As an analyst, however,
it will not always be so easy to determine if VM-detection is occurring. Hardening your VM can be a lengthy process, and can involve a lot of work. In some cases, you may need other tools for hiding processes, files, and registry keys that are created by your VM.
Lastly, if you use VMware, adding these options to your POWERED OFF .vmx file will be of great value if you perform malware analysis.
isolation.tools.getPtrLocation.disable = “TRUE”
isolation.tools.setPtrLocation.disable = “TRUE”
isolation.tools.setVersion.disable = “TRUE”
isolation.tools.getVersion.disable = “TRUE”
monitor_control.disable_directexec = “TRUE”
monitor_control.disable_chksimd = “TRUE”
monitor_control.disable_ntreloc = “TRUE”
monitor_control.disable_selfmod = “TRUE”
monitor_control.disable_reloc = “TRUE”
monitor_control.disable_btinout = “TRUE”
monitor_control.disable_btmemspace = “TRUE”
monitor_control.disable_btpriv = “TRUE”
monitor_control.disable_btseg = “TRUE”
These “undocumented” options are from
a research paper done several years ago, but are still useful today in preventing some VM-detection techniques. Please note however, that this will break some VM functionality, as these options sever the communications channel between your host machine and guest VM.