Add hidden vm post

2025-09-02 15:24:20 +02:00
parent 6afc45c3b9
commit 8265c529e3
1 changed files with 137 additions and 0 deletions
--- a/content/posts/hidden_vm.md
+++ b/content/posts/hidden_vm.md
@@ -0,0 +1,137 @@
 +++ 
 draft = false 
 date = 2025-08-31T21:27:35+02:00
 title = "How to create a stealthy VM"
 description = "How to create a hard to detect virtual machine using QEMU."
 +++
 This article explains how to create a stealthy virtual machine that can be used for multiple things.  
 I made this for my personnal use so there is still room for improvement.  
 I'll explain what I personally use it for at the end.
 Virtual machine detection can be done in a lot of ways however,
 except for the most basic ones it always revolves around identifying markers that are hard coded into the hypervisor.
 For example [PCI ID's](https://en.wikipedia.org/wiki/PCI_configuration_space#Standardized_registers), plug and play devices names, etc  
 To defeat this in addition to configuring the VM so it doesn't appear like one we will have to patch and compile the hypervisor.
 ## 1. Compiling QEMU
 ⚠️ *Always maintain an installation of QEMU managed by your package manager, because it may delete necessary runtime dependencies otherwise! The binaries you compile are saved in **/usr/local/bin**, so they will take precedence.*
 ### Build dependencies
 **Arch**:
 `sudo pacman -S git wget base-devel glib2 ninja python`
 **Ubuntu**:
 `sudo apt install git build-essential ninja-build python-venv libglib2.0-0 flex bison`
 ### Patching and building QEMU
 Go to the directory where you want to keep the sources and run
 {{< highlight bash >}}
 wget https://raw.githubusercontent.com/furtest/furtest/refs/heads/main/qemu_patch/qemu-10.1.0.patch
 wget https://download.qemu.org/qemu-10.1.0.tar.xz
 tar xvJf qemu-10.1.0.tar.xz
 cd qemu-10.1.0
 ../qemu-10.1.0.patch
 ./configure --disable-werror
 make -j$(nproc)
 sudo make install
 {{< /highlight >}}
 For some reasons the build fails with Werror enabled so we disable it.  
 If you only need the x86_64 system hypervisor you can add `--target-list=x86_64-softmmu` to the configure command which will significantly shorten the compile time.  
 ## 2. Creating the VM
 You need to make the following changes to the configuration :
 - Use **BIOS** not UEFI
 - Change the MAC address (eg: 8c:1f:66:b8:67:84)
 - Set the video to VGA
 - Each of those snippets are things you need to have in your config, some of the text (like the `</hyperv>` ) is here for you to locate where to put the thing.
 {{< highlight html >}}
  <cpu mode='host-model' >
    <feature policy='disable' name='hypervisor'/>
  </cpu>
 {{< /highlight >}}
 {{< highlight html >}}
 <kvm>
  <hidden state='on'/>
 </kvm>
 </features>
 {{< /highlight >}}
 {{< highlight html >}}
 <vendor_id state='on' value='blackmega'/>
 </hyperv>
 {{< /highlight >}}
 **In the uuid field below replace with your uuid (top of the file)**
 {{< highlight html >}}
 <vcpu placement='static'>6</vcpu>
 <sysinfo type='smbios'>
 <bios>
  <entry name='vendor'>Dell Inc.</entry>
  <entry name='version'>2.5.2</entry>
  <entry name='date'>01/28/2015</entry>
  <entry name='release'>2.5</entry>
 </bios>
 <system>
  <entry name='manufacturer'>Dell Inc.</entry>
  <entry name='product'>PowerEdge R720</entry>
  <entry name='version'>Not Specified</entry>
  <entry name='serial'>H5DR542</entry>
  <entry name='uuid'>SHOULD MATCH THE UUID OF THE DOMAIN .. CHECK THE ELEMENT uuid ABOVE</entry>
  <entry name='sku'>SKU=NotProvided;ModelName=PowerEdge R720</entry>
  <entry name='family'>Not Specified</entry>
 </system>
 <baseBoard>
  <entry name='manufacturer'>Dell Inc.</entry>
  <entry name='product'>12NR12</entry>
  <entry name='version'>A02</entry>
  <entry name='serial'>.5KT0B123.ABCDE000000001.</entry>
  <entry name='asset'>Not Specified</entry>
  <entry name='location'>Null Location</entry>
 </baseBoard>
 <chassis>
  <entry name='manufacturer'>Lenovo</entry>
  <entry name='version'>none</entry>
  <entry name='serial'>J30038ZR</entry>
  <entry name='asset'>none</entry>
  <entry name='sku'>Default string</entry>
 </chassis>
 <oemStrings>
  <entry>myappname:some arbitrary data</entry>
  <entry>otherappname:more arbitrary data</entry>
 </oemStrings>
 </sysinfo>
 {{< /highlight >}}
 ## 3. Installing windows
 During the windows installation there are 2 annoying things
 - Windows 11 hardware requirements.
 - Microsoft forcing you to connect to a microsoft account.
 Once the installer has started open a cmd with `shift F10` and run `regedit`.  
 Then go to `KEY_LOCAL_MACHINE\SYSTEM\Setup`, create a new key called `LabConfig` and inside three DWORD values 
 - BypassTPMCheck = 1
 - BypassSecureBootCheck = 1
 - BypassRAMCheck = 1  
 To use a local account :
 1. Configure until the windows installation is done which is when you have to choose the language again.
 2. Then open a cmd again and run `OOBE\BYPASSNRO`
 3. Wait for reboot
 4. Once rebooted run `ipconfig /release` (if you forget you will have to go from step 1 again)
 ## Sources
 - Most of this was inspired by : https://github.com/zhaodice/qemu-anti-detection
 - Windows requirement bypass : https://www.tomshardware.com/how-to/bypass-windows-11-tpm-requirement
 - Things about the VM configuration : https://r0ttenbeef.github.io/Deploy-Hidden-Virtual-Machine-For-VMProtections-Evasion-And-Dynamic-Analysis/