From: Paolo Bonzini
To: Yang Luo, qemu-devel
Date: Wed, 2 Mar 2016 10:22:18 +0100
Message-ID: <56D6B0CA.4080703@redhat.com>
Subject: Re: [Qemu-devel] Making Qemu/KVM more undetectable to malwares

On 02/03/2016 04:07, Yang Luo wrote:
> And how about this idea. I found out that lots of malware will detect
> the presence of hypervisors and refuse to execute their real
> code in a VM. The malwares do this to prevent security engineers from
> analyzing their code under a VM. Lots of detection methods have been
> proposed for many years. But hypervisors seem to not care about this issue.
>
> So what do you think about making Qemu/KVM more undetectable to
> malwares? Is this idea viable?

KVM already allows you to disable CPUID leaves specific to hypervisors.
As you said, other detection methods for hypervisors exist, and patches
are welcome to thwart them. :)

However, while it is definitely a nice project and we would appreciate
it, it doesn't sound like the kind of research that you would publish in
academic venues.

Paolo