How to bypass a program that knows it's running under a VM?


  1. Posts : 15
    Windows 10 64-bit
       #1

    Currently using VMware Workstation Pro 12 and I was wondering what are some ways I can configure it so that the program I'm trying to run doesn't think I'm running it under a VM?

  2. Cliff S
    Posts : 25,834
    Win10 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #2

    I don't know if this helps, but, maybe these settings can help:

    As an analyst, however, it will not always be so easy to determine if VM-detection is occurring. Hardening your VM can be a lengthy process, and can involve a lot of work. In some cases, you may need other tools for hiding processes, files, and registry keys that are created by your VM.

    Lastly, if you use VMware, adding these options to your POWERED OFF .vmx file will be of great value if you perform malware analysis.
    isolation.tools.getPtrLocation.disable = "TRUE"
    isolation.tools.setPtrLocation.disable = "TRUE"
    isolation.tools.setVersion.disable = "TRUE"
    isolation.tools.getVersion.disable = "TRUE"
    monitor_control.disable_directexec = "TRUE"
    monitor_control.disable_chksimd = "TRUE"
    monitor_control.disable_ntreloc = "TRUE"
    monitor_control.disable_selfmod = "TRUE"
    monitor_control.disable_reloc = "TRUE"
    monitor_control.disable_btinout = "TRUE"
    monitor_control.disable_btmemspace = "TRUE"
    monitor_control.disable_btpriv = "TRUE"
    monitor_control.disable_btseg = "TRUE"
    These “undocumented” options are from a research paper done several years ago, but are still useful today in preventing some VM-detection techniques. Please note however, that this will break some VM functionality, as these options sever the communications channel between your host machine and guest VM.
    A Look at Malware with Virtual Machine Detection - Malwarebytes Labs | Malwarebytes Labs
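
A host-side check for the settings listed in the post above, added here as an example (it is not from the thread or from the Malwarebytes article): for each option it reports whether a .vmx file sets it to "TRUE", and it flags values still wrapped in the typographic quotes that copying from a web page can leave behind. The function name `audit_vmx`, the sample file contents and the case-insensitive key comparison are assumptions.

```python
import re

# Option names copied from the post above; each is expected to be set to "TRUE".
HARDENING_KEYS = (
    ["isolation.tools.%s.disable" % n for n in
     ("getPtrLocation", "setPtrLocation", "setVersion", "getVersion")]
    + ["monitor_control.disable_%s" % n for n in
       ("directexec", "chksimd", "ntreloc", "selfmod", "reloc",
        "btinout", "btmemspace", "btpriv", "btseg")]
)

LINE_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*(.*?)\s*$')  # key = value
CURLY_QUOTES = "\u201c\u201d"  # typographic quotes, not the straight " a .vmx uses

# Constructed sample .vmx content (not taken from a real VM).
SAMPLE_VMX = '''\
.encoding = "windows-1252"
displayName = "analysis-vm"
isolation.tools.getPtrLocation.disable = "TRUE"
isolation.tools.setPtrLocation.disable = \u201cTRUE\u201d
monitor_control.disable_directexec = "FALSE"
'''

def audit_vmx(text):
    """Map each hardening key to ok, missing, wrong-value or curly-quotes."""
    seen = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = LINE_RE.match(line)
        if m:
            # Assumption: keys are compared case-insensitively.
            seen[m.group(1).lower()] = m.group(2)
    report = {}
    for key in HARDENING_KEYS:
        raw = seen.get(key.lower())
        if raw is None:
            report[key] = "missing"
        elif any(c in raw for c in CURLY_QUOTES):
            report[key] = "curly-quotes"
        elif raw.upper() == '"TRUE"':
            report[key] = "ok"
        else:
            report[key] = "wrong-value"
    return report

if __name__ == "__main__":
    for key, status in audit_vmx(SAMPLE_VMX).items():
        print(f"{status:12} {key}")
```

To check a real VM, pass the text of its .vmx file (read while the VM is powered off) to `audit_vmx` instead of the sample.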

  3. lx07
    Posts : 5,479
    2004
       #3

    It depends how the program checks. I check the BaseBoard like this
    Code:
    # Read the baseboard manufacturer string reported by WMI
    $Manufacturer = Get-WmiObject -Class Win32_BaseBoard | ForEach-Object { $_.Manufacturer }
    # Treat the listed vendor strings as a sign of a virtual machine
    if (($Manufacturer -eq "Microsoft Corporation") -or ($Manufacturer -eq "VMWARE") -or ($Manufacturer -eq "Oracle Corporation")) {
        $thisIsVirtualMachine = $true
    }
    else { $thisIsVirtualMachine = $false }
    I don't know if (or how) you could change that from VMWARE to something else. The program could also check for presence of VMware drivers, certain strings in memory etc.

    Depending how it checks you might be able to hide the fact your system is a VM, but most likely detecting will win.


  4. Posts : 15
    Windows 10 64-bit
    Thread Starter
       #4

    lx07 said:
    It depends how the program checks. I check the BaseBoard like this
    Code:
    $Manufacturer=Get-WmiObject -Class Win32_BaseBoard | ForEach-Object {$_.Manufacturer}
    if (($Manufacturer -eq "Microsoft Corporation") -or ($Manufacturer -eq "VMWARE") -or ($Manufacturer -eq "Oracle Corporation")) {
        $thisIsVirtualMachine=$true
    }
    Else { $thisIsVirtualMachine=$false }
    I don't know if (or how) you could change that from VMWARE to something else. The program could also check for presence of VMware drivers, certain strings in memory etc.

    Depending how it checks you might be able to hide the fact your system is a VM, but most likely detecting will win.
    Well I can try to run SMBCFG which edits the DMI Information for the baseboard/bios.


 
