Add cpuid vendor detection

pafish/cpu.c

@@ -1,6 +1,7 @@
 
 #include <windows.h>
 #include <stdio.h>
+#include <string.h>
 
 #include "types.h"
 #include "cpu.h"
@@ -57,3 +58,17 @@ void cpu_write_vendor(char * vendor) {
 	cpuid_vendor_00(vendor);
 }
 
+int cpu_known_vm_vendors(char * vendor) {
+	const int count = 4;
+	int i;
+	string strs[count];
+	strs[0] = "KVMKVMKVMKVM";
+	strs[1] = "Microsoft Hv";
+	strs[2] = "VMwareVMware";
+	strs[3] = "XenVMMXenVMM";
+	for (i = 0; i < count; i++) {
+		if (!memcmp(vendor, strs[i], 12)) return TRUE;
+	}
+	return FALSE;
+}
+

pafish/cpu.h

@@ -8,4 +8,6 @@ int cpu_hv();
 
 void cpu_write_vendor(char *);
 
+int cpu_known_vm_vendors(char *);
+
 #endif

pafish/main.c

@@ -82,7 +82,7 @@ int main(int argc, char *argv[])
 	}
 
 	/* CPU information based detection tricks */
-	printf("\n[-] CPU information detection\n");
+	printf("\n[-] CPU information based detections\n");
 	printf("[*] Checking the difference between CPU timestamp counters (rdtsc) ... ");
 	if (cpu_rdtsc() == TRUE) {
 		print_traced();
@@ -99,6 +99,14 @@ int main(int argc, char *argv[])
 	}
 	else print_not_traced();
 
+	printf("[*] Checking cpuid vendor for known VM vendors ... ");
+	if (cpu_known_vm_vendors(cpu_vendor) == TRUE) {
+		print_traced();
+		write_log("CPU VM traced by checking cpuid vendor for known VM vendors");
+		write_trace("hi_CPU_VM_vendor_name");
+	}
+	else print_not_traced();
+
 	/* Generic sandbox detection tricks */
 	printf("\n[-] Generic sandbox detection\n");
 	printf("[*] Using mouse activity ... ");