The crackdown is currently focused on Rainbow Six. But this proves Battleye’s true intentions are in mystery, because they go game by game. You may not be safe going forward.
What makes software detect qemu as VM anyway other than oddities as far as hardware displayed in Windows’ Device Manager goes?
Not 100% certain, but it might be timer differences that can throw off the AC thinking it’s in a VM.
Timer? I don’t think so, since the 1809 update or 1803 the timer actually is kinda screwy on Win 10.
I use virtual cables that actually have to have a constant timer to not get screwed over and the program sets a constant timer.
Would be weird if it’s detected based on that.
You can by looking at pointers for operating system tables that are relocated for a virtual machine. On real machines, the tables are located lower addresses in memory than on virtual machines. Tables include:
- Interrupt Descriptor Tables (IDT)
- Global Descriptor Table
- Local Descriptor Table
An example of this is Joanna Rutkowska’s red pill which:
- runs a SIDT instruction and then checks the results by looking at the first byte returned by SIDT
- If it’s greater than 0xd0, it’s a virtual machine; otherwise
- If it is less than or equal to 0xd0, the machine is physical.
You can also detect VMs using specific non processor based instruction sets that are used by VMs to allow guest to host communication.
There’s also ways of looking at how data is written to drives and a lot of other evil magic. I’d encourage you to read this SANS document on VM detection. It’s a little bit old now, but might open your eyes a little.
4 Likes
Looking for odd system configurations also, like i440 machines with PCIe devices. I know of several others but I don’t like to discuss them in the open as I don’t want to help the anti-cheat devs to cheat at their own job and just ban VMs.
It is pretty sad that it’s come to this, and that the game dev dictates such things based on player habits.
Any way to play games that are using Battleye in KVM? 
I cannot play Escape From Tarkov anymore
I mean there must be solution, look there are services like:
- ShadowPC
- Geforce NOW
- Stadia
Which are just VMs in cloud for gaming, they use same or similar technology as me (KVM with GPU Passthough), and as far as I know they are not banned.