The Best way to hide KVM from Guest OS - Wendell method?

Hello lovely community,

at the end of this Video ( level1techs.com/video/seamless-mode-microsoft-office-linux-windows-vm-threadripper-pro )
Wendell mentions that he has less problems with VMs & AntiCheat since he is good at hiding the KVM.

What are those things?

at the moment i read of the following:
<feature policy="disable" name="hypervisor"/>
(on github another line is mentioned ( GitHub - bryansteiner/gpu-passthrough-tutorial ):

<features>
    ...
    <hyperv>
        <relaxed state="on"/>
        <vapic state="on"/>
        <spinlocks state="on" retries="8191"/>
        <vendor_id state="on" value="kvm hyperv"/>
    </hyperv>
    ...
</features>

also:

<hidden state="on"/>

and to close in this forums you can read about:

monitor_control.virtual_rdtsc = “FALSE”
monitor_control.restrict_backdoor = “TRUE”
isolation.tools.getPtrLocation.disable = “TRUE”
isolation.tools.setPtrLocation.disable = “TRUE”
isolation.tools.setVersion.disable = “TRUE”
isolation.tools.getVersion.disable = “TRUE”
monitor_control.disable_directexec = “TRUE”
hypervisor.cpuid.v0 = “FALSE”

where ever this goes ?

Does anyone know which are correct? Or if Wendell uses something else?

Maybe we can even build a comprehensive guide of all tweaks to hide the KVM
so we can use a VM instead of dualboot without the fear of randomly loosing hundreds of dollars
worth of accounts due to random gamedevs mind changes?

with kind regards

//EDIT: sorry i cant include links … so they are botched

2 Likes

even you try to fully hide the hypervisor the dev can still detect you run in vm its a mater of time before they found out ! the only solution is like finding the ultimate type zero hypervisor that can share hardware directly between os without any type of virtualisation lets say like sriov but full hardware sharing like a bios level hypervisor that you can configure HVM(hardware VM) pining cpu core passthrough portion of gpu and pcie storage controller directly to OS even the io and chipset all that before booting to system … seem like alien dream to go live in another planet :sweat_smile:

Any update on this? @wendell said recently he is still able to fool the games into letting him play in a VM

install/enable hyperv in the guest, mainly, and pass through the real cpu and hide other aspects of virtualization. There can be more tricky stuff you can do. But it’s a bit of an arms race, sadly. Lot of misinformed companies out there combating virtualization when in reality it does little to stop cheaters.

5 Likes

one of the best guides to my knowledge still is this one:

or the wayback machine version of it

and a good tool to check is this one:

but be aware you dont need pafish to 100%

My Result looked like that:

(without too much work)
afaik the hypervisor bit as well as the reg key can be circumvented.
mouse and keyboard timing is not feasible to do

also the best way is to activate windows anti ransomware feature where it self visualizes the windows kernel

iirc it was this one: Virtualization-based Security (VBS) | Microsoft Learn

if that is activated vm detection is somewhat broken because they cant differentiate the security feature from virtualization.

so nested virtualization + hyperv stuff and nearly all anti cheat is working.

to be warned: some consider that “anti cheat circumvention” and therefore a bannable offense so it wont just kick you … (escape from tarkov desteny 2 etc … all the ***** devs )

tbh i just stopped playing most games tho … nearly all the devs only make games for money now days. Not games which also earn money.

(Path of exile currently is the last game which i find worthy to put a few hours in to ^^)

2 Likes

Kernel mode rootkit AC that runs 24/7 is malware that needs to be virtualized to protect the host.

Here is a fairly thorough catalog of VM detection techniques which includes the already mentioned pafish:

GOT THIS WORKING!!
Followed the guide here: Using VRChat in a Virtual Machine
and also add this to the XML:

<features>
  <kvm>
    <hidden state="on"/>
  </kvm>
</features>

Every game is working now!

3 Likes

Id recommed picking your own vendor id as well.

1 Like

is there a reason to go for a “custom” id over the one from a bare metal windows install?
I always looked at what the vendor id is in windows and than put it into the vm config