🕵️ Advanced Malware Analysis Tool 🕵️

This tool provides an automated setup solution designed to evade detection from advanced malware, enabling thorough analysis. It employs a highly customized version of QEMU/KVM, EDK2, and the Linux Kernel. This also spoofs many unique hypervisor identifiers, effectively disguising the environment. This setup enhances the accuracy and reliability of malware analysis by minimizing the risk of detection.

📖 Setup Instruction Guide

Expand for details...

# 1. Clone into the repository
git clone --single-branch --depth=1 https://github.com/Scrut1ny/Hypervisor-Phantom

# 2. CD into the repository
cd Hypervisor-Phantom/Hypervisor-Phantom/

# 3. Set executable permissions
chmod -R +x *

# 4. Run the script
./Auto-Hypervisor.sh

📝 Documentation & References

Expand for details...

• Official
  • QEMU’s documentation
    • Man Page (Args)
    • Hyper-V Enlightenments
  • KVM for x86 systems (Linux Kernel)
  • Domain XML format
  • ACPI System Management Bus Interface Specification - HTML - PDF Version
  • SMBIOS Reference Specification - PDF
  • PCILookup
• General
  • https://evasions.checkpoint.com/
  • https://r0ttenbeef.github.io/
  • https://secret.club/
    • how-anti-cheats-detect-system-emulation.html
    • battleye-hypervisor-detection.html
• Reddit
  • spoof_and_make_your_vm_undetectable_no_more
  • be_is_banning_kvm_on_r6
• Unknowncheats
  • 418885-kvm-detection-fixes.html
• Git Repos
  • pve-patch
  • pve-anti-detection
  • proxmox-ve-anti-detection
  • kvm-hidden
  • KVM-Spoofing
  • linux-5.15-hardened-kvm-svm-qemu-win10
  • sGPUpt
  • gpupt
• VirtualBox
  • VirtualBox RDTSC Fix
  • https://forums.virtualbox.org/viewtopic.php?t=78859
  • https://forums.virtualbox.org/viewtopic.php?t=81600
  • https://superuser.com/questions/625648/virtualbox-how-to-force-a-specific-cpu-to-the-guest
  • https://berhanbingol.medium.com/virtualbox-detection-anti-detection-30614691f108
  • https://github.com/d4rksystem/VBoxCloak
  • https://github.com/nsmfoo/antivmdetection
• VMware
  • https://sanbarrow.com/vmx.html
  • https://sammwy.com/blog/hide-vm-from-detection
  • https://www.hexacorn.com/blog/2014/08/25/protecting-vmware-from-cpuid-hypervisor-detection/
  • https://rayanfam.com/topics/defeating-malware-anti-vm-techniques-cpuid-based-instructions/
  • https://tulach.cc/bypassing-vmprotect-themida-vm-checks-in-vmware/

💾 Software

HV Detection, Anti-Cheat and Exam Software

Hypervisor Detection Software

⭐ Rating	💻 Software	🧪 System Test	✅ Bypassed
🥇	VMAware	Repository Link ⬇ Download - x64 - v2.4.1 ⬇ ⬇ Download - x32 - v2.4.1 ⬇ ⬇ Download - DEBUG - v2.4.1 ⬇	❌
🥈	Al-Khaser (Obsolete)	Repository Link ⬇ Download - x64 - v1.0.0 ⬇ ⬇ Download - x32 - v1.0.0 ⬇	✅
🥉	Pafish (Obsolete)	Repository Link ⬇ Download - x64 - v0.6 ⬇ ⬇ Download - x32 - v0.6 ⬇	✅

Exam Software

💻 Software	🌐 Browser Extension	🧪 System Test	⬇️ Download	✅ Bypassed
Bluebook			⬇ Download ⬇	✅
ExamSoft: Examplify			⬇ Download ⬇	✅
Examity	✅	System Test	• ⬇ Firefox ⬇ • ⬇ Chrome ⬇	✅
Honorlock	✅		• Honorlock • ⬇ Chrome ⬇	✅
Inspera Exam Portal		Demo Exam Instructions	⬇ Download ⬇	✅
Kryterion		System Test	⬇ Download ⬇	✅
Pearson VUE		• System Test • System Test		✅
ProctorU	✅		• ⬇ Firefox ⬇ • ⬇ Chrome ⬇	✅
ProctorU: Guardian Browser		System Test	• ⬇ Download ⬇ • Meazure Learning Page • ProctorU Page	✅
Proctorio	✅	System Test		✅
Respondus (LockDown Browser)	✅	System Test	⬇ Download ⬇	✅
Safe Exam Browser		System Test	⬇ Download ⬇	✅

Anti-Cheat Software

• areweanticheatyet

🛡️ Engine	🎮 Used By	✅ Bypassed
Anti-Cheat Expert (ACE)	Primarily Mobile Games	✅
BattlEye (BE)	Desktop Games	✅ (w/Windows Hyper-V + HVCI)
Easy Anti-Cheat (EAC)	Desktop Games	✅
Gepard Shield	PUBG: Battlegrounds	✅
NACE (Netease Anticheat Expert)	Marvel Rivals	✅
Hyperion	Roblox	✅
Mhyprot	Genshin Impact	❔ (HoYoKProtect.sys) 🪟 BSOD: ATTEMPTED_WRITE_TO_READONLY_MEMORY
nProtect GameGuard (NP)	Desktop Games	✅
RICOCHET	CoD Games	✅
Vanguard	Valorant & LoL	✅ (w/Windows Hyper-V + HVCI)

Virtual Video & Audio

Bring live video from your smartphone, remote computer, or friends directly into OBS or other studio software.

