[virt-tools-list] Libvirt: problem with hidding that a VM is running

Antoine abyssal90 at hotmail.fr
Tue Apr 28 08:31:34 UTC 2015


Hello everyone,

I try to
strengthen my virtual machine against malware by trying, as much as I
can, to hide the fact that malware is running inside a virtual
machine. One possible way to do it is to suppress the string
“KVMKVMKVM” and the value 1 of the Qemu variable
'CPUID_EXT_HYPERVISOR', which are both specified in the file in

Step 1) I'm doing
the following modifications: 

- Original
unmodified version of kvm.c includes the following values:
ret |=
CPUID_EXT_HYPERVISOR; //line 219 in 'kvm.c'
"KVMKVMKVM\0\0\0", 12); //Line 538 in 'kvm.c'

- My objective is
to replace those values with the following :
ret |= 0; //line
219 in 'kvm.c'
"blablabla\0\0\0", 12); //Line 538 in 'kvm.c'

Step 2) I do “sudo
make” and “sudo make install” in the qemu-2.3.0-rc4 directory,
and then I replace the original file './usr/bin/qemu-system-x86_64'
with the new one.

While everything
works fine with qemu-kvm and sdl (following the command line that I'm
using) :
qemu-system-x86_64 -enable-kvm -m 4096 img.qcow2 -smp cores=2
With virt-manager
I'm not able to start correctly the virtual machine. I have the
following problems :

If I'm using a
Windows 7 .qcow2, Windows will start but right after windows starts
loading, It halts and I get the famous windows blue error screen
saying : 

*** STOP: 0x000000A5
(0x0001000A, 0x00000000, 0x00000000, 0x00000000). 

While it could be an
ACPI problem, I tried to uncheck the ACPI option in virt-manager VM
configuration but I still get the same error.

If I'm using a
WindowsXP .qcow2, I always have the message “We apologize for the
inconvenience, but Windows did not start successfully […] Start
Windows Normally […] “ and no way to dodge/escape it.

I will be gratefull
if someone may help me or have an idea about how to implement these
CPU modifications !

Running version:
Ubuntu 14.04
QEMU emulator
version 2.2.94
Libvirt 1.2.2


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20150428/c27f84be/attachment.htm>

More information about the virt-tools-list mailing list