Hello,
This is another post related to malware analysis and QEMU/KVM. I did a bit more research and found several older articles describing how to make pafish happy and how to evade malware that is aware of virtual machines.
Below is a screenshot from the output of pafish on Windows 7.

The Windows 7 system is running on a KVM host with the following kernel:
    [root@virre ~]# uname -a
    Linux host.local 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
As you can see, it looks pretty good and we may be able to win over most malware, but there is still stuff that we want to remove. For instance, check out the device manager:

As you can see there are devices called QEMU, which indicates that this is not a laptop. Note that pafish did not detect this, but we should still fix it. Our goal today is to make it say something else. Before we continue: there are a lot of posts that I have used for reference (check the end of this guide), but I wanted to start fresh and make a guide for everyone trying to do this on... you guessed it, CentOS 7.
Before we start, let me explain a little. When you install qemu/kvm on CentOS 7 using yum the binary is called qemu-kvm, but when you compile it yourself it is called qemu-system-x86_64. This is important to understand: it is the same program, but the name differs depending on whether it was compiled from source or installed from the package. Read more here
Also, make sure that you have the kvm module loaded. My laptop for this guide is an old one with an AMD CPU. Check with lsmod that the proper modules are loaded. For Intel it should say kvm_intel.
    [root@localhost qemu]# lsmod | grep kvm
    kvm_amd                60314  3
    kvm                   461126  1 kvm_amd
1. Install a fresh CentOS 7 minimal.
I installed it with Gnome Desktop as I am using an old laptop. Then update it:
    yum update -y; yum upgrade -y
After we finish it will look something like this (2015-06-25)
    [root@localhost ~]# uname -a
    Linux localhost.localdomain 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
2. Install some more packages and development tools
Grab a coffee while you wait.
    yum install python-devel perl-XML-XPath supermin python-ipaddr libvirt-python
    yum groupinstall "Development Tools"
Before we continue we can do some tweaking to compile a little bit faster. Depending on how many cores your system has, you can change the jobs parameter for make. Execute the following command:
    [root@localhost ~]# cat /proc/cpuinfo | grep processor | wc -l
    2
This would give me the value of “make -j2”. Yea, this is an old laptop..
3. Cloning QEMU
    #!/bin/bash
    yum-builddep qemu-kvm
    git clone git://git.qemu.org/qemu.git
    cd qemu
4. Edit drivers and compiling
Now the fun stuff starts. We are going to rename the device from QEMU HARDDISK to something else. Make sure you are in the qemu folder that we just cloned from the git repo (step 3):
    [root@localhost qemu]# pwd
    /root/qemu-source/qemu
Find the driver name (as seen in the device manager):
    [root@localhost qemu]# grep -nr "HARDDISK" hw/*
    hw/ide/core.c:2284:        strcpy(s->drive_model_str, "QEMU HARDDISK");
    hw/scsi/scsi-disk.c:2303:        s->product = g_strdup("QEMU HARDDISK");
These are the files that you need to edit. I will replace the string with “WDC WD20EARS”, which should look like a 2TB disk from Western Digital (according to a Google search).
    [root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/ide/core.c
    [root@localhost qemu]# sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' hw/scsi/scsi-disk.c
    [root@localhost qemu]# grep -nr "WDC" hw/*
    hw/ide/core.c:2284:        strcpy(s->drive_model_str, "WDC WD20EARS");
    hw/scsi/scsi-disk.c:2303:        s->product = g_strdup("WDC WD20EARS");
Also, let us not forget the DVD drive. Let us call it Toshiba DVD-ROM (because it was the only thing that popped into my head):
    [root@localhost qemu]# grep -nr "QEMU DVD" hw/*
    hw/ide/atapi.c:732:        padstr8(buf + 16, 16, "QEMU DVD-ROM");
    hw/ide/core.c:2278:        strcpy(s->drive_model_str, "QEMU DVD-ROM");
And there are some more places that we need to edit:
    [root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/core.c
    [root@localhost qemu]# sed -i 's/QEMU DVD-ROM/DVD-ROM/g' hw/ide/atapi.c
    [root@localhost qemu]# sed -i 's/s->vendor = g_strdup("QEMU");/s->vendor = g_strdup("Toshiba");/g' hw/scsi/scsi-disk.c
    [root@localhost qemu]# sed -i 's/QEMU CD-ROM/CD-ROM/g' hw/scsi/scsi-disk.c
    [root@localhost qemu]# sed -i 's/padstr8(buf + 8, 8, "QEMU");/padstr8(buf + 8, 8, "Toshiba");/g' hw/ide/atapi.c
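The replacements above are easy to get half-done (one file edited, the other forgotten), so here is an added check script, not from the original post, that applies the same sed edits to a source tree and then counts how many lines in the three device-model files still carry one of the guest-visible marker strings. The file paths and marker strings are the ones the post's grep output shows; the sample tree it builds for the demo is a constructed stand-in containing only those lines, not real QEMU source. Because the counter uses grep -a, the same function can be pointed at the installed binary after make install to confirm the rebuilt qemu-kvm no longer contains the old names.

```shell
#!/bin/bash
# Added example (not the post's code): apply the step 4 string replacements and
# verify that no marker a guest can read back via IDENTIFY/INQUIRY data remains.

# Files the post greps; paths are relative to the cloned qemu source tree.
DEVICE_FILES="hw/ide/core.c hw/ide/atapi.c hw/scsi/scsi-disk.c"

# rename_devices SRCDIR: the post's sed edits, applied in place.
rename_devices() {
    src="$1"
    sed -i 's/QEMU HARDDISK/WDC WD20EARS/g' "$src/hw/ide/core.c" "$src/hw/scsi/scsi-disk.c"
    sed -i 's/QEMU DVD-ROM/DVD-ROM/g' "$src/hw/ide/core.c" "$src/hw/ide/atapi.c"
    sed -i 's/s->vendor = g_strdup("QEMU");/s->vendor = g_strdup("Toshiba");/g' "$src/hw/scsi/scsi-disk.c"
    sed -i 's/QEMU CD-ROM/CD-ROM/g' "$src/hw/scsi/scsi-disk.c"
    sed -i 's/padstr8(buf + 8, 8, "QEMU");/padstr8(buf + 8, 8, "Toshiba");/g' "$src/hw/ide/atapi.c"
}

# count_markers FILE...: total number of lines in FILE(s) that still carry a
# marker string. -a makes it work on a binary (e.g. /usr/libexec/qemu-kvm) too.
count_markers() {
    total=0
    for f in "$@"; do
        n=$(grep -a -c -F -e 'QEMU HARDDISK' -e 'QEMU DVD-ROM' -e 'QEMU CD-ROM' \
                 -e 'g_strdup("QEMU")' -e 'padstr8(buf + 8, 8, "QEMU")' "$f" || true)
        total=$((total + ${n:-0}))
    done
    echo "$total"
}

# tree_markers SRCDIR: count_markers over the three device-model files.
tree_markers() {
    set -- "$1"
    for f in $DEVICE_FILES; do set -- "$@" "$1/$f"; done
    shift
    count_markers "$@"
}

# make_sample_tree DIR: constructed stand-in source tree holding only the lines
# from the post's grep output (plus the QEMU CD-ROM line its sed targets).
make_sample_tree() {
    d="$1"
    mkdir -p "$d/hw/ide" "$d/hw/scsi"
    cat > "$d/hw/ide/core.c" <<'EOF'
        strcpy(s->drive_model_str, "QEMU DVD-ROM");
        strcpy(s->drive_model_str, "QEMU HARDDISK");
EOF
    cat > "$d/hw/ide/atapi.c" <<'EOF'
        padstr8(buf + 8, 8, "QEMU");
        padstr8(buf + 16, 16, "QEMU DVD-ROM");
EOF
    cat > "$d/hw/scsi/scsi-disk.c" <<'EOF'
        s->vendor = g_strdup("QEMU");
        s->product = g_strdup("QEMU HARDDISK");
        s->product = g_strdup("QEMU CD-ROM");
EOF
}

# Usage: ./check_markers.sh --demo          (self-contained demo on the stand-in tree)
#        rename_devices /root/qemu-source/qemu; tree_markers /root/qemu-source/qemu
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "markers before: $(tree_markers "$tmp")"   # 7 on the stand-in tree
    rename_devices "$tmp"
    echo "markers after:  $(tree_markers "$tmp")"   # 0
    rm -rf "$tmp"
fi
```

A non-zero count after the edit means a file was missed; a non-zero count on the installed binary means the build or make install did not pick up the edited source.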
Time to build! Make sure you are root so you can install it:
    #!/bin/bash
    ./configure --prefix=/usr --sysconfdir=/etc --docdir=/usr/share/doc/qemu --target-list=x86_64-softmmu
    make -j2
    make install
Add a symbolic link to make virt-manager happy:
    ln -s /usr/bin/qemu-system-x86_64 /usr/libexec/qemu-kvm
5. Time to compile libvirt
If you want to know more about compiling libvirt, and the arguments I am using with autogen you can read more here before you continue:
https://libvirt.org/compiling.html
    #!/bin/bash
    yum-builddep libvirt
    git clone git://libvirt.org/libvirt.git
    cd libvirt
    ./autogen.sh --system --prefix=/usr --sysconfdir=/etc
    make -j2
    make check
    make install
Go ahead and start the daemon!
You should see something like this in /var/log/messages:
    Jun 26 08:32:06 localhost systemd: Starting Virtualization daemon...
    Jun 26 08:32:07 localhost systemd: Started Virtualization daemon.
    Jun 26 08:32:08 localhost journal: libvirt version: 1.3.0
6. Install virt-manager
    git clone git://git.fedorahosted.org/virt-manager.git
    cd virt-manager
    python setup.py install
You can now start virt-manager by executing ./virt-manager in the same directory. Or, if you would rather not use virt-manager to create the virtual machine, just continue to step 7.
7. Install the first virtual machine
Let us install a Windows XP SP0 and see what's what. I am using an old ISO image which I placed in /root/:
    mkdir /vm/
    # Create the disk
    /usr/bin/qemu-img create -f qcow2 /vm/winxp.qcow2 80G
    # Either create a machine through virt-manager or do it command line style
    /usr/libexec/qemu-kvm -enable-kvm -m 1024 -hda /vm/winxp.qcow2 -cdrom /root/en_winxp_pro_x86_build2600_iso.img -boot d
When the installation is complete, go into the device manager and voilà:

Device Manager after QEMU modifications
Each time you want to modify something in the qemu code you can just rerun the make and make install steps; the binary is updated and the device names change accordingly.
8. Changing The BIOS
This is the last step, if you really would like to be sneaky. When you execute dmidecode it will also tell you that this is QEMU and not something else.

Notice QEMU after Manufacturer on the devices
QEMU uses SeaBIOS, so we will start by cloning the latest source and compiling it:
    git clone git://git.seabios.org/seabios.git
    cd seabios
    make
The completed BIOS file will be located in the folder out and is called “bios.bin”. The next step is to execute qemu with some parameters set (“-k en” means English keyboard):
    /usr/libexec/qemu-kvm -enable-kvm -m 1024 \
        -drive file=/vm/winxp.qcow2,if=none,id=drive-ide0-0-0,format=qcow2 \
        -device ide-hd,bus=ide.0,unit=0,drive=drive-ide0-0-0,id=ide0-0-0,bootindex=1 \
        -k en -boot n -bios /root/bios/seabios/out/bios.bin \
        -smbios type=1,manufacturer="Dell" \
        -smbios type=0,vendor="Dell" \
        -smbios type=4,manufacturer="Dell" \
        -smbios type=17,manufacturer="Dell" \
        -smbios type=3,manufacturer="Dell"
Notice the parameter:
    -bios /root/bios/seabios/out/bios.bin
This is where I specify the BIOS file we compiled.
The other parameters:

    -smbios type=1,manufacturer="Dell"
    -smbios type=0,vendor="Dell"
    -smbios type=4,manufacturer="Dell"
    -smbios type=17,manufacturer="Dell"
    -smbios type=3,manufacturer="Dell"

are where I tell it to set Dell as the manufacturer instead of QEMU. Your final product after running dmidecode should be something like this:

dmidecode after the parameter changes
You can also add the BIOS file using virsh edit and set the following:
    <os>
      <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
      <loader type='rom'>/root/bios/seabios/out/bios.bin</loader>
      <boot dev='hd'/>
    </os>
However, you still require the smbios arguments. You could also add the “-smbios type” parameters in the domain XML for the VM.
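To make the domain-XML route concrete, here is an added helper, not from the original post, that prints the libvirt fragments equivalent to the -smbios options above. It assumes libvirt's <sysinfo type='smbios'> element with its bios (type 0) and system (type 1) sections and <smbios mode='sysinfo'/> under <os>; for the remaining types the post sets (3, 4, 17) it falls back to libvirt's <qemu:commandline> pass-through, which only works when the qemu XML namespace is declared on the <domain> element. The manufacturer name and BIOS path are parameters; check your libvirt version's documentation for which sysinfo sections it supports.

```shell
#!/bin/bash
# Added example (not the post's code): emit the libvirt domain XML that replaces
# the -smbios command-line options from step 8.

# smbios_xml MANUFACTURER BIOS_PATH: print the fragments to paste into `virsh edit`.
# Assumed libvirt elements: <sysinfo type='smbios'>, <os><smbios mode='sysinfo'/>,
# and the <qemu:commandline> pass-through for SMBIOS types libvirt has no section for.
smbios_xml() {
    mfr="$1"
    bios="$2"
    cat <<EOF
<!-- the <domain> element needs: xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0' -->
<sysinfo type='smbios'>
  <bios>
    <entry name='vendor'>$mfr</entry>
  </bios>
  <system>
    <entry name='manufacturer'>$mfr</entry>
  </system>
</sysinfo>
<os>
  <type arch='x86_64' machine='pc-i440fx-2.4'>hvm</type>
  <loader type='rom'>$bios</loader>
  <smbios mode='sysinfo'/>
  <boot dev='hd'/>
</os>
<qemu:commandline>
  <qemu:arg value='-smbios'/>
  <qemu:arg value='type=3,manufacturer=$mfr'/>
  <qemu:arg value='-smbios'/>
  <qemu:arg value='type=4,manufacturer=$mfr'/>
  <qemu:arg value='-smbios'/>
  <qemu:arg value='type=17,manufacturer=$mfr'/>
</qemu:commandline>
EOF
}

# count_fields XML NAME: number of SMBIOS fields in XML set to NAME (expect 5:
# bios vendor, system manufacturer, and the three pass-through types).
count_fields() {
    printf '%s\n' "$1" | grep -c -F "$2"
}

# Usage: smbios_xml Dell /root/bios/seabios/out/bios.bin
if [ "${1:-}" = "--demo" ]; then
    smbios_xml "${2:-Dell}" "${3:-/root/bios/seabios/out/bios.bin}"
fi
```

After editing the domain, `virsh dumpxml` should show the sysinfo block, and dmidecode inside the guest should report the chosen manufacturer for the same tables the command-line run did.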
That was all!
References and links