Virtual machines suffer from instruction emulation overhead. Malware reads rdtsc (Read Time-Stamp Counter) before and after a sensitive instruction such as in (reading an I/O port); a large delta indicates a VM.

2.4 Outbound Network & Shared Folders
DNS queries to non-existent domains: if they resolve quickly (via the host cache), this may indicate NAT or spoofed DNS. Malware also checks for \\VBOXSVR\ (VirtualBox shared folder) or \\VMware-Host\.

2.5 Indicator of Virtualization (IOV) via WMI
Get-WmiObject -Class Win32_ComputerSystem | Select-Object Manufacturer, Model
Output like "VMware Virtual Platform" triggers detection.

Part 3: VM Detection Bypass – The Attacker’s Arsenal
Now, the core of this article: how to make your VM appear as a physical machine.

3.1 Hardening Your Hypervisor

VMware Workstation/Fusion
Edit the .vmx configuration file (VM must be powered off):
monitor_control.restrict_backdoor = "TRUE"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = "TRUE"
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = "TRUE"
vmware.tools.internalversion.disable = "TRUE"
monitor_control.disable_directexec = "FALSE"
This disables the VMware backdoor interface (I/O port 0x5658), which malware uses to query VM status. Without it, backdoor-based detection fails.

VirtualBox
VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyProduct"
VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Dell Inc."
VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "OptiPlex 7020"
Customize the DMI/SMBIOS strings to mimic a real OEM (Dell, Lenovo, HP). Also change the VirtualBox device IDs via VBoxManage.

QEMU/KVM (Libvirt)
Append to domain XML:

Inside the guest, the artifacts to remove include:
HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (e.g., "VMware, Inc.")
HKLM\SOFTWARE\VMware, Inc.\
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions\
– MAC OUI prefixes like 00:0C:29 (VMware), 08:00:27 (VirtualBox), 00:1C:42 (Parallels).
Example PowerShell to remove registry traces (run as admin):
Remember: The goal is not to make a VM perfectly identical to bare metal (which is impossible given microarchitectural differences), but to defeat enough of the detection checks that malware chooses to run normally. And for malware analysts, once you successfully bypass detection, always re-test with multiple detection tools (Pafish, Al-khaser, custom scripts) to ensure you haven’t missed a subtle leak.
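As one such custom re-test script, here is an added example (my own code, not from the original article) that an analyst runs inside the hardened guest: it walks the artifacts the article lists (WMI strings, the BIOS and vendor registry keys, MAC OUI prefixes, shared-folder paths) and reports whatever still leaks. The match patterns and the script layout are my assumptions; the rdtsc timing check needs native code and is left to tools such as Pafish.

```powershell
# Added example: re-check a hardened guest against the article's artifact list.
# Run inside the guest as admin; rerun after each hypervisor/registry change.
$findings = [System.Collections.Generic.List[string]]::new()

# 2.5: manufacturer/model strings reported by WMI (patterns are assumptions)
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.Manufacturer -match 'VMware|innotek|QEMU|Xen|Parallels' -or
    $cs.Model -match 'Virtual') {
    $findings.Add("WMI: Manufacturer='$($cs.Manufacturer)' Model='$($cs.Model)'")
}

# Registry keys and values named in the article
$bios = Get-ItemProperty 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
if ($bios.SystemManufacturer -match 'VMware|innotek|QEMU|Parallels') {
    $findings.Add("Registry: BIOS\SystemManufacturer='$($bios.SystemManufacturer)'")
}
foreach ($key in 'HKLM:\SOFTWARE\VMware, Inc.',
                 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions') {
    if (Test-Path -LiteralPath $key) { $findings.Add("Registry: $key present") }
}

# MAC OUI prefixes (Get-NetAdapter reports MACs as XX-XX-XX-XX-XX-XX)
$ouis = @{ '00-0C-29' = 'VMware'; '08-00-27' = 'VirtualBox'; '00-1C-42' = 'Parallels' }
foreach ($nic in Get-NetAdapter -ErrorAction SilentlyContinue) {
    $prefix = ($nic.MacAddress -replace ':', '-').Substring(0, 8).ToUpper()
    if ($ouis.ContainsKey($prefix)) {
        $findings.Add("NIC $($nic.Name): OUI $prefix ($($ouis[$prefix]))")
    }
}

# 2.4: hypervisor shared-folder UNC paths, tested exactly as the article gives them
foreach ($share in '\\VBOXSVR\', '\\VMware-Host\') {
    try {
        if (Test-Path -LiteralPath $share -ErrorAction Stop) {
            $findings.Add("Share: $share reachable")
        }
    } catch { }   # an unreachable/invalid UNC path is simply not a finding
}

if ($findings.Count -eq 0) {
    Write-Host 'No hypervisor artifacts from the checklist were found.'
} else {
    Write-Host "Remaining artifacts ($($findings.Count)):"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

A clean run only means these particular checks pass; still confirm with Pafish or Al-khaser, which cover the timing and backdoor tests this script does not.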