still be dectected with vmp 3.2+

[chenbowen9706]

after patch qemu7.0.0 and complie it and fix some rdtsc attacks my guest windows still got dectected with vmp3.2+ version

[chenbowen9706]

used al-hasker to got this dectected info: [] Checking Local Descriptor Table location [ BAD ] [] Checking power capabilities [ BAD ] [] Checking CPU fan using WMI [ BAD ] [] Checking Win32_CacheMemory with WMI [ BAD ] [] Checking Win32_MemoryDevice with WMI [ BAD ] [] Checking Win32_VoltageProbe with WMI [ BAD ] [] Checking Win32_PortConnector with WMI [ BAD ] [] Checking ThermalZoneInfo performance counters with WMI [ BAD ] [] Checking CIM_Memory with WMI [ BAD ] [] Checking CIM_Sensor with WMI [ BAD ] [] Checking CIM_NumericSensor with WMI [ BAD ] [] Checking CIM_TemperatureSensor with WMI [ BAD ] [] Checking CIM_VoltageSensor with WMI [ BAD ] [] Checking CIM_PhysicalConnector with WMI [ BAD ] [] Checking CIM_Slot with WMI [ BAD ] [] Checking for Hyper-V global objects [ BAD ]

[chenbowen9706]

exclude wmi check still got this: [] Checking Local Descriptor Table location [ BAD ]
[] Checking power capabilities [ BAD ]
[*] Checking for Hyper-V global objects [ BAD ]

[zhaodice]

can you give a simple exe(VMP exe)

[zhaodice]

works fine here, please check your vm config:

<domain xmlns:qemu="http://libvirt.org/schemas/domain/qemu/1.0" type="kvm">
...
  <qemu:commandline>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=0,version=UX305UA.201"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=1,manufacturer=ASUS,product=UX305UA,version=2021.1"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=2,manufacturer=Intel,version=2021.5,product=Intel i9-12900K"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=3,manufacturer=XBZJ"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=17,manufacturer=KINGSTON,loc_pfx=DDR5,speed=4800,serial=000000,part=0000"/>
    <qemu:arg value="-smbios"/>
    <qemu:arg value="type=4,manufacturer=Intel,max-speed=4800,current-speed=4800"/>
    <qemu:arg value="-cpu"/>
    <qemu:arg value="host,family=6,model=158,stepping=2,model_id=Intel(R) Core(TM) i9-12900K CPU @ 2.60GHz,vmware-cpuid-freq=false,enforce=false,host-phys-bits=true,hypervisor=off"/>
    <qemu:arg value="-machine"/>
    <qemu:arg value="q35,kernel_irqchip=on"/>
  </qemu:commandline>
</domain>

[chenbowen9706]

i think we use the same exe file packed with vmp protect

[chenbowen9706]

`

Entertainment 59854440-90fb-4761-bfc6-89bec8d7079a 1548288 1548288 12 hvm destroy restart destroy /usr/bin/qemu-system-x86_64

[zhaodice]

can I check your qemu xml fie?

[chenbowen9706]

i had upload before

[zhaodice]

i had upload before

I didn't see your xml config file ,are you using the command to start qemu?

[zhaodice]

add follows to your qemu args:

-cpu host,-hypervisor,kvm=off,hv_vendor_id='MiHoYo',vmware-cpuid-freq=false,enforce=false,host-phys-bits=true -smbios type=0,version=UX305UA.201 -smbios type=2,manufacturer=Intel,version=2021.5,product='MiHoYoSuperX' -smbios type=3,manufacturer=MiHoYo -smbios type=17,manufacturer=MiHoYo,loc_pfx=DDR5,speed=4800,serial=114514,part=1145 -smbios type=4,manufacturer=Intel,max-speed=4800,current-speed=4800 -acpitable oem_id=mhy,oem_table_id=mihoyo,asl_compiler_id=ASUS,asl_compiler_rev=114514,oem_rev=191981

[chenbowen9706]

actually im just copy your xml into my libvirt and just add some dev

[zhaodice]

actually im just copy your xml into my libvirt and just add some dev

run the command:

ps -ax | grep qemu

I want to see your process 's args

[zhaodice]

please click "Attach files by dragging & dropping, selecting or pasting them." to upload file

[chenbowen9706]

win10.txt

[zhaodice]

take a screenshot this

[chenbowen9706]

[chenbowen9706]

the network and disk is passthrou with pci

[zhaodice]

I think my "al-khaser.exe" is different to you ,can you upload here?

[zhaodice]

al-khaser.zip or you test it and report

[chenbowen9706]

KHASER.zip THIS IS MINE

[chenbowen9706]

pafish64 log:

[chenbowen9706]

“ [] Delay value is set to 10 minutes ... [] Performing a sleep using NtDelayExecution ... ” i think u should change 10 minute wait to 1 haha.. and this is my log which used your [al-khaser.zip] k-haser-log.txt

[zhaodice]

run the

ps -ax | grep qemu

on your host machine, and report

[chenbowen9706]

ps log.txt

[zhaodice]

ok, then , upload /usr/bin/qemu-system-x86_64 here

[chenbowen9706]

qemu-system-x86_64.zip

[chenbowen9706]

i had used 8.0.2 and 7.0.0 they are both dectected with vmp3.x

[zhaodice]

can you remove your rdtsc ? I know vmp didn't detect it.

[chenbowen9706]

yea i will reboot and do it wait me a few minute

[zhaodice]

did you enable hyper-v on your windows? if it is yes ,please close it

[zhaodice]

disable hyper-v

[chenbowen9706]

okay it works now when i dont patch rdtsc clock ,i will close the issu soon, can u send me your qq or wechat? i want to do more communication with you

[zhaodice]

q1619180854