Awesome
Info & Guide
<details>
<summary>Exam Software</summary>

Software | Browser Extension | System Test | Bypassed |
---|---|---|---|
VMAware | Link | ||
Pafish | Link | ✅ | |
Al-Khaser | Link | ❔ | |
Safe Exam Browser | Link | ✅ | |
Pearson VUE | Link | ✅ | |
ProctorU | ✅ | FF Addon or Chrome Addon | ✅ |
ProctorU: Guardian Browser | Link | ✅ | |
Proctorio | ✅ | Link | ✅ |
Examity | ✅ | New Platform System Check or Chrome Addon or FF Addon | ✅ |
ExamSoft: Examplify | ✅ | ??? | ✅ |
Respondus (LockDown Browser) | ✅ | Link & Download | ✅ |
Kryterion | Link | ✅ | |
Honorlock | ✅ | Link | ✅ |
Inspera Exam Portal | Link - Demo Exam Instructions | ✅ |

Type | Engine | Bypassed | Used By |
---|---|---|---|
Anti-Cheat | Anti-Cheat Expert (ACE) | ✅ | Primarily Mobile Games |
Anti-Cheat | BattlEye (BE) | ✅ (With RDTSC VM Force Exit Kernel Patch) | Desktop Games |
Anti-Cheat | Easy Anti-Cheat (EAC) | ✅ | Desktop Games |
Anti-Cheat | Gepard Shield | ✅ (With RDTSC VM Force Exit Kernel Patch) | |
Anti-Cheat | Hyperion | ✅ | Roblox |
Anti-Cheat | Mhyprot | ✅ | Genshin Impact |
Anti-Cheat | nProtect GameGuard (NP) | ✅ | Desktop Games |
Anti-Cheat | RICOCHET | ✅ | Call of Duty Games |
Anti-Cheat | Vanguard | ‼️(1: Incorrect function) | Valorant |
Encrypt | Enigma Protector | ✅ | |
Encrypt | Safegine Shielden | ✅ | |
Encrypt | Themida | ✅ | |
Encrypt | VMProtect | ✅ | |
Encrypt | VProtect | ✅ |
- ‼️ Some games cannot run under this environment, but I'm not sure whether qemu has been detected. The game doesn't say "Virtual machine detected" specifically.
Bypassing HDCP Visual Graph:

Capture Card Format Support:

Cheapo Bypass Kit:

Elegant Bypass Kit (Recommended):

- 1x2 HDMI Splitter ($20-30) > ViewHD
- EDID Emulator ($20) > HD-EWB
- USB HDMI Capture Card ($130-200) > Elgato HD60 X
Equipment
- Capture Card(s)
- 1x2 HDMI Splitter(s)
- EDID Emulator(s)
Bring live video from your smartphone, remote computer, or friends directly into OBS or other studio software.
VB-CABLE Virtual Audio Device
Virtual Display Driver
</details>
<details>
<summary>VPN + Hypervisor</summary>

- IMPORTANT: Ensure not to add a custom DNS configuration to the guest system on the hypervisor if your host system's VPN uses custom DNS block lists. Doing so may result in your guest hypervisor system losing its internet connection!

Mullvad VPN + QEMU

- For the VPN connection to get properly NATed/bridged you must enable the `Local network sharing` option!
- How to: ⚙️ > VPN settings > Local network sharing ✅
- How to:
</details>
<details>
<summary>Proctoring Functions</summary>
<details>
<summary>Honorlock</summary>

Function | Description |
---|---|
Record Webcam | Record student's testing environment using webcam |
Record Screen | Record student's screen during exam |
Record Web Traffic | Log student's internet activity |
Room Scan | Record a 360 degree environment scan before the assessment begins |
Disable Copy/Paste | Block clipboard actions |
Disable Printing | Block printing exam content |
Browser Guard | Limit browser activity to exam content and allowed site URLs only |
Allowed Site URLs | Allow access to specific websites during an exam session |
Student Photo | Capture student photo before the assessment begins |
Student ID | Capture ID photo before the assessment begins |

Recording Settings | Verification Settings | Lock Down Settings |
---|---|---|
Record Video | Verify Video | Force Full Screen |
Record Audio | Verify Audio | Only One Screen |
Record Screen | Verify Identity | Disable New Tabs |
Record Web Traffic | Verify Desktop | Close Open Tabs |
Record Desk | Verify Signature | Disable Printing |
Disable Clipboard | ||
Clear Cache | ||
Disable Right Click | ||
Prevent Re-Entry |
BrowserLock

- System Requirements Link
- Exam Content & Special Configurations (SDS): https://securedelivery-hs-prd-1.pearsonvue.com/SecureDeliveryService
- Application location: `%APPDATA%\OnVUE\BrowserLock.exe`
- Log file location: `%LOCALAPPDATA%\BrowserLock\log`
- Commands it runs:

```powershell
# Obtains NetConnectionID
wmic nic where "NetConnectionStatus = 2" get NetConnectionID /value
# Obtains USB FriendlyName
powershell.exe Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' }
# Obtains Display/Monitor FriendlyName
powershell.exe -Command "Get-WmiObject -Namespace 'root\WMI' -Class 'WMIMonitorID' | ForEach-Object -Process { if($_.UserFriendlyName) { ([System.Text.Encoding]::ASCII.GetString($_.UserFriendlyName)).Replace('$([char]0x0000)','') } }"
# Obtains running processes
powershell.exe /c Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath
# Obtains MachineGUID
powershell (Get-ItemProperty registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ -Name MachineGuid).MachineGUID
# Obtains system hostname
C:\Windows\system32\cmd.exe /c hostname
```
- Hypervisor System Checks (in log file):

```text
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM Allowed flag value from forensics is vmAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple Monitor Allowed flag value from forensics is multiMonitorAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN Allowed flag value from forensics is vpnAllowedForensic=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Shutdown file monitor started
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM detection value is: vmDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor detection value is: multipleMonitorDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN configuration received from forensics will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN detection value is: vpnDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] USB mass storage detection value is: usbDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Minimum browserlock version required: 2304
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Current browserlock version: 2402.1.1
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Check if Browserlock running on VM: {DMI type 1 (System Information) - Product Name}, {DMI type 2 (Base Board Information) - Serial Number}, runningOnVM=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM check: diskSize=499 GB
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Browserlock is not running on virtual machine
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Display HDCP supported check: hdcpSupported=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Number of display devices connected: AWT=1, Physical=1, Physical/Virtual=1, Duplicate=1
```

- BrowserLock Boolean Variables:
  - hdcpSupported
  - multiMonitorAllowedForensic
  - multipleMonitorDetectConfig
  - runningOnVM
  - usbDetectConfig
  - vmAllowedForensic
  - vmDetectConfig
  - vpnAllowedForensic
  - vpnDetectConfig
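An added example (not code from BrowserLock or the Hypervisor-Phantom project): a small Python parser that pulls the flags above out of a BrowserLock log, so anyone reviewing such a log can see which checks the session enforced and what each reported. The sample lines are constructed copies of the format quoted above with made-up timestamps, and the pairing of each `*DetectConfig` flag with its `*AllowedForensic` flag is an assumption on our part, not documented behaviour.

```python
"""Summarise which environment checks a BrowserLock log reports.

Added example for this page, not part of BrowserLock or the project. It only
reads log text in the format quoted above.
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines in the quoted format (timestamps are made up).
SAMPLE_LOG: List[str] = [
    "2024-01-01 10:00:00.000-0500 [BROWSER LOCK] [INFO] VM Allowed flag value from forensics is vmAllowedForensic=false",
    "2024-01-01 10:00:00.001-0500 [BROWSER LOCK] [INFO] Multiple Monitor Allowed flag value from forensics is multiMonitorAllowedForensic=false",
    "2024-01-01 10:00:00.002-0500 [BROWSER LOCK] [INFO] VPN Allowed flag value from forensics is vpnAllowedForensic=true",
    "2024-01-01 10:00:00.003-0500 [BROWSER LOCK] [INFO] VM detection value is: vmDetectConfig=true",
    "2024-01-01 10:00:00.004-0500 [BROWSER LOCK] [INFO] Multiple monitor detection value is: multipleMonitorDetectConfig=true",
    "2024-01-01 10:00:00.005-0500 [BROWSER LOCK] [INFO] VPN detection value is: vpnDetectConfig=false",
    "2024-01-01 10:00:00.006-0500 [BROWSER LOCK] [INFO] USB mass storage detection value is: usbDetectConfig=false",
    "2024-01-01 10:00:00.007-0500 [BROWSER LOCK] [INFO] Minimum browserlock version required: 2304",
    "2024-01-01 10:00:00.008-0500 [BROWSER LOCK] [INFO] Current browserlock version: 2402.1.1",
    "2024-01-01 10:00:00.009-0500 [BROWSER LOCK] [INFO] Check if Browserlock running on VM: {DMI type 1 (System Information) - Product Name}, {DMI type 2 (Base Board Information) - Serial Number}, runningOnVM=false",
    "2024-01-01 10:00:00.010-0500 [BROWSER LOCK] [INFO] VM check: diskSize=499 GB",
    "2024-01-01 10:00:00.011-0500 [BROWSER LOCK] [INFO] Display HDCP supported check: hdcpSupported=true",
    "2024-01-01 10:00:00.012-0500 [BROWSER LOCK] [INFO] Number of display devices connected: AWT=1, Physical=1, Physical/Virtual=1, Duplicate=1",
]

# key=true/false pairs such as vmDetectConfig=true or runningOnVM=false
BOOL_RE = re.compile(r"\b([A-Za-z]+)=(true|false)\b")
DISK_RE = re.compile(r"diskSize=(\d+) GB")
# longest alternative first so "Physical/Virtual" is not cut short at "Physical"
DISPLAY_RE = re.compile(r"(AWT|Physical/Virtual|Physical|Duplicate)=(\d+)")
VERSION_RE = re.compile(
    r"(Minimum browserlock version required|Current browserlock version): (\S+)"
)


def parse_browserlock_log(lines: List[str]) -> Dict:
    """Collect boolean flags, disk size, display counts and versions."""
    parsed: Dict = {"flags": {}, "diskSizeGB": None, "displays": {}, "versions": {}}
    for line in lines:
        if "[BROWSER LOCK]" not in line:
            continue  # ignore lines written by other components
        for key, value in BOOL_RE.findall(line):
            parsed["flags"][key] = value == "true"
        m = DISK_RE.search(line)
        if m:
            parsed["diskSizeGB"] = int(m.group(1))
        for name, count in DISPLAY_RE.findall(line):
            parsed["displays"][name] = int(count)
        m = VERSION_RE.search(line)
        if m:
            parsed["versions"][m.group(1)] = m.group(2)
    return parsed


def enforced_checks(flags: Dict[str, bool]) -> List[str]:
    """Checks that are switched on and not waived for this session.

    Assumption (ours, not documented by Pearson): a check matters when its
    *DetectConfig flag is true and the matching *AllowedForensic flag is false.
    """
    pairs = {
        "vm": ("vmDetectConfig", "vmAllowedForensic"),
        "multiMonitor": ("multipleMonitorDetectConfig", "multiMonitorAllowedForensic"),
        "vpn": ("vpnDetectConfig", "vpnAllowedForensic"),
    }
    enforced = [
        name
        for name, (detect, allowed) in pairs.items()
        if flags.get(detect, False) and not flags.get(allowed, False)
    ]
    if flags.get("usbDetectConfig", False):  # has no "allowed" counterpart in the log
        enforced.append("usbMassStorage")
    return sorted(enforced)


def version_ok(parsed: Dict) -> Optional[bool]:
    """True when the current build meets the minimum, comparing the first
    dotted component (2402.1.1 vs 2304); None if either line is missing."""
    minimum = parsed["versions"].get("Minimum browserlock version required")
    current = parsed["versions"].get("Current browserlock version")
    if minimum is None or current is None:
        return None
    return int(current.split(".")[0]) >= int(minimum.split(".")[0])


def summarize(lines: List[str]) -> Dict:
    """One-shot summary of what the log says about the session."""
    parsed = parse_browserlock_log(lines)
    flags = parsed["flags"]
    return {
        "enforced": enforced_checks(flags),
        "runningOnVM": flags.get("runningOnVM"),
        "hdcpSupported": flags.get("hdcpSupported"),
        "physicalDisplays": parsed["displays"].get("Physical"),
        "diskSizeGB": parsed["diskSizeGB"],
        "versionOk": version_ok(parsed),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point `summarize` at the lines of a real `%LOCALAPPDATA%\BrowserLock\log` file to get the same summary for an actual session.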
</details>
</details>
<details>
<summary>Hypervisor Setup Guide</summary>
<details>
<summary>VirtualBox</summary>
VirtualBox - VBoxManage tool location:

- Linux: `/usr/bin/VBoxManage`
- Mac OS X: `/Applications/VirtualBox.app/Contents/MacOS/VBoxManage`
- Oracle Solaris: `/opt/VirtualBox/bin/VBoxManage`
- Windows: `C:\Program Files\Oracle\VirtualBox\VBoxManage.exe`
Run these scripts:

- Configure the VM: `VM-External-Modifer.ps1`
- Spoof Windows: `VM-Internal-Modifier.ps1`

ExecutionPolicy Modifier:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
```
Building a Custom Version

Dependencies

```bash
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y && sudo apt install -y acpica-tools chrpath doxygen g++-multilib libasound2-dev libcap-dev libcurl4-openssl-dev libdevmapper-dev libidl-dev libopus-dev libpam0g-dev libpulse-dev libqt5opengl5-dev libqt5x11extras5-dev qttools5-dev libsdl1.2-dev libsdl-ttf2.0-dev libssl-dev libvpx-dev libxcursor-dev libxinerama-dev libxml2-dev libxml2-utils libxmu-dev libxrandr-dev make nasm python3-dev python-dev qttools5-dev-tools texlive texlive-fonts-extra texlive-latex-extra unzip xsltproc default-jdk libstdc++5 libxslt1-dev linux-kernel-headers makeself mesa-common-dev subversion yasm zlib1g-dev glslang-tools ia32-libs libc6-dev-i386 lib32gcc1 lib32stdc++6
```

Building VirtualBox

```bash
./configure --disable-hardening && source ./env.sh && kmk all
```
</details>
<details>
<summary>VMware</summary>
VMware PRO License Key:
MC60H-DWHD5-H80U9-6V85M-8280D
Patching BIOS ROM

- Locate the file `BIOS.440.ROM` within `%PROGRAMFILES(X86)%\VMware\VMware Workstation\x64`.
- Utilize Phoenix BIOS Editor to modify compromising DMI strings, like `VMware` or `Virtual Platform`.
- Once completed, go to `File` then `Build BIOS` and save the patched BIOS somewhere. Don't overwrite the original file!
- Now within the `*.vmx` config file, make sure to add the new patched BIOS location for the `bios440.filename` argument line.

Set Custom CPUID (optional)

Add the following into your `*.vmx`:

```ini
bios440.filename = "C:\<path_to_your_bios_file>\BIOS.440.PATCH.ROM"
hypervisor.cpuid.v0 = "FALSE"
smbios.reflectHost = "TRUE"
ethernet0.address = "00:C0:CA:A7:2B:9E"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
monitor_control.restrict_backdoor = "TRUE"
monitor_control.virtual_rdtsc = "FALSE"
```

IMPORTANT: `smbios.reflectHost` will NOT fully function properly if UEFI firmware is used without the BIOS ROM patch. If you use BIOS firmware instead, you don't have to worry about doing the BIOS ROM patch (you can still do it if you want though).
Run these scripts:

- Spoof Windows: `VM-Internal-Modifier.ps1`

ExecutionPolicy Modifier:

```powershell
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
```
</details>
<details>
<summary>QEMU/KVM & PCIe Passthru</summary>
<details>
<summary>QEMU/KVM Guide</summary>
Make sure to install curl:

```bash
# Arch
sudo pacman -S --noconfirm curl
# Debian
sudo apt install -y curl
# Fedora
sudo dnf install -y curl
```

1. Required Virtualization Packages

```bash
# Arch
sudo pacman -S --noconfirm qemu-base edk2-ovmf libvirt dnsmasq virt-manager
# Debian
sudo apt -y install qemu-system-x86 ovmf virt-manager libvirt-clients libvirt-daemon-system libvirt-daemon-config-network
# Fedora
sudo dnf -yq install @virtualization
```

2. Enabling libvirt

Configuring Libvirt:

```bash
libvirtd_conf='/etc/libvirt/libvirtd.conf'
sudo sed -i '/unix_sock_group/s/^#//g' "$libvirtd_conf"
sudo sed -i '/unix_sock_rw_perms/s/^#//g' "$libvirtd_conf"
qemu_conf='/etc/libvirt/qemu.conf'
sudo sed -i "s/#user = \"root\"/user = \"$(whoami)\"/" "$qemu_conf"
sudo sed -i "s/#group = \"root\"/group = \"$(whoami)\"/" "$qemu_conf"
```

Setting up the QEMU/KVM driver:

```bash
sudo usermod -aG kvm,libvirt "$(whoami)"
sudo systemctl enable --now libvirtd.socket
sudo virsh net-autostart default
```

3. Dependencies

```bash
# Arch
sudo pacman -S --noconfirm base-devel glib2 ninja python-sphinx python-sphinx_rtd_theme python-packaging dmidecode libusb
# Debian
sudo apt -y install build-essential libglib2.0-dev libfdt-dev libpixman-1-dev zlib1g-dev ninja-build python3-venv libusb-1.0-0-dev
# Fedora
sudo dnf -yq install glib2-devel libfdt-devel pixman-devel zlib-devel bzip2 ninja-build python3 libusb1-devel
```

4. Setting up QEMU

Download & Extract QEMU:

```bash
cd "$HOME/Downloads"
curl -sSO "https://download.qemu.org/qemu-8.2.6.tar.xz"
tar xJf "qemu-8.2.6.tar.xz" && cd "qemu-8.2.6"
```

Download & Apply Custom Patch for QEMU:

```bash
curl -sSO "https://raw.githubusercontent.com/Scrut1ny/Hypervisor-Phantom/main/v8.2.6.patch"
patch -fsp1 < "v8.2.6.patch"
```
Spoofing hardcoded USB Serial Numbers

```bash
find "$(pwd)/hw/usb" -type f -exec grep -lE '\[(STR|STRING)_SERIALNUMBER\]' {} + | while IFS= read -r file; do
  # Generate a new random serial number
  NEW_SERIAL=$(head /dev/urandom | tr -dc 'A-Z0-9' | head -c 10)
  # Replace all serial number strings in the file
  sed -i -E "s/(\[(STR|STRING)_SERIALNUMBER\] *= *\")[^\"]*/\1${NEW_SERIAL}/" "$file"
  # Print the modification information
  echo -e "\e[32m Modified:\e[0m '$file' with new serial: \e[32m$NEW_SERIAL\e[0m"
done
```
Spoofing Drive Model & Serial Numbers

```bash
# Define the core file path
core_file="$(pwd)/hw/ide/core.c"

# Generate a new random serial number
NEW_SERIAL=$(head /dev/urandom | tr -dc 'A-Z0-9' | head -c 15)

# Arrays of model strings
IDE_CD_MODELS=(
  "HL-DT-ST BD-RE WH16NS60"
  "HL-DT-ST DVDRAM GH24NSC0"
  "HL-DT-ST BD-RE BH16NS40"
  "HL-DT-ST DVD+-RW GT80N"
  "HL-DT-ST DVD-RAM GH22NS30"
  "HL-DT-ST DVD+RW GCA-4040N"
  "Pioneer BDR-XD07B"
  "Pioneer DVR-221LBK"
  "Pioneer BDR-209DBK"
  "Pioneer DVR-S21WBK"
  "Pioneer BDR-XD05B"
  "ASUS BW-16D1HT"
  "ASUS DRW-24B1ST"
  "ASUS SDRW-08D2S-U"
  "ASUS BC-12D2HT"
  "ASUS SBW-06D2X-U"
  "Samsung SH-224FB"
  "Samsung SE-506BB"
  "Samsung SH-B123L"
  "Samsung SE-208GB"
  "Samsung SN-208DB"
  "Sony NEC Optiarc AD-5280S"
  "Sony DRU-870S"
  "Sony BWU-500S"
  "Sony NEC Optiarc AD-7261S"
  "Sony AD-7200S"
  "Lite-On iHAS124-14"
  "Lite-On iHBS112-04"
  "Lite-On eTAU108"
  "Lite-On iHAS324-17"
  "Lite-On eBAU108"
  "HP DVD1260i"
  "HP DVD640"
  "HP BD-RE BH30L"
  "HP DVD Writer 300n"
  "HP DVD Writer 1265i"
)

IDE_CFATA_MODELS=(
  "SanDisk Ultra microSDXC UHS-I"
  "SanDisk Extreme microSDXC UHS-I"
  "SanDisk High Endurance microSDXC"
  "SanDisk Industrial microSD"
  "SanDisk Mobile Ultra microSDHC"
  "Samsung EVO Select microSDXC"
  "Samsung PRO Endurance microSDHC"
  "Samsung PRO Plus microSDXC"
  "Samsung EVO Plus microSDXC"
  "Samsung PRO Ultimate microSDHC"
  "Kingston Canvas React Plus microSD"
  "Kingston Canvas Go! Plus microSD"
  "Kingston Canvas Select Plus microSD"
  "Kingston Industrial microSD"
  "Kingston Endurance microSD"
  "Lexar Professional 1066x microSDXC"
  "Lexar High-Performance 633x microSDHC"
  "Lexar PLAY microSDXC"
  "Lexar Endurance microSD"
  "Lexar Professional 1000x microSDHC"
  "PNY Elite-X microSD"
  "PNY PRO Elite microSD"
  "PNY High Performance microSD"
  "PNY Turbo Performance microSD"
  "PNY Premier-X microSD"
  "Transcend High Endurance microSDXC"
  "Transcend Ultimate microSDXC"
  "Transcend Industrial Temp microSD"
  "Transcend Premium microSDHC"
  "Transcend Superior microSD"
  "ADATA Premier Pro microSDXC"
  "ADATA XPG microSDXC"
  "ADATA High Endurance microSDXC"
  "ADATA Premier microSDHC"
  "ADATA Industrial microSD"
  "Toshiba Exceria Pro microSDXC"
  "Toshiba Exceria microSDHC"
  "Toshiba M203 microSD"
  "Toshiba N203 microSD"
  "Toshiba High Endurance microSD"
)

DEFAULT_MODELS=(
  "Samsung SSD 970 EVO 1TB"
  "Samsung SSD 860 QVO 1TB"
  "Samsung SSD 850 PRO 1TB"
  "Samsung SSD T7 Touch 1TB"
  "Samsung SSD 840 EVO 1TB"
  "WD Blue SN570 NVMe SSD 1TB"
  "WD Black SN850 NVMe SSD 1TB"
  "WD Green 1TB SSD"
  "WD My Passport SSD 1TB"
  "WD Blue 3D NAND 1TB SSD"
  "Seagate BarraCuda SSD 1TB"
  "Seagate FireCuda 520 SSD 1TB"
  "Seagate One Touch SSD 1TB"
  "Seagate IronWolf 110 SSD 1TB"
  "Seagate Fast SSD 1TB"
  "Crucial MX500 1TB 3D NAND SSD"
  "Crucial P5 Plus NVMe SSD 1TB"
  "Crucial BX500 1TB 3D NAND SSD"
  "Crucial X8 Portable SSD 1TB"
  "Crucial P3 1TB PCIe 3.0 3D NAND NVMe SSD"
  "Kingston A2000 NVMe SSD 1TB"
  "Kingston KC2500 NVMe SSD 1TB"
  "Kingston A400 SSD 1TB"
  "Kingston HyperX Savage SSD 1TB"
  "Kingston DataTraveler Vault Privacy 3.0 1TB"
  "SanDisk Ultra 3D NAND SSD 1TB"
  "SanDisk Extreme Portable SSD V2 1TB"
  "SanDisk SSD PLUS 1TB"
  "SanDisk Ultra 3D 1TB NAND SSD"
  "SanDisk Extreme Pro 1TB NVMe SSD"
)

# Function to get a random element from an array
get_random_element() {
  local array=("$@")
  echo "${array[RANDOM % ${#array[@]}]}"
}

# Select random models (the stray "}" after DEFAULT_MODELS[@] was a typo)
NEW_IDE_CD_MODEL=$(get_random_element "${IDE_CD_MODELS[@]}")
NEW_IDE_CFATA_MODEL=$(get_random_element "${IDE_CFATA_MODELS[@]}")
NEW_DEFAULT_MODEL=$(get_random_element "${DEFAULT_MODELS[@]}")

# Replace the "QM" string with the new serial number in core.c
sed -i -E "s/\"[^\"]*%05d\", s->drive_serial\);/\"$NEW_SERIAL%05d\", s->drive_serial\);/" "$core_file"
# Spoof the IDE_CD drive model string
sed -i -E "s/\"HL-DT-ST BD-RE WH16NS60\"/\"$NEW_IDE_CD_MODEL\"/" "$core_file"
# Spoof the IDE_CFATA drive model string
sed -i -E "s/\"MicroSD J45S9\"/\"$NEW_IDE_CFATA_MODEL\"/" "$core_file"
# Spoof the default drive model string
sed -i -E "s/\"Samsung SSD 980 500GB\"/\"$NEW_DEFAULT_MODEL\"/" "$core_file"

# Print the modification information
echo -e "\e[32m Modified:\e[0m '$core_file' with new serial: \e[32m$NEW_SERIAL\e[0m"
echo -e "\e[32m Modified:\e[0m '$core_file' with new IDE_CD model: \e[32m$NEW_IDE_CD_MODEL\e[0m"
echo -e "\e[32m Modified:\e[0m '$core_file' with new IDE_CFATA model: \e[32m$NEW_IDE_CFATA_MODEL\e[0m"
echo -e "\e[32m Modified:\e[0m '$core_file' with new default model: \e[32m$NEW_DEFAULT_MODEL\e[0m"
```
Spoofing ACPI Table Strings

```bash
# Array of ACPI pairs (OEM ID, OEM Table ID)
pairs=(
  'DELL  ' 'Dell Inc' # Dell
  'ALASKA' 'A M I '   # AMD
  'INTEL ' 'U Rvp  '  # Intel
  ' ASUS ' 'Notebook' # Asus
  'MSI NB' 'MEGABOOK' # MSI
  'LENOVO' 'TC-O5Z  ' # Lenovo
  'LENOVO' 'CB-01   ' # Lenovo
  'SECCSD' 'LH43STAR' # ???
  'LGE   ' 'ICL     ' # LG
)

# Generate a random index to select a pair
total_pairs=$((${#pairs[@]} / 2))
random_index=$((RANDOM % total_pairs * 2))

# Extract the randomly selected pair
appname6=${pairs[$random_index]}
appname8=${pairs[$random_index + 1]}

# Replace the "BOCHS" "BXPC" strings in aml-build.h
file="$(pwd)/include/hw/acpi/aml-build.h"
sed -i "s/^#define ACPI_BUILD_APPNAME6 \".*\"/#define ACPI_BUILD_APPNAME6 \"$appname6\"/" "$file"
sed -i "s/^#define ACPI_BUILD_APPNAME8 \".*\"/#define ACPI_BUILD_APPNAME8 \"$appname8\"/" "$file"

# Print the modifications
echo -e "\e[32m Modified:\e[0m '$file' with new values:"
echo -e "  \e[32m#define ACPI_BUILD_APPNAME6 \"$appname6\"\e[0m"
echo -e "  \e[32m#define ACPI_BUILD_APPNAME8 \"$appname8\"\e[0m"
```

Spoofing CPUID Manufacturer Signature Strings

```bash
# Define the file path
kvm_file="$(pwd)/target/i386/kvm/kvm.c"

# Obtain the CPU Vendor ID
vendor_id=$(lscpu | awk -F': +' '/Vendor ID/ {print $2}')

# Replace the signature strings in kvm.c
sed -i -E "s/(memcpy\(signature, \")[^\"]*(\", 12\);)/\1$vendor_id\2/" "$kvm_file"

# Print the modification information
echo -e "\e[32m Modified:\e[0m '$kvm_file' with new signature: \e[32m$vendor_id\e[0m"
```

Spoofing CPUID Manufacturer Model Name Strings

```bash
# Define the file path
q35_file="$(pwd)/hw/i386/pc_q35.c"

# Obtain the CPU Manufacturer
manufacturer=$(sudo dmidecode -t 4 | grep 'Manufacturer:' | awk -F': +' '{print $2}')

# Replace the Manufacturer string in pc_q35.c
sed -i "s/smbios_set_defaults(\"[^\"]*\",/smbios_set_defaults(\"$manufacturer\",/" "$q35_file"

# Print the modification information
echo -e "\e[32m Modified:\e[0m '$q35_file' with new manufacturer: \e[32m$manufacturer\e[0m"
```

5. Building & Installing QEMU

```bash
./configure --target-list=x86_64-softmmu --enable-libusb --disable-werror
sudo make install -j"$(nproc)"
```

6. Clean up (Optional)

```bash
cd .. && sudo rm -rf "qemu-8.2.6" "qemu-8.2.6.tar.xz"
```
</details>
<details>
<summary>PCIe Passthru Guide</summary>
Online PCIe Passthrough Guides

1. Make sure to enable the following in the host UEFI/BIOS

AMD CPU | Intel CPU |
---|---|
IOMMU | VT-D |
NX | VT-X |
SVM | |

Requirements

- Virtualization Check

```bash
LC_ALL=C lscpu | grep Virtualization && grep -Ec '(vmx|svm)' /proc/cpuinfo
```

- List PCI Devices

```bash
lspci -nn | grep "NVIDIA"
```

or

- List IOMMU Groups

```bash
#!/bin/bash
shopt -s nullglob
for g in /sys/kernel/iommu_groups/*; do
  echo "IOMMU Group ${g##*/}:"
  for d in "$g"/devices/*; do
    echo -e "\t$(lspci -nns "${d##*/}")"
  done
done
```

Modify grub.cfg

```bash
sudo nano /etc/default/grub
```

- Set `GRUB_CMDLINE_LINUX_DEFAULT="amd_iommu=on iommu=pt vfio-pci.ids=XXXX:XXXX,XXXX:XXXX,XXXX:XXXX,XXXX:XXXX"` (use `intel_iommu=on` on an Intel CPU; `XXXX:XXXX` are the vendor:device IDs of the GPU's IOMMU group listed above)

Update grub.cfg & reboot

```bash
sudo update-grub && sudo reboot now
```

Modify vfio.conf (isolate GPU)

```bash
sudo nano /etc/modprobe.d/vfio.conf
```

- `options vfio-pci ids=XXXX:XXXX,XXXX:XXXX,XXXX:XXXX,XXXX:XXXX`
- `softdep nvidia pre: vfio-pci`

Update initramfs

```bash
sudo update-initramfs -c -k "$(uname -r)" && sudo reboot now
```

Check kernel driver in use for the isolated GPU (should be vfio-pci)

```bash
lspci -k | grep -E "vfio-pci|NVIDIA"
```
</details>
<details>
<summary>VMM Guide</summary>
Virtual Machine Manager Guide

1. Create a new virtual machine
2. Local install media (ISO image or CDROM)
3. Select a Windows ISO and enter the OS you're using
4. Set a realistic amount of RAM (make sure it's half of the full amount)

   GB | MBs |
   ---|---|
   8 | 8192 |
   16 | 16384 |
   32 | 32768 |

5. Set 1 less than the maximum amount of CPUs available
6. Set a virtual disk size of above 250GB+
7. Select "Customize configuration before install" and finish
8. Select `UEFI x86_64:/usr/share/OVMF/OVMF_CODE_4M.ms.fd` for the Firmware, then apply
   - 8a. If you want to use Windows 11 you need to use `UEFI x86_64:/usr/share/qemu/edk2-x86_64-secure-code.fd` instead
9. Under `CPUs`, check `Copy host CPU configuration (host-passthrough)`
   - 9a. Drop down `Topology` and check `Manually set CPU topology`, then input whatever works with your system, then apply

   Sockets: | Cores: | Threads: |
   ---|---|---|
   1 | X | X |

10. Under `Boot Options` check `SATA CDROM 1`, then apply
11. Under `SATA Disk 1` and `SATA CDROM 1` drop down `Advanced options` and set a random custom serial #, then apply
12. Under `NIC:XX:XX:XX` select the drop down menu and pick `hypervisor default`
    - 12a. Set a custom MAC address, make sure the vendor isn't a hypervisor vendor! then apply
13. Select `Add Hardware` and under `PCI Host Device` add ALL devices under the isolated GPU IOMMU group you figured out earlier
14. Now select `Begin Installation`, and enjoy your new undetectable windows system!
QEMU XML Config

```xml
<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
  <!-- You should keep the RAM amount at a realistic value: 16, 12, 8, 6, 4 GiB are all more or less common -->
  <memory unit="G">12</memory>
  <currentMemory unit="G">12</currentMemory>
  <!-- ... -->
  <os>
    <smbios mode="host"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <!-- set mode to "passthrough" if you use nested-virtualization to protect against timing attacks -->
    <hyperv mode="custom">
      <relaxed state="on"/>
      <vapic state="on"/>
      <spinlocks state="on" retries="8191"/>
      <vpindex state="on"/>
      <runtime state="on"/>
      <synic state="on"/>
      <stimer state="on"/>
      <reset state="on"/>
      <vendor_id state="on" value=""/>
      <frequencies state="on"/>
    </hyperv>
    <kvm>
      <hidden state="on"/>
    </kvm>
    <vmport state="off"/>
  </features>
  <cpu mode="host-passthrough" check="none">
    <topology sockets="1" dies="1" cores="8" threads="2"/>
    <cache mode="passthrough"/>
    <feature policy="disable" name="hypervisor"/>
    <feature policy="require" name="invtsc"/>
    <feature policy="require" name="topoext"/>
    <feature policy="require" name="svm"/> <!-- If you use an Intel CPU, change "svm" to "vmx" -->
  </cpu>
  <clock offset="localtime">
    <timer name="tsc" present="yes" mode="native"/>
    <timer name="hypervclock" present="yes"/>
  </clock>
  <!-- Emulates suspend functionality present on real hardware -->
  <pm>
    <suspend-to-mem enabled="yes"/>
    <suspend-to-disk enabled="yes"/>
  </pm>
  <devices>
    <!-- You can compile QEMU multiple times with different patches
         as long as you point libvirt to the correct one -->
    <emulator>/root/spoofed/qemu-system-x86_64</emulator>
    <!-- If you have a second drive and a little bit of luck,
         you could pass through the SATA/NVMe controller and have better performance than VirtIO + stay hidden -->
    <disk type="file" device="disk"> <!-- Use block devices (partitions) for better performance -->
      <driver name="qemu" type="raw" cache="none" io="native" discard="unmap"/> <!-- use io="threads" in block mode: https://events19.lfasiallc.com/wp-content/uploads/2017/11/Storage-Performance-Tuning-for-FAST-Virtual-Machines_Fam-Zheng.pdf -->
      <source file="/var/lib/libvirt/images/win10.img"/>
      <!-- Use SATA to avoid using the VirtIO driver -->
      <target dev="sda" bus="sata"/>
      <!-- Set a custom serial for every VM -->
      <serial>590347474223828</serial>
      <boot order="1"/>
      <address type="drive" controller="0" bus="0" target="0" unit="0"/>
    </disk>
    <interface type="network">
      <!-- Set a custom MAC address for every VM -->
      <mac address="f0:bc:8e:cd:6e:ec"/>
      <source network="default"/>
      <!-- Again, don't use VirtIO -->
      <model type="e1000e"/>
      <address type="pci" domain="0x0000" bus="0x01" slot="0x00" function="0x0"/>
    </interface>
    <!-- TPM in passthrough mode is the most well hidden option for Windows 11 -->
    <tpm model="tpm-tis">
      <backend type="passthrough">
        <device path="/dev/tpm0"/>
      </backend>
    </tpm>
    <!-- Other devices -->
    <memballoon model="none"/>
  </devices>
  <qemu:commandline>
    <qemu:arg value="-smbios"/>
    <!-- Replace with your output of `# dmidecode -t 17` -->
    <qemu:arg value="type=17,manufacturer=KINGSTON,loc_pfx=DDR4,speed=3200,serial=XXXXXX,part=XXXX"/>
  </qemu:commandline>
  <qemu:override>
    <qemu:device alias="sata0-0-0">
      <qemu:frontend>
        <qemu:property name="rotation_rate" type="unsigned" value="1"/>
      </qemu:frontend>
    </qemu:device>
  </qemu:override>
</domain>
```
</details>
<details>
<summary>Looking Glass Guide</summary>
Looking Glass Setup Guide

- Client usage
- KVM (Kernel-based Virtual Machine) configured for VGA PCI Pass-through without an attached physical monitor, keyboard or mouse.

Add this to your .XML file in the devices section:

```xml
<shmem name='looking-glass'>
  <model type='ivshmem-plain'/>
  <size unit='M'>32</size>
</shmem>
```

Dependencies

```bash
sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y && sudo apt install -y binutils-dev cmake fonts-dejavu-core libfontconfig-dev gcc g++ pkg-config libegl-dev libgl-dev libgles-dev libspice-protocol-dev nettle-dev libx11-dev libxcursor-dev libxi-dev libxinerama-dev libxpresent-dev libxss-dev libxkbcommon-dev libwayland-dev wayland-protocols libpipewire-0.3-dev libpulse-dev libsamplerate0-dev
```

Create a new file:

```bash
sudo nano /etc/tmpfiles.d/10-looking-glass.conf
```

- Give it the following contents (replace `user` with your username):

```text
# Type Path               Mode UID  GID Age Argument
f /dev/shm/looking-glass 0660 user kvm -
```

Granting Permissions

```bash
touch /dev/shm/looking-glass && chown "$USER":kvm /dev/shm/looking-glass && chmod 660 /dev/shm/looking-glass
```

Download/Build/Install LookingGlass

```bash
curl -sSL https://looking-glass.io/artifact/stable/source -o latest.tar.gz && tar -zxvf latest.tar.gz && rm -rf latest.tar.gz
cd looking-glass-* && mkdir client/build && cd client/build && cmake ../ && make && sudo make install
./looking-glass-client
```
Testing it out...
- VFIO - EDID Emulator Review
- DP/HDMI/DVI/VGA Dummy Plug (EDID Emulator)
- USB Type C to DP Adapter <---> DP/HDMI/DVI/VGA Dummy Plug (EDID Emulator)
- Connect an additional DisplayPort or HDMI cable from your spare/isolated GPU to your monitor. Alternatively, you can utilize a DisplayPort or HDMI Bidirectional Switch Splitter for convenience.
- Encrypt DNS Queries: Utilize DNS-over-HTTPS (DoH) to encrypt your DNS queries. Unlike unencrypted DNS, DoH conceals the websites you visit, leaving only the external IP address visible to observers.
- Opt for a VPN: Use a VPN to obscure all your internet traffic. However, be cautious with popular VPN services as their IP ranges may be blacklisted by certain proctoring or anti-cheat systems.
- Allocate Sufficient VM Storage: Equip your VM with at least 128GB of storage. VMs with lower storage capacities may be more easily identified or flagged by monitoring systems.
- System Up Time: Leave the hypervisor running for at least 12+ minutes to bypass the `GetTickCount()` check.
- OCR (Optical Character Recognition)
- RAT (Remote Access/Administration Trojan)
- RDP (Remote Desktop Protocol)
References & Help
<details>
<summary>General</summary>

- https://evasions.checkpoint.com/
- https://r0ttenbeef.github.io/Deploy-Hidden-Virtual-Machine-For-VMProtections-Evasion-And-Dynamic-Analysis/
- https://bannedit.github.io/Virtual-Machine-Detection-In-The-Browser.html
- VirtualBox RDTSC Fix
- https://forums.virtualbox.org/viewtopic.php?t=78859
- https://forums.virtualbox.org/viewtopic.php?t=81600
- https://superuser.com/questions/625648/virtualbox-how-to-force-a-specific-cpu-to-the-guest
- https://berhanbingol.medium.com/virtualbox-detection-anti-detection-30614691f108
- https://github.com/d4rksystem/VBoxCloak
- https://github.com/nsmfoo/antivmdetection
- https://sanbarrow.com/vmx.html
- https://www.hexacorn.com/blog/2014/08/25/protecting-vmware-from-cpuid-hypervisor-detection/
- https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/
- https://tulach.cc/bypassing-vmprotect-themida-vm-checks-in-vmware/
- Spoof and make your VM Undetectable - No more bullsh*t bans
- BE is banning KVM on R6
- Deploy Hidden Virtual Machine For VMProtections Evasion And Dynamic Analysis
- KVM Detection fixes
Common Error Solutions

<details>
<summary>Unable to complete install: 'internal error: cannot load AppArmor profile '{UUID}''</summary>

- Set `security_driver = "none"` in `/etc/libvirt/qemu.conf`:

```ini
# security_driver = [ "selinux", "apparmor" ]
#security_driver = "selinux"
security_driver = "none"
```

- Restart the libvirtd service:

```bash
systemctl restart libvirtd.service
```
</details>
<details>
<summary>NVIDIA Error 43</summary>
- Add this line in the `<hyperv/>` section in the QEMU XML:

```xml
<vendor_id state="on" value="AuthenticAMD"/>
```
</details>
<details>
<summary>Error starting domain: internal error: qemu unexpectedly closed the monitor:</summary>

```text
Error starting domain: internal error: qemu unexpectedly closed the monitor: 2021-08-02T17:52:25.005284Z qemu-system-x86_64: backing store size 0x2000000 does not match 'size' option 0x4000000
```

Step 1:

```bash
rm /dev/shm/looking-glass
```

Step 2:

```xml
<shmem name="looking-glass">
  <model type="ivshmem-plain"/>
  <size unit="M">128</size>
  <address type="pci" domain="0x0000" bus="0x10" slot="0x01" function="0x0"/>
</shmem>
```

- Change the memory size number to 32, 64, 128, etc. (whatever is needed); the shared file and the `<size>` in the XML must match.

Step 3:

```bash
touch /dev/shm/looking-glass && sudo chown "$USER":kvm /dev/shm/looking-glass && chmod 660 /dev/shm/looking-glass
```

- Now try to run your hypervisor again.
- Some of Elgato's capture cards, leveraging UVC (USB Video Class) technology, operate seamlessly without requiring additional drivers. As UVC devices, they adhere to a standard protocol for transmitting video and audio data over USB connections. This plug-and-play functionality ensures compatibility with various operating systems, enabling effortless setup and use for capturing high-quality video content.
Step 1: Download & install the latest 4K CAPTURE UTILITY software from the Elgato downloads page.

Step 2: Open the Elgato 4K Capture Utility software and let it initialize the UVC device and firmware.

Step 3: Now select the settings icon on the top right of the software utility, and select Check for Updates... (It should do it automatically already, but just make sure the firmware is on the latest version available.)

Step 4 (for Linux users): Connect the capture card device back to your Linux host system now and open OBS; you should now see a valid output instead of a black screen.

Elgato Gaming Hardware Drivers

Device | Driver Status |
---|---|
Elgato Cam Link | No driver since it's a UVC device |
Elgato Cam Link 4K | No driver since it's a UVC device |
Elgato Cam Link Pro | Latest Elgato Cam Link Pro Drivers for Windows |
Elgato Game Capture HD | Latest Elgato Game Capture HD Drivers for Windows |
Elgato Game Capture HD60 | Latest Elgato Game Capture HD60 Drivers for Windows |
Elgato Game Capture HD60 S | Latest Elgato Game Capture HD60 S Drivers for Windows |
Elgato Game Capture HD60 S+ | No driver since it's a UVC device |
Elgato Game Capture HD60 Pro | Latest Elgato Game Capture HD60 Pro Drivers |
Elgato Game Capture HD60 X | No driver since it's a UVC device |
Elgato Game Capture 4K60 Pro | Latest Elgato Game Capture 4K60 Pro Drivers |
Elgato Game Capture 4K60 Pro MK.2 | Latest Elgato Game Capture 4K60 Pro MK.2 Drivers |
Elgato Game Capture 4K60 S+ | Latest Elgato Game Capture 4K60 S+ Drivers |
Elgato 4K Pro | Latest Elgato 4K Pro Drivers |
Misc. Stuff
<details>
<summary>CompTIA Certification Stuff</summary>

CompTIA Certification Information:

Valid Coupon Codes:

- One time use for all. (10%): `MCGRAW10`
- Just for Sec+: `SECURITYVUE`
Exam Study Resource Websites
Exam Dump Websites
Security+
ChatGPT Prompt
I'll provide questions with possible answers, I need you to reply with only the correct answer(s). Just state the answer; no explanations.
Search Engine Prompts
Security+
CompTIA Security+ SY0-701 Quizlet
Network+
CompTIA Network+ N10-008 Quizlet
A+
CompTIA A+ 220-1101 Quizlet
CompTIA A+ 220-1102 Quizlet
</details>
<details>
<summary>Pearson VUE (OnVUE)</summary>
Pearson OnVUE Online Exam Tips
Before Your Exam:
- Know the Exam Rules: Ignorance isn't an excuse for breaking rules.
- Room Setup: A clean, quiet space is ideal. Open spaces are fine if you ensure privacy. Background noise like alarms or construction is generally okay, but voices may prompt a room check.
- Preparation: Clear your desk except for necessary items. Apply for accommodations if needed for health reasons. Use the restroom and moderate your water intake before starting. Avoid using work computers due to potential restrictions. Ensure your computer has an external microphone, as headphones are not allowed.
Common Mistakes:
- Strict Rule Enforcement: Proctors strictly follow rules; personal circumstances (e.g., needing a restroom break) aren't considered exceptions.
- Technical Readiness: Have your laptop charger plugged in. Starting your exam means you cannot leave for any reason, including to grab your charger.
- Exam Start: The exam is considered started once you see the "Welcome" screen. Don’t leave your seat, use your phone, or fetch items after this point.
- Avoid Distractions: Don’t touch your phone or read questions aloud to prevent suspicion of cheating.
- Proper Closure: After finishing, ensure you exit the application completely to end the exam session.
General Info:
- Proctors can't assist with exam content or scoring.
- When unsure about rules, use the chat feature to ask.
- Proctors do monitor you with help from AI to detect unusual behaviors.
- Note taking is not allowed with pen and paper.
- Your exam session is recorded.
Example video of the OnVUE setup process:
https://github.com/Scrut1ny/Hypervisor-Phantom/assets/53458032/c7f0901b-bb61-4806-9efc-655ea50b5547
</details>
<details>
<summary>Schedule an exam (OnVUE) Steps</summary>

Step 1
Step 2