A type 1 & 2 hypervisor setup guide for evading detection from Proctors and Anti-Cheats.

Scrut1ny/Hypervisor-Phantom

Info & Guide

Exam Software

| Software | Browser Extension / System Test | Bypassed |
| --- | --- | --- |
| Pafish | Link | |
| Al-Khaser | Link | |
| Safe Exam Browser | Link | |
| Pearson VUE | Link | |
| ProctorU | FF Addon or Chrome Addon | |
| ProctorU: Guardian Browser | Link | |
| Proctorio | Link | |
| Examity | New Platform System Check or Chrome Addon or FF Addon | |
| ExamSoft: Examplify | ??? | |
| Respondus (LockDown Browser) | Link & Download | |
| Kryterion | Link | |
| Honorlock | Link | |
| Inspera Exam Portal | Link - Demo Exam Instructions | |
Anti-Cheat Software

| Type | Engine | Bypassed | Used By |
| --- | --- | --- | --- |
| Anti-Cheat | Anti-Cheat Expert (ACE) | | Primarily Mobile Games |
| Anti-Cheat | BattlEye (BE) | ✅ (With RDTSC VM Force Exit Kernel Patch) | Desktop Games |
| Anti-Cheat | Easy Anti-Cheat (EAC) | | Desktop Games |
| Anti-Cheat | Gepard Shield | ✅ (With RDTSC VM Force Exit Kernel Patch) | |
| Anti-Cheat | Hyperion | | Roblox |
| Anti-Cheat | Mhyprot | | Genshin Impact |
| Anti-Cheat | nProtect GameGuard (NP) | | Desktop Games |
| Anti-Cheat | RICOCHET | | Call of Duty Games |
| Anti-Cheat | Vanguard | ‼️ (1: Incorrect function) | Valorant |
| Encrypt | Enigma Protector | | |
| Encrypt | Safengine Shielden | | |
| Encrypt | Themida | | |
| Encrypt | VMProtect | | |
| Encrypt | VProtect | | |

  • ‼️ Some games cannot run under this environment, but I'm not sure whether qemu has been detected. The game doesn't say "Virtual machine detected" specifically.
Bypassing HDCP

Bypassing HDCP Visual Graph: (image)

Capture Card Format Support: (image)

Cheapo Bypass Kit:

  • 1x2 HDMI Splitter $13 > OREI
  • EDID Emulator $7 > EVanlak
  • USB HDMI Capture Card $9 > AXHDCAP

Elegant Bypass Kit (Recommended):

Equipment

Virtual Video & Audio

Bring live video from your smartphone, remote computer, or friends directly into OBS or other studio software.

VB-CABLE Virtual Audio Device

Virtual Display Driver

VPN + Hypervisor
  • IMPORTANT: Ensure not to add a custom DNS configuration to the guest system on the hypervisor if your host system's VPN uses custom DNS block lists. Doing so may result in your guest hypervisor system losing its internet connection!

Mullvad VPN + QEMU

  • For the VPN connection to get properly natted/bridged you must enable the setting Local network sharing option!
    • How to: ⚙️ > VPN settings > Local network sharing


Proctoring Functions
Honorlock
| Function | Description |
| --- | --- |
| Record Webcam | Record student's testing environment using webcam |
| Record Screen | Record student's screen during exam |
| Record Web Traffic | Log student's internet activity |
| Room Scan | Record a 360 degree environment scan before the assessment begins |
| Disable Copy/Paste | Block clipboard actions |
| Disable Printing | Block printing exam content |
| Browser Guard | Limit browser activity to exam content and allowed site URLs only |
| Allowed Site URLs | Allow access to specific websites during an exam session |
| Student Photo | Capture student photo before the assessment begins |
| Student ID | Capture ID photo before the assessment begins |
Proctorio
| Recording Settings | Verification Settings | Lock Down Settings |
| --- | --- | --- |
| Record Video | Verify Video | Force Full Screen |
| Record Audio | Verify Audio | Only One Screen |
| Record Screen | Verify Identity | Disable New Tabs |
| Record Web Traffic | Verify Desktop | Close Open Tabs |
| Record Desk | Verify Signature | Disable Printing |
| | | Disable Clipboard |
| | | Clear Cache |
| | | Disable Right Click |
| | | Prevent Re-Entry |
Pearson VUE

BrowserLock

  • System Requirements Link

  • Exam Content & Special Configurations (SDS): https://securedelivery-hs-prd-1.pearsonvue.com/SecureDeliveryService
  • Application location: `%APPDATA%\OnVUE\BrowserLock.exe`
  • Log file location: `%LOCALAPPDATA%\BrowserLock\log`
  • Commands it runs:

```powershell
# Obtains NetConnectionID
wmic nic where "NetConnectionStatus = 2" get NetConnectionID /value

# Obtains USB FriendlyName
powershell.exe Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' }

# Obtains Display/Monitor FriendlyName
powershell.exe -Command "Get-WmiObject -Namespace 'root\WMI' -Class 'WMIMonitorID' | ForEach-Object -Process { if($_.UserFriendlyName) { ([System.Text.Encoding]::ASCII.GetString($_.UserFriendlyName)).Replace('$([char]0x0000)','') } }"

# Obtains running processes
powershell.exe /c Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath

# Obtains MachineGUID
powershell (Get-ItemProperty registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ -Name MachineGuid).MachineGUID

# Obtains system hostname
C:\Windows\system32\cmd.exe /c hostname
```
  • Hypervisor System Checks (in log file):

```text
# LOG:
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM Allowed flag value from forensics is vmAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple Monitor Allowed flag value from forensics is multiMonitorAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN Allowed flag value from forensics is vpnAllowedForensic=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Shutdown file monitor started
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM detection value is: vmDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor detection value is: multipleMonitorDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN configuration received from forensics will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN detection value is: vpnDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] USB mass storage detection value is: usbDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Minimum browserlock version required: 2304 
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Current browserlock version: 2402.1.1 
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Check if Browserlock running on VM: {DMI type 1 (System Information) - Product Name}, {DMI type 2 (Base Board Information) - Serial Number}, runningOnVM=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM check: diskSize=499 GB
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Browserlock is not running on virtual machine
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Display HDCP supported check: hdcpSupported=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Number of display devices connected: AWT=1, Physical=1, Physical/Virtual=1, Duplicate=1
```

  • BrowserLock Boolean Variables:

- hdcpSupported
- multiMonitorAllowedForensic
- multipleMonitorDetectConfig
- runningOnVM
- usbDetectConfig
- vmAllowedForensic
- vmDetectConfig
- vpnAllowedForensic
- vpnDetectConfig
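The log above is the only record a reviewer or exam administrator has of which checks BrowserLock actually ran and which were waived by the forensic configuration. The following Python is an added example, not code from the Hypervisor-Phantom repository or from Pearson: it parses lines of the quoted format into the boolean flags, numeric values, version lines and DMI sources, and summarises which detections are both enabled and not waived. The regexes, the detect/allowed flag pairing in `CHECKS` and the version comparison are assumptions drawn only from the flag names shown above; the sample log is constructed from the page's lines with its XXXX timestamp placeholders.

```python
"""Parse BrowserLock forensic log lines into a structured summary.

Added example, not code from the Hypervisor-Phantom repository. The regexes,
the detect/allowed flag pairing in CHECKS and the version comparison are
assumptions drawn only from the flag names quoted on the page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample log: the lines quoted on the page, timestamps left as
# the page's XXXX placeholders.
SAMPLE_LOG = """\
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM Allowed flag value from forensics is vmAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple Monitor Allowed flag value from forensics is multiMonitorAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN Allowed flag value from forensics is vpnAllowedForensic=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM detection value is: vmDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor detection value is: multipleMonitorDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN detection value is: vpnDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] USB mass storage detection value is: usbDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Minimum browserlock version required: 2304
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Current browserlock version: 2402.1.1
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Check if Browserlock running on VM: {DMI type 1 (System Information) - Product Name}, {DMI type 2 (Base Board Information) - Serial Number}, runningOnVM=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM check: diskSize=499 GB
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Display HDCP supported check: hdcpSupported=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Number of display devices connected: AWT=1, Physical=1, Physical/Virtual=1, Duplicate=1
"""

# date, time, component tag, level, free-text message
MSG_RE = re.compile(r"^\S+ \S+ \[BROWSER LOCK\] \[(\w+)\] (.*)$")
BOOL_RE = re.compile(r"\b([A-Za-z]+)=(true|false)\b")   # vmDetectConfig=true
NUM_RE = re.compile(r"\b([A-Za-z/]+)=(\d+)\b")          # diskSize=499, Physical/Virtual=1
VER_RE = re.compile(r"^(Minimum|Current) browserlock version(?: required)?: (\S+)")
DMI_RE = re.compile(r"\{DMI type (\d+) \(([^)]*)\) - ([^}]*)\}")

# Detection category -> (flag that enables the check, flag that waives it).
# This pairing is an assumption from the flag names; it is not documented here.
CHECKS = {
    "vm": ("vmDetectConfig", "vmAllowedForensic"),
    "multi_monitor": ("multipleMonitorDetectConfig", "multiMonitorAllowedForensic"),
    "vpn": ("vpnDetectConfig", "vpnAllowedForensic"),
}


@dataclass
class BrowserLockRun:
    flags: dict = field(default_factory=dict)        # boolean name -> bool
    numbers: dict = field(default_factory=dict)      # numeric name -> int
    versions: dict = field(default_factory=dict)     # "minimum"/"current" -> str
    dmi_sources: list = field(default_factory=list)  # (type, table, field) tuples


def parse_log(text: str) -> BrowserLockRun:
    """Extract every key=value flag, version line and DMI source from the log."""
    run = BrowserLockRun()
    for raw in text.splitlines():
        m = MSG_RE.match(raw.strip())
        if not m:
            continue  # not a BrowserLock line, or a different log format
        msg = m.group(2)
        for name, val in BOOL_RE.findall(msg):
            run.flags[name] = val == "true"
        for name, val in NUM_RE.findall(msg):
            run.numbers[name] = int(val)
        v = VER_RE.match(msg)
        if v:
            run.versions[v.group(1).lower()] = v.group(2)
        run.dmi_sources.extend(DMI_RE.findall(msg))
    return run


def enforced_checks(run: BrowserLockRun) -> list:
    """Categories whose detection is switched on and not waived by forensics."""
    return [cat for cat, (detect, allowed) in CHECKS.items()
            if run.flags.get(detect, False) and not run.flags.get(allowed, False)]


def version_ok(run: BrowserLockRun) -> bool:
    """Compare the leading numeric component of the current vs. minimum version."""
    try:
        cur = int(run.versions["current"].split(".")[0])
        need = int(run.versions["minimum"].split(".")[0])
    except (KeyError, ValueError):
        return False  # a missing or malformed version line fails closed
    return cur >= need


if __name__ == "__main__":
    r = parse_log(SAMPLE_LOG)
    print("enforced checks:", enforced_checks(r))  # ['vm', 'multi_monitor']
    print("runningOnVM:", r.flags["runningOnVM"], "diskSize:", r.numbers["diskSize"], "GB")
    print("DMI fields consulted:", r.dmi_sources)
    print("version ok:", version_ok(r))
```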


Hypervisor Setup Guide
VirtualBox

VirtualBox - VBoxManage Tool Location:

```text
Linux: /usr/bin/VBoxManage
Mac OS X: /Applications/VirtualBox.app/Contents/MacOS/VBoxManage
Oracle Solaris: /opt/VirtualBox/bin/VBoxManage
Windows: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
```

Run these scripts:

  • Configure the VM: VM-External-Modifer.ps1
  • Spoof Windows: VM-Internal-Modifier.ps1

ExecutionPolicy Modifier:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
```

Building a Custom Version

Dependencies

```shell
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y && sudo apt install -y acpica-tools chrpath doxygen g++-multilib libasound2-dev libcap-dev libcurl4-openssl-dev libdevmapper-dev libidl-dev libopus-dev libpam0g-dev libpulse-dev libqt5opengl5-dev libqt5x11extras5-dev qttools5-dev libsdl1.2-dev libsdl-ttf2.0-dev libssl-dev libvpx-dev libxcursor-dev libxinerama-dev libxml2-dev libxml2-utils libxmu-dev libxrandr-dev make nasm python3-dev python-dev qttools5-dev-tools texlive texlive-fonts-extra texlive-latex-extra unzip xsltproc default-jdk libstdc++5 libxslt1-dev linux-kernel-headers makeself mesa-common-dev subversion yasm zlib1g-dev glslang-tools ia32-libs libc6-dev-i386 lib32gcc1 lib32stdc++6
```

Building VirtualBox

```shell
./configure --disable-hardening && source ./env.sh && kmk all
```

VMware

VMware PRO License Key:

MC60H-DWHD5-H80U9-6V85M-8280D

Patching BIOS ROM

  1. Locate file BIOS.440.ROM within %PROGRAMFILES(X86)%\VMware\VMware Workstation\x64.
  2. Utilize Phoenix BIOS Editor to modify compromising DMI Strings, like VMware or Virtual Platform.
  3. Once completed, go to File then Build BIOS and save the patched BIOS somewhere. Don't overwrite the original file!
  4. Now within the *.vmx config file, make sure to add the new patched BIOS location for the bios440.filename argument line.

Set Custom CPUID (optional)


Add the following into your *.vmx:

```text
bios440.filename = "C:\<path_to_your_bios_file>\BIOS.440.PATCH.ROM"
hypervisor.cpuid.v0 = "FALSE"
smbios.reflectHost = "TRUE"
ethernet0.address = "00:C0:CA:A7:2B:9E"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
monitor_control.virtual_rdtsc = "FALSE"
```

IMPORTANT

  • smbios.reflectHost will NOT fully function properly if UEFI firmware is used without the BIOS ROM patch. If you use BIOS firmware instead, you don't have to worry about doing the BIOS ROM patch (you can still do it if you want though).

Run these scripts:

  • Spoof Windows: VM-Internal-Modifier.ps1

ExecutionPolicy Modifier:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
```

QEMU/KVM & PCIe Passthru
QEMU/KVM Guide

Make sure to install curl

```shell
# Arch
sudo pacman -S --noconfirm curl
# Debian
sudo apt install -y curl
# Fedora
sudo dnf install -y curl
```

1. Required Virtualization Packages

Arch

```shell
sudo pacman -S --noconfirm qemu-base edk2-ovmf libvirt dnsmasq virt-manager
```

Debian

```shell
sudo apt -y install qemu-system-x86 ovmf virt-manager libvirt-clients libvirt-daemon-system libvirt-daemon-config-network
```

Fedora

```shell
sudo dnf -yq install @virtualization
```

2. Enabling libvirt

Configuring Libvirt

```shell
libvirtd_conf='/etc/libvirt/libvirtd.conf'
sudo sed -i '/unix_sock_group/s/^#//g' "$libvirtd_conf"
sudo sed -i '/unix_sock_rw_perms/s/^#//g' "$libvirtd_conf"

qemu_conf='/etc/libvirt/qemu.conf'
sudo sed -i "s/#user = \"root\"/user = \"$(whoami)\"/" "$qemu_conf"
sudo sed -i "s/#group = \"root\"/group = \"$(whoami)\"/" "$qemu_conf"
```

Setting up QEMU/KVM driver

```shell
sudo usermod -aG kvm,libvirt "$(whoami)"
sudo systemctl enable --now libvirtd.socket
sudo virsh net-autostart default
```

3. Dependencies

Arch

```shell
sudo pacman -S --noconfirm base-devel glib2 ninja python-sphinx python-sphinx_rtd_theme python-packaging dmidecode libusb
```

Debian

```shell
sudo apt -y install build-essential libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build python3-venv libusb-1.0-0-dev
```

Fedora

```shell
sudo dnf -yq install glib2-devel libfdt-devel pixman-devel zlib-devel bzip2 ninja-build python3 libusb1-devel
```

4. Setting up QEMU

Download & Extract QEMU

```shell
cd "$HOME/Downloads"
curl -sSO "https://download.qemu.org/qemu-8.2.6.tar.xz"
tar xJf "qemu-8.2.6.tar.xz" && cd "qemu-8.2.6"
```

Download & Apply Custom Patch for QEMU

```shell
curl -sSO "https://raw.githubusercontent.com/Scrut1ny/Hypervisor-Phantom/main/v8.2.6.patch"
patch -fsp1 < "v8.2.6.patch"
```

Spoofing hardcoded USB Serial Numbers

```bash
find "$(pwd)/hw/usb" -type f -exec grep -lE '\[(STR|STRING)_SERIALNUMBER\]' {} + | while IFS= read -r file; do
    # Generate a new random serial number
    NEW_SERIAL=$(head /dev/urandom | tr -dc 'A-Z0-9' | head -c 10)

    # Replace all serial number strings in the files
    sed -i -E "s/(\[(STR|STRING)_SERIALNUMBER\] *= *\")[^\"]*/\1${NEW_SERIAL}/" "$file"

    # Print the modification information
    echo -e "\e[32m  Modified:\e[0m '$file' with new serial: \e[32m$NEW_SERIAL\e[0m"
done
```

Spoofing Drive Model & Serial Numbers

```bash
# Define the core file path
core_file="$(pwd)/hw/ide/core.c"

# Generate a new random serial number
NEW_SERIAL=$(head /dev/urandom | tr -dc 'A-Z0-9' | head -c 15)

# Arrays of model strings
IDE_CD_MODELS=(
    "HL-DT-ST BD-RE WH16NS60"
    "HL-DT-ST DVDRAM GH24NSC0"
    "HL-DT-ST BD-RE BH16NS40"
    "HL-DT-ST DVD+-RW GT80N"
    "HL-DT-ST DVD-RAM GH22NS30"
    "HL-DT-ST DVD+RW GCA-4040N"
    "Pioneer BDR-XD07B"
    "Pioneer DVR-221LBK"
    "Pioneer BDR-209DBK"
    "Pioneer DVR-S21WBK"
    "Pioneer BDR-XD05B"
    "ASUS BW-16D1HT"
    "ASUS DRW-24B1ST"
    "ASUS SDRW-08D2S-U"
    "ASUS BC-12D2HT"
    "ASUS SBW-06D2X-U"
    "Samsung SH-224FB"
    "Samsung SE-506BB"
    "Samsung SH-B123L"
    "Samsung SE-208GB"
    "Samsung SN-208DB"
    "Sony NEC Optiarc AD-5280S"
    "Sony DRU-870S"
    "Sony BWU-500S"
    "Sony NEC Optiarc AD-7261S"
    "Sony AD-7200S"
    "Lite-On iHAS124-14"
    "Lite-On iHBS112-04"
    "Lite-On eTAU108"
    "Lite-On iHAS324-17"
    "Lite-On eBAU108"
    "HP DVD1260i"
    "HP DVD640"
    "HP BD-RE BH30L"
    "HP DVD Writer 300n"
    "HP DVD Writer 1265i"
)

IDE_CFATA_MODELS=(
    "SanDisk Ultra microSDXC UHS-I"
    "SanDisk Extreme microSDXC UHS-I"
    "SanDisk High Endurance microSDXC"
    "SanDisk Industrial microSD"
    "SanDisk Mobile Ultra microSDHC"
    "Samsung EVO Select microSDXC"
    "Samsung PRO Endurance microSDHC"
    "Samsung PRO Plus microSDXC"
    "Samsung EVO Plus microSDXC"
    "Samsung PRO Ultimate microSDHC"
    "Kingston Canvas React Plus microSD"
    "Kingston Canvas Go! Plus microSD"
    "Kingston Canvas Select Plus microSD"
    "Kingston Industrial microSD"
    "Kingston Endurance microSD"
    "Lexar Professional 1066x microSDXC"
    "Lexar High-Performance 633x microSDHC"
    "Lexar PLAY microSDXC"
    "Lexar Endurance microSD"
    "Lexar Professional 1000x microSDHC"
    "PNY Elite-X microSD"
    "PNY PRO Elite microSD"
    "PNY High Performance microSD"
    "PNY Turbo Performance microSD"
    "PNY Premier-X microSD"
    "Transcend High Endurance microSDXC"
    "Transcend Ultimate microSDXC"
    "Transcend Industrial Temp microSD"
    "Transcend Premium microSDHC"
    "Transcend Superior microSD"
    "ADATA Premier Pro microSDXC"
    "ADATA XPG microSDXC"
    "ADATA High Endurance microSDXC"
    "ADATA Premier microSDHC"
    "ADATA Industrial microSD"
    "Toshiba Exceria Pro microSDXC"
    "Toshiba Exceria microSDHC"
    "Toshiba M203 microSD"
    "Toshiba N203 microSD"
    "Toshiba High Endurance microSD"
)

DEFAULT_MODELS=(
    "Samsung SSD 970 EVO 1TB"
    "Samsung SSD 860 QVO 1TB"
    "Samsung SSD 850 PRO 1TB"
    "Samsung SSD T7 Touch 1TB"
    "Samsung SSD 840 EVO 1TB"
    "WD Blue SN570 NVMe SSD 1TB"
    "WD Black SN850 NVMe SSD 1TB"
    "WD Green 1TB SSD"
    "WD My Passport SSD 1TB"
    "WD Blue 3D NAND 1TB SSD"
    "Seagate BarraCuda SSD 1TB"
    "Seagate FireCuda 520 SSD 1TB"
    "Seagate One Touch SSD 1TB"
    "Seagate IronWolf 110 SSD 1TB"
    "Seagate Fast SSD 1TB"
    "Crucial MX500 1TB 3D NAND SSD"
    "Crucial P5 Plus NVMe SSD 1TB"
    "Crucial BX500 1TB 3D NAND SSD"
    "Crucial X8 Portable SSD 1TB"
    "Crucial P3 1TB PCIe 3.0 3D NAND NVMe SSD"
    "Kingston A2000 NVMe SSD 1TB"
    "Kingston KC2500 NVMe SSD 1TB"
    "Kingston A400 SSD 1TB"
    "Kingston HyperX Savage SSD 1TB"
    "Kingston DataTraveler Vault Privacy 3.0 1TB"
    "SanDisk Ultra 3D NAND SSD 1TB"
    "SanDisk Extreme Portable SSD V2 1TB"
    "SanDisk SSD PLUS 1TB"
    "SanDisk Ultra 3D 1TB NAND SSD"
    "SanDisk Extreme Pro 1TB NVMe SSD"
)

# Function to get a random element from an array
get_random_element() {
    local array=("$@")
    echo "${array[RANDOM % ${#array[@]}]}"
}

# Select random models
NEW_IDE_CD_MODEL=$(get_random_element "${IDE_CD_MODELS[@]}")
NEW_IDE_CFATA_MODEL=$(get_random_element "${IDE_CFATA_MODELS[@]}")
NEW_DEFAULT_MODEL=$(get_random_element "${DEFAULT_MODELS[@]}")

# Replace the "QM" string with the new serial number in core.c
sed -i -E "s/\"[^\"]*%05d\", s->drive_serial\);/\"$NEW_SERIAL%05d\", s->drive_serial\);/" "$core_file"

# Spoof the IDE_CD drive model string
sed -i -E "s/\"HL-DT-ST BD-RE WH16NS60\"/\"$NEW_IDE_CD_MODEL\"/" "$core_file"

# Spoof the IDE_CFATA drive model string
sed -i -E "s/\"MicroSD J45S9\"/\"$NEW_IDE_CFATA_MODEL\"/" "$core_file"

# Spoof the default drive model string
sed -i -E "s/\"Samsung SSD 980 500GB\"/\"$NEW_DEFAULT_MODEL\"/" "$core_file"

# Print the modification information
echo -e "\e[32m  Modified:\e[0m '$core_file' with new serial: \e[32m$NEW_SERIAL\e[0m"
echo -e "\e[32m  Modified:\e[0m '$core_file' with new IDE_CD model: \e[32m$NEW_IDE_CD_MODEL\e[0m"
echo -e "\e[32m  Modified:\e[0m '$core_file' with new IDE_CFATA model: \e[32m$NEW_IDE_CFATA_MODEL\e[0m"
echo -e "\e[32m  Modified:\e[0m '$core_file' with new default model: \e[32m$NEW_DEFAULT_MODEL\e[0m"
```

Spoofing ACPI Table Strings

```bash
# Array of ACPI Pairs
pairs=(
    'DELL  ' 'Dell Inc' # Dell
    'ALASKA' 'A M I '   # AMD
    'INTEL ' 'U Rvp   ' # Intel
    ' ASUS ' 'Notebook' # Asus
    'MSI NB' 'MEGABOOK' # MSI
    'LENOVO' 'TC-O5Z  ' # Lenovo
    'LENOVO' 'CB-01   ' # Lenovo
    'SECCSD' 'LH43STAR' # ???
    'LGE   ' 'ICL     ' # LG
)

# Generate a random index to select a pair
total_pairs=$((${#pairs[@]} / 2))
random_index=$((RANDOM % total_pairs * 2))

# Extract the randomly selected pair
appname6=${pairs[$random_index]}
appname8=${pairs[$random_index + 1]}

# Replace the "BOCHS" "BXPC" strings in aml-build.h
file="$(pwd)/include/hw/acpi/aml-build.h"
sed -i "s/^#define ACPI_BUILD_APPNAME6 \".*\"/#define ACPI_BUILD_APPNAME6 \"$appname6\"/" "$file"
sed -i "s/^#define ACPI_BUILD_APPNAME8 \".*\"/#define ACPI_BUILD_APPNAME8 \"$appname8\"/" "$file"

# Print the modifications
echo -e "\e[32m  Modified:\e[0m '$file' with new values:"
echo -e "  \e[32m#define ACPI_BUILD_APPNAME6 \"$appname6\"\e[0m"
echo -e "  \e[32m#define ACPI_BUILD_APPNAME8 \"$appname8\"\e[0m"
```

Spoofing CPUID Manufacturer Signature Strings

```bash
# Define the file path
kvm_file="$(pwd)/target/i386/kvm/kvm.c"

# Obtain the CPU Vendor ID
vendor_id=$(lscpu | awk -F': +' '/Vendor ID/ {print $2}')

# Replace the signature strings in kvm.c
sed -i -E "s/(memcpy\(signature, \")[^\"]*(\", 12\);)/\1$vendor_id\2/" "$kvm_file"

# Print the modification information
echo -e "\e[32m  Modified:\e[0m '$kvm_file' with new signature: \e[32m$vendor_id\e[0m"
```

Spoofing CPUID Manufacturer Model Name Strings

```bash
# Define the file path
q35_file="$(pwd)/hw/i386/pc_q35.c"

# Obtain the host CPU manufacturer string (SMBIOS type 4, Processor Information)
manufacturer=$(sudo dmidecode -t 4 | grep 'Manufacturer:' | awk -F': +' '{print $2}')

# Replace the Manufacturer string in pc_q35.c
sed -i "s/smbios_set_defaults(\"[^\"]*\",/smbios_set_defaults(\"$manufacturer\",/" "$q35_file"

# Print the modification information
echo -e "\e[32m  Modified:\e[0m '$q35_file' with new manufacturer: \e[32m$manufacturer\e[0m"
```

5. Building & Installing QEMU

```shell
./configure --target-list=x86_64-softmmu --enable-libusb --disable-werror
sudo make install -j"$(nproc)"
```

6. Clean up (Optional)

```shell
cd .. && sudo rm -rf "qemu-8.2.6" "qemu-8.2.6.tar.xz"
```

PCIe Passthru Guide

Online PCIe Passthrough Guides

1. Make sure to enable the following in the host UEFI/BIOS

| AMD CPU | Intel CPU |
| --- | --- |
| IOMMU | VT-d |
| NX | VT-x |
| SVM | |

Requirements

  • Virtualization Check

```shell
LC_ALL=C lscpu | grep Virtualization && egrep -c '(vmx|svm)' /proc/cpuinfo
```

  • List PCI Devices

```shell
lspci -nn | grep "NVIDIA"
```

or

  • List IOMMU Groups

```bash
#!/bin/bash
shopt -s nullglob
for g in /sys/kernel/iommu_groups/*; do
    echo "IOMMU Group ${g##*/}:"
    for d in "$g"/devices/*; do
        echo -e "\t$(lspci -nns "${d##*/}")"
    done
done
```

Modify grub.cfg

  • GRUB_CMDLINE_LINUX_DEFAULT="amd_iommu=on iommu=pt vfio-pci.ids=XXXX:XXXX,XXXX:XXXX,XXXX:XXXX,XXXX:XXXX"

```shell
sudo nano /etc/default/grub
```


Update grub.cfg & reboot

```shell
sudo update-grub && sudo reboot now
```

Modify vfio.conf (isolate GPU)

  • options vfio-pci ids=XXXX:XXXX,XXXX:XXXX,XXXX:XXXX,XXXX:XXXX
  • softdep nvidia pre: vfio-pci

```shell
sudo nano /etc/modprobe.d/vfio.conf
```


Update initramfs

```shell
sudo update-initramfs -c -k "$(uname -r)" && sudo reboot now
```

Check the kernel driver in use for the isolated GPU (it should be vfio-pci):

```shell
lspci -k | grep -E "vfio-pci|NVIDIA"
```

VMM Guide

Virtual Machine Manager Guide

  1. Create a new virtual machine
  2. Local install media (ISO image or CDROM)
  3. Select a Windows ISO and enter the OS you're using
  4. Set a realistic amount of RAM (make sure it's half of the full amount)

| GB | MBs |
| --- | --- |
| 8 | 8192 |
| 16 | 16384 |
| 32 | 32768 |

  5. Set 1 less than the maximum number of CPUs available
  6. Set a virtual disk size of 250GB or more
  7. Select "Customize configuration before install" and finish
  8. Select UEFI x86_64:/usr/share/OVMF/OVMF_CODE_4M.ms.fd for the Firmware, then apply
     8a. If you want to use Windows 11 you need to use UEFI x86_64:/usr/share/qemu/edk2-x86_64-secure-code.fd instead
  9. Under CPUs, check Copy host CPU configuration (host-passthrough)
     9a. Drop down Topology and check Manually set CPU topology, then input whatever works with your system, then apply

| Sockets | Cores | Threads |
| --- | --- | --- |
| 1 | X | X |

  10. Under Boot Options check SATA CDROM 1, then apply
  11. Under SATA Disk 1 and SATA CDROM 1 drop down Advanced options and set a random custom serial #, then apply
  12. Under NIC:XX:XX:XX select the drop down menu and pick hypervisor default
      12a. Set a custom MAC address, making sure the vendor isn't a hypervisor vendor, then apply
  13. Select Add Hardware and under PCI Host Device add ALL devices under the isolated GPU IOMMU group you figured out earlier
  14. Now select Begin Installation, and enjoy your new undetectable Windows system!

QEMU XML Config

```xml
<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
  <!-- You should keep the RAM amount at a realistic value: 16, 12, 8, 6, 4 GiB are all more or less common -->
  <memory unit="G">12</memory>
  <currentMemory unit="G">12</currentMemory>
  <!-- ... -->

  <os>
    <smbios mode="host"/>
  </os>

  <features>
    <acpi/>
    <apic/>
    <!-- set mode to "passthrough" if you use nested-virtualization to protect against timing attacks -->
    <hyperv mode="custom">
      <relaxed state="on"/>
      <vapic state="on"/>
      <spinlocks state="on" retries="8191"/>
      <vpindex state="on"/>
      <runtime state="on"/>
      <synic state="on"/>
      <stimer state="on"/>
      <reset state="on"/>
      <vendor_id state="on" value=""/>
      <frequencies state="on"/>
    </hyperv>
    <kvm>
      <hidden state="on"/>
    </kvm>
    <vmport state="off"/>
  </features>

  <cpu mode="host-passthrough" check="none">
    <topology sockets="1" dies="1" cores="8" threads="2"/>
    <cache mode="passthrough"/>
    <feature policy="disable" name="hypervisor"/>
    <feature policy="require" name="invtsc"/>
    <feature policy="require" name="topoext"/>
    <feature policy="require" name="svm"/> <!-- If you use an Intel CPU, change "svm" to "vmx" -->
  </cpu>

  <clock offset="localtime">
    <timer name="tsc" present="yes" mode="native"/>
    <timer name="hypervclock" present="yes"/>
  </clock>

  <!-- Emulates suspend functionality present on real hardware -->
  <pm>
    <suspend-to-mem enabled="yes"/>
    <suspend-to-disk enabled="yes"/>
  </pm>

  <devices>
    <!-- You can compile QEMU multiple times with different patches
      as long as you point libvirt to the correct one -->
    <emulator>/root/spoofed/qemu-system-x86_64</emulator>
    <!-- If you have a second drive and a little bit of luck,
     you could pass through the SATA/NVMe controller and have better performance than VirtIO + stay hidden -->
    <disk type="file" device="disk"> <!-- Use block devices (partitions) for better performance -->
      <driver name="qemu" type="raw" cache="none" io="native" discard="unmap"/> <!-- use io="threads" in block mode: https://events19.lfasiallc.com/wp-content/uploads/2017/11/Storage-Performance-Tuning-for-FAST-Virtual-Machines_Fam-Zheng.pdf -->
      <source file="/var/lib/libvirt/images/win10.img"/>
      <!-- Use SATA to avoid using the VirtIO driver -->
      <target dev="sda" bus="sata"/>
      <!-- Set a custom serial for every VM -->
      <serial>590347474223828</serial>
      <boot order="1"/>
      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
    </disk>

    <interface type="network">
      <!-- Set a custom MAC address for every VM -->
      <mac address="f0:bc:8e:cd:6e:ec"/>
      <source network="default"/>
      <!-- Again, don't use VirtIO -->
      <model type="e1000e"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>

    <!-- TPM in passthrough mode is the most well hidden option for Windows 11 -->
    <tpm model="tpm-tis">
      <backend type="passthrough">
        <device path="/dev/tpm0"/>
      </backend>
    </tpm>

    <!-- Other devices -->

    <memballoon model="none"/>
  </devices>

  <qemu:commandline>
    <qemu:arg value="-smbios"/>
    <!-- Replace with your output of `# dmidecode -t 17` -->
    <qemu:arg value="type=17,manufacturer=KINGSTON,loc_pfx=DDR4,speed=3200,serial=XXXXXX,part=XXXX"/>
  </qemu:commandline>
  <qemu:override>
    <qemu:device alias="sata0-0-0">
      <qemu:frontend>
        <qemu:property name="rotation_rate" type="unsigned" value="1"/>
      </qemu:frontend>
    </qemu:device>
  </qemu:override>
</domain>
```
Looking Glass Guide

Looking Glass Setup Guide

  • Client usage
  • KVM (Kernel-based Virtual Machine) configured for VGA PCI Pass-through without an attached physical monitor, keyboard or mouse.

Add this to your .XML file in the devices section:

```xml
    <shmem name='looking-glass'>
      <model type='ivshmem-plain'/>
      <size unit='M'>32</size>
    </shmem>
```


Dependencies

```shell
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y && sudo apt install -y binutils-dev cmake fonts-dejavu-core libfontconfig-dev gcc g++ pkg-config libegl-dev libgl-dev libgles-dev libspice-protocol-dev nettle-dev libx11-dev libxcursor-dev libxi-dev libxinerama-dev libxpresent-dev libxss-dev libxkbcommon-dev libwayland-dev wayland-protocols libpipewire-0.3-dev libpulse-dev libsamplerate0-dev
```

Create a new file

```shell
sudo nano /etc/tmpfiles.d/10-looking-glass.conf
```

  • Give it the following contents

```text
# Type Path               Mode UID  GID Age Argument
f /dev/shm/looking-glass 0660 user kvm -
```

Granting Permissions

```shell
touch /dev/shm/looking-glass && chown "$USER":kvm /dev/shm/looking-glass && chmod 660 /dev/shm/looking-glass
```

Download/Build/Install LookingGlass

```shell
curl -sSL https://looking-glass.io/artifact/stable/source -o latest.tar.gz && tar -zxvf latest.tar.gz && rm -rf latest.tar.gz

cd looking-glass-* && mkdir client/build && cd client/build && cmake ../ && make && sudo make install

./looking-glass-client
```

Testing it out...

Important Tips
  • Encrypt DNS Queries: Utilize DNS-over-HTTPS (DoH) to encrypt your DNS queries. Unlike unencrypted DNS, DoH conceals the websites you visit, leaving only the external IP address visible to observers.
  • Opt for a VPN: Use a VPN to obscure all your internet traffic. However, be cautious with popular VPN services as their IP ranges may be blacklisted by certain proctoring or anti-cheat systems.
  • Allocate Sufficient VM Storage: Equip your VM with at least 128GB of storage. VMs with lower storage capacities may be more easily identified or flagged by monitoring systems.
  • System Up Time: Leave the hypervisor running for at least 12+ minutes to bypass the GetTickCount() check.
Useful Software

References & Help

General
VirtualBox
VMware
QEMU

Common Error Solutions

Unable to complete install: 'internal error: cannot load AppArmor profile '{UUID}''

  • Set security_driver = "none" in /etc/libvirt/qemu.conf

```text
#       security_driver = [ "selinux", "apparmor" ]
#security_driver = "selinux"
security_driver = "none"
```

  • Restart the libvirtd service

```shell
systemctl restart libvirtd.service
```

NVIDIA Error 43

  • Add this line in the <hyperv/> section in the QEMU XML:

```xml
<vendor_id state="on" value="AuthenticAMD"/>
```

Error starting domain: internal error: qemu unexpectedly closed the monitor:

```text
Error starting domain: internal error: qemu unexpectedly closed the monitor: 2021-08-02T17:52:25.005284Z qemu-system-x86_64: backing store size 0x2000000 does not match ‘size’ option 0x4000000
```

Step 1:

```shell
rm /dev/shm/looking-glass
```

Step 2:

```xml
    <shmem name="looking-glass">
      <model type="ivshmem-plain"/>
      <size unit="M">128</size>
      <address type="pci" domain="0x0000" bus="0x10" slot="0x01" function="0x0"/>
    </shmem>
```

  • Change the memory size number to 32, 64, 128, etc. (whatever is needed)

Step 3:

```shell
touch /dev/shm/looking-glass && sudo chown "$USER":kvm /dev/shm/looking-glass && chmod 660 /dev/shm/looking-glass
```

  • Now try to run your hypervisor again.
Elgato Capture Card - OBS Black Screen
  • Some of Elgato's capture cards, leveraging UVC (USB Video Class) technology, operate seamlessly without requiring additional drivers. As UVC devices, they adhere to a standard protocol for transmitting video and audio data over USB connections. This plug-and-play functionality ensures compatibility with various operating systems, enabling effortless setup and use for capturing high-quality video content.

Step 1:

Download & Install the latest 4K CAPTURE UTILITY software from Elgato downloads page

Step 2:

Open Elgato 4K Capture Utility software and let the software initialize the UVC device and firmware.

Step 3:

Now select the settings icon on the top right of the software utility, and select Check for Updates.... (It should do it automatically already, but just make sure the firmware is on the latest version available.)

Step 4 (for Linux users):

Connect the capture card device back to your Linux host system now and open OBS, you should now see a valid output instead of a black screen.

Elgato Gaming Hardware Drivers

| Device | Driver Status |
| --- | --- |
| Elgato Cam Link | No driver since it's a UVC device |
| Elgato Cam Link 4K | No driver since it's a UVC device |
| Elgato Cam Link Pro | Latest Elgato Cam Link Pro Drivers for Windows |
| Elgato Game Capture HD | Latest Elgato Game Capture HD Drivers for Windows |
| Elgato Game Capture HD60 | Latest Elgato Game Capture HD60 Drivers for Windows |
| Elgato Game Capture HD60 S | Latest Elgato Game Capture HD60 S Drivers for Windows |
| Elgato Game Capture HD60 S+ | No driver since it's a UVC device |
| Elgato Game Capture HD60 Pro | Latest Elgato Game Capture HD60 Pro Drivers |
| Elgato Game Capture HD60 X | No driver since it's a UVC device |
| Elgato Game Capture 4K60 Pro | Latest Elgato Game Capture 4K60 Pro Drivers |
| Elgato Game Capture 4K60 Pro MK.2 | Latest Elgato Game Capture 4K60 Pro MK.2 Drivers |
| Elgato Game Capture 4K60 S+ | Latest Elgato Game Capture 4K60 S+ Drivers |
| Elgato 4K Pro | Latest Elgato 4K Pro Drivers |

Misc. Stuff

CompTIA Certification Stuff

CompTIA Certification Information:


Valid Coupon Codes:

  • One time use for all. (10%)
MCGRAW10
  • Just for Sec+
SECURITYVUE

Exam Study Resource Websites

Exam Dump Websites

Security+

ChatGPT Prompt

I'll provide questions with possible answers, I need you to reply with only the correct answer(s). Just state the answer; no explanations.

Search Engine Prompts

Security+

CompTIA Security+ SY0-701 Quizlet

Attack Description Network Infection

Network+

CompTIA Network+ N10-008 Quizlet

A+

CompTIA A+ 220-1101 Quizlet
CompTIA A+ 220-1102 Quizlet
Pearson VUE (OnVUE)

Pearson OnVUE Online Exam Tips

Before Your Exam:

  • Know the Exam Rules: Ignorance isn't an excuse for breaking rules.
  • Room Setup: A clean, quiet space is ideal. Open spaces are fine if you ensure privacy. Background noise like alarms or construction is generally okay, but voices may prompt a room check.
  • Preparation: Clear your desk except for necessary items. Apply for accommodations if needed for health reasons. Use the restroom and moderate your water intake before starting. Avoid using work computers due to potential restrictions. Ensure your computer has an external microphone, as headphones are not allowed.

Common Mistakes:

  • Strict Rule Enforcement: Proctors strictly follow rules; personal circumstances (e.g., needing a restroom break) aren't considered exceptions.
  • Technical Readiness: Have your laptop charger plugged in. Starting your exam means you cannot leave for any reason, including to grab your charger.
  • Exam Start: The exam is considered started once you see the "Welcome" screen. Don’t leave your seat, use your phone, or fetch items after this point.
  • Avoid Distractions: Don’t touch your phone or read questions aloud to prevent suspicion of cheating.
  • Proper Closure: After finishing, ensure you exit the application completely to end the exam session.

General Info:

  • Proctors can't assist with exam content or scoring.
  • When unsure about rules, use the chat feature to ask.
  • Proctors do monitor you with help from AI to detect unusual behaviors.
  • Note taking is not allowed with pen and paper.
  • Your exam session is recorded.

Example video of the OnVUE setup process:

onvue.mp4
Schedule an exam (OnVUE) Steps

Steps 1 through 8 (screenshots)

Taking an exam (OnVUE) Steps

Steps 1 through 12 (screenshots)

Renewing Multiple Certifications Steps

(screenshot)