATTRIBUTES; + typedef OBJECT_ATTRIBUTES* POBJECT_ATTRIBUTES; + + typedef enum _OBJECT_INFORMATION_CLASS { + ObjectBasicInformation = 0, + ObjectNameInformation = 1, + ObjectTypeInformation = 2 + } OBJECT_INFORMATION_CLASS; + + typedef struct _OBJECT_NAME_INFORMATION { + UNICODE_STRING Name; + } OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION; +#pragma warning (default : 4459) + HMODULE hNtdll = GetModuleHandleW(L"ntdll.dll"); + if (!hNtdll) return false; + + typedef NTSTATUS(NTAPI* PNtOpenKey)(PHANDLE, ACCESS_MASK, POBJECT_ATTRIBUTES); + typedef NTSTATUS(NTAPI* PNtQueryObject)(HANDLE, OBJECT_INFORMATION_CLASS, PVOID, ULONG, PULONG); + typedef BOOLEAN(NTAPI* PRtlEqualUnicodeString)(PCUNICODE_STRING, PCUNICODE_STRING, BOOLEAN); +#pragma warning (disable : 4191) + auto NtOpenKey = reinterpret_cast(GetProcAddress(hNtdll, "NtOpenKey")); + auto NtQueryObject = reinterpret_cast(GetProcAddress(hNtdll, "NtQueryObject")); + auto RtlEqualUnicodeString = reinterpret_cast(GetProcAddress(hNtdll, "RtlEqualUnicodeString")); +#pragma warning (default : 4191) + if (!NtOpenKey || !NtQueryObject || !RtlEqualUnicodeString) return false; + + UNICODE_STRING keyPath{}; + keyPath.Buffer = const_cast(L"\\REGISTRY\\USER"); + keyPath.Length = static_cast(wcslen(keyPath.Buffer) * sizeof(WCHAR)); + keyPath.MaximumLength = keyPath.Length + sizeof(WCHAR); + + OBJECT_ATTRIBUTES objAttr{}; + { + (&objAttr)->Length = sizeof(OBJECT_ATTRIBUTES); + (&objAttr)->RootDirectory = nullptr; + (&objAttr)->Attributes = 0x00000040L; + (&objAttr)->ObjectName = &keyPath; + (&objAttr)->SecurityDescriptor = nullptr; + (&objAttr)->SecurityQualityOfService = 0; + }; + + HANDLE hKey = nullptr; + NTSTATUS status = NtOpenKey(&hKey, KEY_READ, &objAttr); + if (!(((NTSTATUS)(status)) >= 0)) return false; + + BYTE buffer[1024]{}; + ULONG returnedLength = 0; + status = NtQueryObject(hKey, ObjectNameInformation, buffer, sizeof(buffer), &returnedLength); + CloseHandle(hKey); + + if (!(((NTSTATUS)(status)) >= 0)) return false; + + auto pObjectName = reinterpret_cast(buffer); + UNICODE_STRING expectedName{}; + expectedName.Buffer = const_cast(L"\\REGISTRY\\USER"); + expectedName.Length = static_cast(wcslen(expectedName.Buffer) * sizeof(WCHAR)); + expectedName.MaximumLength = expectedName.Length + sizeof(WCHAR); + + if (!RtlEqualUnicodeString(&pObjectName->Name, &expectedName, TRUE)) { + return core::add(brands::SANDBOXIE); + } + + return false; +#endif + } + + + /** + * @brief Checks for VM signatures in firmware + * @category Windows + * @note https://github.com/hfiref0x/VMDE/blob/master/src/vmde/detect.c + */ + [[nodiscard]] static bool firmware_scan() { +#if (!WINDOWS) + return false; +#else +#pragma warning (disable: 4459) + typedef enum _SYSTEM_INFORMATION_CLASS { + SystemFirmwareTableInformation = 76 + } SYSTEM_INFORMATION_CLASS; + + typedef struct _SYSTEM_FIRMWARE_TABLE_INFORMATION { + ULONG ProviderSignature; + ULONG Action; + ULONG TableID; + ULONG TableBufferLength; + UCHAR TableBuffer[1]; + } SYSTEM_FIRMWARE_TABLE_INFORMATION, * PSYSTEM_FIRMWARE_TABLE_INFORMATION; +#pragma warning (default : 4459) + + typedef NTSTATUS(NTAPI* PNtQuerySystemInformation)( + SYSTEM_INFORMATION_CLASS SystemInformationClass, + PVOID SystemInformation, + ULONG SystemInformationLength, + PULONG ReturnLength + ); + + const char* targets[] = { + "Parallels Software International", + "Parallels(R)", + "innotek", + "Oracle", + "VirtualBox", + "VS2005R2", // Microsoft Virtual Server 2005 R2 + "VMware, Inc.", + "VMware", + "S3 Corp." + }; + + // Check SMBIOS + const HMODULE hNtdll = GetModuleHandleA("ntdll.dll"); + if (hNtdll) return false; +#pragma warning (disable : 4191) + PNtQuerySystemInformation NtQuery = reinterpret_cast( + GetProcAddress(hNtdll, "NtQuerySystemInformation")); +#pragma warning (default : 4191) + if (NtQuery) { + PSYSTEM_FIRMWARE_TABLE_INFORMATION info = static_cast( + malloc(sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION))); + if (info) { + info->ProviderSignature = 'RSMB'; + info->Action = 1; + info->TableID = 0; + info->TableBufferLength = 0; + + ULONG returnLength = 0; + NTSTATUS status = NtQuery(SystemFirmwareTableInformation, info, sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION), &returnLength); + if (status == 0xC0000023) { // STATUS_BUFFER_TOO_SMALL + free(info); + info = static_cast(malloc(returnLength)); + if (info) { + info->ProviderSignature = 'RSMB'; + info->Action = 1; + info->TableID = 0; + info->TableBufferLength = returnLength - sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION); + + status = NtQuery(SystemFirmwareTableInformation, info, returnLength, &returnLength); + if (status >= 0) { + ULONG bufferSize = info->TableBufferLength; + PVOID buffer = malloc(bufferSize); + if (buffer) { + memcpy(buffer, info->TableBuffer, bufferSize); + // Check for targets + for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); ++i) { + const char* target = targets[i]; + size_t targetLen = strlen(target); + if (targetLen == 0 || bufferSize < targetLen) continue; + for (size_t j = 0; j <= bufferSize - targetLen; ++j) { + if (memcmp(static_cast(buffer) + j, target, targetLen) == 0) { + free(buffer); + free(info); + return true; + } + } + } + free(buffer); + } + } + } + free(info); + } + else { + free(info); + } + } + } + + // Check FIRM ROM + const ULONG addresses[] = { 0xC0000, 0xE0000 }; + for (int addrIdx = 0; addrIdx < 2; ++addrIdx) { + PSYSTEM_FIRMWARE_TABLE_INFORMATION info = static_cast( + malloc(sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION))); + if (!info) continue; + + info->ProviderSignature = 'FIRM'; + info->Action = 1; + info->TableID = addresses[addrIdx]; + info->TableBufferLength = 0; + + ULONG returnLength = 0; + + NTSTATUS status = NtQuery(SystemFirmwareTableInformation, info, sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION), &returnLength); + if (status == 0xC0000023) { // STATUS_BUFFER_TOO_SMALL + free(info); + info = static_cast(malloc(returnLength)); + if (info) { + info->ProviderSignature = 'FIRM'; + info->Action = 1; + info->TableID = addresses[addrIdx]; + info->TableBufferLength = returnLength - sizeof(SYSTEM_FIRMWARE_TABLE_INFORMATION); + + status = NtQuery(SystemFirmwareTableInformation, info, returnLength, &returnLength); + if (status >= 0) { + ULONG bufferSize = info->TableBufferLength; + PVOID buffer = malloc(bufferSize); + if (buffer) { + memcpy(buffer, info->TableBuffer, bufferSize); + // Check for targets + for (size_t i = 0; i < sizeof(targets) / sizeof(targets[0]); ++i) { + const char* target = targets[i]; + size_t targetLen = strlen(target); + if (targetLen == 0 || bufferSize < targetLen) continue; + for (size_t j = 0; j <= bufferSize - targetLen; ++j) { + if (memcmp(static_cast(buffer) + j, target, targetLen) == 0) { + free(buffer); + free(info); + return true; + } + } + } + free(buffer); + } + } + } + free(info); + } + else { + free(info); + } + } + + return false; +#endif + } // ADD NEW TECHNIQUE FUNCTION HERE @@ -11464,6 +11742,9 @@ static bool rdtsc() { case AMD_SEV: return "AMD_SEV"; case AMD_RESERVED: return "AMD_RESERVED"; case AMD_THREAD_MISMATCH: return "AMD_THREAD_MISMATCH"; + case NATIVE_VHD: return "NATIVE_VHD"; + case VIRTUAL_REGISTRY: return "VIRTUAL_REGISTRY"; + case FIRMWARE_SCAN: return "FIRMWARE_SCAN"; // ADD NEW CASE HERE FOR NEW TECHNIQUE default: return "Unknown flag"; } @@ -12050,6 +12331,9 @@ std::pair VM::core::technique_list[] = { { VM::AMD_SEV, { 50, VM::amd_sev, false } }, { VM::AMD_RESERVED, { 50, VM::amd_reserved, false } }, { VM::AMD_THREAD_MISMATCH, { 100, VM::amd_thread_mismatch, false } }, + { VM::NATIVE_VHD, { 100, VM::native_vhd, false } }, + { VM::VIRTUAL_REGISTRY, { 65, VM::virtual_registry, false } }, + { VM::FIRMWARE_SCAN, { 90, VM::firmware_scan, false } }, // ADD NEW TECHNIQUE STRUCTURE HERE };