qemu-devel

Re: [Qemu-devel] Making Qemu/KVM more undetectable to malwares


From: Paolo Bonzini
Subject: Re: [Qemu-devel] Making Qemu/KVM more undetectable to malwares
Date: Wed, 2 Mar 2016 10:22:18 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0


On 02/03/2016 04:07, Yang Luo wrote:
> And how about this idea. I found out that lots of malware will detect
> the presence of hypervisors and refuse to execute their real
> code in a VM. The malwares do this to prevent security engineers from
> analyzing their code under a VM. Lots of detection methods have been
> proposed for many years. But hypervisors seem to not care about this issue.
> 
> So what do you think about making Qemu/KVM more undetectable to
> malwares? Is this idea viable?

KVM already allows you to disable CPUID leaves specific to hypervisors.
As you said, other detection methods for hypervisors exist, and patches
are welcome to thwart them. :)

However, while it is definitely a nice project and we would appreciate
it, it doesn't sound like the kind of research that you would publish in
academic venues.

Paolo
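
An added example, not part of the original message or of QEMU/KVM: a guest-side audit that an analysis VM's CPUID configuration really hides the hypervisor-specific markers mentioned above (for instance after starting QEMU with `-cpu host,kvm=off,-hypervisor`). The names `hv_decode`, `hv_hidden` and `struct hv_report` are hypothetical, and the list of vendor signatures is a small illustrative subset.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HV_BIT       (1u << 31)    /* CPUID.1:ECX[31], "hypervisor present" */
#define HV_LEAF_BASE 0x40000000u   /* first leaf of the hypervisor range */

struct hv_report {
    int  hv_bit;         /* 1 if CPUID.1:ECX[31] is set */
    char signature[13];  /* EBX:ECX:EDX of leaf 0x40000000 as a string */
    int  known_vendor;   /* 1 if the signature is a known hypervisor's */
};

/* Decode raw register values; kept apart from the CPUID instruction so it can run on constructed input. */
struct hv_report hv_decode(uint32_t leaf1_ecx, uint32_t ebx,
                           uint32_t ecx, uint32_t edx)
{
    static const char *known[] = { "KVMKVMKVM", "Microsoft Hv",
                                   "VMwareVMware", "XenVMMXenVMM" };
    uint32_t regs[3] = { ebx, ecx, edx };
    struct hv_report r;
    memset(&r, 0, sizeof r);
    r.hv_bit = (leaf1_ecx & HV_BIT) != 0;
    for (int i = 0; i < 12; i++)   /* registers hold the text low byte first */
        r.signature[i] = (char)(regs[i / 4] >> (8 * (i % 4)));
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(r.signature, known[i]) == 0)
            r.known_vendor = 1;
    return r;
}

/* The guest passes the audit only if both markers are absent. */
int hv_hidden(const struct hv_report *r) { return !r->hv_bit && !r->known_vendor; }

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int main(void)
{
    unsigned a, b, c, d, ecx1;
    __cpuid(1, a, b, ecx1, d);          /* feature flags */
    __cpuid(HV_LEAF_BASE, a, b, c, d);  /* hypervisor vendor leaf */
    struct hv_report r = hv_decode(ecx1, b, c, d);
    printf("hypervisor bit: %d, known signature: %s\n",
           r.hv_bit, r.known_vendor ? r.signature : "none");
    return hv_hidden(&r) ? 0 : 1;
}
#else
int main(void) { puts("x86 only"); return 2; }
#endif
```

A passing result covers only these two CPUID markers; as the message says, other detection methods exist and need their own checks.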


