
Added GCE detections #234

Merged
merged 1 commit into from
Jan 29, 2025
22 changes: 4 additions & 18 deletions README.md
Expand Up @@ -157,7 +157,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
<summary>Who is this library for and what are the use cases?</summary>
<br>

> It's designed for security researchers, VM engineers, gamer developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware.
> It's designed for security researchers, VM engineers, anticheat developers, and pretty much anybody who needs a practical and rock-solid VM detection mechanism in their project. For example, the library is suitable if you're making a VM and you're testing the effectiveness of concealing itself. If you're a proprietary software developer, the library is useful to thwart against reverse engineers. If you're a malware analyst and you want to check the concealment capability of your VM, this would be the perfect tool to benchmark how well-concealed your VM is against malware.
>
> Additionally, software could adjust the behaviour of their program base on the detected environment. It could be useful for debugging and testing purposes, system administrators could manage configurations differently, and some applications might want to restrict usage in VMs to prevent unauthorized distribution or testing.

Expand All @@ -169,7 +169,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a

> There's already loads of projects that have the same goal such as
<a href="https://github.com/CheckPointSW/InviZzzible">InviZzzible</a>, <a href="https://github.com/a0rtega/pafish">pafish</a> and <a href="https://github.com/LordNoteworthy/al-khaser">Al-Khaser</a>. But the difference between the aforementioned projects is that they don't provide a programmable interface to interact with the detection mechanisms, on top of having little to no support for non-Windows systems.
> Pafish and InviZzzible have been abandoned for years, while Al-Khaser does receive updates and has a wide scope of detection that includes anti-debuggers, anti-injection, and so on, but the VM detections are not sophisticated enough to be practically applied to real-world scenarios, while most of the technique they implement are bypassable.
> Pafish and InviZzzible have been abandoned for years, while Al-Khaser does receive updates and has a wide scope of detection that includes anti-debuggers, anti-injection, and so on, but the VM detections are not sophisticated enough to be practically applied to real-world scenarios.
>
> I wanted the core detection techniques to be accessible programmatically in a cross-platform way for everybody to get something useful out of it rather than providing just a CLI tool. It also contains a larger quantity of techniques, so it's basically just a VM detection library and tool on steroids with maximum flexibility.

Expand All @@ -187,20 +187,6 @@ You can view the full docs [here](docs/documentation.md). All the details such a
</details>


<details>
<summary>How can the library distinguish between Hyper-V artifacts and an actual Hyper-V VM in the system?</summary>
<br>

> Hyper-V has an obscure feature where if it's enabled in the host system, the CPU hardware values makes it look like the whole system is running inside Hyper-V, which isn't true. This makes it a challenge to determine whether the hardware values the library is collecting is either a real Hyper-V VM, or just the artifacts of what Hyper-V has left as a consequence of having it enabled in the host system.
>
> The reason why this is a problem is because the library might falsely conclude that your the host system is running in Hyper-V, which is a false positive. This is where the **Hyper-X** mechanism comes into play to distinguish between these two. This was designed by <a href="https://github.com/NotRequiem">Requiem</a>

<p align="center">
<img src="assets/hyper-x/v5/Hyper-X_version_5.drawio.png" align="center" title="Hyper-X">
<br>
</details>


<details>
<summary>How effective are VM hardeners against the lib?</summary>
<br>
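Review bot: this hunk deletes the whole Hyper-X FAQ entry (the `<details>` block from `<summary>How can the library distinguish between Hyper-V artifacts and an actual Hyper-V VM in the system?</summary>` through the `assets/hyper-x/v5/Hyper-X_version_5.drawio.png` image), which is unrelated to the GCE detections in the title and is not explained anywhere in the PR. The `VM::brands::HYPERV_ARTIFACT` brand is still listed in docs/documentation.md, so users still need a place that explains why a host with Hyper-V enabled is not reported as a Hyper-V VM. If the intent is to move the text, add it to docs/documentation.md in this same PR; otherwise keep the entry. Also check whether the diagram asset is now orphaned in the repository.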
Expand All @@ -222,7 +208,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a
<summary>What about using this for malware?</summary>
<br>

> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good fucking luck obfuscating 10k+ lines of C++ code lmao.
> This project is not soliciting the development of malware for obvious reasons. Even if you intend to use it for concealment purposes, it'll most likely be flagged by antiviruses anyway and nothing is obfuscated to begin with. Good fucking luck obfuscating 12k+ lines of C++ code lmao.

</details>

Expand All @@ -232,7 +218,7 @@ You can view the full docs [here](docs/documentation.md). All the details such a

> I would've made it strictly MIT so proprietary software can make use of the library, but some of the techniques employed are from GPL 3.0 projects, and I have no choice but to use the same license for legal reasons.
>
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes <b>9</b> techniques out of 120 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.
> This gave me an idea to make an MIT version without all of the GPL code so it can also be used without forcing your code to be open-source. It should be noted that the MIT version removes <b>9</b> techniques out of 128 (as of 2.0 version), and the lesser the number of techniques, the less accurate the overall result might be.

</details>

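Review bot: the technique count jumps from 120 to 128 here, but this PR adds no rows to the technique table in docs/documentation.md and no new enum entries are visible in src/vmaware.hpp (the GCE check is placed inside an existing WMI-based technique). Please confirm that 128 is the real enum count at this commit and that the `9` GPL techniques removed in the MIT version is still accurate, since the licensing section is exactly the number integrators rely on.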
4 changes: 2 additions & 2 deletions docs/documentation.md
Expand Up @@ -457,7 +457,7 @@ VMAware provides a convenient way to not only check for VMs, but also have the f
| `VM::HYPERV_QUERY` | Checks if a call to NtQuerySystemInformation with the 0x9f leaf fills a _SYSTEM_HYPERVISOR_DETAIL_INFORMATION structure | Windows | 50% | | | | |
| `VM::BAD_POOLS` | Checks for system pools allocated by hypervisors | Windows | 80% | | | | |
| `VM::AMD_SEV` | Check for AMD-SEV MSR running on the system | Linux and MacOS | 50% | Admin | | | |
| `VM::AMD_RESERVED` | Check for bits that should be reserved in leaf 8000000Ah | 50% | | | | |
| `VM::AMD_RESERVED` | Check for bits that should be reserved in leaf 8000000Ah | | 50% | | | |
| `VM::AMD_THREAD_MISMATCH` | Check for AMD CPU thread count database if it matches the system's thread count | | 100% | | | | |
| `VM::NATIVE_VHD` | Checks if the OS was booted from a VHD container | | 100% | | | | |
| `VM::VIRTUAL_REGISTRY` | Checks for particular object directory which is present in Sandboxie virtual environment but not in usual host systems | | 65% | | | | |
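Review bot: the `VM::AMD_RESERVED` row is still malformed after this fix. The neighbouring rows have eight cells (technique, description, platform, certainty, then four flag columns), while the new row ends with `| | 50% | | | |`, which is seven, so the last flag column is missing and that cell will render empty or shifted in the table. Add one more `|` so it matches `VM::AMD_THREAD_MISMATCH` directly below. Worth double-checking in the same hunk: `VM::AMD_SEV` lists `Linux and MacOS` as platforms, but no Apple hardware ships with an AMD SEV-capable CPU, so that column probably wants `Linux` only.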
Expand Down Expand Up @@ -520,7 +520,6 @@ This is the table of all the brands the lib supports.
| Hyper-V artifact (not an actual VM) | `VM::brands::HYPERV_ARTIFACT` | Unknown | |
| User-mode Linux | `VM::brands::UML` | Paravirtualised/Hypervisor (type 2) | |
| IBM PowerVM | `VM::brands::POWERVM` | Hypervisor (type 1) | |
| Google Compute Engine (KVM) | `VM::brands::GCE` | Hypervisor (type 1) | |
| OpenStack (KVM) | `VM::brands::OPENSTACK` | Hypervisor (type 1) | |
| KubeVirt (KVM) | `VM::brands::KUBEVIRT` | Hypervisor (type 1) | |
| AWS Nitro System EC2 (KVM-based) | `VM::brands::AWS_NITRO` | Hypervisor (type 1) | |
Expand All @@ -537,6 +536,7 @@ This is the table of all the brands the lib supports.
| AMD SEV-ES | `VM::brands::AMD_SEV_ES` | VM encryptor | |
| AMD SEV-SNP | `VM::brands::AMD_SEV_SNP` | VM encryptor | |
| Neko Project II | `VM::brands::NEKO_PROJECT` | Emulator | |
| Google Compute Engine (KVM) | `VM::brands::GCE` | Cloud VM service | |

<br>

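Review bot: the GCE row is moved to the end of the brand table and retyped from `Hypervisor (type 1)` to `Cloud VM service`, but that is a product category, not a hypervisor type, and the column otherwise holds types. The row name still says `(KVM)`, and `AWS Nitro System EC2 (KVM-based)` in the unchanged rows above keeps `Hypervisor (type 1)`, so the two KVM-based clouds are now classified differently. Either keep `Hypervisor (type 1)` for GCE, with the cloud service named in the brand as AWS Nitro does, or apply the same `Cloud VM service` wording to AWS Nitro as well.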
34 changes: 22 additions & 12 deletions src/vmaware.hpp
Expand Up @@ -24,14 +24,14 @@
*
*
* ================================ SECTIONS ==================================
* - enums for publicly accessible techniques => line 328
* - struct for internal cpu operations => line 603
* - struct for internal memoization => line 1059
* - struct for internal utility functions => line 1449
* - struct for internal core components => line 9714
* - start of internal VM detection techniques => line 2861
* - start of public VM detection functions => line 10116
* - start of externally defined variables => line 10987
* - enums for publicly accessible techniques => line 338
* - struct for internal cpu operations => line 620
* - struct for internal memoization => line 1078
* - struct for internal utility functions => line 1472
* - struct for internal core components => line 10709
* - start of internal VM detection techniques => line 2831
* - start of public VM detection functions => line 11113
* - start of externally defined variables => line 12018
*
*
* ================================ EXAMPLE ==================================
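Review bot: these SECTIONS line references are hand-maintained and already inconsistent: `struct for internal core components => line 10709` is listed between the entries for lines 1472 and 2831, so the index is not in file order. Every commit that touches the header shifts them (this one moves them by hundreds of lines), so either sort the entries by line and regenerate them with a script, or drop the numbers and refer to the section banners by name, which `grep` finds regardless of edits.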
Expand Down Expand Up @@ -9021,6 +9021,19 @@ struct VM {
}
}
}

query = L"SELECT Model FROM Win32_ComputerSystem";
properties = { L"Model" };
results = wmi::execute(query, properties);

for (const auto& result : results) {
if (result.type == wmi::result_type::String) {
if (result.strValue == "Google Compute Engine") {
return core::add(brands::GCE);
}
}
}

return false;
#endif
}
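Review bot: the new check is Windows-only, since it sits inside the block closed by `#endif` and goes through WMI, so Linux guests on GCE (the common case) still get no GCE brand from this path. The same string is exposed to Linux guests through SMBIOS as the product name (`/sys/class/dmi/id/product_name` reads `Google Compute Engine`), so the non-Windows branch can reuse the identical comparison. Two smaller points: `result.strValue == "Google Compute Engine"` compares against a narrow literal while the query and property list are wide (`L"..."`) strings, so make sure `strValue` is a narrow `std::string` as the preceding block assumes; and `SELECT Model FROM Win32_ComputerSystem` is an extra WMI round-trip, so if the earlier block in this function already queries `Win32_ComputerSystem` for another property, fetching `Model` in that same query would be cheaper.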
Expand Down Expand Up @@ -11824,7 +11837,6 @@ static bool rdtsc() {
{ brands::INTEL_HAXM, "Hypervisor (type 1)" },
{ brands::INTEL_KGT, "Hypervisor (type 1)" },
{ brands::SIMPLEVISOR, "Hypervisor (type 1)" },
{ brands::GCE, "Hypervisor (type 1)" },
{ brands::OPENSTACK, "Hypervisor (type 1)" },
{ brands::KUBEVIRT, "Hypervisor (type 1)" },
{ brands::POWERVM, "Hypervisor (type 1)" },
Expand Down Expand Up @@ -11868,16 +11880,14 @@ static bool rdtsc() {
{ brands::LMHS, "Hypervisor (unknown type)" },
{ brands::WINE, "Compatibility layer" },
{ brands::INTEL_TDX, "Trusted Domain" },
{ brands::AMD_SEV, "" },
{ brands::AMD_SEV_ES, "" },
{ brands::AMD_SEV_SNP, "" },
{ brands::APPLE_VZ, "Unknown" },
{ brands::HYPERV_ARTIFACT, "Unknown" },
{ brands::UML, "Paravirtualised/Hypervisor (type 2)" },
{ brands::WSL, "Hybrid Hyper-V (type 1 and 2)" }, // debatable tbh
{ brands::AMD_SEV, "VM encryptor" },
{ brands::AMD_SEV_ES, "VM encryptor" },
{ brands::AMD_SEV_SNP, "VM encryptor" },
{ brands::GCE, "Cloud VM service" },
};

auto it = type_table.find(brand_str.c_str());
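Review bot: besides moving GCE to `Cloud VM service`, this hunk also changes the three AMD SEV entries from `""` to `"VM encryptor"`, which matches what docs/documentation.md already says for them but is not mentioned anywhere in a PR titled "Added GCE detections"; please call it out in the description so the changelog is accurate. Two consistency points: `brands::AWS_NITRO` (also KVM-based) keeps `Hypervisor (type 1)` while GCE gets a different category, so either both or neither should say `Cloud VM service`; and the lookup in the unchanged line below, `type_table.find(brand_str.c_str())`, only does a string comparison if `type_table` is keyed by `std::string`. If it is keyed by `const char*` the comparison is on pointer value and a lookup with a copied string never matches, so worth confirming the key type.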