This tool provides an automated setup solution designed to evade detection from advanced malware, enabling thorough analysis. It employs a highly customized version of QEMU/KVM, EDK2, and the Linux Kernel. This also spoofs many unique hypervisor identifiers, effectively disguising the environment. This setup enhances the accuracy and reliability of malware analysis by minimizing the risk of detection.
- ✅ Automatic distro, bootloader, versions, etc detection
- ✅ Fully automates...
- VFIO configuration (PCIe Passthrough)
- Configures bootloader
- Regenerates ramdisks
- Custom patched QEMU install
- Spoofs all hardcoded serial numbers
- Custom patched EDK2/OVMF (UEFI Firmware) install
- Looking Glass setup & install
- Installation of all virtualization packages required
- VFIO configuration (PCIe Passthrough)
- ✅ Spoofs SMBIOS
- ✅ Spoofs Serial Numbers
- ✅ RAM
- ✅ Much more...
Expand for details...
# 1. Clone into the repository
git clone --single-branch --depth=1 https://github.com/Scrut1ny/Hypervisor-Phantom
# 2. CD into the repository
cd Hypervisor-Phantom
# 3. Set executable permissions
sudo chmod +x *.sh
Expand for details...
- Official
- General
- Unknowncheats
- Git Repos
- VirtualBox
- VirtualBox RDTSC Fix
- https://forums.virtualbox.org/viewtopic.php?t=78859
- https://forums.virtualbox.org/viewtopic.php?t=81600
- https://superuser.com/questions/625648/virtualbox-how-to-force-a-specific-cpu-to-the-guest
- https://berhanbingol.medium.com/virtualbox-detection-anti-detection-30614691f108
- https://github.com/d4rksystem/VBoxCloak
- https://github.com/nsmfoo/antivmdetection
- VMware
- https://sanbarrow.com/vmx.html
- https://sammwy.com/blog/hide-vm-from-detection
- https://www.hexacorn.com/blog/2014/08/25/protecting-vmware-from-cpuid-hypervisor-detection/
- https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/
- https://tulach.cc/bypassing-vmprotect-themida-vm-checks-in-vmware/
Expand for details...
- Opt for a VPN: Use a VPN to obscure all your internet traffic. However, be cautious with popular VPN services as their IP ranges may be blacklisted by certain exam proctoring or anti-cheat systems.
- Allocate Sufficient HV Storage: Equip your hypervisor with at least
128GB+of storage. Hypervisors with lower or insufficient storage are more susceptible to being identified or flagged by detection and monitoring systems. - System Up Time: Leave the hypervisor running for at least
12+minutes to bypass aGetTickCount()check in a hypervisor detection tool. (This check is honestly pointless, and isn't reliable to rely on.)
HV Detection, Anti-Cheat and Exam Software
| Rating | Software | System Test | Bypassed |
|---|---|---|---|
| 🥇 | VMAware | Repo Link <> Download - x64 - v2.0 <> Download - x32 - v2.0 | ❔ |
| 🥈 | Al-Khaser | Repo Link <> Download - x64 - v1.0.0 <> Download - x32 - v1.0.0 | ❔ |
| 🥉 | Pafish | Repo Link <> Download - x64 - v0.6 <> Download - x32 - v0.6 | ❔ |
| Software | Browser Extension | System Test | Bypassed |
|---|---|---|---|
| ExamSoft: Examplify | ✅ | ??? | ✅ |
| Examity | ✅ | New Platform System Check or Chrome Addon or FF Addon | ✅ |
| Honorlock | ✅ | Link | ✅ |
| Inspera Exam Portal | Link - Demo Exam Instructions | ✅ | |
| Kryterion | Link | ✅ | |
| Pearson VUE | Link | ✅ | |
| ProctorU | ✅ | FF Addon or Chrome Addon | ✅ |
| ProctorU: Guardian Browser | Link | ✅ | |
| Proctorio | ✅ | Link | ✅ |
| Respondus (LockDown Browser) | ✅ | Link & Download | ✅ |
| Safe Exam Browser | Link | ✅ |
| Engine | Used By | Bypassed |
|---|---|---|
| Anti-Cheat Expert (ACE) | Primarily Mobile Games | ✅ |
| BattlEye (BE) | Desktop Games | ✅ (w/Kernal Patch for R6, Destiny 2, Marvel Rivals...) |
| Easy Anti-Cheat (EAC) | Desktop Games | ✅ |
| Gepard Shield | PUBG: Battlegrounds | ✅ |
| Hyperion | Roblox | ✅ |
| Mhyprot | Genshin Impact | ✅ |
| nProtect GameGuard (NP) | Desktop Games | ✅ |
| RICOCHET | CoD Games | ❔ |
| Vanguard | Valorant & LoL | ❌ |
Exam Software Analysis: Reverse Engineering
| Function | Description |
|---|---|
| Record Webcam | Record student's testing enviroment using webcam |
| Record Screen | Record student's screen during exam |
| Record Web Traffic | Log student's internet activity |
| Room Scan | Record a 360 degree enviroment scan before the assessment begins |
