A guide for spoofing KVM and making it undetectable
Hello. This is a repost of a KVM guide I wrote about a year ago where I made my Kernel-based virtual machine undetectable. This guide has been used by thousands of users across multiple sites, such as Reddit, malware analysis forums, gaming forums, and anti-cheat reverse engineering sites. I decided it was worth a repost and update because even a year later, I still get asked about it.
Modifying QEMU
Modify the following strings :
QEMU HARDDISK inside of /hw/ide/core.c & /hw/scsi/scsi-disk.c
QEMU DVD-ROM inside of /hw/ide/core.c & /hw/ide/atapi.c
QEMU CD-ROM inside of /hw/ide/core.c & /hw/scsi/scsi-disk.c
QEMU MICRODRIVE inside of /hw/ide/core.c QEMU PenPartner tablet inside of /hw/usb/dev-wacom.c & /hw/scsi/scsi-disk.c
padstr inside of /hw/ide/atapi.c
KVMKVMKVM\0\0\0 inside of /target/i386/kvm.c
bochs inside of /block/bochs.c
Bochs Pseudo inside of /roms/ipxe/src/drivers/net/pnic.c
Modify these to legitimate vendors, for example QEMUHARDDISK could be changed to something such like " Toshiba MQ01ABD " - It is unlikely that some system will actually check this on a deeper level, but try to use a disk model that comes in same size as your virtual disk. The truth is that most applications will simply check if Harddisk model string contains QEMU.
Modifying SMBIOS ( Seabios or OVMF )
If you are using Seabios, modify the following strings :
Bochs & BXPC inside of src/config.h ( multiple instances )
/QEMU/Bochs/ & qemu inside of vgasrc/Kconfig
/06/23/99/ inside ofsrc/misc.c
/04/01/2014/ inside of src/fw/biostables.c
s/01/01/2011 inside of src/fw/smbios.c
seabios inside of src/fw/biostables.c
If you are using OVMF, modify the following strings : // THIS IS NOT UP TO DATE
EFI Development Kit II / OVMF\0 inside of edk2/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
0.0.0\0 inside of edk2/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
02/06/2015\0 inside of edk2/OvmfPkg/SmbiosPlatformDxe/SmbiosPlatformDxe.c
Modifying the Linux Kernel to spoof VM_EXIT on RDTSC
VIM to /x86/kvm/vmx/vmx.c and create a function called handle_RDTSC
static int handle_rdtsc(struct kvm_vcpu *vcpu) { // This code only works for Intel CPUs. AMD CPUs will need their own function and exit handler in SVM.
uint32_t data;
data = 500;
printk("[vmkernel] handling fake rdtsc from cpl %i\n", vmx_get_cpl(vcpu));
vcpu->arch.regs[VCPU_REGS_RAX] = data & -1u;
vcpu->arch.regs[VCPU_REGS_RDX] = (data >> 32) & -1u;
skip_emulated_instruction(vcpu);
return 1;
}
After the previous function is created, create an exit handler for RDTSC :
[EXIT_REASON_RDTSC] = handle_rdtsc
This is the simplest way to handle 99% of VM_Exit checks that I use, however as this returns a static value, some software may check the actual timings, in which the example would fail. You may want to return a random number or emulate a clock cycle counter for additional security
Installing and modifying our Virtual Machine
After you're done modifying the previous files, recompile each package and install your KVM on virt machine manager. Install it with GPU passthrough. I am not going to explain how to install a KVM since it would be too long, but a good guide I recommend is https://github.com/vanities/GPU-Passthrough-Arch-Linux-to-Windows10
I must note that if you are using Seabios & a Debian based Linux distro, I recommend modifying QEMU and Seabios by using https://github.com/doomedraven/Tools/blob/master/Virtualization/kvm-qemu.sh - Personally, I can't use this as I use an Arch-based distro and OVMF
While installing a KVM, set realistic RAM and Harddisk sizes, ie for
8 GB RAM : 8192 MBs
16 GB RAM : 16384 MBs
32 GB RAM : 32768 MBs
Disk size is entirely upon the purpose of your KVM, but try to make the size equivalent to the model of your harddisk picked in /hw/ide/core.c Make the SN of the harddisk look realistic - Make sure it is of appropriate length, follows the format placed by the manufacturer, and that it follows the law of Luhn's algorithm!
For our last step, we will need to modify our KVM's XML file. In your XML, modify the following
Set: cpu mode = "host-passthrough" check="none" // Passes CPU Model
Set: type="raw" cache="none" io="native" discard="ignore" detect_zeroes="off" // Set disk interface to SATA
Set: vendor_id state="on" value="XXXX" // Spoofs vendor ID
Set: kvm hidden state="on" kvm // Hides KVM state
Set: feature policy="disable" name="hypervisor" // Disables Hyper-V Hypervisor enhancements. Will negatively impact gaming performance.
If all is done properly, your KVM should be completely undetectable! If your guest machine is on Windows, I recommend using PAFish to check.
RESULTS : 