4/15 (Tue.) 16:15 - 16:45 1F 1B

The SuperHat Trick of Game Protection: Teardown of Modern Hyper-V Architecture to Defeat Kernel Exploit Threats like a King

Hyper-V, as used in Windows endpoint protection, has long been regarded as a crown jewel that red teams find hard to conquer. For that reason, online game anti-cheat products, which face a thriving underground cheat economy, lean heavily on Intel VT as the last line of defense against classic BYOVD (Bring Your Own Vulnerable Driver) kernel-level attacks that would otherwise bypass the protection. State-of-the-art anti-cheat goes further: in order to protect the system better than Microsoft's stock design allows, it has gradually adopted Hyper-V technology to build numerous kernel-level protections by exploiting and manipulating Windows 10+ NT kernel objects, on the premise of "effectively bypassing Microsoft's own kernel driver-level protection" in order to detect game cheating. But is this technique, used as a detection mechanism, malicious, and is it effective?

Know yourself and know your enemy, and you will not be defeated in a hundred battles! In this session we walk the audience through hypervisor detection defences and how they relate to the system architecture: from dismantling the architecture of Microsoft's VT-based Hyper-V platform, to how anti-cheat protection can manipulate Microsoft's VBS (Virtualisation-Based Security) and PatchGuard to forge memory pages in both user mode and kernel mode and so achieve the desired result. The session closes with recommendations and guidance on the methods and risks of adopting such kernel patches in endpoint detection products.

Yao-De Tsai
SPEAKER
TXOne Networks Inc
Threat Researcher, PSIRT and Threat Research Team
Shenghao Ma
SPEAKER
TXOne Networks Inc.
Team Lead, PSIRT and Threat Research Team

TOPIC / TRACK
Threat Research Forum

LOCATION
Taipei Nangang Exhibition Center, Hall 2
1F 1B

LEVEL
Intermediate
Intermediate sessions focus on cybersecurity architecture, tools, and practical applications, ideal for professionals with a basic understanding of cybersecurity.

SESSION TYPE
Breakout Session

LANGUAGE
Chinese

SUBTOPIC
Reverse Engineering
Advanced Threat Protection
Windows