Posted by todsacerdoti 6/29/2025

I made my VM think it has a CPU fan (wbenny.github.io)
679 points | 188 comments (page 2)
benreesman 6/30/2025
This has applications for other kinds of malware. I used to work in ads, to put it mildly, and all this stuff about blocking the trackers at the DNS level or something? Very silly stuff.

If you want to fuck up surveillance capitalism, you send plausible but wrong information to the trackers. There are a zillion ways to do this: let one through now and again and replay it, do a P2P browser extension that proxies you and someone near you through each other, subtly corrupt it, bounce it off a mullvad node. The possibilities are endless.

If you got a fair number of people doing it, you could even have some collective bargaining, like let some of the extreme value conversion stuff through in return for concessions on the more egregious tracking-for-the-sake-of-tracking.

Sure they'll checksum and shit, but that's a cat-and-mouse game they lose: the typical tracker cookie fire isn't worth shit, it's Superman 2 fractions of a basis point, so even modest effort playing smart against it drives the effective CPM negative.

joseda-hg 6/30/2025
Isn't this what initiatives like Ad Nauseam do?
jeffrallen 6/29/2025
There's lots of interesting things in dmidecode, including the asset tag of the machine. If anyone is interested, on both Lenovo and Supermicro servers you can set the asset tag. Lenovos do it with Redfish; with Supermicros, you have to use their "sum" tool.

Using it, you can also modify the model name and serial number of your Supermicro motherboard. Which can be useful when your idiot system integrator can't be assed to set them correctly themselves.

wonderwonder 6/30/2025
There are moments where I consider myself a good engineer, and then I read posts like this and realize I'm a very little fish in a very big ocean.
andix 6/30/2025
I guess that's a gap for a new tool to be developed. Emulate as much hardware as possible, to make a VM look like a real PC. Maybe also faking the CPU ID, to fake another CPU type with less performance (from the same series), so malware can't even detect the lower performance caused by virtualization, or lower core count.
JamesSwift 6/30/2025
Also see the effort people go through to fake out minecraft/roblox so they can run via a VM
marcosscriven 6/29/2025
Fascinating article. It prompted two questions for me:

1) With the level of expertise, would it be as easy, or easier, to modify the check in the malware itself?

2) How much work would it be for something like KVM to fake absolutely everything about a PC so it was impossible to tell it was a VM?

emilfihlman 6/30/2025
I wonder if this could be used to throttle VMs, like I'd like to set something like "this VM can only use at most x% of a CPU" measured over y time.
rustybolt 6/30/2025
> Your first impulse might be to use DLL hooking and patch the cimwin32. But that’s smol pp way of thinking. We can do better.

What's wrong with DLL hooking though?

peter422 6/29/2025
Pretty funny that a blog post talking about complex and innovative ways to help investigate malware has a block of the lowest quality, scummiest ads that probably lead to malware.
thaumasiotes 6/29/2025
> Frankly, I did not miss this at first. I just hoped that what I was trying to do was not “overriding” the predefined structure.

> Because Xen (or rather hvmloader) does not define it.

> So, before defining it myself, I tried to find out if there was any other poor soul who tried to do the same thing before me. And to my disappointment, there was. Right in the xen-devel patch archive.

> Why it was my disappointment, you may ask? Because after reading the response to the patch, I felt the frustration of the author.

Specifically, the patch is annotated "SMBIOS tables like 7,8,9,26,27,28 are ne[c]essary to prevent sandbox detection by malware using WMI-queries."

And the rejection is in two points:

(1) Why is that valuable?

(2) What if there were other tables that also helped with that goal? Your patch doesn't include them.

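The check the quoted patch is reacting to, and what jeffrallen's dmidecode is decoding further up the thread, is a walk over the raw SMBIOS structure table: each structure is a 4-byte header (type, length, handle), a formatted area, and a set of NUL-terminated strings closed by an extra NUL. The Python below, added here as an example and not code from the article, from Xen, or from anyone in this thread, builds two constructed tables (a bare one with only Types 0, 1 and 127, and the same table with a Type 27 Cooling Device added, which is the structure Windows' Win32_Fan is populated from), parses them back, reports which of the patch's six "tell" types (7, 8, 9, 26, 27, 28) are missing, and decodes the fan entry the way `dmidecode -t 27` would. The sample bytes, vendor strings, handles and the 0xFFFF "no probe" convention are assumptions for the example; on a Linux host the real table can be read as root from /sys/firmware/dmi/tables/DMI and fed to the same parser.

```python
import struct

# Structure types the xen-devel patch quoted above calls "necessary to
# prevent sandbox detection by malware using WMI-queries".
SANDBOX_TELL_TYPES = {7, 8, 9, 26, 27, 28}
TYPE_NAMES = {0: "BIOS Information", 1: "System Information", 7: "Cache",
              8: "Port Connector", 9: "System Slot", 26: "Voltage Probe",
              27: "Cooling Device", 28: "Temperature Probe", 127: "End-of-Table"}

# Type 27 "Device Type and Status" byte: bits 0-4 device type, bits 5-7 status.
COOLING_DEVICE_TYPES = {0x01: "Other", 0x02: "Unknown", 0x03: "Fan",
                        0x04: "Centrifugal Blower", 0x05: "Chip Fan"}
STATUS_NAMES = {0x01: "Other", 0x02: "Unknown", 0x03: "OK",
                0x04: "Non-critical", 0x05: "Critical", 0x06: "Non-recoverable"}


def build_structure(stype, handle, body, strings=()):
    """Encode one structure: header (type, length, handle), formatted area,
    then NUL-terminated strings; the set is closed by one more NUL (so a
    structure with no strings ends in two NULs)."""
    header = struct.pack("<BBH", stype, 4 + len(body), handle)
    strset = b"".join(s.encode("ascii") + b"\x00" for s in strings) or b"\x00"
    return header + body + strset + b"\x00"


def parse_smbios_table(blob):
    """Walk the raw structure table; return [(type, handle, body, strings)]."""
    structures, off = [], 0
    while off + 4 <= len(blob):
        stype, length, handle = struct.unpack_from("<BBH", blob, off)
        if length < 4:
            raise ValueError(f"malformed structure at offset {off}")
        body = blob[off + 4:off + length]
        term = blob.index(b"\x00\x00", off + length)   # double NUL ends the string-set
        seg = blob[off + length:term]
        strings = [s.decode("ascii", "replace") for s in seg.split(b"\x00")] if seg else []
        structures.append((stype, handle, body, strings))
        off = term + 2
        if stype == 127:                               # End-of-Table
            break
    return structures


def decode_cooling_device(body, strings):
    """Decode the formatted area of a Type 27 structure (SMBIOS 2.2 layout,
    plus the 2.7 Description string index when the structure is long enough)."""
    probe_handle, type_status, group, oem, speed = struct.unpack_from("<HBBIH", body, 0)
    desc = ""
    if len(body) >= 11:
        idx = body[10]                                 # 1-based index into the string-set
        desc = strings[idx - 1] if 0 < idx <= len(strings) else ""
    return {
        # 0xFFFF is treated here as "no associated temperature probe" (assumption)
        "temperature_probe_handle": None if probe_handle == 0xFFFF else probe_handle,
        "device_type": COOLING_DEVICE_TYPES.get(type_status & 0x1F, hex(type_status & 0x1F)),
        "status": STATUS_NAMES.get(type_status >> 5, hex(type_status >> 5)),
        "cooling_unit_group": group,
        "nominal_speed_rpm": None if speed == 0x8000 else speed,   # 0x8000 = unknown
        "description": desc,
    }


def cooling_devices(blob):
    """Every Type 27 structure in the table, decoded (what dmidecode -t 27 shows)."""
    return [decode_cooling_device(body, strings)
            for stype, _, body, strings in parse_smbios_table(blob) if stype == 27]


def missing_sandbox_tells(blob):
    """Types from the patch's list that the table does not contain."""
    present = {s[0] for s in parse_smbios_table(blob)}
    return sorted(SANDBOX_TELL_TYPES - present)


# Constructed sample tables for the example (not captured from any real machine).
_BIOS = build_structure(0, 0x0000, bytes([1, 2]) + b"\x00\xe8" + bytes([3]) + bytes(15),
                        ["Example BIOS", "1.0", "01/01/2025"])
_SYSTEM = build_structure(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0]),
                          ["Example Vendor", "Example Box", "1", "0000-0000"])
# Type 27: probe handle 0xFFFF, status OK (3<<5) | Fan (3) = 0x63, group 1,
# OEM 0, nominal speed 2000 rpm, description = string #1.
_FAN = build_structure(27, 0x001B, struct.pack("<HBBIHB", 0xFFFF, 0x63, 0x01, 0, 2000, 1),
                       ["CPU Fan"])
_END = build_structure(127, 0x007F, b"")

BARE_VM_TABLE = _BIOS + _SYSTEM + _END          # no slots, connectors, probes or fans at all
TABLE_WITH_FAN = _BIOS + _SYSTEM + _FAN + _END  # same table with a Type 27 entry added


if __name__ == "__main__":
    for name, table in (("bare VM", BARE_VM_TABLE), ("with fan", TABLE_WITH_FAN)):
        types = [TYPE_NAMES.get(s[0], str(s[0])) for s in parse_smbios_table(table)]
        print(f"{name}: {types}; missing tells: {missing_sandbox_tells(table)}")
    for fan in cooling_devices(TABLE_WITH_FAN):
        print("cooling device:", fan)
```

Adding only Type 27 still leaves 7, 8, 9, 26 and 28 missing, which is the second point of the patch rejection: a sandbox check that counts these structures will keep firing until the whole set is there.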
AceJohnny2 6/30/2025
> (2) What if there were other tables that also helped with that goal? Your patch doesn't include them.

If there's anything I've painfully learned in my career, it is to not let perfect get in the way of good enough.

acrophiliac 6/29/2025
Misread the title as "I made my VM think it WAS a CPU fan" and was a bit disappointed to find the actual article was not about a VM with an identity crisis.