I made my VM think it has a CPU fan

https://news.ycombinator.com/rss
Summary

Why bother?

Some malware samples are known to do various checks to determine if they are running in a virtual machine. One of the common checks is to look for the presence of certain hardware components that are typically not emulated in virtualized environments. One such component is the CPU fan. One of the observed ways malware checks for the presence of a CPU fan is by looking for the Win32_Fan class in WMI:

    wmic path Win32_Fan get *

The reason they do this is that they want to avoid running in virtual machines, which complicates the analysis process for security researchers.

There are plenty of ways for malware to detect if it is running in a VM. In fact, there are plenty of WMI classes that can reveal the presence of virtual hardware, such as Win32_CacheMemory, Win32_VoltageProbe, and many others.

In this post, I will be focusing on the CPU fan, just because I like the idea of making a virtual machine think it has one. However, the same approach can be applied to other hardware components and WMI classes as well.

How does the computer know it has a CPU fan?

The computer knows it has a CPU fan by reading the SMBIOS data. How do I know that? By googling.

Win32_Fan instances are provided by Windows\System32\wbem\cimwin32.dll. If you disassemble it you will see that it reads SMBIOS data (specifically entries with type 27) to get fan device information.

And indeed, if you disassemble cimwin32.dll, you will find exactly that.

Your first impulse might be to use DLL hooking and patch the cimwin32. But that’s smol pp way of thinking. We can do better.

Type 27

The SMBIOS type 27 is defined as “Cooling Device” in the System Management BIOS Reference Specification.

We can dump the SMBIOS data using the dmidecode utility:

    root@host:/# dmidecode -t27 -u
    # dmidecode 3.3
    Getting SMBIOS data from sysfs.
    SMBIOS 3.4 present.

    Handle 0x1B00, DMI type 27, 15 bytes
            Header and Data:
                    1B 0F 00 1B 00 1C 65 00 00 DD 00 00 E0 15 01
            Strings:
                    43 50 55 20 46 61 6E 00
                    CPU Fan

By default, ...
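As an added example (not code from the original post), the type 27 structure in the dmidecode dump above can be decoded field by field to see what each byte tells the guest. The field offsets and enumerations follow the SMBIOS Cooling Device definition; the function name and dictionary keys are chosen here for illustration.

```python
import struct

# Bytes copied from the dmidecode -u output above (formatted area, then string-set).
HEADER_AND_DATA = bytes.fromhex("1B 0F 00 1B 00 1C 65 00 00 DD 00 00 E0 15 01")
STRINGS = bytes.fromhex("43 50 55 20 46 61 6E 00")

# Enumerations from the SMBIOS Cooling Device (type 27) definition.
DEVICE_TYPES = {1: "Other", 2: "Unknown", 3: "Fan", 4: "Centrifugal Blower",
                5: "Chip Fan", 6: "Cabinet Fan", 7: "Power Supply Fan",
                8: "Heat Pipe", 9: "Integrated Refrigeration",
                16: "Active Cooling", 17: "Passive Cooling"}
STATUSES = {1: "Other", 2: "Unknown", 3: "OK", 4: "Non-critical",
            5: "Critical", 6: "Non-recoverable"}

def parse_cooling_device(formatted: bytes, strings: bytes) -> dict:
    """Decode one SMBIOS type 27 structure; raise ValueError if malformed."""
    if len(formatted) < 12:
        raise ValueError("type 27 needs at least 12 bytes (SMBIOS 2.2 layout)")
    stype, length, handle, probe, type_status, group, oem = struct.unpack_from(
        "<BBHHBBI", formatted)
    if stype != 27:
        raise ValueError(f"not a cooling device: type {stype}")
    if length != len(formatted):
        raise ValueError(f"length byte {length} != {len(formatted)} bytes given")
    # String-set: NUL-terminated strings, referenced by 1-based index (0 = none).
    table = [s.decode("ascii", "replace") for s in strings.split(b"\x00") if s]
    entry = {
        "handle": handle,
        "temperature_probe_handle": probe,
        "status": STATUSES.get(type_status >> 5, "reserved"),       # bits 7:5
        "device_type": DEVICE_TYPES.get(type_status & 0x1F, "reserved"),  # bits 4:0
        "cooling_unit_group": group,
        "oem_defined": oem,
        "nominal_speed_rpm": None, "description": None,
    }
    if length >= 15:  # SMBIOS 2.7+ appends nominal speed and description
        speed, desc = struct.unpack_from("<HB", formatted, 12)
        entry["nominal_speed_rpm"] = None if speed == 0x8000 else speed  # 0x8000 = unknown
        if desc:
            if desc > len(table):
                raise ValueError(f"description index {desc} has no string")
            entry["description"] = table[desc - 1]
    return entry

if __name__ == "__main__":
    for key, value in parse_cooling_device(HEADER_AND_DATA, STRINGS).items():
        print(f"{key}: {value}")
```

For the dump above this reports a "Chip Fan" with status "OK", a nominal speed of 5600 rpm and the description string "CPU Fan".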

First seen: 2025-06-29 14:37

Last seen: 2025-06-30 20:48