
#1 2021-01-13 22:10:17

tomsk
Member
Registered: 2016-12-17
Posts: 170

Spoof KVM and hide it from guest

Hello,

I don't know if this is the right forum category to post this issue in, but this issue can be solved by modifying the kernel.

Background:
I use KVM with GPU passthrough for gaming (running Windows 10). I had been using this solution for over a year without issue, but now I found a problem with some games. In particular I was playing Escape From Tarkov, and I can't play because they kick me: they detect that I am in a virtual machine. They use an anticheat called Battleye. Battleye even posted an official statement, found here https://twitter.com/thebattleye/status/ … 89?lang=en, because they consider a VM an untrusted environment. There is even a post about it here https://forum.level1techs.com/t/warning … ban/160059, where some players were banned in the game Rainbow Six.

So I downloaded Paranoid Fish and this is my result:

[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit
[pafish] CPU VM traced by checking hypervisor bit in cpuid feature bits
[pafish] Sandbox traced using mouse activity
[pafish] Bochs traced using Reg key HKLM\HARDWARE\Description\System "SystemBiosVersion"

I wonder how I could hide all these 4 traces that I am in a VM. From what I read somewhere on reddit, I found that for Battleye it is enough to solve this one:

[pafish] CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit

I found that there is a solution for changing the kernel code to solve "CPU VM traced by checking the difference between CPU timestamp counters (rdtsc) forcing VM exit" here: https://www.reddit.com/r/VFIO/comments/ … urce=share, they were modifying code inside arch/x86/kvm/vmx/vmx.c.

You may be asking why I am posting this question if I already have a solution. I am asking because I don't trust some random code on reddit, and I am looking for somebody with experience with it; plus that post on reddit has already been edited multiple times and I am already lost :D

I didn't find anything on how I could hide "CPU VM traced by checking hypervisor bit in cpuid feature bits".

In a perfect scenario I would like to solve all 4 traces.

Side question:
Is there any disadvantage to hiding the information that the guest is running in a VM? Can there be some performance impact?

Last edited by tomsk (2021-01-13 22:10:40)


I use several linux distros like: Archlinux, Ubuntu, Fedora, Linux Mint

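For readers who want to see what the first two pafish lines above actually measure, here is an added example that is not part of the thread, of pafish, or of the reddit kernel patch: a small C program reimplementing the two CPU-level checks from their description. The hypervisor bit is CPUID.1:ECX bit 31, which is reserved on bare metal and set by KVM unless the guest CPU is configured without it. The rdtsc check times a CPUID instruction, which always exits to the hypervisor under VT-x/AMD-V, so the cycle delta is much larger inside a guest. The 1000-cycle threshold and the 10-round average are assumptions of this example (pafish's own constants may differ); the x86 guard only exists so the file compiles elsewhere.

```c
/* Added example: pafish-style VM checks reimplemented from the thread's
 * description. Not pafish source, not the reddit vmx.c patch. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid(), __cpuid() macro */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0      /* not x86: the checks become no-ops */
#endif

/* Check 1: CPUID leaf 1, ECX bit 31 ("hypervisor present").
 * Returns 1 when a hypervisor advertises itself, 0 otherwise. */
int hypervisor_bit_set(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;               /* leaf 1 unsupported: cannot tell */
    return (ecx >> 31) & 1;
#else
    return 0;
#endif
}

/* Check 2: average cycles for rdtsc; cpuid; rdtsc over `rounds` runs.
 * CPUID is an unconditional VM exit, so inside a guest the delta includes
 * a full round trip through the hypervisor (typically >1000 cycles),
 * while bare metal stays in the low hundreds. rdtsc is not serialising,
 * which is fine for this coarse comparison. */
double rdtsc_cpuid_delta_avg(int rounds)
{
#if HAVE_X86
    double total = 0;
    for (int i = 0; i < rounds; i++) {
        unsigned int eax, ebx, ecx, edx;
        uint64_t t0 = __rdtsc();
        __cpuid(0, eax, ebx, ecx, edx);   /* forced VM exit in a guest */
        uint64_t t1 = __rdtsc();
        total += (double)(t1 - t0);
    }
    return rounds > 0 ? total / rounds : 0;
#else
    (void)rounds;
    return 0;
#endif
}

/* Verdict helper: 1 = "VM traced". The threshold is the caller's;
 * 1000 cycles below is an assumption for this example. */
int vm_traced_by_rdtsc(double avg_cycles, double threshold)
{
    return avg_cycles > threshold;
}

int main(void)
{
    const double threshold = 1000.0;     /* assumed, see lead-in */
    double avg = rdtsc_cpuid_delta_avg(10);

    printf("cpuid hypervisor bit: %s\n",
           hypervisor_bit_set() ? "set (VM traced)" : "clear");
    printf("rdtsc;cpuid;rdtsc average: %.0f cycles -> %s\n", avg,
           vm_traced_by_rdtsc(avg, threshold) ? "VM traced" : "not traced");
    return 0;
}
```

Run it once on the host and once inside the Windows-free test guest (any Linux guest on the same KVM box) and compare: a `-hypervisor` CPU flag will flip the first line, but the second line stays high in the guest no matter what CPUID reports, which is why the thread ends up looking at the vmx.c exit path rather than at CPU flags.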

#2 2021-01-13 23:29:44

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,740

Re: Spoof KVM and hide it from guest

I am not a gamer.  What rights does their license grant you in permitting you to run their copyrighted code?  Is one of their conditions that you do not have permission to run it on a VM?


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way


#3 2021-01-14 10:38:37

tomsk
Member
Registered: 2016-12-17
Posts: 170

Re: Spoof KVM and hide it from guest

I don't think you lack permission to run a game using Battleye in a VM; technically you have permission, because there are services like Stadia, GeForce NOW and ShadowPC which use VMs for cloud gaming, and as far as I know on ShadowPC it is working fine, so they made some workarounds or something. I want to do a similar workaround too; these cloud gaming platforms technically use similar technology to me.

If you look at their statement https://twitter.com/TheBattlEye/status/ … 2186720263, they know that there is a big Linux community which uses VMs for gaming, and they just block them because they cannot support us; instead of making their anticheat more intelligent, like using some heuristic methods, they just block every single VM.

Last edited by tomsk (2021-01-14 10:39:49)




#4 2021-01-14 10:57:05

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: Spoof KVM and hide it from guest

tomsk wrote:

Battleye even posted official statement found here https://twitter.com/thebattleye/status/ … 89?lang=en, because they consider VM as untrusted environment.

As per the thread,

thebattleye wrote:

We want to emphasize that we do not ban anyone for simply running the game in a VM, but as always we will ban any users who actively try to bypass our measures.

That would, presumably, invite a ban if attempts were made to actively bypass VM detection measures.


--
saint_abroad


#5 2021-01-14 11:09:37

tomsk
Member
Registered: 2016-12-17
Posts: 170

Re: Spoof KVM and hide it from guest

I understand that I can be banned, but what is the difference between being banned and not being able to play that game? It is the same; by bypassing I at least have some chance to play. And as I said, they are not going to hunt down VM players, because look at cloud gaming platforms: they are fine for now, and a lot of players use them, so they cannot ban just every VM, and if they don't ban these cloud gaming providers too, there will always be some workaround.

I would even be willing to provide them some API for my VM so that they can check if I am cheating or not, because I have never cheated, I don't want to, and I hate cheaters; I just want to play some games.

Last edited by tomsk (2021-01-14 11:15:45)




#6 2021-01-14 11:46:54

sabroad
Member
Registered: 2015-05-24
Posts: 242

Re: Spoof KVM and hide it from guest

tomsk wrote:

what is difference between being banned and not being able to play that game?

Unappealing as it sounds, you can always dual-boot to play... unless you get yourself perm-banned trying to actively bypass VM detection measures.

tomsk wrote:

I just want to play some games.

Personally, I just buy games that run on Linux. You'll need to make a choice on whether you want to continue to support their behaviour.



#7 2021-01-14 15:48:09

tomsk
Member
Registered: 2016-12-17
Posts: 170

Re: Spoof KVM and hide it from guest

For me Escape From Tarkov is the only game I play which uses the Battleye anticheat, and I don't want to use dual boot, because I created the KVM with GPU passthrough precisely because I don't want to use dual boot, and for another system + game (through dual boot) I would have to buy another drive.

I know that I can be banned, but I take that risk. In my humble opinion they cannot just perm-ban every VM trying to bypass their VM detection measures, because as I said, look at cloud gaming providers: that would mean they would ban these cloud gaming providers too, and I don't think they can, or they will make another gamers' community angry.




#8 2021-01-14 20:16:01

Slithery
Administrator
From: Norfolk, UK
Registered: 2013-12-01
Posts: 5,776

Re: Spoof KVM and hide it from guest

tomsk wrote:

I know that I can be banned, but I take that risk. In my humble opinion they cannot just perm-ban every VM trying to bypass their VM detection measures, because as I said, look at cloud gaming providers: that would mean they would ban these cloud gaming providers too, and I don't think they can, or they will make another gamers' community angry.

You are assuming that the cloud-gaming providers have the same license and restrictions for the game that you do.

They don't.


No, it didn't "fix" anything. It just shifted the brokeness one space to the right. - jasonwryan
Closing -- for deletion; Banning -- for muppetry. - jasonwryan

aur - dotfiles


#9 2021-01-14 20:46:08

tomsk
Member
Registered: 2016-12-17
Posts: 170

Re: Spoof KVM and hide it from guest

Slithery wrote:
tomsk wrote:

I know that I can be banned, but I take that risk. In my humble opinion they cannot just perm-ban every VM trying to bypass their VM detection measures, because as I said, look at cloud gaming providers: that would mean they would ban these cloud gaming providers too, and I don't think they can, or they will make another gamers' community angry.

You are assuming that the cloud-gaming providers have the same license and restrictions for the game that you do.

They don't.

It is possible, so I would like to go back to the topic. :)




#10 2021-01-14 23:45:29

rowdog
Member
From: East Texas
Registered: 2009-08-19
Posts: 118

Re: Spoof KVM and hide it from guest

I would think you could hide those "4 traces". I recommend that you study C, Linux, virtualization and, I'd imagine Windows too. Shouldn't take more than about 5 years. The bad news is that it's a fool's errand because there's always a way for a guest to determine that it's running in a hypervisor: cache timing, branch prediction, etc.


#11 2021-01-15 11:41:56

tomsk
Member
Registered: 2016-12-17
Posts: 170

Re: Spoof KVM and hide it from guest

I know that there will always be a way to find out if the guest is running in a VM, for example even with memory latency. I know this issue, but I would like to solve at least these 4 things for now, and it is good against malware anti-VM techniques too, like here: https://rayanfam.com/topics/defeating-m … tructions/




#12 2021-08-01 15:49:04

Simulacrum
Member
Registered: 2017-02-23
Posts: 28

Re: Spoof KVM and hide it from guest

Hey man,

after all the guys posting so many helpful replies, I wanted to ask if you got any solutions.
I found the reddit post a few days ago. I have the exact same problem as you (and the exact same reason to fix it). Mouse activity could be "solved" by just using the mouse while running pafish. The kernel modification mentioned in the reddit post didn't solve it for me, as the VM isn't booting with the modified kernel. This problem still persists if I add:

<qemu:arg value="-cpu"/>
<qemu:arg value="host,rdtscp=off,hv_time,kvm=off,hv_vendor_id=null,-hypervisor"/>

to the XML of the VM. I modified the kernel following this tutorial:
https://github.com/WCharacter/RDTSC-KVM-Handler

The VM boots now, but the pafish tests still fail.

I hid SystemBiosVersion using the (guest) registry values, which works (at least for pafish; I haven't tried al-khaser yet).

If you want to, we can stay in touch. Maybe we find a solution together.


Best wishes
S.

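For anyone reproducing the qemu:arg line from the post above in plain libvirt XML, here is an added example; it is not from the thread, the reddit post or the RDTSC-KVM-Handler repository, and the vendor_id string is an arbitrary placeholder. It covers only the traces that are visible through CPUID and the Hyper-V enlightenments: `<kvm><hidden state='on'/></kvm>` is libvirt's spelling of `kvm=off` (hides the KVM CPUID signature leaf), `<feature policy='disable' name='hypervisor'/>` is `-hypervisor` (clears CPUID.1:ECX bit 31, the "hypervisor bit" pafish reports), `<feature policy='disable' name='rdtscp'/>` is `rdtscp=off`, and `<hyperv><vendor_id/></hyperv>` plus the `hypervclock` timer correspond to `hv_vendor_id` and `hv_time`. Setting these through `<cpu>`/`<features>` instead of `<qemu:commandline>` lets libvirt keep generating the rest of the `-cpu` line for you.

```xml
<domain type='kvm'>
  <!-- ... name, memory, devices etc. unchanged ... -->
  <features>
    <acpi/>
    <apic/>
    <hyperv>
      <!-- hv_vendor_id: any 12-byte string; placeholder value here -->
      <vendor_id state='on' value='GenuineIntel'/>
    </hyperv>
    <kvm>
      <!-- kvm=off: do not expose the "KVMKVMKVM" CPUID signature -->
      <hidden state='on'/>
    </kvm>
  </features>
  <cpu mode='host-passthrough' check='none'>
    <!-- -hypervisor: clear CPUID.1:ECX[31] -->
    <feature policy='disable' name='hypervisor'/>
    <!-- rdtscp=off, as in the qemu:arg line above -->
    <feature policy='disable' name='rdtscp'/>
  </cpu>
  <clock offset='localtime'>
    <!-- hv_time -->
    <timer name='hypervclock' present='yes'/>
  </clock>
</domain>
```

Two caveats a practitioner will want to check before expecting a different pafish result. First, these settings change only what the guest is told; the "rdtsc ... forcing VM exit" line measures how long CPUID takes, and CPUID still traps to KVM regardless of the flags, which is why the thread ends up in arch/x86/kvm/vmx/vmx.c rather than in the domain XML. Second, after editing, confirm the flags actually reached QEMU with `virsh dumpxml <domain>` and by grepping the running `qemu-system-x86_64` command line for `-hypervisor` and `kvm=off`; a libvirt version that does not understand an element silently drops it.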
