This post is long overdue, but here it is.
How to make qemu-kvm a bit harder to detect for malware and pentesters alike (e.g. to fool Metasploit's checkvm).
I have found that using libvirt and virsh edit is a simple way to change the settings for the guest OS.
* Don't install guest additions
* Change MAC address
<address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
* Copy the host CPU info into the guest (can be done in the XML file or via Processor -> Configuration -> Copy host CPU)
* Change BIOS information
Start by retrieving the dmidecode information for your host.
<entry name='uuid'>XXXXXXXX</entry> <-- This value has to be the same as the domain's other <uuid> element found in the XML file
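As an added example (not from the original post), this script turns the host's dmidecode output into the libvirt <sysinfo type='smbios'> block the step above asks for, skipping vendor filler and handing back the UUID the domain's own <uuid> must match; the dmidecode excerpt is constructed and the function names are mine.

```python
import xml.etree.ElementTree as ET
# dmidecode labels -> libvirt <entry name='...'> names, per SMBIOS table
BIOS_FIELDS = {"Vendor": "vendor", "Version": "version", "Release Date": "date"}
SYSTEM_FIELDS = {"Manufacturer": "manufacturer", "Product Name": "product",
                 "Version": "version", "Serial Number": "serial", "UUID": "uuid"}
PLACEHOLDERS = {"", "Not Specified", "To Be Filled By O.E.M."}  # vendor filler
# Constructed stand-in for `dmidecode -t 0 -t 1` on the host; all values made up
SAMPLE_DMIDECODE = """\
Handle 0x0000, DMI type 0, 24 bytes
BIOS Information
\tVendor: Example BIOS Corp
\tVersion: 1.4.2
\tRelease Date: 05/14/2019
Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: Example Computers
\tProduct Name: Workstation 9000
\tVersion: Not Specified
\tSerial Number: EX123456
\tUUID: 12345678-abcd-4ef0-9876-0123456789ab
"""

def parse_dmidecode(text):
    """Return {table title: {label: value}} from dmidecode's text output."""
    tables, current = {}, None
    for line in text.splitlines():
        if line and not line.startswith(("\t", "Handle ", "#")):
            current = tables.setdefault(line.strip(), {})  # table title line
        elif current is not None and line.startswith("\t") and not line.startswith("\t\t"):
            label, sep, value = line.strip().partition(":")
            if sep:  # one-tab "Label: value" lines; nested lists are skipped
                current.setdefault(label, value.strip())
    return tables

def build_sysinfo(tables):
    """libvirt <sysinfo type='smbios'>; pair with <os><smbios mode='sysinfo'/></os>."""
    sysinfo = ET.Element("sysinfo", type="smbios")
    for title, tag, fields in (("BIOS Information", "bios", BIOS_FIELDS),
                               ("System Information", "system", SYSTEM_FIELDS)):
        parent = ET.SubElement(sysinfo, tag)
        for label, name in fields.items():
            value = tables.get(title, {}).get(label, "")
            if value not in PLACEHOLDERS:  # skip filler, copy the real values
                ET.SubElement(parent, "entry", name=name).text = value
    return sysinfo

def domain_uuid(sysinfo):
    """Value the domain's top-level <uuid> must carry; libvirt checks they agree."""
    return sysinfo.findtext("system/entry[@name='uuid']")
```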
* Change Harddrive model
In my quest to find an easy way to change the hard drive model number from QEMU HARDDISK to something else, I stumbled upon this patch:
But the stock qemu-kvm shipped with Ubuntu does not support the "model=" setting, so I downloaded the latest qemu-kvm source, assuming the patch would have been incorporated in that release. Sadly, I did not get it to work quickly (adding it as a qdev option might have worked).
It could also be that the libvirt version shipped with Ubuntu did not support me adding the setting via virsh. Anyway, a quick fix to the problem was to edit core.c and replace "QEMU HARDDISK" with something else, as I already had the source.
Edit file: qemu-kvm-1.2.0-rc2/hw/ide/core.c
Org: strcpy(s->drive_model_str, "QEMU HARDDISK");
Change: strcpy(s->drive_model_str, "XXXXXXX");
* Registry edit
Change "WOOT" to something more suitable. As with VirtualBox, if you are using Cuckoo this script only has to be run once. If you need to reboot, add the script to auto-execute after reboot to change those pesky registry values that are reset at each boot.
-- start of script ---
@rem Rename the ACPI table keys that carry the Bochs/SeaBIOS names (copy under the new name, then delete the original)
@reg copy HKLM\HARDWARE\ACPI\DSDT\BXPC HKLM\HARDWARE\ACPI\DSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\BXPC /f
@reg copy HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT HKLM\HARDWARE\ACPI\DSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\DSDT\WOOT\BXDSDT /f
@reg copy HKLM\HARDWARE\ACPI\FADT\BOCHS_ HKLM\HARDWARE\ACPI\FADT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\BOCHS_ /f
@reg copy HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP HKLM\HARDWARE\ACPI\FADT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\FADT\WOOT\BXPCFACP /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\BOCHS_ HKLM\HARDWARE\ACPI\RSDT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\BOCHS_ /f
@reg copy HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT HKLM\HARDWARE\ACPI\RSDT\WOOT\WOOT /s /f
@reg delete HKLM\HARDWARE\ACPI\RSDT\WOOT\BXPCRSDT /f
@rem Overwrite the BIOS version string reported to the guest
@reg add HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion /t REG_MULTI_SZ /d "WOOT -1" /f
--- end of script ----
Update 1: Modify the BIOS.
At the moment my blog posts reflect my research: sporadic and a bit chaotic. Anyway, I just noticed (it's quite obvious really) that the BIOS would reveal the presence of a virtual guest, so here is a way to make it less obvious.
Download the BIOS (seabios) source:
git clone git://git.seabios.org/seabios.git
Edit the following file:
Locate the following part:
#define CONFIG_APPNAME "Bochs"
#define CONFIG_CPUNAME8 "BOCHSCPU"
#define CONFIG_APPNAME6 "BOCHS "
#define CONFIG_APPNAME4 "BXPC"
And change it to something appropriate:
#define CONFIG_APPNAME "DELL"
#define CONFIG_CPUNAME8 "DELLCPU"
#define CONFIG_APPNAME6 "DELL "
#define CONFIG_APPNAME4 "DELLS" (I don't know, just change it to something.)
Run make and then replace the current BIOS image with the new one found in the "out" directory.
You can verify the change by using the Windows port of dmidecode, which contains an application called biosdecode.exe.
The value to look for is the OEM identifier. The change will also have some positive effect on the registry settings, in the sense that they will look more "natural"(?)