Open Samuil1337 opened 6 months ago
shocker, I'm telling you...
Do HyperV configurations still work with BattlEye?
Unfortunately, I clearly do not have any reverse-engineering skills on Windows, and in this case it can only be analyzed by others. I am indeed powerless; I just started by proposing a way to bypass detection. In fact, if you really want to get rid of it once and for all, it is better to get a cheap computer with an integrated GPU.
@zhaodice why so dramatic lol. Even if we don't know the exact cause, we have a list of things we could improve. I would start there and when all checks on al-khazer are green, I would try again.
@Weather-OS, the Hyper-V method will always work against timing based detections, but there are also other ways to deobfuscate VMs. It's worth a shot, but I doubt it will fix everything. Not only that, but nested-virtualization is kinda slow especially on AMD processors. To use it, set the hyperv mode to passthrough in your domain XML under the feature section, enable SVM (AMD) or VMX (Intel) as CPU features (you may not need it, if you are on host-passthrough mode) and run a Kernel without the RDTSC patch. Then in Windows completely enable the Hyper-V feature in "Turn Windows features on or off" or turn on memory integrity in Windows Defender. I think both work, but the latter is a lot slower.
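The libvirt domain XML fragment for the nested Hyper-V setup described in the comment above, written here as an added example; it is not from this thread or from the qemu-anti-detection project. The element and attribute names are libvirt's own (`<hyperv mode='passthrough'/>` needs libvirt 8.0 or newer); the rest of the domain definition (name, memory, devices) is assumed to exist already, and `svm` is assumed for an AMD host, with `vmx` on Intel.

```xml
<domain type='kvm'>
  <!-- name, memory, os, devices etc. of the existing domain are unchanged and omitted here -->
  <features>
    <acpi/>
    <apic/>
    <!-- Pass all Hyper-V enlightenments the host supports through to the guest, so Windows
         sees itself as running on Hyper-V and can start its own nested Hyper-V
         (needed for "Hyper-V" in Windows features or for Memory Integrity). -->
    <hyperv mode='passthrough'/>
  </features>
  <cpu mode='host-passthrough'>
    <!-- Nested virtualisation: advertise the hardware virtualisation extension to the guest.
         name='svm' is assumed for an AMD host; use name='vmx' on Intel. With host-passthrough
         the flag is normally inherited from the host already, requiring it makes that explicit. -->
    <feature policy='require' name='svm'/>
  </cpu>
</domain>
```

Before booting, confirm that nested virtualisation is actually enabled on the host, otherwise the guest's Hyper-V will fail to start: `cat /sys/module/kvm_amd/parameters/nested` (or `kvm_intel`) must print `1` or `Y`. As the comment says, this also assumes a host kernel without the RDTSC patch, because the two approaches conflict; and the Hyper-V route only addresses timing-based checks, not the static hardware-identifier strings discussed elsewhere in this thread.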
I took inspiration from your project and improved a lot, I've made a very useful advanced script that automates multiple tasks. I try keeping it updated as much as I can and add as much as I can. My project is for bypassing Anti Cheats and Proctoring exam software. I just focus on the main branch for patching instead of individual versions.
It is by no means useful, you just re-edited some strings and added a beautiful README, that's about it...
Instead of adding compile-time randomization of the static strings, you instead just replaced them with "FUCKFUCKFUCKFUCK". Anyone who will use that will also get banned, and if they use it for evading exam software they will also get banned if manually reviewed and they see strings like FUCK... wtf is in your head?
Didn't know assholes used qemu-anti-detection
@deprale, I think you looked at the wrong patch. The v8.2.2.patch is the one I assume was created using regular expressions or a script and the master.patch has more real sounding names albeit without 100% coverage. It's still a great jump from ASUS HARDDISK, ASUS KEYBOARD, ASUS PROCESSOR etc. The "compile-time randomization" is a little bit difficult to implement for the hardware identifiers, because they have to be hardcoded one way or another, but serials are easy to change. I would suggest filtering for the default serial number like "FUCK" and changing it to a random number. I do agree with Weather Reporto that you could've delivered your criticism more politely.
The reason I added "FUCK" is because I was just messing around, also no AC or Proctoring software is gonna be looking for that string. You guys need to check out my Auto-Hypervisor.sh script I made, I believe it's very useful. I've also incorporated a fully automated randomization spoofing part for all USB serial numbers contained in the source code. I've fully automated the process of dependencies, downloading, customizing, building, installing, etc. for QEMU, Virt-Manager, Looking Glass, grub.cfg + vfio.conf, and I'm working on automating the RDTSC Kernel Patch.
That's where you're wrong. First of all, I don't waste my time with linux; second of all, I wouldn't game in a VM because I'm not autistic; third of all, apologies to @Scrut1ny as the rest of the repo is actually useful.
The only thing that linux will touch is my macbook, or my servers. I'm only here just for the laughs; let me know when your repo lets you run any serious software like vanguard anti-cheat.
vanguard anti-cheat could be detecting something that hides in plain sight, like the Windows "Installed on" date. When you create a new Windows system via a hypervisor the date will be new as hell. Not saying this is the issue, I'm just giving an example. I believe some software will look for this thing one day; this is why I scripted a powershell script to spoof this to make it legit. @deprale also I'm glad you found it useful, I've been working long and hard on it. Next I'm adding more automatic spoofing for the custom QEMU build for the MAC Address, Drive Serial Number String, ACPI Table Strings, and CPUID Manufacturer Signature Strings. I'm going to have an array setup so the build is unique every time!
```powershell
# Generate a random date between Jan 1, 2011 and Dec 31, 2022 (all times handled in UTC)
$start = [datetime]::new(2011, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
$end   = [datetime]::new(2022, 12, 31, 0, 0, 0, [DateTimeKind]::Utc)
$randomDate = $start.AddSeconds((Get-Random -Maximum ([int64]($end - $start).TotalSeconds)))

# InstallDate is a REG_DWORD holding a Unix timestamp (seconds since 1970-01-01 UTC)
$epoch = [datetime]::new(1970, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
$unixTimestamp = [int][math]::Floor(($randomDate - $epoch).TotalSeconds)

# InstallTime is a REG_QWORD FILETIME (100 ns ticks since 1601-01-01);
# 11644473600 seconds lie between the 1601 and 1970 epochs
$fileTime = ([int64]$unixTimestamp + 11644473600) * 10000000

# Write both values with their proper registry types so Windows (and anything reading them) sees consistent dates
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Set-ItemProperty -Path $key -Name 'InstallDate' -Value $unixTimestamp -Type DWord -Force
Set-ItemProperty -Path $key -Name 'InstallTime' -Value $fileTime -Type QWord -Force

# Make sure the Windows Time service is running, then point it at public NTP pools and resync the clock
if ((Get-Service w32time).Status -eq 'Stopped') {
    Start-Service -Name w32time
}
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /update
Restart-Service -Name w32time -Force
w32tm /resync
```
Bro, you are 20 years of age. Instead of working, studying or helping people, you are calling the users of this repo names. Isn't that an "autistic" waste of time and depraVed 😉😉😉 (the name speaks for itself).
You use qemu anti detection to cheat in KVM VFIO setups. I love reading blogposts about how people exploit drivers, and other windows os QUIRKS to do stuff they shouldn't be able to, we are not the same.
Yes, you are an autist, and all of you that use this to cheat (95%), the other 5% using this is probably just a homelab enthusiast that wants to make a gaming pc hidden in a closet somewhere because space is a concern for their home, so their kid can play fortnite. There's 0 reason for this thing to exist outside avoiding anti-cheats, proctoring software, exam software, and so on.
Fan fictions upon fan fictions, wow. How did you deduce that I was (hides sign of disagreement cleverly like my VM (fedora tap)) a hacker? If you had read my original issue, you would understand that I stand strongly against any form of computer manipulation. I flat out said that I think it's a bad idea to make a project usable for video game hacking completely free to the public, because it would be used by skids (like you, cough, cough), which would then get our efforts patched. Let's not pretend that you didn't star and write issues on cheat repos for CS. You can't find anything like that on my Github, can you? And even if you say that you didn't use that for disturbing other people's fun (which might be true), how is it fair to call me a cheater without having any evidence to prove it? You see, thinking in boxes like that is easy but wrong and something a child would do. I myself believe in the concept of compartmentalization too (albeit not with people). I keep all the closed-source stuff - primarily GAMES - in the VM, while open-source stuff stays on the host. Wouldn't that mean I'm part of the 5%? Maybe without the weird imaginary story, but a "homelab enthusiast" nonetheless; we are the same. If there were no reasons for this oh so abominable thing to exist (which you already learnt isn't true), why are you even here? This project isn't even about using Windows in a qUrKiY way or anything. It's for Lunix, which you already explained isn't something you really appreciate. Last but not least, you didn't react maturely to a message pointing out that you didn't act maturely. Spot the mistake. Please stop it, contribute or go away.
PS: I think you shouldn't use "acoustic" as an insult as it is discriminating and shows bad character. Would you also use "gay" as a synonym of "lame"? I already edited my message using a similar word (I'm not a native speaker btw, so I didn't know the exact meaning, but now I do)
The way you write makes me have suicidal thoughts, please stop... go back on reddit... thanks... God save us all...
Either respond to my points, contribute to this issue or stfu
Jesus Christ you are insufferable. Get a life and stop being a nuisance.
Anyway: there also exist other timing methods that they may be using to detect hypervisor presence. I advise you to read into these resources:
@ProgrammedInsanity add me on discord, want to talk. null068975
This thread is wild. Your repo is useful Scrut1ny, thanks for the work. Have you tried your patch on 9.1 yet with Fortnite? If not, I'm going to create a patch (I'll kick over a PR) and compile / give it a go.
Did you manage to get it working?
Dear @zhaodice,
I hope this message finds you well. I unfortunately have to inform you that BattlEye has had an update that improved their VM detection mechanisms to the point where they are able to unmask our patched QEMU.
After the new Fortnite season update there is an error message telling me to stop the process "Virtual Machine", indicating that the virtual machine is in fact at fault. This happens when I try to join a match, which means that EAC (which checks for VMs on game startup) is working, but BattlEye (which runs during matches) is not. It is also reasonable to assume that the new attack is timing based, because these types of methods need to be run many times to accurately determine if the CPU is fake, and I am stuck for minutes in the loading screen until the kick (that could be Fortnite being slow though). It is also possible that they added "ASUS HARDDISK" etc. and the default serial numbers of this patch to their blacklist. Last but not least I want to redirect to #77. There I described the imperfections of this patch and my exact setup.
I assume that the people at BattlEye just googled "hide qemu", which also resurfaces the moral question of maintaining a public Github repo that is 100% used by some if not most people to cheat (although I am not one of them). If you - Dice - or anybody else is willing to do dynamic analysis on BattlEye/Fortnite, I would greatly appreciate it, because that would enable us to fix the root cause more precisely.
Yours sincerely, Samuil1337