Virtualization and Systems Engineering — Stealth VM

By Emin Can Başkaya

2026-04-18

Project

Custom-patched QEMU/KVM stealth VM with hardware passthrough and hypervisor-level identity spoofing. Built for Linux-hosted high-performance Windows environments requiring bare-metal performance and indistinguishability from physical hardware.

Techniques

  • Building QEMU from source with custom patches to modify emulator behavior at the source level
  • OVMF/EDK2 firmware customization for specialized VM initialization
  • VFIO management: host hardware isolation, vfio-pci driver binding, IOMMU group handling to safely detach hardware from the host
  • PCI passthrough for discrete GPU (RTX 2070) achieving bare-metal graphics performance
  • evdev input passthrough for raw low-latency keyboard and mouse routing
  • ACPI table extraction, decompilation, patching, and recompilation to align guest-visible firmware with spoofed hardware identity
  • SMBIOS spoofing — hardware serials, motherboard vendors, system UUIDs
  • CPUID hypervisor bit masking and other guest-visible virtualization marker handling
  • CPU pinning, hugepages, and I/O isolation for deterministic performance

Open-source contribution

Pull requests merged into VMAware, the open-source VM detection library, contributing to the defensive side of this research.

Why this matters for the portfolio

Stealth VM work sits at the intersection of kernel-level systems engineering, firmware manipulation, and security research. The techniques transfer directly to malware analysis sandboxes, cloud security (sandbox escape detection), red team tooling, and high-performance virtualization for regulated workloads.