VM Detection Bypass

Introduction

Virtual Machine (VM) detection has long been a cat-and-mouse game between malware authors and security researchers. For malware, identifying that it’s running inside a VM (like VirtualBox, VMware, or QEMU) allows it to alter its behavior—often lying dormant to evade automated sandbox analysis. For red teamers and penetration testers, bypassing VM detection is equally crucial: if an adversary’s malware refuses to run in your sandbox, you cannot study its behavior, extract indicators of compromise (IOCs), or develop effective signatures.

CPUID hypervisor vendor check

Leaf 0x40000000 of CPUID returns the hypervisor vendor signature in EBX, ECX and EDX:

    __asm {
        mov eax, 0x40000000   ; hypervisor vendor leaf
        cpuid
        ; compare ebx, ecx, edx to "VMwareVMware"
    }

Registry artifacts

    HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   (e.g., "VMware, Inc.")
    HKLM\SOFTWARE\VMware, Inc.\
    HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions\

MAC address OUI

OUI prefixes like 00:0C:29 (VMware), 08:00:27 (VirtualBox), 00:1C:42 (Parallels).

Timing

Virtual machines suffer from instruction emulation overhead. Malware measures the time for rdtsc (Read Time-Stamp Counter) before and after a sensitive instruction like in (reading an I/O port). A large delta indicates a VM.

2.4 Outbound Network & Shared Folders

DNS queries to non-existent domains – if resolved quickly (via host cache), may indicate NAT or spoofed DNS. Also, checking for \\VBOXSVR\ (VirtualBox shared folder) or \\VMware-Host\ .

2.5 Indicator of Virtualization (IOV) via WMI

    Get-WmiObject -Class Win32_ComputerSystem | Select-Object Manufacturer, Model

Output like "VMware Virtual Platform" triggers detection.

Part 3: VM Detection Bypass – The Attacker’s Arsenal

Now, the core of this article: how to make your VM appear as a physical machine.

3.1 Hardening Your Hypervisor

VMware Workstation/Fusion

Edit the .vmx configuration file (VM must be powered off):

    monitor_control.restrict_backdoor = "TRUE"
    isolation.tools.getPtrLocation.disable = "TRUE"
    isolation.tools.setPtrLocation.disable = "TRUE"
    isolation.tools.getVersion.disable = "TRUE"
    isolation.tools.setVersion.disable = "TRUE"
    vmware.tools.internalversion.disable = "TRUE"
    monitor_control.disable_directexec = "FALSE"

This disables the VMware backdoor interface (I/O port 0x5658), which malware uses to query VM status. Without it, backdoor-based detection fails.

VirtualBox

    VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemProduct" "MyProduct"
    VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVendor" "Dell Inc."
    VBoxManage setextradata "VM_Name" "VBoxInternal/Devices/pcbios/0/Config/DmiSystemVersion" "OptiPlex 7020"

Customize DMI/SMBIOS strings to mimic a real OEM (Dell, Lenovo, HP). Also change the VirtualBox device IDs in VBoxManage.

QEMU/KVM (Libvirt)

Append to domain XML:

Example PowerShell to remove registry traces (run as admin):
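After applying the hypervisor-side changes, a sandbox operator wants to confirm from inside the guest that the artifacts listed in the detection sections (the Win32_ComputerSystem manufacturer and model, the three registry locations, and the VMware/VirtualBox/Parallels MAC OUIs) are actually gone. The following audit script is an added example, not code from the article; it only reads system state and reports what it finds. The script name and the regular expressions used to classify manufacturer and model strings are assumptions beyond what the article states, which names only "VMware, Inc." and "VMware Virtual Platform".

```powershell
# Test-SandboxArtifacts.ps1 (hypothetical name, added example)
# Run inside the hardened guest; returns a list of VM artifacts still visible.

function Get-SandboxArtifact {
    $findings = @()

    # WMI/CIM check from section 2.5: manufacturer and model strings.
    # The match patterns are an assumption; extend them for your own hypervisor.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ErrorAction SilentlyContinue
    if ($cs) {
        if ($cs.Manufacturer -match 'VMware|innotek|Oracle|QEMU|Parallels' -or
            $cs.Model -match 'Virtual') {
            $findings += "Win32_ComputerSystem: '$($cs.Manufacturer)' / '$($cs.Model)'"
        }
    }

    # Registry artifacts listed in the article.
    $bios = Get-ItemProperty -LiteralPath 'HKLM:\HARDWARE\DESCRIPTION\System\BIOS' -ErrorAction SilentlyContinue
    if ($bios -and $bios.SystemManufacturer -match 'VMware|innotek|QEMU') {
        $findings += "BIOS SystemManufacturer: '$($bios.SystemManufacturer)'"
    }
    foreach ($key in 'HKLM:\SOFTWARE\VMware, Inc.',
                     'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions') {
        if (Test-Path -LiteralPath $key) {
            $findings += "Registry key present: $key"
        }
    }

    # MAC OUI prefixes from the article (compared as XX-XX-XX, the Get-NetAdapter format).
    $ouis = @{ '00-0C-29' = 'VMware'; '08-00-27' = 'VirtualBox'; '00-1C-42' = 'Parallels' }
    foreach ($nic in (Get-NetAdapter -ErrorAction SilentlyContinue)) {
        if (-not $nic.MacAddress) { continue }   # some virtual adapters report no MAC
        $prefix = ($nic.MacAddress -replace ':', '-').Substring(0, 8).ToUpper()
        if ($ouis.ContainsKey($prefix)) {
            $findings += "NIC '$($nic.Name)' MAC OUI $prefix ($($ouis[$prefix]))"
        }
    }

    return $findings
}

$result = Get-SandboxArtifact
if ($result.Count -eq 0) {
    Write-Output 'No known VM artifacts found.'
} else {
    $result | ForEach-Object { Write-Output "FOUND: $_" }
}
```

Run it once before hardening to see the baseline and once after; any line still reported is a check the sandbox would fail. Reading HKLM does not need elevation, so the audit can run as a normal user even though the registry clean-up itself must run as admin.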