• VDO.Ninja
• meshcast.io

VB-CABLE Virtual Audio Device

• VB-AUDIO Software
  • Windows Download
  • macOS Download

Virtual Display Driver

• Virtual-Display-Driver
• memflow-mirror

Webcam Manipulation

• Deep-Live-Cam

VPN + Hypervisor

• IMPORTANT: Ensure not to add a custom DNS configuration to the guest system on the hypervisor if your host system's VPN uses custom DNS block lists. Doing so may result in your guest hypervisor system losing its internet connection!

Mullvad VPN + QEMU

• For the VPN connection to get properly natted/bridged you must enable the setting Local network sharing option!
  • How to: ⚙️ > VPN settings > Local network sharing ✅

Recommended Tools

• OCR Powered Screen-Capture Tools
  • Linux:
    • NormCap
    • TextSnatcher
  • Windows:
    • ShareX
• RAT (Remote Access/Administration Trojan)
  • Quasar
    • Resource Hacker
• RDP (Remote Desktop Protocal)
  • Ammyy Admin
  • MeshCentral
• Monitor EDID Modifiers
  • Monitor Asset Manager
    • Dell Article
    • Using an INF file to override EDIDs
  • Custom Resolution Utility (CRU)
• UEFI/BIOS Editors
  • Phoenix BIOS Editor
  • UEFITool

🔩 Hardware

Bypassing HDCP

HDCP (High-bandwidth Digital Content Protection) Stuff

• Wikipedia - HDCP
• NVIDIA - To verify if your system is HDCP-capable

Bypassing HDCP Hardware/Software Diagram:

Bypass Kits

Expensive Bypass Kit (Recommended):

• 1x2 HDMI Splitter <> ViewHD - ~$22.00
• EDID Emulator <> 4K-EWB - HDMI 2.1 4K EDID Emulator - ~$25.00
• USB HDMI Capture Card <> Elgato HD60 X - ~$160.00

Cheap Bypass Kit (Not recommended):

• 1x2 HDMI Splitter <> OREI - ~$13.00
• EDID Emulator <> EVanlak - ~$7.00
• USB HDMI Capture Card <> AXHDCAP - ~$9.00

Equipment List

• External USB Capture Card(s)
  • Elgato
    • HD60 X | 10GBE9901 - ~$140.00
    • 4K X | 20GBH9901 - ~$200.00
    • Game Capture Neo | 20GBI9901 - ~$110.00
    • Cam Link - ~$90.00
  • AXHDCAP 4K HDMI Video Capture Card - ~$9.98
• 1x2 HDMI Splitter(s)
  • U9 / ViewHD
    • VHD-1X2MN3D -
    • VHD-1X2MN3D - ~$18.00
  • HBAVLINK
    • HB-SP102B
    • HB-SP102C
  • CORSAHD
    • CO-SP12H2
    • ?????????
  • EZCOO
    • EZ-SP12H2
    • EZ-EX11HAS-PRO
• EDID Emulator(s)
  • HDMI
    • Brand: THWT
      • 4K-EW2 - HDMI 2.1 4K EDID Emulator PRO - ~$90.00
      • 4K-EWB - HDMI 2.1 4K EDID Emulator - ~$25.00
      • HD-EW2 - HDMI 2.0 EDID Emulator 4K PRO - ~$90.00
      • HD-EWB - HDMI 2.0 4K EDID Emulator - ~$20.00
  • DP
    • Brand: THWT
      • DPH-EW2 - Displayport 1.2 EDID Emulator 4K PRO - ~$90.00
  • DP to HDMI
    • Brand: THWT
      • DPH-EWB - Displayport 1.2 to HDMI 2.0 EDID Emulator - ~$20.00

Elgato Capture Cards

• Some of Elgato's capture cards, leveraging UVC (USB Video Class) technology, operate seamlessly without requiring additional drivers. As UVC devices, they adhere to a standard protocol for transmitting video and audio data over USB connections. This plug-and-play functionality ensures compatibility with various operating systems, enabling effortless setup and use for capturing high-quality video content.

UVC Elgato Capture Cards

• Article

Device	Driver Status
Elgato Cam Link	No driver since it's a UVC device
Elgato Cam Link 4K	No driver since it's a UVC device
Elgato Game Capture HD60 S+	No driver since it's a UVC device
Elgato Game Capture HD60 X	No driver since it's a UVC device
Game Capture 4K X	No driver since it's a UVC device
Game Capture Neo	No driver since it's a UVC device

Linux - OBS Black Screen Issue Solution

Step 1:

Download and Install the latest 4K CAPTURE UTILITY software from Elgato downloads page on a WINDOWS OS.

Step 2:

Open Elgato 4K Capture Utility and let the software initialize the UVC capture card.

Step 3:

Select the settings icon on the top right corner of the software utility, and select Check for Updates.... (It should update automatically already, but just make sure the firmware is on the latest version available.)

Step 4:

Now, connect the capture card device back to your Linux host system now and open OBS, you should now see an output from your GPU instead of a black screen.

---

⚠️ Legal Disclaimer
By using this tool, you agree to the following:

• This tool is intended only for educational, research, and security analysis purposes.
• The author is not liable for any damages, legal consequences, or misuse arising from your use of this tool.
• You are responsible for ensuring your use complies with all applicable laws.
• Misuse, including cheating or illegal activities, is strictly prohibited.

Use at your own risk. The tool is provided "as-is" without any warranties.

---

Star History