3. Windows Kernel
KUSER_SHARED_DATA (Virtual Address- 0x07FFE0000)
KUSER_SHARED_DATA is a 4096-byte region of kernel memory that is mapped into every user-mode process at the fixed virtual address 0x7FFE0000. It was originally designed as a performant way for user-mode code to read frequently updated system values without needing to make a full syscall each time.
Some of the most important fields for DRM purposes are listed in the table below, and as we can see, there is quite a lot of useful information that Denuvo can extract from this single memory region:

Note: As of Windows 11 (and some hardened Win10 configs), large parts of KUSER_SHARED_DATA are no longer directly writable even from kernel mode, due to VBS/VTL protections. Hence spoofing what a target process reads via EPT hooks is the more robust approach compared to just patching the physical memory page. See Connor McGarr's blog for details: connormcgarr.github.io/kuser-shared-data-changes-win-11/
Process Environment Block (PEB)
The PEB is a per-process kernel structure that lives in user-accessible memory and contains a whole lot of process-specific information. Key fields include OS version info, the module load order lists (InLoadOrderModuleList, InMemoryOrderModuleList, etc.), and various loader flags. One thing to note here is that hypervisor bypass tools which inject proxy DLLs need to carefully hide their presence from PEB module enumeration, otherwise the loaded modules list would reveal the extra DLLs and the bypass would be easily detectable.
CPUID Instruction & Leaves
CPUID is arguably the most important single mechanism that Denuvo uses for hardware identification, and as per the CrackL@b analysis it is one of the primary targets for spoofing. When executed, the processor returns information about its capabilities and identity through the EAX, EBX, ECX, and EDX registers, depending on the 'leaf' value that is placed in EAX before execution. The hypervisor-present bit (leaf 0x1, ECX bit 31) is especially significant here — any hypervisor will set this bit, and hence any viable bypass implementation must clear it when intercepting CPUID, otherwise the whole spoofing effort becomes useless.

RDTSC/RDTSCP (Timing Sources)
The RDTSC instruction reads the processor's 64-bit timestamp counter and is used for performance measurement normally, but it also serves as a sensitive detector of VM-exit overhead — which is very relevant here. Every intercepted instruction in a hypervisor causes what is called a VM exit, which involves saving the full guest CPU state, running host code, and then restoring guest state before returning. All of this takes time, and it is measurable. So a program that checks RDTSC before and after a CPUID instruction (which causes a VM exit if the hypervisor intercepts it) will observe a much larger time delta as compared to bare metal hardware. Hence effective bypass implementations must also intercept RDTSC and return synthetic, consistently-timed timestamps to mask this overhead.
MSR Reads and XGETBV
Model Specific Registers (MSRs) are CPU registers that are normally only accessible from Ring 0 via RDMSR/WRMSR instructions. Key ones include IA32_LSTAR (0xC0000082) which holds the syscall handler address, and IA32_EFER (0xC0000080) which controls extended CPU features. Hypervisors intercept MSR access to prevent guests from detecting or modifying the virtualisation layer. XGETBV reads XCR0 (Extended Control Register 0), which indicates which extended processor state components like SSE, AVX, AVX-512 are enabled — and this value must always be consistent with the CPUID feature flags being spoofed, otherwise there will be a detectable miss-match.
NT Syscall Interfaces

