How to hide VirtualBox, Virtual PC and VMware from Detection

[ZeNiX]

I use VirtualBox more often then VMWare.
And some times, I use XP Mod from Win7, which claims to be Microsoft Virtual PC.

However, some protectors detect the Virtual Machines.

So, maybe we can collect some tips or tools that can make our Virtual Machines invisible to those protectors.

[metr0]

These settings (for VMWare VMs) will disable some useful guest integration features but you can remove them at any time if it's not necessary to evade detection anymore.

Taken from some PDF, don't remember the author though. :/

Quote:

isolation.tools.getPtrLocation.disable ="TRUE"
isolation.tools.setPtrLocation.disable ="TRUE"
isolation.tools.setVersion.disable ="TRUE"
isolation.tools.getVersion.disable ="TRUE"
monitor_control.disable_directexec ="TRUE"
monitor_control.disable_chksimd ="TRUE"
monitor_control.disable_ntreloc ="TRUE"
monitor_control.disable_selfmod ="TRUE"
monitor_control.disable_reloc ="TRUE"
monitor_control.disable_btinout ="TRUE"
monitor_control.disable_btmemspace ="TRUE"
monitor_control.disable_btpriv ="TRUE"
monitor_control.disable_btseg ="TRUE"

[Silkut]

Hi,

metr0, I believe the source of those tips are this blog hXXp://vrt-sourcefire.blogspot.com/2009/10/how-does-malware-know-difference.html

I think defeating VM detection goes through suming up all the detection techniques and finding a workaround for each of them.

EvilCry got a C file on his blog, referencing lots of functions to detect emulation/sandbox/virtualization, maybe some ideas to pick up there.

Ed Skoudis also wrote something about VM detection thwarts, for SANS Institute I believe.

[ZeNiX]

As VirtualBox is my favorite,
I am still looking for a solution for it.