+++
draft = false
date = 2025-08-31T21:27:35+02:00
title = "How to create a stealthy VM"
description = "How to create a hard to detect virtual machine using QEMU."
+++
This article explains how to create a stealthy virtual machine that can be used for multiple things.
I made this for my personal use, so there is still room for improvement.
I'll explain what I personally use it for at the end.
Virtual machine detection can be done in many ways; however,
except for the most basic ones, it always revolves around identifying markers that are hard-coded into the hypervisor,
for example PCI IDs, Plug and Play device names, etc.
To defeat this, in addition to configuring the VM so that it doesn't look like one, we have to patch and recompile the hypervisor.
1. Compiling QEMU
⚠️ Always keep an installation of QEMU managed by your package manager: if you remove the distro package, the package manager may remove runtime dependencies the compiled binaries still need. The binaries you compile are installed in /usr/local/bin, so they take precedence over the packaged ones.
Build dependencies
Arch:
sudo pacman -S git wget base-devel glib2 ninja python
Ubuntu:
sudo apt install git wget build-essential ninja-build python3-venv libglib2.0-dev pkg-config flex bison
Patching and building QEMU
Go to the directory where you want to keep the sources and run
{{< highlight bash >}}
wget https://raw.githubusercontent.com/furtest/furtest/refs/heads/main/qemu_patch/qemu-10.1.0.patch
wget https://download.qemu.org/qemu-10.1.0.tar.xz
tar xvJf qemu-10.1.0.tar.xz
cd qemu-10.1.0
# apply the anti-detection patch from the parent directory (-p1 assumed: git-style a/ b/ path prefixes)
patch -p1 < ../qemu-10.1.0.patch
./configure --disable-werror
make -j$(nproc)
sudo make install
{{< /highlight >}}
For some reason the build fails with -Werror enabled, so we disable it.
If you only need the x86_64 system hypervisor you can add --target-list=x86_64-softmmu to the configure command which will significantly shorten the compile time.
2. Creating the VM
You need to make the following changes to the configuration:
- Use BIOS, not UEFI
- Change the MAC address (e.g. 8c:1f:66:b8:67:84)
- Set the video model to VGA
Each of the following snippets is something you need to have in your config; some of the surrounding text (like the
</hyperv>) is only there to help you locate where to put it.
{{< highlight html >}}
  <vendor_id state='on' value='blackmega'/>
</hyperv>
{{< /highlight >}}
In the uuid field below replace with your uuid (top of the file)
{{< highlight html >}}
<!-- the lone "6" that precedes this block in the original file is the tail of the preceding element, kept as a locator -->
<sysinfo type='smbios'>
  <bios>
    <entry name='vendor'>Dell Inc.</entry>
    <entry name='version'>2.5.2</entry>
    <entry name='date'>01/28/2015</entry>
    <entry name='release'>2.5</entry>
  </bios>
  <system>
    <entry name='manufacturer'>Dell Inc.</entry>
    <entry name='product'>PowerEdge R720</entry>
    <entry name='version'>Not Specified</entry>
    <entry name='serial'>H5DR542</entry>
    <entry name='uuid'>SHOULD MATCH THE UUID OF THE DOMAIN .. CHECK THE ELEMENT uuid ABOVE</entry>
    <entry name='sku'>SKU=NotProvided;ModelName=PowerEdge R720</entry>
    <entry name='family'>Not Specified</entry>
  </system>
  <baseBoard>
    <entry name='manufacturer'>Dell Inc.</entry>
    <entry name='product'>12NR12</entry>
    <entry name='version'>A02</entry>
    <entry name='serial'>.5KT0B123.ABCDE000000001.</entry>
    <entry name='asset'>Not Specified</entry>
    <entry name='location'>Null Location</entry>
  </baseBoard>
  <chassis>
    <entry name='manufacturer'>Lenovo</entry>
    <entry name='version'>none</entry>
    <entry name='serial'>J30038ZR</entry>
    <entry name='asset'>none</entry>
    <entry name='sku'>Default string</entry>
  </chassis>
  <oemStrings>
    <entry>myappname:some arbitrary data</entry>
    <entry>otherappname:more arbitrary data</entry>
  </oemStrings>
</sysinfo>
{{< /highlight >}}
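The easiest mistake to make with the configuration above is to forget one of the checklist items, or to leave the sysinfo uuid different from the domain uuid so that the SMBIOS data contradicts the rest of the guest. The following script is an added example (not part of the original article or of the qemu-anti-detection project) that parses a libvirt domain XML with the standard library and reports which of the points in this section are not met: BIOS instead of UEFI, a MAC address outside the 52:54:00 prefix that libvirt assigns to KVM guests by default, a VGA video model, the hyperv vendor_id override, `<smbios mode='sysinfo'/>` under `<os>` (without it libvirt ignores the `<sysinfo>` block), and a sysinfo uuid equal to the domain uuid. The element paths are the real libvirt ones; the two sample domain definitions are constructed for the example.

```python
"""Check a libvirt domain XML against the stealth-VM checklist.

Added example (not from the original article). Standard library only.
"""
import xml.etree.ElementTree as ET

# libvirt's default MAC prefix for KVM guests; an easy giveaway in the guest.
QEMU_DEFAULT_MAC_PREFIX = "52:54:00"


def check_domain_xml(xml_text: str) -> list[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    root = ET.fromstring(xml_text)
    findings: list[str] = []

    os_el = root.find("os")
    if os_el is None:
        findings.append("missing <os> element")
    else:
        # A pflash <loader> or firmware='efi' means UEFI; the checklist wants BIOS.
        if os_el.get("firmware") == "efi" or os_el.find("loader") is not None:
            findings.append("UEFI firmware configured; use BIOS instead")
        smbios = os_el.find("smbios")
        if smbios is None or smbios.get("mode") != "sysinfo":
            findings.append("<os> lacks <smbios mode='sysinfo'/>; the <sysinfo> block is ignored")

    for mac in root.iterfind("devices/interface/mac"):
        addr = (mac.get("address") or "").lower()
        if addr.startswith(QEMU_DEFAULT_MAC_PREFIX):
            findings.append(f"MAC {addr} uses the default QEMU/KVM prefix 52:54:00")

    for model in root.iterfind("devices/video/model"):
        if model.get("type") != "vga":
            findings.append(f"video model is {model.get('type')!r}, expected 'vga'")

    # <vendor_id> replaces the hypervisor vendor string the guest sees via CPUID.
    vendor = root.find("features/hyperv/vendor_id")
    if vendor is None or vendor.get("state") != "on" or not vendor.get("value"):
        findings.append("features/hyperv/vendor_id is missing or not enabled")

    # The SMBIOS system uuid must match the domain uuid at the top of the file.
    dom_uuid = root.findtext("uuid", "").strip().lower()
    sys_uuid = root.findtext(
        "sysinfo[@type='smbios']/system/entry[@name='uuid']", ""
    ).strip().lower()
    if not dom_uuid:
        findings.append("domain has no <uuid>")
    elif sys_uuid != dom_uuid:
        findings.append(f"sysinfo uuid {sys_uuid!r} does not match domain uuid {dom_uuid!r}")

    return findings


# Constructed sample: a domain that follows the checklist.
HARDENED_XML = """<domain type='kvm'>
  <name>stealth</name>
  <uuid>4c4c4544-0056-3410-8032-b9c04f4a4e31</uuid>
  <vcpu placement='static'>6</vcpu>
  <sysinfo type='smbios'>
    <system>
      <entry name='manufacturer'>Dell Inc.</entry>
      <entry name='product'>PowerEdge R720</entry>
      <entry name='uuid'>4c4c4544-0056-3410-8032-b9c04f4a4e31</entry>
    </system>
  </sysinfo>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <smbios mode='sysinfo'/>
  </os>
  <features>
    <hyperv><vendor_id state='on' value='blackmega'/></hyperv>
  </features>
  <devices>
    <interface type='network'><mac address='8c:1f:66:b8:67:84'/></interface>
    <video><model type='vga'/></video>
  </devices>
</domain>"""

# Constructed sample: a virt-manager-style default domain with none of the changes.
DEFAULT_XML = """<domain type='kvm'>
  <name>default</name>
  <uuid>5d4e0c3a-1b2c-4d5e-8f90-123456789abc</uuid>
  <os>
    <type arch='x86_64' machine='q35'>hvm</type>
    <loader readonly='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader>
  </os>
  <devices>
    <interface type='network'><mac address='52:54:00:ab:cd:ef'/></interface>
    <video><model type='virtio'/></video>
  </devices>
</domain>"""


if __name__ == "__main__":
    for label, xml_text in (("hardened", HARDENED_XML), ("default", DEFAULT_XML)):
        result = check_domain_xml(xml_text)
        print(f"{label}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

To check a real definition, dump it with `virsh dumpxml <domain>` and pass the text to `check_domain_xml`; the default sample above produces six findings, one per missing change.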
3. Installing windows
During the Windows installation there are two annoying things:
- Windows 11 hardware requirements.
- Microsoft forcing you to connect to a microsoft account.
Once the installer has started, open a cmd with Shift+F10 and run regedit.
Then go to HKEY_LOCAL_MACHINE\SYSTEM\Setup, create a new key called LabConfig and, inside it, three DWORD values:
- BypassTPMCheck = 1
- BypassSecureBootCheck = 1
- BypassRAMCheck = 1
To use a local account:
- Proceed with the installation until it is done, which is when you are asked to choose the language again.
- Then open a cmd again and run OOBE\BYPASSNRO, and wait for the reboot.
- Once rebooted, run ipconfig /release (if you forget this, you will have to start over from step 1).
Sources
- Most of this was inspired by : https://github.com/zhaodice/qemu-anti-detection
- Windows requirement bypass : https://www.tomshardware.com/how-to/bypass-windows-11-tpm-requirement
- Things about the VM configuration : https://r0ttenbeef.github.io/Deploy-Hidden-Virtual-Machine-For-VMProtections-Evasion-And-Dynamic-Analysis/