[virt-tools-list] Libvirt: problem with hidding that a VM is running

Cole Robinson crobinso at redhat.com
Wed Apr 29 00:20:18 UTC 2015


On 04/28/2015 04:31 AM, Antoine wrote:
> Hello everyone,
> 
> 
> I try to strengthen my virtual machine against malware by trying, as much as I
> can, to hide the fact that malware is running inside a virtual machine. One
> possible way to do it is to suppress the string “KVMKVMKVM” and the value 1 of
> the Qemu variable 'CPUID_EXT_HYPERVISOR', which are both specified in the file
> in './qemu-2.3.0-rc4/target-i386/kvm.c'.
> 
> 
> Step 1) I'm doing the following modifications:
> 
> 
> - Original unmodified version of kvm.c includes the following values:
> 
> ret |= CPUID_EXT_HYPERVISOR; //line 219 in 'kvm.c'
> 
> memcpy(signature, "KVMKVMKVM\0\0\0", 12); //Line 538 in 'kvm.c'
> 
> 
> - My objective is to replace those values with the following :
> 
> ret |= 0; //line 219 in 'kvm.c'
> 
> memcpy(signature, "blablabla\0\0\0", 12); //Line 538 in 'kvm.c'
> 
> 
> Step 2) I do “sudo make” and “sudo make install” in the qemu-2.3.0-rc4
> directory, and then I replace the original file './usr/bin/qemu-system-x86_64'
> with the new one.
> 
> 
> While everything works fine with qemu-kvm and sdl (following the command line
> that I'm using) :
> 
> sudo qemu-system-x86_64 -enable-kvm -m 4096 img.qcow2 -smp cores=2
> 
> With virt-manager I'm not able to start the virtual machine correctly. I have
> the following problems:
> 
> 
> If I'm using a Windows 7 .qcow2, Windows will start, but right after Windows
> starts loading, it halts and I get the famous Windows blue error screen saying:
> 
> *** STOP: 0x000000A5 (0x0001000A, 0x00000000, 0x00000000, 0x00000000).
> 
> While it could be an ACPI problem, I tried to uncheck the ACPI option in
> virt-manager VM configuration but I still get the same error.
> 
> 
> If I'm using a WindowsXP .qcow2, I always have the message “We apologize for
> the inconvenience, but Windows did not start successfully […] Start Windows
> Normally […] “ and no way to dodge/escape it.
> 
> 
> I will be grateful if someone could help me or has an idea about how to
> implement these CPU modifications!
> 
> 
> Running version:
> 
> Ubuntu 14.04
> 
> QEMU emulator version 2.2.94
> 
> Libvirt 1.2.2

There's already a qemu option to hide the KVM CPUID, it's qemu -cpu $model,kvm=off

Libvirt XML is:

    <domain type='kvm'>
      ...
      <features>
        ...
        <kvm>
          <hidden state='on'/>
        </kvm>
      </features>
      ...

- Cole
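The two markers the thread is about (the hypervisor bit in CPUID leaf 1 and the vendor signature in leaf 0x40000000) can be read from inside the guest to confirm whether `kvm=off` / `<hidden state='on'/>` actually took effect. The following is an added example written for this page, not code from Cole, from QEMU or from libvirt; it assumes a Linux guest with GCC/Clang's `<cpuid.h>` and degrades to "unavailable" on non-x86 builds.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* Bit 31 of ECX in CPUID leaf 1 is the "hypervisor present" flag, the value
 * QEMU's target-i386 code calls CPUID_EXT_HYPERVISOR. */
#define HYPERVISOR_BIT (1u << 31)

/* Unpack the 12-byte vendor signature a hypervisor returns in EBX:ECX:EDX of
 * leaf 0x40000000; KVM fills it with "KVMKVMKVM\0\0\0". Bytes are extracted
 * by shifting so the result does not depend on host endianness. */
void decode_hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    out[12] = '\0';
}

/* Returns 1 if the hypervisor bit is set, 0 if it is clear,
 * -1 when CPUID is not available on this build/CPU. */
int hypervisor_bit_set(void)
{
#if HAVE_CPUID
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    return (c & HYPERVISOR_BIT) ? 1 : 0;
#else
    return -1;
#endif
}

/* Reads leaf 0x40000000 into sig; returns 1 if a non-empty signature came back.
 * __cpuid is used directly because __get_cpuid rejects the 0x4000xxxx range. */
int read_hv_signature(char sig[13])
{
#if HAVE_CPUID
    unsigned int a, b, c, d;
    __cpuid(0x40000000, a, b, c, d);
    decode_hv_signature(b, c, d, sig);
    return sig[0] != '\0';
#else
    sig[0] = '\0';
    return 0;
#endif
}

int main(void)
{
    char sig[13];
    int bit = hypervisor_bit_set();

    if (bit < 0)
        printf("CPUID unavailable on this build\n");
    else
        printf("CPUID.1:ECX bit 31 (hypervisor): %d\n", bit);

    if (read_hv_signature(sig))
        printf("leaf 0x40000000 signature: \"%s\"%s\n", sig,
               strncmp(sig, "KVMKVMKVM", 9) == 0 ? " (KVM)" : "");
    else
        printf("leaf 0x40000000 signature: empty\n");
    return 0;
}
```

With the libvirt `<hidden state='on'/>` feature active, the bit should read 0 and the signature should come back empty; a guest built without the change still shows the KVM signature, which is the quick way to tell whether the XML was applied to the running domain.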