[virt-tools-list] Libvirt: problem with hiding that a VM is running

Antoine abyssal90 at hotmail.fr
Wed Apr 29 14:28:05 UTC 2015


> Date: Tue, 28 Apr 2015 20:20:18 -0400
> From: crobinso at redhat.com
> To: abyssal90 at hotmail.fr; virt-tools-list at redhat.com
> Subject: Re: [virt-tools-list] Libvirt: problem with hiding that a VM is running
> 
> On 04/28/2015 04:31 AM, Antoine wrote:
> > Hello everyone,
> > 
> > 
> > I am trying to strengthen my virtual machine against malware by hiding, as much as
> > I can, the fact that the malware is running inside a virtual machine. One
> > possible way to do it is to suppress the string “KVMKVMKVM” and the value 1 of
> > the Qemu variable 'CPUID_EXT_HYPERVISOR', which are both specified in the file
> > './qemu-2.3.0-rc4/target-i386/kvm.c'.
> > 
> > 
> > Step 1) I'm doing the following modifications:
> > 
> > 
> > - Original unmodified version of kvm.c includes the following values:
> > 
> > ret |= CPUID_EXT_HYPERVISOR; //line 219 in 'kvm.c'
> > 
> > memcpy(signature, "KVMKVMKVM\0\0\0", 12); //Line 538 in 'kvm.c'
> > 
> > 
> > - My objective is to replace those values with the following :
> > 
> > ret |= 0; //line 219 in 'kvm.c'
> > 
> > memcpy(signature, "blablabla\0\0\0", 12); //Line 538 in 'kvm.c'
> > 
> > 
> > Step 2) I do “sudo make” and “sudo make install” in the qemu-2.3.0-rc4
> > directory, and then I replace the original file './usr/bin/qemu-system-x86_64'
> > with the new one.
> > 
> > 
> > While everything works fine with qemu-kvm and sdl (following the command line
> > that I'm using) :
> > 
> > sudo qemu-system-x86_64 -enable-kvm -m 4096 img.qcow2 -smp cores=2
> > 
> > With virt-manager I'm not able to start the virtual machine correctly. I have
> > the following problems:
> > 
> > 
> > If I'm using a Windows 7 .qcow2, Windows will start, but right after Windows
> > starts loading it halts and I get the famous Windows blue error screen saying:
> > 
> > *** STOP: 0x000000A5 (0x0001000A, 0x00000000, 0x00000000, 0x00000000).
> > 
> > While it could be an ACPI problem, I tried to uncheck the ACPI option in
> > virt-manager VM configuration but I still get the same error.
> > 
> > 
> > If I'm using a WindowsXP .qcow2, I always have the message “We apologize for
> > the inconvenience, but Windows did not start successfully […] Start Windows
> > Normally […] “ and no way to dodge/escape it.
> > 
> > 
> > I will be grateful if someone can help me or has an idea about how to
> > implement these CPU modifications!
> > 
> > 
> > Running version:
> > 
> > Ubuntu 14.04
> > 
> > QEMU emulator version 2.2.94
> > 
> > Libvirt 1.2.2
> 
> There's already a qemu option to hide the KVM CPUID, it's qemu -cpu $model,kvm=off
> 
> Libvirt XML is:
> 
>     <domain type='kvm'>
>       ...
>       <features>
>         ...
>         <kvm>
>           <hidden state='on'/>
>         </kvm>
>       </features>
>       ...
> 
> - Cole
> 
> 


Thank you for your answer.

I'll use the option "-cpu host,kvm=off" which is doing some good modifications.

If some people read this, they need to know that in order to implement the Libvirt XML solution, they need at least the Libvirt version 1.2.8 (currently with a basic "sudo apt-get install libvirt-bin" the version is only 1.2.2).

These 2 solutions don't fix the problem of the ' ret |= CPUID_EXT_HYPERVISOR ', but I no longer need virt-manager, so I'll implement the ' ret |= 0 ' to hide it in the VM.

Regards.
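As an added example (not code from this thread or from QEMU), a small C program to run inside the guest to verify what the settings discussed above actually hide: whether CPUID.1:ECX[31] (the bit QEMU sets from CPUID_EXT_HYPERVISOR) is still reported, and what vendor string leaf 0x40000000 returns (the 12 bytes kvm.c writes as "KVMKVMKVM\0\0\0"). It assumes GCC's <cpuid.h> on an x86 guest; decode_signature() is a helper written for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Bit 31 of CPUID.1:ECX; QEMU sets it via CPUID_EXT_HYPERVISOR in kvm.c. */
#define HYPERVISOR_BIT (1u << 31)

/* Rebuild the 12-byte vendor signature of CPUID leaf 0x40000000 from
 * EBX, ECX and EDX. Each register carries four bytes, lowest byte first,
 * so the string is extracted byte by byte independent of host endianness. */
void decode_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* 1 if CPUID.1:ECX[31] is set (a hypervisor announces itself), 0 if not,
 * -1 when the leaf is unavailable or the binary is not built for x86. */
int hypervisor_bit_set(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (ecx & HYPERVISOR_BIT) ? 1 : 0;
#else
    return -1;
#endif
}

/* Query leaf 0x40000000 and fill sig; only meaningful when the
 * hypervisor bit is set. Returns 1 on x86, 0 elsewhere. */
int read_hypervisor_signature(char sig[13])
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    decode_signature(ebx, ecx, edx, sig);
    return 1;
#else
    sig[0] = '\0';
    return 0;
#endif
}

int main(void)
{
    char sig[13];
    int bit = hypervisor_bit_set();
    printf("CPUID.1:ECX[31] (hypervisor bit): %d\n", bit);
    if (bit == 1 && read_hypervisor_signature(sig))
        printf("CPUID.40000000h signature: \"%s\"\n", sig);
    return 0;
}
```

With kvm=off (or <hidden state='on'/>) the signature should no longer read KVMKVMKVM, while the hypervisor bit is still expected to print 1, which is the remaining gap the reply above refers to.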
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/virt-tools-list/attachments/20150429/13f25afb/attachment.htm>


More information about the virt-tools-list mailing list