On 13/07/2022 20:48, Keith Busch wrote:
I guess I'm missing the bigger picture here. You are supposed to be able to retrieve these fields with ioctl's, so not sure what this has to do with malware. Why does the firmware revision matter to this program?
Oh I'm sorry, I forgot to explain properly. Malware usually checks if it is being run in a sandbox environment like a VM, and if it detects such a sandbox, it doesn't run or doesn't unleash its full potential. This makes my life as a researcher much harder.
Hiding the VM by overriding the model, firmware, and nqn strings to either random values or names of existing hardware in the hypervisor is a much cleaner solution than intercepting the IOCTLs in the VM and changing the result with a kernel driver.
Older qemu nvme wasn't reliably generating unique identifiers, so linux quirks them to ignore. They are reliable now, so the quirk can be changed to firmware specific when the version number updates with the next release.
If I understand you correctly, that means that changing the model and firmware version to something that doesn't identify the device as a qemu device would work just fine provided that you're running a recent qemu version?