On Wed, Jul 13, 2022 at 09:11:41PM +0200, Mauricio Sandt wrote: > On 13/07/2022 20:48, Keith Busch wrote: > > I guess I'm missing the bigger picture here. You are supposed to be able to > > retrieve these fields with ioctl's, so not sure what this has to do with > > malware. Why does the firmware revision matter to this program? > Oh I'm sorry, I forgot to explain properly. Malware usually checks if it is > being run in a sandbox environment like a VM, and if it detects such a > sandbox, it doesn't run or doesn't unleash its full potential. This makes my > life as a researcher much harder. > > Hiding the VM by overriding the model, firmware, and nqn strings to either > random values or names of existing hardware in the hypervisor is a much > cleaner solution than intercepting the IOCTLs in the VM and changing the > result with a kernel driver.
IIUC, this program is trying to avoid being studied, and uses indicators like nvme firmware to help determine if it is running in such an environment. If so, I suspect defeating all possible indicators will be a fun and time consuming process. :)
