Hi all,
I’ve been using Qubes for a while now, but there are a couple of things I’ve really been missing from Windows (including but not limited to gaming), and I was wondering if anybody has thought about developing a guide to making a stealthy Windows qube which is difficult to detect as one? I know guides exist out there for things like VMware, but I have no idea if/how those translate over.
Thanks!
I am not sure what exactly a “stealthy” Windows (qube) means. Can you elaborate, please?
Basically, a Windows qube that has no indicators of being a VM (Hyper-V status, drivers, HWIDs, etc.), since quite a lot of software, especially games, has started checking for these signs.
It’s not possible as of now, because if you go to Computer Management, you’ll see a bunch of Qubes/Xen references there. Is it doable? I’d advise you to ask the devs via GitHub.
This is not going to be easy, considering that one would need to hide its presence from several low- and high-level tricks, rather than only from the human eye.
Some food for thought: GitHub - a0rtega/pafish: Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
And related entries, e.g. from the most recent issue in that repository: How anti-cheats detect system emulation | secret club
Not easily, and almost certainly not within the Qubes model/hypervisor.
A hypervisor (especially on Intel) cannot be stealthy if you set out to look for it. There’s simply no way to hide the mandatory exit latencies, no matter what you do. If you have an external wall clock (which a gaming VM would have access to over the network), just run a tight CPUID loop. It’s a few cycles on the iron, at best about 1000 cycles in a VM. You can trivially measure the difference, and there are a range of other things you can do that are also “fast on hardware, glacial in a VM.” Most OSes don’t do those things, but if you want to find out if you’re in a VM, they’re useful.
Build a separate gaming box and don’t trust it with anything important.
It’s not a thing that can be fixed, at least on Intel (I believe AMD can skip CPUID exits, but then it’s returning full hardware specs, which will not match the VM - so just a different way of detecting the environment - not familiar with SVM nearly as deeply as VMX, sorry).
CPUID is, on Intel hardware, a mandatory exit from virtualization. A world switch, from guest to host, is a few hundred cycles, before the hypervisor has a chance to execute anything, and the entry back into the VM is similar. Hypervisors tend to handle CPUID quickly, but they can’t do anything about the VMExit/VMEntry latencies. So it’s a pretty good way to detect a stealth hypervisor.
You can defeat most techniques used to detect hypervisors, one at a time, but if someone really wants to find out that they’re in a hypervisor, and you haven’t fooled the external time sources it uses (which if it can connect to literally anything on the internet, it can get in some way or another), it can detect that it’s in a guest.
I’ve no idea what modern games do to detect it, though. I don’t game.
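To make the “tight CPUID loop” argument above concrete, here is an added C example (not code from the thread or from the Qubes project) that times CPUID with the TSC so you can check how easily your own qube stands out by this method. The 500-cycle threshold and the sample count are assumptions chosen for illustration, not calibrated values.

```c
// Added example: measure the per-call cost of CPUID with RDTSC.
// CPUID forces a VM exit on Intel VMX, so its cost in a guest is dominated
// by the exit/entry round trip rather than by the instruction itself.
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      // __cpuid macro (GCC/Clang)
#include <x86intrin.h>  // __rdtsc
#endif

/* 1 when this build can actually execute CPUID/RDTSC, else 0. */
int cpuid_available(void) {
#if defined(__x86_64__) || defined(__i386__)
    return 1;
#else
    return 0;
#endif
}

/* TSC ticks consumed by one CPUID (leaf 0); 0 on non-x86 builds.
 * CPUID is serializing, so the two RDTSC reads bracket it cleanly.
 * Caveat: a hypervisor that also traps RDTSC inflates every reading. */
static uint64_t cpuid_cycles_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median over n samples; the median ignores the occasional interrupt spike. */
uint64_t median_cpuid_cycles(size_t n) {
    uint64_t *s = malloc(n * sizeof *s);
    if (!s || n == 0) { free(s); return 0; }
    for (size_t i = 0; i < n; i++) s[i] = cpuid_cycles_once();
    qsort(s, n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* Assumed threshold: the thread's rule of thumb is "a few cycles on the iron,
 * about 1000 in a VM", so anything well above a few hundred is suspicious. */
int looks_virtualized(uint64_t median_cycles) { return median_cycles > 500; }

int main(void) {
    uint64_t m = median_cpuid_cycles(2000);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)m,
           looks_virtualized(m) ? "consistent with a VM exit" : "consistent with bare metal");
    return 0;
}
```

Run it once on the host and once inside the qube; the gap between the two medians is the signal the thread is talking about.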