| Disable Copy/Paste | Block clipboard actions |
| Disable Printing | Block printing exam content |
| Browser Guard | Limit browser activity to exam content and allowed site URLs only |
| Allowed Site URLs | Allow access to specific websites during an exam session |
| Student Photo | Capture student photo before the assessment begins |
| Student ID | Capture ID photo before the assessment begins |
-
System Requirements Link
-
Exam Content & Special Configurations (SDS)
https://securedelivery-hs-prd-1.pearsonvue.com/SecureDeliveryService
- Application location:
%APPDATA%\OnVUE\BrowserLock.exe- Log file location:
%LOCALAPPDATA%\BrowserLock\log- Commands it runs
# Obtains NetConnectionID
wmic nic where "NetConnectionStatus = 2" get NetConnectionID /value
# Obtains USB FriendlyName
powershell.exe Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' }
# Obtains Display/Monitor FriendlyName
powershell.exe -Command "Get-WmiObject -Namespace 'root\WMI' -Class 'WMIMonitorID' | ForEach-Object -Process { if($_.UserFriendlyName) { ([System.Text.Encoding]::ASCII.GetString($_.UserFriendlyName)).Replace('$([char]0x0000)','') } }"
# Obtains running processes
powershell.exe /c Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath
# Obtains MachineGUID
powershell (Get-ItemProperty registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\ -Name MachineGuid).MachineGUID
# Obtains system hostname
C:\Windows\system32\cmd.exe /c hostname- Hypervisor System Checks (in log file):
# LOG:
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM Allowed flag value from forensics is vmAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple Monitor Allowed flag value from forensics is multiMonitorAllowedForensic=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN Allowed flag value from forensics is vpnAllowedForensic=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Shutdown file monitor started
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM detection value is: vmDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor configuration received from SDS will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Multiple monitor detection value is: multipleMonitorDetectConfig=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN configuration received from forensics will be applied for validation
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VPN detection value is: vpnDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] USB mass storage detection value is: usbDetectConfig=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Minimum browserlock version required: 2304
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Current browserlock version: 2402.1.1
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Check if Browserlock running on VM: {DMI type 1 (System Information) - Product Name}, {DMI type 2 (Base Board Information) - Serial Number}, runningOnVM=false
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] VM check: diskSize=499 GB
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Browserlock is not running on virtual machine
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Display HDCP supported check: hdcpSupported=true
XXXX-XX-XX XX:XX:XX.XXX-XXXX [BROWSER LOCK] [INFO] Number of display devices connected: AWT=1, Physical=1, Physical/Virtual=1, Duplicate=1
# BrowserLock Booleon Variables
- hdcpSupported
- multiMonitorAllowedForensic
- multipleMonitorDetectConfig
- runningOnVM
- usbDetectConfig
- vmAllowedForensic
- vmDetectConfig
- vpnAllowedForensic
- vpnDetectConfig
| Recording Settings | Verification Settings | Lock Down Settings |
|---|---|---|
| Record Video | Verify Video | Force Full Screen |
| Record Audio | Verify Audio | Only One Screen |
| Record Screen | Verify Identity | Disable New Tabs |
| Record Web Traffic | Verify Desktop | Close Open Tabs |
| Record Desk | Verify Signature | Disable Printing |
| Disable Clipboard | ||
| Clear Cache | ||
| Disable Right Click | ||
| Prevent Re-Entry |
Virtual Video & Audio
VPN + Hypervisor
- IMPORTANT: Ensure not to add a custom DNS configuration to the guest system on the hypervisor if your host system's VPN uses custom DNS block lists. Doing so may result in your guest hypervisor system losing its internet connection!
