How to bypass a program that knows it's running under a VM?


  1. Posts : 9
    Windows 10 64-bit
       21 Aug 2017 #1

    How to bypass a program that knows it's running under a VM?


    Currently using VMware Workstation Pro 12, and I was wondering what are some ways I can configure it so that the program I'm trying to run doesn't think I'm running it under a VM?

  2. Cliff S
    Posts : 22,317
    Win10 Pro, Win10 Pro N, Win10 Home, Win10 Pro Insider Fast Ring, Windows 8.1 Pro, Ubuntu
       21 Aug 2017 #2

    I don't know if this helps, but, maybe these settings can help:

    As an analyst, however, it will not always be so easy to determine if VM-detection is occurring. Hardening your VM can be a lengthy process, and can involve a lot of work. In some cases, you may need other tools for hiding processes, files, and registry keys that are created by your VM.

    Lastly, if you use VMware, adding these options to your POWERED OFF .vmx file will be of great value if you perform malware analysis.
    isolation.tools.getPtrLocation.disable = "TRUE"
    isolation.tools.setPtrLocation.disable = "TRUE"
    isolation.tools.setVersion.disable = "TRUE"
    isolation.tools.getVersion.disable = "TRUE"
    monitor_control.disable_directexec = "TRUE"
    monitor_control.disable_chksimd = "TRUE"
    monitor_control.disable_ntreloc = "TRUE"
    monitor_control.disable_selfmod = "TRUE"
    monitor_control.disable_reloc = "TRUE"
    monitor_control.disable_btinout = "TRUE"
    monitor_control.disable_btmemspace = "TRUE"
    monitor_control.disable_btpriv = "TRUE"
    monitor_control.disable_btseg = "TRUE"
    These “undocumented” options are from a research paper done several years ago, but are still useful today in preventing some VM-detection techniques. Please note however, that this will break some VM functionality, as these options sever the communications channel between your host machine and guest VM.
    A Look at Malware with Virtual Machine Detection - Malwarebytes Labs
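Added example (not part of the original posts or the quoted article): a host-side check, in Python, that a powered-off .vmx file actually carries the thirteen options listed in the post above, flagging entries that are missing, set to another value, unquoted, or wrapped in typographic quotes picked up when copying from a web page. The function names, the sample file, and the assumptions that keys and TRUE are matched case-insensitively and that the last assignment wins are this example's own.

```python
import re

# The thirteen options quoted in the post above, built from their two prefixes.
HARDENING_KEYS = (
    ["isolation.tools.%s.disable" % n for n in
     ("getPtrLocation", "setPtrLocation", "setVersion", "getVersion")] +
    ["monitor_control.disable_" + n for n in
     ("directexec", "chksimd", "ntreloc", "selfmod", "reloc",
      "btinout", "btmemspace", "btpriv", "btseg")]
)
LINE_RE = re.compile(r'^\s*([^#=\s]+)\s*=\s*(.*?)\s*$')  # key = value, skips "#" comments
SMART_QUOTES = "\u201c\u201d"  # curly quotes that web pages substitute for "

# Constructed sample .vmx content for illustration (not from a real VM).
SAMPLE_VMX = '''.encoding = "windows-1252"
displayName = "analysis-win10"
# hardening options added by hand
isolation.tools.getVersion.disable = "TRUE"
isolation.tools.setVersion.disable = \u201cTRUE\u201d
monitor_control.disable_directexec = "FALSE"
monitor_control.disable_btseg = TRUE
'''

def classify(raw):
    """Map the raw right-hand side of one assignment to a status string."""
    if raw is None:
        return "missing"
    if any(q in raw for q in SMART_QUOTES):
        return "smart-quotes"
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return "unquoted"
    # Assumption: TRUE is accepted in any letter case.
    return "ok" if raw[1:-1].upper() == "TRUE" else "value=" + raw[1:-1]

def audit_vmx(text):
    """Return {option: status} for every hardening option in the list."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Assumption: keys are case-insensitive and the last assignment wins.
            found[m.group(1).lower()] = m.group(2)
    return {k: classify(found.get(k.lower())) for k in HARDENING_KEYS}

if __name__ == "__main__":
    for key, status in audit_vmx(SAMPLE_VMX).items():
        print("%-45s %s" % (key, status))
```

To audit a real file, pass its contents to `audit_vmx()` while the VM is powered off.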

  3.    21 Aug 2017 #3

    It depends how the program checks. I check the BaseBoard like this
    Code:
    # Read the baseboard (motherboard) manufacturer string from WMI
    $Manufacturer = Get-WmiObject -Class Win32_BaseBoard | ForEach-Object { $_.Manufacturer }
    # -eq on strings is case-insensitive in PowerShell, so "VMWARE" also matches "VMware"
    if (($Manufacturer -eq "Microsoft Corporation") -or ($Manufacturer -eq "VMWARE") -or ($Manufacturer -eq "Oracle Corporation")) {
        $thisIsVirtualMachine = $true
    }
    else { $thisIsVirtualMachine = $false }
    I don't know if (or how) you could change that from VMWARE to something else. The program could also check for presence of VMware drivers, certain strings in memory etc.

    Depending how it checks you might be able to hide the fact your system is a VM, but most likely detecting will win.


  4. Posts : 9
    Windows 10 64-bit
    Thread Starter
       21 Aug 2017 #4

    lx07 said:
    It depends how the program checks. I check the BaseBoard like this
    Code:
    # Read the baseboard (motherboard) manufacturer string from WMI
    $Manufacturer = Get-WmiObject -Class Win32_BaseBoard | ForEach-Object { $_.Manufacturer }
    # -eq on strings is case-insensitive in PowerShell, so "VMWARE" also matches "VMware"
    if (($Manufacturer -eq "Microsoft Corporation") -or ($Manufacturer -eq "VMWARE") -or ($Manufacturer -eq "Oracle Corporation")) {
        $thisIsVirtualMachine = $true
    }
    else { $thisIsVirtualMachine = $false }
    I don't know if (or how) you could change that from VMWARE to something else. The program could also check for presence of VMware drivers, certain strings in memory etc.

    Depending how it checks you might be able to hide the fact your system is a VM, but most likely detecting will win.

    Well, I can try to run SMBCFG, which edits the DMI information for the baseboard/BIOS.


 
