#include "detection.hpp"
// File-scope helper instance; the registry-backed getters in this file call
// _utils.getRegistryValue() on it. The `utils` type is declared outside this
// file (presumably via detection.hpp - confirm).
utils _utils;
/// @brief Probes five host identity strings for hypervisor keywords.
///
/// Each string is handed to checkForVMSignatures() together with a
/// human-readable label; that call appends to detectedSignatures on a match.
/// The per-call return value is ignored here; only the accumulated list
/// decides the result.
///
/// @return true when detectedSignatures holds at least one entry afterwards.
///
/// @note Every input is a host-reported string (computer name, firmware
///       strings read from the registry). They can be changed by whoever
///       administers the guest or the hypervisor, so the result is a heuristic
///       hint, not evidence: a hardened VM can report clean strings and a
///       physical host whose name contains a keyword will match.
/// @note NOTE(review): detectedSignatures is not cleared in this function, so
///       a second call appears to add the same entries again - confirm whether
///       callers invoke it once per object.
bool VMDetection::isVirtualMachine() {
    const std::string computerName = getComputerName();
    checkForVMSignatures(computerName, "Computer Name");

    const std::string biosManufacturer = getBIOSManufacturer();
    checkForVMSignatures(biosManufacturer, "BIOS Manufacturer");

    const std::string biosVersion = getBIOSVersion();
    checkForVMSignatures(biosVersion, "BIOS Version");

    const std::string productName = getSystemProductName();
    checkForVMSignatures(productName, "System Product Name");

    const std::string videoBiosVersion = getVideoBiosVersion();
    checkForVMSignatures(videoBiosVersion, "Video BIOS Version");

    const bool anySignatureRecorded = !detectedSignatures.empty();
    return anySignatureRecorded;
}
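/// @brief Prints the detection summary to standard output.
///
/// Output consists of the confidence string, the list of recorded signature
/// entries (one per line), and the hypervisor name, in that order.
///
/// Fix over the previous version: "No signatures found!" used to be printed
/// only for an *empty element* of detectedSignatures. Entries are built as
/// `source + ": " + value`, so they are never empty and the message could not
/// appear; with an empty list the section was silently blank. The emptiness
/// test is now applied to the list itself. The unused local copy of
/// `hypervisor` was dropped.
///
/// @note The "confidence" line reflects a single keyword match against
///       spoofable host strings (see checkForVMSignatures); readers of the
///       report should treat it as a heuristic label.
void VMDetection::generateReport() {
    std::cout << "Confidence of being a VM: " << VMDetection::confidence << "\n";
    std::cout << "\nDetected Signatures: \n";

    if (VMDetection::detectedSignatures.empty()) {
        // Nothing matched: say so explicitly instead of leaving the section empty.
        std::cout << "No signatures found!";
    } else {
        for (const auto& signature : VMDetection::detectedSignatures) {
            std::cout << " " << signature << "\n";
        }
    }

    std::cout << "\nDetected HyperVisor: " << VMDetection::hypervisor << "\n";
}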
/// @brief Matches one host string against the per-hypervisor keyword lists.
///
/// The keyword families are tried in a fixed order - VMware, VirtualBox,
/// Hyper-V, Qemu - and the first family with a keyword occurring anywhere in
/// @p value wins. On a match the function records "<source>: <value>" in
/// detectedSignatures, sets `hypervisor` to the family name and `confidence`
/// to "HIGH", and returns the family name.
///
/// @param value  Host-reported string to inspect.
/// @param source Label describing where @p value came from; used only in the
///               recorded entry.
/// @return "VMware", "VirtualBox", "Hyper-V" or "Qemu" on a match, otherwise
///         "None" (no state is modified in that case).
///
/// @note Matching is std::string::find, i.e. a case-sensitive substring test.
///       A value that differs from a keyword only in letter case will not
///       match, and an empty keyword would match every value - the contents
///       of VMSignatures are not visible here, so verify both against its
///       definition.
/// @note `hypervisor` and `confidence` are overwritten on every match, so
///       after several probes they reflect the last matching call, and
///       "HIGH" is assigned on a single substring hit. The inputs are
///       attacker- and administrator-controllable strings - the same
///       artefacts environment-aware malware inspects (MITRE ATT&CK
///       T1497.001) - so this result should not gate a trust decision.
std::string VMDetection::checkForVMSignatures(const std::string& value, const std::string& source) {
    VMSignatures sigs;

    // True when any keyword of the given family occurs inside `value`.
    const auto containsAny = [&value](const auto& keywords) {
        for (const auto& keyword : keywords) {
            if (value.find(keyword) != std::string::npos) {
                return true;
            }
        }
        return false;
    };

    // Same precedence as the family order documented above.
    const char* family = nullptr;
    if (containsAny(sigs.vmware)) {
        family = "VMware";
    } else if (containsAny(sigs.virtualbox)) {
        family = "VirtualBox";
    } else if (containsAny(sigs.hyperv)) {
        family = "Hyper-V";
    } else if (containsAny(sigs.qemu)) {
        family = "Qemu";
    }

    if (family == nullptr) {
        return "None";
    }

    detectedSignatures.emplace_back(source + ": " + value);
    hypervisor = family;
    confidence = "HIGH";
    return family;
}
/// @brief Returns the local computer name as reported by GetComputerNameA.
///
/// @return The name on success, or the literal "Unknown" when the API call
///         reports failure.
///
/// @note The computer name is set by the machine's administrator; it says
///       nothing reliable about the underlying platform.
std::string VMDetection::getComputerName() {
    // Buffer sized for the longest name plus the terminating NUL.
    char nameBuffer[MAX_COMPUTERNAME_LENGTH + 1];
    DWORD bufferSize = sizeof(nameBuffer);

    if (!GetComputerNameA(nameBuffer, &bufferSize)) {
        return "Unknown";
    }
    return std::string(nameBuffer);
}
/// @brief Reads the SystemProductName value from
///        HKLM\HARDWARE\DESCRIPTION\System\BIOS.
///
/// @return Whatever _utils.getRegistryValue() yields for that value; its
///         behaviour on a missing key or value is defined elsewhere - confirm
///         what callers receive on failure.
std::string VMDetection::getSystemProductName() {
    return _utils.getRegistryValue(HKEY_LOCAL_MACHINE,
                                   "HARDWARE\\DESCRIPTION\\System\\BIOS",
                                   "SystemProductName");
}
/// @brief Reads the SystemManufacturer value from
///        HKLM\HARDWARE\DESCRIPTION\System\BIOS.
///
/// @return Whatever _utils.getRegistryValue() yields for that value.
///
/// @note NOTE(review): despite the function name, the value queried is the
///       *system* manufacturer; the firmware vendor is normally exposed as a
///       separate value in the same key. The report labels this probe
///       "BIOS Manufacturer" - confirm which of the two is intended.
std::string VMDetection::getBIOSManufacturer() {
    return _utils.getRegistryValue(HKEY_LOCAL_MACHINE,
                                   "HARDWARE\\DESCRIPTION\\System\\BIOS",
                                   "SystemManufacturer");
}
/// @brief Reads the BIOSVersion value from
///        HKLM\HARDWARE\DESCRIPTION\System\BIOS.
///
/// @return Whatever _utils.getRegistryValue() yields for that value; failure
///         behaviour is defined by that helper, not here.
std::string VMDetection::getBIOSVersion() {
    return _utils.getRegistryValue(HKEY_LOCAL_MACHINE,
                                   "HARDWARE\\DESCRIPTION\\System\\BIOS",
                                   "BIOSVersion");
}
/// @brief Queries the VideoBiosVersion value under
///        HKLM\HARDWARE\DESCRIPTION\System\BIOS.
///
/// @return Whatever _utils.getRegistryValue() yields for that value.
///
/// @note NOTE(review): on stock Windows installs VideoBiosVersion is usually
///       found one level up, directly under HARDWARE\DESCRIPTION\System, and
///       is typically a multi-string value. If that holds on the target
///       systems this probe always takes the helper's failure path and never
///       contributes a signature - verify the key and how getRegistryValue()
///       handles multi-string data.
std::string VMDetection::getVideoBiosVersion() {
    return _utils.getRegistryValue(HKEY_LOCAL_MACHINE,
                                   "HARDWARE\\DESCRIPTION\\System\\BIOS",
                                   "VideoBiosVersion");
}