From 5a97f115c22de5dc7e7f62b64c049aeec1027abe Mon Sep 17 00:00:00 2001
From: Requiem
Date: Wed, 6 May 2026 03:44:25 +0200
Subject: [PATCH 1/2] perf: rearranged techniques
---
 src/cli.cpp | 8 ++++----
 src/vmaware.hpp | 28 ++++++++++++++--------------
 2 files changed, 18 insertions(+), 18 deletions(-)
diff --git a/src/cli.cpp b/src/cli.cpp
index 428d8f67..7a6b9899 100755
--- a/src/cli.cpp
+++ b/src/cli.cpp
@@ -986,21 +986,21 @@ static void general(
 checker(VM::NSJAIL_PID, "nsjail PID");
 checker(VM::DEVICES, "PCI vendor/device ID");
 checker(VM::ACPI_SIGNATURE, "ACPI device signatures");
- checker(VM::TRAP, "hypervisor interception");
 checker(VM::UD, "undefined exceptions");
- checker(VM::INTERRUPT_SHADOW, "interrupt shadows");
 checker(VM::DBVM, "DBVM hypervisor");
 checker(VM::BOOT_LOGO, "boot logo");
 checker(VM::MAC_SYS, "system profiler");
 checker(VM::KERNEL_OBJECTS, "kernel objects");
 checker(VM::NVRAM, "NVRAM");
 checker(VM::EDID, "EDID");
- checker(VM::CPU_HEURISTIC, "CPU heuristics");
 checker(VM::CLOCK, "system timers");
 checker(VM::MSR, "model specific registers");
+ checker(VM::CPU_HEURISTIC, "instruction capabilities");
+ checker(VM::INTERRUPT_SHADOW, "interrupt shadows");
+ checker(VM::TRAP, "hypervisor interception");
 checker(VM::KVM_INTERCEPTION, "KVM interception");
 checker(VM::HYPERVISOR_HOOK, "EPT/NPT hooking");
- checker(VM::POPF, "popf behavior");
+ checker(VM::SINGLE_STEP, "single step behavior");
 checker(VM::EIP_OVERFLOW, "instructions in compat mode");
 // ADD NEW TECHNIQUE CHECKER HERE
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index a08ee7d1..c9abb50e 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -596,7 +596,7 @@ struct VM {
 MSR,
 KVM_INTERCEPTION,
 HYPERVISOR_HOOK,
- POPF,
+ SINGLE_STEP,
 EIP_OVERFLOW,
 // Linux and Windows
@@ -12644,9 +12644,9 @@ struct VM {
 /**
 * @brief Check whether a hypervisor delays trap flags over exiting instructions
 * @category Windows, x86
- * @implements VM::POPF
+ * @implements VM::SINGLE_STEP
 */
- [[nodiscard]] static bool popf() {
+ [[nodiscard]] static bool single_step() {
 #if (!x86)
 return false;
 #else
@@ -13654,7 +13654,7 @@ struct VM {
 case MSR: return "MSR";
 case KVM_INTERCEPTION: return "KVM_INTERCEPTION";
 case HYPERVISOR_HOOK: return "BREAKPOINT";
- case POPF: return "POPF";
+ case SINGLE_STEP: return "POPF";
 case EIP_OVERFLOW: return "EIP_OVERFLOW";
 // END OF TECHNIQUE LIST
 case DEFAULT: return "DEFAULT";
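Review bot: In the technique-name switch, `case SINGLE_STEP: return "POPF";` still returns the old name, so anything that reads technique names as strings (log output, allow/deny lists keyed on the name) keeps seeing "POPF" for a flag that is now called SINGLE_STEP. If the old string is kept on purpose, say so with a comment such as `// legacy name, kept so existing string consumers keep working`; otherwise change the line to `case SINGLE_STEP: return "SINGLE_STEP";`. The context line `case HYPERVISOR_HOOK: return "BREAKPOINT";` shows that a mismatch of this kind already exists, which makes an unintended one here easy to overlook. The switch starts and ends outside the hunk.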
@@ -14189,31 +14189,31 @@ std::array VM::core::technique_table = [
 // START OF TECHNIQUE TABLE
 #if (WINDOWS)
 {VM::TRAP, {100, VM::trap}},
+ {VM::KVM_INTERCEPTION, {100, VM::kvm_interception}},
+ {VM::INTERRUPT_SHADOW, {100, VM::interrupt_shadow}},
+ {VM::EIP_OVERFLOW, {100, VM::eip_overflow}},
+ {VM::HYPERVISOR_HOOK, {100, VM::hypervisor_hook}},
+ {VM::SINGLE_STEP, {100, VM::single_step}},
 {VM::NVRAM, {100, VM::nvram}},
- {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}},
- {VM::ACPI_SIGNATURE, {100, VM::acpi_signature}},
 {VM::CPU_HEURISTIC, {90, VM::cpu_heuristic}},
+ {VM::ACPI_SIGNATURE, {100, VM::acpi_signature}},
 {VM::CLOCK, {45, VM::clock}},
 {VM::POWER_CAPABILITIES, {25, VM::power_capabilities}},
 {VM::GPU_CAPABILITIES, {25, VM::gpu_capabilities}},
- {VM::KVM_INTERCEPTION, {100, VM::kvm_interception}},
- {VM::EIP_OVERFLOW, {100, VM::eip_overflow}},
- {VM::HYPERVISOR_HOOK, {100, VM::hypervisor_hook}},
- {VM::POPF, {100, VM::popf}},
- {VM::INTERRUPT_SHADOW, {100, VM::interrupt_shadow}},
- {VM::MSR, {100, VM::msr}},
 {VM::EDID, {100, VM::edid}},
+ {VM::MSR, {100, VM::msr}},
 {VM::VIRTUAL_PROCESSORS, {100, VM::virtual_processors}},
 {VM::WINE, {100, VM::wine}},
 {VM::DBVM, {150, VM::dbvm}},
+ {VM::UD, {100, VM::ud}},
 {VM::IVSHMEM, {100, VM::ivshmem}},
 {VM::DRIVERS, {100, VM::drivers}},
+ {VM::HYPERVISOR_QUERY, {100, VM::hypervisor_query}},
 {VM::HANDLES, {100, VM::device_handles}},
 {VM::KERNEL_OBJECTS, {100, VM::kernel_objects}},
+ {VM::DLL, {50, VM::dll}},
 {VM::AUDIO, {25, VM::audio}},
 {VM::DISPLAY, {25, VM::display}},
- {VM::DLL, {50, VM::dll}},
- {VM::UD, {100, VM::ud}},
 {VM::VMWARE_BACKDOOR, {100, VM::vmware_backdoor}},
 {VM::VIRTUAL_REGISTRY, {90, VM::virtual_registry}},
 {VM::MUTEX, {100, VM::mutex}},
From ddcf5e3e194ad766108d3c1cbb5cb790c485cbfb Mon Sep 17 00:00:00 2001
From: Requiem
Date: Thu, 7 May 2026 01:04:11 +0200
Subject: [PATCH 2/2] style: formatted extended/hv leaves as hex
---
 src/vmaware.hpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
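Review bot: The new order of the Windows entries in `technique_table` is not explained anywhere in the hunk, although the commit title implies that the order now matters for performance. If the table is walked in order (the code that consumes it is not visible here), a short comment under `#if (WINDOWS)` stating the sorting rule would keep later additions from undoing this work; it should name the criterion that was actually used to arrange the entries and note that new entries must be inserted accordingly. The table initializer starts and ends outside the hunk.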
diff --git a/src/vmaware.hpp b/src/vmaware.hpp
index c9abb50e..fad2101b 100644
--- a/src/vmaware.hpp
+++ b/src/vmaware.hpp
@@ -909,19 +909,19 @@ struct VM {
 if (p_leaf < 0x40000000) {
 // Standard range: 0x00000000 - 0x3FFFFFFF
 cpu::cpuid(eax, unused, unused, unused, 0x00000000);
- debug("CPUID: max standard leaf = ", eax);
+ debug("CPUID: max standard leaf = 0x", std::hex, eax);
 supported = (p_leaf <= eax);
 }
 else if (p_leaf < 0x80000000) {
 // Hypervisor range: 0x40000000 - 0x7FFFFFFF
 cpu::cpuid(eax, unused, unused, unused, cpu::leaf::hypervisor);
- debug("CPUID: max hypervisor leaf = ", eax);
+ debug("CPUID: max hypervisor leaf = 0x", std::hex, eax);
 supported = (p_leaf <= eax);
 }
 else if (p_leaf < 0xC0000000) {
 // Extended range: 0x80000000 - 0xBFFFFFFF
 cpu::cpuid(eax, unused, unused, unused, cpu::leaf::func_ext);
- debug("CPUID: max extended leaf = ", eax);
+ debug("CPUID: max extended leaf = 0x", std::hex, eax);
 supported = (p_leaf <= eax);
 }
 else {
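Review bot: `std::hex` is a sticky stream manipulator, so if `debug` forwards its arguments to a shared `std::ostream` (its body is not in this hunk), every integer logged after `debug("CPUID: max standard leaf = 0x", std::hex, eax);` is also printed in hex, without a `0x` prefix, and later debug output becomes easy to misread. Resetting the base in the same call avoids that: `debug("CPUID: max standard leaf = 0x", std::hex, eax, std::dec);`, and likewise on the hypervisor and extended leaf lines. If `debug` builds a fresh stream for each call the reset is unnecessary, which is worth confirming before merging. The enclosing function starts and ends outside the hunk.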