- For the VPN connection to get properly natted/bridged you must enable the setting
Local network sharingoption!- How to:
⚙️>VPN settings>Local network sharing✅
- How to:
Recommended Tools
- OCR Powered Screen-Capture Tools
- Linux:
- Windows:
- RAT (Remote Access/Administration Trojan)
- RDP (Remote Desktop Protocal)
- Monitor Asset Manager
Bypassing HDCP
- 1x2 HDMI Splitter <> ViewHD -
~$21.95 - EDID Emulator <> 4K-EWB - HDMI 2.1 4K EDID Emulator -
~$25.00 - USB HDMI Capture Card <> Elgato HD60 X -
~$159.99
- 1x2 HDMI Splitter <> OREI -
~$13 - EDID Emulator <> EVanlak -
~$7 - USB HDMI Capture Card <> AXHDCAP -
~$9
- Capture Card(s)
- Elgato HD60 X -
~$159.99 - Elgato Cam Link -
~$97.99 - AXHDCAP 4K HDMI Video Capture Card -
~$9.98
- Elgato HD60 X -
- 1x2 HDMI Splitter(s)
- EDID Emulator(s)
- HDMI
- Brand: THWT
- 4K-EW2 - HDMI 2.1 4K EDID Emulator PRO -
~$90.00 - 4K-EWB - HDMI 2.1 4K EDID Emulator -
~$25.00 - HD-EW2 - HDMI 2.0 EDID Emulator 4K PRO -
~$90.00 - HD-EWB - HDMI 2.0 4K EDID Emulator -
~$20.00
- 4K-EW2 - HDMI 2.1 4K EDID Emulator PRO -
- Brand: THWT
- DP
- Brand: THWT
- DP to HDMI
- Brand: THWT
- HDMI
Elgato Capture Cards
- Some of Elgato's capture cards, leveraging UVC (USB Video Class) technology, operate seamlessly without requiring additional drivers. As UVC devices, they adhere to a standard protocol for transmitting video and audio data over USB connections. This plug-and-play functionality ensures compatibility with various operating systems, enabling effortless setup and use for capturing high-quality video content.
| Device | Driver Status |
|---|---|
| Elgato Cam Link | No driver since it's a UVC device |
| Elgato Cam Link 4K | No driver since it's a UVC device |
| Elgato Game Capture HD60 S+ | No driver since it's a UVC device |
| Elgato Game Capture HD60 X | No driver since it's a UVC device |
Download and Install the latest 4K CAPTURE UTILITY software from Elgato downloads page on a WINDOWS OS.
Open Elgato 4K Capture Utility and let the software initialize the UVC capture card.
Select the settings icon on the top right corner of the software utility, and select Check for Updates.... (It should update automatically already, but just make sure the firmware is on the latest version available.)
Now, connect the capture card device back to your Linux host system now and open OBS, you should now see an output from your GPU instead of a black screen.
⚠️ Legal Disclaimer
By using this tool, you agree to the following:
- This tool is intended only for educational, research, and security analysis purposes.
- The author is not liable for any damages, legal consequences, or misuse arising from your use of this tool.
- You are responsible for ensuring your use complies with all applicable laws.
- Misuse, including cheating or illegal activities, is strictly prohibited.
Use at your own risk. The tool is provided "as-is" without any warranties.
