Hide vm from guest

VitaleyUsa

New Member
May 26, 2017
Greetings everyone.
I'd like to thank the developers of this great server virtualization management solution, really love it.

Maybe somebody can help me with my questions.
My version of Proxmox: 5 beta 1
Virtual machine: Windows 10 x64
My GPU: gtx1060 (passed to VM)
Config:
cpu: host, hidden=1
and I add x-vga=1 to hostpci

I have virtio network + storage for best performance.

My Win10 shows me (Task Manager, Performance tab) that I have an i5 7400 CPU, but also "Virtual machine: Yes", "Virtual cores: .."
Also Steam blocks me from playing cs.go, for example, because it finds out that I'm using a VM ("VAC").

Is there something more I should do to hide my VM from the guest system?

PS: later I can add full config + my modprobe config + qm showcmd + something more if necessary
PPS: sorry for my English
 
Maybe you can use a BIOS string. Under Options, SMBIOS settings. A description is also in the local help page. Search for smbios.
 
No, not with stock Proxmox VE. One can try to compile qemu manually and edit all machine related strings, IDs and such stuff but I doubt it'll be easy.
If I understand right, I can edit QemuServer.pm, which has all the necessary stuff (I mean the command line for starting qemu).
But what exactly should I edit?
Or maybe

Thanks for the answer!

fireon said:
> Maybe you can use a BIOS string. Under Options, SMBIOS settings. A description is also in the local help page. Search for smbios.

Thank you! I will try to find out)

To be honest I thought it would be much easier (like "add vendor_id in ur config, or smthing else") :)
Anyway, I didn't find an answer on Google, so thank you guys for helping me.

My qm showcmd code:
Code:
/usr/bin/kvm -id 100 \
  -chardev 'socket,id=qmp,path=/var/run/qemu-server/100.qmp,server,nowait' \
  -mon 'chardev=qmp,mode=control' \
  -pidfile /var/run/qemu-server/100.pid \
  -daemonize \
  -smbios 'type=1,uuid=82c8bb73-b007-4960-bee9-c410653e436c' \
  -drive 'if=pflash,unit=0,format=raw,readonly,file=/usr/share/kvm/OVMF_CODE-pure-efi.fd' \
  -drive 'if=pflash,unit=1,id=drive-efidisk0,format=raw,file=/dev/pve/vm-100-disk-2' \
  -name win10v \
  -smp '1,sockets=1,cores=4,maxcpus=4' \
  -device 'host-x86_64-cpu,id=cpu2,socket-id=0,core-id=1,thread-id=0' \
  -device 'host-x86_64-cpu,id=cpu3,socket-id=0,core-id=2,thread-id=0' \
  -device 'host-x86_64-cpu,id=cpu4,socket-id=0,core-id=3,thread-id=0' \
  -nodefaults \
  -boot 'menu=on,strict=on,reboot-timeout=1000,splash=/usr/share/qemu-server/bootsplash.jpg' \
  -vga none -nographic -no-hpet \
  -cpu 'host,+kvm_pv_unhalt,+kvm_pv_eoi,hv_vendor_id=proxmox,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_reset,hv_vpindex,hv_runtime,hv_relaxed,kvm=off' \
  -m 4096 -k en-us \
  -readconfig /usr/share/qemu-server/pve-q35.cfg \
  -device 'usb-tablet,id=tablet,bus=ehci.0,port=1' \
  -device 'vfio-pci,host=01:00.0,id=hostpci0,bus=ich9-pcie-port-1,addr=0x0,romfile=/usr/share/kvm/vbios.bin' \
  -device 'vfio-pci,host=01:00.1,id=hostpci1,bus=pci.0,addr=0x11' \
  -device 'vfio-pci,host=00:1f.3,id=hostpci2,bus=pci.0,addr=0x1b' \
  -device 'usb-host,hostbus=1,hostport=9,id=usb0' \
  -device 'usb-host,hostbus=1,hostport=8,id=usb1' \
  -device 'usb-host,hostbus=1,hostport=2,id=usb2' \
  -iscsi 'initiator-name=iqn.1993-08.org.debian:01:eeb044fea6b' \
  -drive 'file=/dev/pve/vm-100-disk-1,if=none,id=drive-virtio0,cache=writeback,format=raw,aio=threads,detect-zeroes=on' \
  -device 'virtio-blk-pci,drive=drive-virtio0,id=virtio0,bus=pci.0,addr=0xa,bootindex=100' \
  -drive 'file=/dev/pve_hdd/vm-100-disk-1,if=none,id=drive-virtio1,cache=writeback,format=raw,aio=threads,detect-zeroes=on' \
  -device 'virtio-blk-pci,drive=drive-virtio1,id=virtio1,bus=pci.0,addr=0xb' \
  -netdev 'type=tap,id=net1,ifname=tap100i1,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown' \
  -device 'e1000,mac=4A:1B:32:2F:48:34,netdev=net1,bus=pci.0,addr=0x13,id=net1,bootindex=300' \
  -rtc 'driftfix=slew,base=localtime' \
  -machine 'type=q35' \
  -global 'kvm-pit.lost_tick_policy=discard'

Something strange: when I add my code it says it's spam.
 
> If I understand right, I can edit QemuServer.pm, which has all the necessary stuff (I mean the command line for starting qemu).
> But what exactly should I edit?

No, this is not a Proxmox VE problem. The KVM part, more precisely the QEMU part emulates the hardware and most of its hardware is named QEMU, so software normally uses this to determine if it runs on real hardware or not.

You need to change the C source code of qemu to get rid of it all. Some of them can be changed without recompiling over the Proxmox GUI as @fireon pointed out, but not all.

You need to get these counts to zero and even then ... no guarantee that it works:

Code:
$ dmidecode | grep -ic qemu
5

$ lspci -v | grep -ic qemu
9

This is in general not an easy topic. In the security community, there are some attempts and tweaks because malware already included also a vm check such that it will not run on virtualised environments to be studied:

http://securitykitten.github.io/vm-checking-and-detecting/
http://vmpsoft.com/
 
> No, this is not a Proxmox VE problem. The KVM part, more precisely the QEMU part emulates the hardware and most of its hardware is named QEMU, so software normally uses this to determine if it runs on real hardware or not.
>
> You need to change the C source code of qemu to get rid of it all. Some of them can be changed without recompiling over the Proxmox GUI as @fireon pointed out, but not all.
>
> You need to get these counts to zero and even then ... no guarantee that it works:
>
> Code:
> $ dmidecode | grep -ic qemu
> 5
>
> $ lspci -v | grep -ic qemu
> 9
>
> This is in general not an easy topic. In the security community, there are some attempts and tweaks because malware already included also a vm check such that it will not run on virtualised environments to be studied:

I thought that we can change all emulated devices from the command line, not from the sources.
I will try to check the sources, but it seems that the easiest way to handle it is to use Windows without being virtualized.

Thanks for your help! Maybe in future there will be an option to hide vm from box :)
 
> I thought that we can change all emulated devices from the command line, not from the sources.
> I will try to check the sources, but it seems that the easiest way to handle it is to use Windows without being virtualized.
>
> Thanks for your help! Maybe in future there will be an option to hide vm from box :)

Hello. You can try to add in conf file:
Code:
args: -cpu 'host,-hypervisor,+kvm_pv_unhalt,+kvm_pv_eoi,hv_spinlocks=0x1fff,hv_vapic,hv_time,hv_reset,hv_vpindex,hv_runtime,hv_relaxed,kvm=off,hv_vendor_id=intel'
Guest operating systems can test bit 31 of ECX of CPUID leaf 0x1, so the -hypervisor flag prevents this.
I can't add links :(. You can read more about the virtual machine detection mechanism in the VMware knowledge base. The article is called
Mechanisms to determine if software is running in a VMware virtual machine
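
An added example, not part of the original posts and not Proxmox or QEMU code: a guest-side audit in C of the CPUID indicators discussed in this thread, namely bit 31 of ECX in leaf 0x1 and the 12-byte hypervisor vendor signature at leaf 0x40000000, as a sandbox maintainer might run it to see what a guest can observe. The function names, the signature table and the sample register values are constructed for illustration; the live query assumes an x86 guest and the cpuid.h helper shipped with GCC and Clang.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang helper, x86 only */
#define HAVE_CPUID 1
#endif
/* CPUID leaf 0x1: ECX bit 31 is the "hypervisor present" bit. */
static int hypervisor_bit(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Leaf 0x40000000: 12-byte signature spread over EBX, ECX, EDX in that order. */
static void hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Map a signature to a well-known hypervisor name, or NULL if unrecognised. */
static const char *known_hv(const char *sig) {
    static const char *const table[][2] = {
        {"KVMKVMKVM", "KVM"}, {"Microsoft Hv", "Hyper-V"}, {"XenVMMXenVMM", "Xen"},
        {"VMwareVMware", "VMware"}, {"TCGTCGTCGTCG", "QEMU TCG"},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i][0]) == 0) return table[i][1];
    return NULL;
}

/* Helper for constructed samples: 4 bytes of text as one register value. */
static uint32_t pack4(const char *s) { uint32_t v; memcpy(&v, s, 4); return v; }

int main(void) {
    char sig[13];
    /* Constructed sample: a custom vendor string, NUL padded to 12 bytes. */
    hv_signature(pack4("prox"), pack4("mox\0"), pack4("\0\0\0\0"), sig);
    printf("sample: bit=%d sig=\"%s\" known=%s\n", hypervisor_bit(0x80000000u),
           sig, known_hv(sig) ? known_hv(sig) : "no");
#ifdef HAVE_CPUID
    unsigned a = 0, b = 0, c = 0, d = 0;
    if (__get_cpuid(1, &a, &b, &c, &d)) printf("live: bit=%d\n", hypervisor_bit(c));
    __cpuid(0x40000000, a, b, c, d);   /* queried even if the bit is clear */
    hv_signature(b, c, d, sig);
    printf("live: known signature=%s\n", known_hv(sig) ? known_hv(sig) : "none");
#endif
    return 0;
}
```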
 
You really don't want to have kvm=off, which disables hardware acceleration completely and slows everything down. Yet, this often yields in a working setup for a lot of stuff because you emulate really everything - including stuff that would normally not be there.
 
> You really don't want to have kvm=off, which disables hardware acceleration completely and slows everything down. Yet, this often yields in a working setup for a lot of stuff because you emulate really everything - including stuff that would normally not be there.

kvm=off doesn't touch KVM acceleration; it just changes the visibility of KVM to guests.
 
There's no way you could hide it. There was long discussion about this on VMware-forum some year or two ago, with a few proof-of-concept apps able to detect very reliably if they are running on VM, or bare metal HW. IIRC, they were not based on some strings searching in hw/bios, but used timing of some instructions (which must be translated/emulated in VM) with respect to cpu-clock frequency.

And it is nothing new. 10 years ago Rutkowska wrote "red pill" software exactly for this (detecting VM environment). So if steam (or any other sw) wants, it will detect it is running in VM...
 
Anyway, Valve is not right in its VAC policy. VitaleyUsa wants to play a game on a platform with a hypervisor. If Steam uses another path to detect the hypervisor, we can always find ways to get around it.
 
Does anyone have a conclusion on this topic? To hide virtual machine status from the guest OS (Windows)?
 