Creating a stealthy virtual machine for malware analysis, without using hardware passthrough from the host OS, to minimize risk.
These modifications to the libvirt domain XML work for both Linux and Windows guests.
Replace the <os></os> element with the following (the <sysinfo> block is a sibling of <os> directly under <domain>, and <smbios mode="sysinfo"/> makes QEMU expose those values to the guest):
<sysinfo type="smbios">
  <bios>
    <entry name="vendor">Lenovo</entry>
    <entry name="version">1.21</entry>
  </bios>
  <system>
    <entry name="manufacturer">Lenovo</entry>
    <entry name="product">ThinkPad X1 Carbon</entry>
    <entry name="version">11</entry>
    <entry name="serial">WZpzL8vq</entry>
  </system>
</sysinfo>
<os>
  <type arch="x86_64" machine="pc-q35-8.0">hvm</type>
  <boot dev="hd"/>
  <smbios mode="sysinfo"/>
</os>
Modify the CPU settings so the "hypervisor present" CPUID bit is not reported to the guest:
<cpu mode="host-model" check="none">
  <feature policy="disable" name="hypervisor"/>
</cpu>
Enable the KVM hidden state, which hides the KVM hypervisor signature from the guest, by adding this inside the <features> element:
<kvm>
  <hidden state="on"/>
</kvm>
NOTE: the following configuration only works for SCSI disks (libvirt accepts <vendor> and <product> only when the disk's <target> has bus="scsi")!
In the <devices> element look for your <disk> element, and add the following child elements to it:
<serial>AB1234ZEQS1321</serial>
<vendor>Samsung</vendor>
<product>500GB HDD</product>
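The four changes above (SMBIOS sysinfo, CPU hypervisor flag, KVM hidden state, SCSI disk identity) applied by a script, as an added example that is not part of the original note: it edits a libvirt domain XML with Python's standard xml.etree, so the result can be reviewed before it is loaded with virsh define. The sample domain, its disk layout and the SMBIOS/disk values are constructed; the 8-character vendor and 16-character product limits are libvirt's own, and the script skips disks whose bus is not scsi for the reason given in the note. Function names such as harden and stealth_report are this example's, not libvirt's.

```python
# Added example: apply the note's four changes to a libvirt domain XML with the
# standard library's xml.etree, so the result can be reviewed before `virsh define`.
import xml.etree.ElementTree as ET

# Constructed identities (same values as the note); take real ones from a hardware inventory.
SMBIOS = {"bios": {"vendor": "Lenovo", "version": "1.21"},
          "system": {"manufacturer": "Lenovo", "product": "ThinkPad X1 Carbon",
                     "version": "11", "serial": "WZpzL8vq"}}
DISK_IDENTITY = {"serial": "AB1234ZEQS1321", "vendor": "Samsung", "product": "500GB HDD"}

def _child(parent, tag, **attrs):
    """Return parent's first <tag> child, creating it with attrs when absent."""
    el = parent.find(tag)
    if el is None:
        el = ET.SubElement(parent, tag, attrs)
    return el

def set_smbios(domain, smbios):
    """Insert <sysinfo type="smbios"> before <os> and set <os><smbios mode="sysinfo"/>."""
    for old in domain.findall("sysinfo"):  # drop a previous copy so re-running stays idempotent
        if old.get("type") == "smbios":
            domain.remove(old)
    os_el = domain.find("os")
    if os_el is None:
        raise ValueError("domain XML has no <os> element")
    sysinfo = ET.Element("sysinfo", type="smbios")
    for section, entries in smbios.items():
        sec = ET.SubElement(sysinfo, section)
        for name, value in entries.items():
            ET.SubElement(sec, "entry", name=name).text = value
    domain.insert(list(domain).index(os_el), sysinfo)  # sibling of <os>, directly under <domain>
    _child(os_el, "smbios").set("mode", "sysinfo")
    return sysinfo

def hide_hypervisor_flag(domain):
    """<cpu mode="host-model" check="none"> with the 'hypervisor' CPUID bit disabled."""
    cpu = _child(domain, "cpu")
    cpu.set("mode", "host-model")
    cpu.set("check", "none")
    for feat in cpu.findall("feature"):
        if feat.get("name") == "hypervisor":
            cpu.remove(feat)
    ET.SubElement(cpu, "feature", policy="disable", name="hypervisor")
    return cpu

def hide_kvm_signature(domain):
    kvm = _child(_child(domain, "features"), "kvm")  # <features><kvm><hidden state="on"/></kvm>
    _child(kvm, "hidden").set("state", "on")
    return kvm

def set_disk_identity(domain, identity):
    """Set serial/vendor/product on every SCSI hard disk; returns the number changed.
    Other buses are skipped: libvirt rejects <vendor>/<product> unless bus="scsi"."""
    if len(identity["vendor"]) > 8 or len(identity["product"]) > 16:
        raise ValueError("libvirt limits vendor to 8 and product to 16 characters")
    changed = 0
    for disk in domain.iter("disk"):
        target = disk.find("target")
        if disk.get("device", "disk") != "disk" or target is None or target.get("bus") != "scsi":
            continue
        for tag in ("serial", "vendor", "product"):
            _child(disk, tag).text = identity[tag]
        changed += 1
    return changed

def harden(xml_text, smbios=SMBIOS, identity=DISK_IDENTITY):
    """Apply all four changes; returns (new XML text, number of SCSI disks updated)."""
    domain = ET.fromstring(xml_text)
    set_smbios(domain, smbios)
    hide_hypervisor_flag(domain)
    hide_kvm_signature(domain)
    scsi_disks = set_disk_identity(domain, identity)
    return ET.tostring(domain, encoding="unicode"), scsi_disks

def stealth_report(xml_text):
    """Read the stealth-relevant settings back out of a domain XML, for review."""
    d = ET.fromstring(xml_text)
    tags = [c.tag for c in d]
    smbios, hidden = d.find("os/smbios"), d.find("features/kvm/hidden")
    return {
        "sysinfo_before_os": {"sysinfo", "os"} <= set(tags) and tags.index("sysinfo") < tags.index("os"),
        "smbios_mode": smbios.get("mode") if smbios is not None else None,
        "system_product": d.findtext("sysinfo/system/entry[@name='product']"),
        "hypervisor_disabled": any(f.get("name") == "hypervisor" and f.get("policy") == "disable"
                                   for f in d.findall("cpu/feature")),
        "kvm_hidden": hidden is not None and hidden.get("state") == "on",
        "disk_serials": {disk.find("target").get("dev"): disk.findtext("serial") for disk in d.iter("disk")},
    }

# Constructed minimal domain: one SCSI disk (gets an identity), a virtio disk and a SCSI CD-ROM (untouched).
SAMPLE_DOMAIN = """<domain type="kvm">
  <name>analysis</name>
  <os><type arch="x86_64" machine="pc-q35-8.0">hvm</type><boot dev="hd"/></os>
  <features><acpi/></features>
  <cpu mode="host-passthrough"/>
  <devices>
    <controller type="scsi" model="virtio-scsi"/>
    <disk type="file" device="disk"><target dev="sda" bus="scsi"/></disk>
    <disk type="file" device="disk"><target dev="vda" bus="virtio"/></disk>
    <disk type="file" device="cdrom"><target dev="sdb" bus="scsi"/></disk>
  </devices>
</domain>"""

if __name__ == "__main__":
    new_xml, count = harden(SAMPLE_DOMAIN)
    print(f"{count} SCSI disk(s) given an identity; {stealth_report(new_xml)}")
```

In practice the input comes from virsh dumpxml of the analysis domain and the output is written to a file and loaded with virsh define; stealth_report is the review step, and running it on the output of a second harden call shows the changes are idempotent.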
To achieve nearly complete stealth, a custom hypervisor designed for stealth is necessary. Here are some resources to make that possible.
Under VT-x the CPUID instruction always exits to the hypervisor, so returning false information from it means hooking it at the hypervisor level; that has to be implemented in the hypervisor itself. We could use SimpleVisor as a template for this.