WCharacter / RDTSC-KVM-Handler

my patches for linux kernel to spoof rdtsc and make vm exit undetected

Detection at Low CPU Utilization #2

Closed skinnypete001 closed 3 years ago

skinnypete001 commented 3 years ago

I have successfully applied your change to my current linux kernel being 5.8.14 on Manjaro. ParanoidFish detections are all but gone except for the rdtsc forcing vm exit when at low cpu usage. When my cpu usage is above 10% this detection is gone but when I get below that usage it starts getting flagged. I am on an intel cpu, would changing `u64 fake_diff = diff / 16;` (specifically the 16 number) help at all and if so should I increase or decrease it?

Now as a temp solution I had a stress tester running at 15% so I knew I wouldn't get flagged for that detection while playing. On Escape from Tarkov (battleye game) I didn't even need the kernel modification to get past the anticheat, all I had to do was change some stuff around in virt manager following this guide: https://www.reddit.com/r/VFIO/comments/i071qx/spoof_and_make_your_vm_undetectable_no_more/

For Siege I was getting detected which is why I've been trying your fix. Even with my stress tester running, making sure there were 0 detections on paranoidfish, I am still getting kicked. From the guide I listed above the only thing I haven't done is the qemu changes in source due to not being 100% sure what values I should use instead of the default ones they suggest to change. What I am asking here is if you have any guidance on what I can do to get past this darn anticheat so I can just play my game in peace.

Here is my virt manager xml and if you need any other sort of information let me know. Thanks in advance and if you're unable to help I understand. https://pastebin.com/7sMfcr2U

WCharacter commented 3 years ago

Try to set your cpu to Intel Core 2 Duo or disable AVX instructions. It will ban you in tarkov, but in siege it should work (check it on another account if you're on your main). I didn't play for two months, so I can't provide new information about their detection vectors. Right now I don't know for sure if they are still using rdtsc checks. About fake_diff: if you increase the number 16 it will send fewer ticks from the fake rdtsc function, so you can set it to 32 and it will send 2 times fewer ticks every call than before.