Windows 10 VM - Fool the OS into thinking it's on Physical HW?

Discussion in 'Windows 10' started by ericgl, Aug 17, 2016.

  1. ericgl

    ericgl MDL Member

    Mar 10, 2011
    185
    130
    10
  2. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    6,787
    10,365
    210
    I'm not sure you can. It might have some commands that only run on non-VM that it tries.
    Or perhaps it's as simple as having a modded vm program.
    I really don't know.

    I am curious why you would want to, though.
     
  3. T-S

    T-S MDL Guru

    Dec 14, 2012
    3,988
    1,313
    120
    I think the OS takes a look directly at some CPU register or flag, just like it does to understand if the CPU has the virtualization extensions enabled, or the SLAT support.

    I believe that a proper .sys would be needed to fool the OS, something like what the Daz loader does with the BIOS calls.
     
  4. ericgl

    ericgl MDL Member

    Mar 10, 2011
    185
    130
    10
    murphy78,
    If Windows 10 "knows" it's running virtualized, it may behave differently to a physically-installed OS in certain situations.
    I don't know in which situations this might happen, but I'm sure they exist.
    Anyway, I would very much like to accomplish this task. It isn't going to be easy...I tried a lot of googling and suggestions.
     
  5. T-S

    T-S MDL Guru

    Dec 14, 2012
    3,988
    1,313
    120
    The most obvious one is trying to install VMware or VirtualBox inside of a virtual machine.

    Sure, recently nested virtualization is allowed in some scenarios, but those scenarios need a long list of checks as well, and are a relatively recent thing.

    Normally a virtualized OS must deny the installation of virtualization SW inside it.
     
  6. murphy78

    murphy78 MDL DISM Enthusiast

    Nov 18, 2012
    6,787
    10,365
    210
    Sorry, man. Any advice I could offer would be pure speculation.
     
  7. ericgl

    ericgl MDL Member

    Mar 10, 2011
    185
    130
    10
    #7 ericgl, Aug 17, 2016
    Last edited: Aug 17, 2016
    (OP)
    Yep, this is one situation where virtual-awareness comes into play.

    I can think of something more serious than that, though:
    If malware (virus, trojan, rootkit, etc.) knows it's running on a VM, it could "lay low" and not act like malware, so it would remain undetectable...
     
  8. ha1o2surfer

    ha1o2surfer MDL Novice

    Jan 29, 2013
    5
    1
    0
    #8 ha1o2surfer, Aug 31, 2016
    Last edited: Aug 31, 2016
    Go into VMware and change the OS type to "HyperV -V Not Supported". This allows you to install Hyper-V without it complaining it's a VM, so this will work for all OSes as well.


    I can't post images... but this 100% works.


    Go to imgur.com /a/kQSZF
     
  9. Rakeesh

    Rakeesh MDL Novice

    Feb 25, 2012
    21
    34
    0
    #9 Rakeesh, Sep 3, 2016
    Last edited: Sep 3, 2016
    That's exactly what it is. A hypervisor CPUID register indicates that it is a hypervisor. VMware has an option to turn this off and just pass the CPU's actual CPUID register instead:

    hypervisor.cpuid.v0 = "FALSE"

    Some of you might note that without this setting, Hyper-V won't run inside of VMware, however with this setting it runs fine.

    If you do that, in addition to enabling VT-x passthrough, Windows can't tell that it's running in a VM unless Microsoft decided to do something like start second-guessing the hardware that it's interacting with, which isn't exactly straightforward nor foolproof in the sense that it could get a false positive in some configurations.
     
  10. superciliousdude

    superciliousdude MDL Novice

    Dec 21, 2012
    15
    2
    0
    If you enable nested virtual machines in VMware Workstation and add the line
    monitor_control.restrict_backdoor = "true"

    to your VMX file then nothing can detect the VM. It will break all the fancy VM integration stuff though, since there will be no special treatment even for VMware's own tools and drivers.
     
  11. dobbelina

    dobbelina MDL Senior Member

    Apr 2, 2009
    425
    508
    10
    Use a moustache as a screensaver, then you know it's fake. :D
     
  12. superciliousdude

    superciliousdude MDL Novice

    Dec 21, 2012
    15
    2
    0
    #12 superciliousdude, Sep 3, 2016
    Last edited by a moderator: Apr 20, 2017
    A quick test confirms this is the case.

    I used the following lines in my VMX file, not sure if they are all necessary:
    Code:
    hypervisor.cpuid.v0 = "FALSE"
    monitor_control.restrict_backdoor = "TRUE"
    vhv.enable = "TRUE"
    VM.png
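
Added example, not posted by anyone in the thread: a small Python check for whoever maintains a malware-analysis VM, confirming that its .vmx file really carries the three settings quoted above and that a value was not pasted with typographic quotes. The sample file contents, the function names and the exact-case key matching are assumptions made for this illustration.

```python
import re

# The three settings named in the thread, with the values the posters used.
EXPECTED = {
    "hypervisor.cpuid.v0": "FALSE",
    "monitor_control.restrict_backdoor": "TRUE",
    "vhv.enable": "TRUE",
}
LINE = re.compile(r'^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$')
CURLY = "\u201c\u201d"  # typographic quotes picked up when copying from a web page


def parse_vmx(text):
    """Return ({key: value}, [problems]) for VMX-style key = "value" lines."""
    values, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if not m:
            continue  # blank line or '#' comment
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # normal case: strip the ASCII quotes
        elif any(q in val for q in CURLY):
            problems.append(f"line {n}: curly quotes around value of {key}")
        else:
            problems.append(f"line {n}: value of {key} is not double-quoted")
        if key in values:
            problems.append(f"line {n}: duplicate key {key}")
        values[key] = val
    return values, problems


def audit(text):
    """Map each expected setting to 'ok', 'missing' or 'wrong:<value>'."""
    values, problems = parse_vmx(text)
    report = {}
    for key, want in EXPECTED.items():
        got = values.get(key)
        if got is None:
            report[key] = "missing"
        else:
            report[key] = "ok" if got.upper() == want else f"wrong:{got}"
    return report, problems


# Constructed sample: one value pasted with curly quotes, one setting absent.
SAMPLE = ('.encoding = "UTF-8"\ndisplayName = "analysis-win10"\n'
          'hypervisor.cpuid.v0 = \u201cFALSE\u201d\n'
          'monitor_control.restrict_backdoor = "true"\n')

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A setting reported as `wrong` because of curly quotes should be retyped with plain ASCII double quotes before the VM is powered on.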