Added power capabilities checks.

The GetPwrCapabilities API can be used to test for certain power capabilities of the system. Most VMs don't support CPU power states S1-S4 or thermal control
lnaphade · May 28, 2018 · 4b71d41 · 4b71d41
1 parent 59558e8
commit 4b71d41
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -193,6 +193,7 @@ Please, if you encounter any of the anti-analysis tricks which you have seen in
     - VMWare
     - VBOX
     - VIRTUAL HD
+  - Power policies (S1-S4 states, thermal control)
 - **System Firmware Tables**
   - SMBIOS string checks (VirtualBox)
   - SMBIOS string checks (VMWare)

diff --git a/al-khaser/Al-khaser.cpp b/al-khaser/Al-khaser.cpp
@@ -89,6 +89,7 @@ int main(void)
 		exec_check(&manufacturer_computer_system_wmi, TEXT("Checking Manufacturer from ComputerSystem using WMI: "));
 		exec_check(&current_temperature_acpi_wmi, TEXT("Checking Current Temperature using WMI: "));
 		exec_check(&process_id_processor_wmi, TEXT("Checking ProcessId using WMI: "));
+		exec_check(&power_capabilities, TEXT("Checking power capabilities: "));
 	}
 
 	/* VirtualBox Detection */

diff --git a/al-khaser/Anti VM/Generic.cpp b/al-khaser/Anti VM/Generic.cpp
@@ -822,5 +822,25 @@ BOOL process_id_processor_wmi()
 		}
 	}
 
+	return bFound;
+}
+
+/*
+Check what power states are enabled.
+Most VMs don't support S1-S4 power states whereas most hardware does, and thermal control is usually not found either.
+This has been tested on VirtualBox and Hyper-V, as well as a physical desktop and laptop.
+*/
+BOOL power_capabilities()
+{
+	SYSTEM_POWER_CAPABILITIES powerCaps;
+	BOOL bFound = FALSE;
+	if (GetPwrCapabilities(&powerCaps) == TRUE)
+	{
+		if ((powerCaps.SystemS1 | powerCaps.SystemS2 | powerCaps.SystemS3 | powerCaps.SystemS4) == FALSE)
+		{
+			bFound = (powerCaps.ThermalControl == FALSE);
+		}
+	}
+
 	return bFound;
 }
diff --git a/al-khaser/Anti VM/Generic.h b/al-khaser/Anti VM/Generic.h
@@ -5,6 +5,9 @@
 #include <winioctl.h>	// IOCTL
 #include <intrin.h>		// cpuid()
 
+#include <powrprof.h>	// check_power_modes()
+#pragma comment(lib, "powrprof.lib")
+
 
 #include <SetupAPI.h>
 #pragma comment(lib, "setupapi.lib")
@@ -32,4 +35,5 @@ BOOL serial_number_bios_wmi();
 BOOL model_computer_system_wmi();
 BOOL manufacturer_computer_system_wmi();
 BOOL current_temperature_acpi_wmi();
-BOOL process_id_processor_wmi();
+BOOL process_id_processor_wmi();
+BOOL power_capabilities();
diff --git a/al-khaser_x64.exe b/al-khaser_x64.exe
diff --git a/al-khaser_x86.exe b/al-khaser_x86.exe