Thursday, September 20, 2012

Modifying KVM (qemu-kvm) settings for malware analysis

This post is long overdue, but here it is.

How to make qemu-kvm a bit harder to detect for malware and pentesters alike (ex: fool Metasploit checkvm).

 I have found that using libvirt and virsh edit is a simple way to change the settings for the guest OS.

General guidelines: 

* Don't install guest additions

* Change MAC address
        <interface type='network'>
            <mac address='xx:xx:xx:xx:xx:xx'/>
            <source network='default'/>
            <model type='rtl8139'/>
           <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
         </interface>



* Copy the host CPU info into the guest. (can be done in the XML file or via virt-manager)
  
      Processor -> configuration -> Copy host CPU configuration

 * Change BIOS information

Start by retrieving  the dmidecode information for your host.

        <os>
          <smbios mode='sysinfo'/>
           ...
       </os>
     

      <sysinfo type='smbios'>
        <bios>
             <entry name='vendor'>XXXX</entry>
             <entry name='version'>XXXXXX</entry>
             <entry name='date'>XXXXX</entry>
             <entry name='release'>XXXXX</entry>

       </bios>
      <system>
          <entry name='manufacturer'>XXXXX</entry>
          <entry name='product'>XXXXX</entry>
          <entry name='version'>XXXXX</entry>
          <entry name='serial'>XXXXX</entry>
          <entry name='uuid'>XXXXXXXX</entry> <-- This values has to be the same as the other UUID variable found in the xml file
          <entry name='sku'>XXXXXX</entry>
          <entry name='family'>XXXXXX</entry>     
       </system>
     </sysinfo>


* Change Harddrive model

In my quest to find an easy way to change the harddrive model number from QEMU HARDDISK to something else, I stumble up on this patch:

    https://lists.gnu.org/archive/html/qemu-devel/2012-03/msg02272.html.

But the stock qemu-kvm shipped with Ubuntu does not support the "model=" setting. So I downloaded the latest qemu-kvm source, as I thought that the patch would be incorporated in that release. Sadly I did not get it to work quickly (adding it as a qdev option might have worked)

It could have been that libvirt version which is shipped with Ubuntu did not  support me adding the setting via virsh  ..anyway a quick fix to the problem was to edit core.c and replace "QEMU HARDDISK" with something else as I already had the source.

   Edit file:    qemu-kvm-1.2.0-rc2/hw/ide/core.c
  Org:           strcpy(s->drive_model_str, "QEMU HARDDISK");
  Change:     strcpy(s->drive_model_str, "XXXXXXX");
   

 * Registry edit

  Change "WOOT" to something more suitable. As with Virtualbox, if you are using Cuckoo this script has to be run only once. If you need to reboot, add the script to auto execute after reboot to change those pesky registry values that are reset after each reboot.   

 -- start of script ---


@reg copy HKLM\HARDWARE\ACPI\DSDT\BXPC HKLM\HARDWARE\ACPI\DSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\BXPC /f

@reg copy HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT HKLM\HARDWARE\ACPI\DSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT /f

@reg copy HKLM\HARDWARE\ACPI\FADT\BOCHS_ HKLM\HARDWARE\ACPI\FADT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\BOCHS_ /f

@reg copy HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP HKLM\HARDWARE\ACPI\FADT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP /f

@reg copy HKLM\HARDWARE\ACPI\RSDT\BOCHS_ HKLM\HARDWARE\ACPI\RSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\BOCHS_ /f

@reg copy HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT HKLM\HARDWARE\ACPI\RSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT /f

@reg add HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f


--- end of script ----

Update 1:  Modify the BIOS.

At the moment my blog posts reflects my research,  sporadic and a bit chaotic. Anyway I just noticed (it quite obvious really)  that the BIOS would reveal the presences of a virtual guest so here is a way to make it less obvious.

Download the BIOS (seabios) source:

   git clone git://git.seabios.org/seabios.git  

Edit the following file:

  seabios/src/config.h

Locate the following part:

#define CONFIG_APPNAME  "Bochs"
#define CONFIG_CPUNAME8 "BOCHSCPU"
#define CONFIG_APPNAME6 "BOCHS "
#define CONFIG_APPNAME4 "BXPC"


And change it to something appropriate

#define CONFIG_APPNAME  "DELL"
#define CONFIG_CPUNAME8 "DELLCPU"
#define CONFIG_APPNAME6 "DELL "
#define CONFIG_APPNAME4 "DELLS" (I don't know just change it to something..)


Run make and then replace the current one with the new one found in the "out" directory.

You can verify the change by using the Windows port of dmidecode, which contains a application called biosdecode.exe.

The value to look for is the OEM identifier. The change will also have some positive effect on the reg settings, in the sense that they will look more "natural"(?)


/Micke
@nsmfoo

5 comments:

  1. Hi!
    How do you create a VM using the edited core.c?
    I edited mine, did a make, and created a VM but the QEMU HARDDISK is still present!

    ReplyDelete
    Replies
    1. Hi,

      I don't have a quick answer. But can you verify that the qemu-kvm you edit and compiled is the one you are using by running kvm -version.

      Can you also try to start the VM from command line and not via virt-manager (if you are using that)

      What format is the created disk? I have only verified it with qcow2(not sure if it makes any difference ..)

      Let me know if it worked out for you or if it didn't

      /Micke

      Delete
  2. I add your parts and referer your blog, here more info
    http://doomedraven.github.io/KVM.html#modifying-kvm-qemu-kvm-settings-for-malware-analysis

    ReplyDelete
  3. Great work Andriy! Will read it more carefully over the weekend. Glad that old stuff could still be useful. If you are looking for a more up to date version of the script that is run inside the guest, you can get some inspiration from https://github.com/nsmfoo/antivmdetection /Mikael

    ReplyDelete
  4. Thanks. is basically my notes over kvm :) if you have some suggestion feel free to suggest/commit
    I have copy of that script, very good job, also have make small part of host patching with VBoxManage setextradata $1 "VBoxInternal/Devices..... and for VMware small part. I just added you on twitter, let me know your email and I will drop you them in case if you interested

    Best regards

    ReplyDelete