
Knowing that some malware protects itself by restricting malicious functionality in VMs, and also for testing, I'd like to fake this protection on bare hardware, with little or no overhead (so not running a real VM).

Are there any solutions for that? Or is it even a bad idea for some reason?

  • interesting to hear from those who didn't like the question – why? Commented Jan 23, 2019 at 16:24
  • You would need to identify the specific methods the malware uses to detect it is running on a VM and give it the information that makes it believe the computer is a VM. With this same effort you can just use regular antivirus. You'd have to know how each and every virus does this, and you'd have to keep up with updates as the virus writers learn of your efforts and work on their own to circumvent them. This question is a bad fit here because it is simply too broad to be able to be answered specifically and empirically. Commented Feb 8, 2019 at 0:29
  • @music2myear it's only broad if there's no ready-made reasonable solution. Also, different VMs have different strings and detection methods, and badly written malware may just fail to detect even a proper unexpected VM (like if the author only bothered to detect VMware and MS VPC, it may fail to detect VirtualBox), let alone the simulation. So that's implied in the question – there's no 100% reliability. It's actually similar to asking about something to fight viruses in general; the only difference is there is an existing group of software for that called antiviruses. I'd like to sim a VM. Forget malware. Commented Feb 8, 2019 at 15:46

1 Answer


Probably you can't fake it in a generic way. There are too many places that a program could look to identify whether Windows is running as a VM, and it is not always easy or even possible to change them. For example, they may look at systeminfo or at the names of hardware devices.

If it were using wmic to check Win32_BaseBoard.Manufacturer for "Microsoft Corporation", "VMWARE" or "Oracle Corporation", for example, then it is not possible to update this information.

For an individual program you could try to trace how it is identifying whether it is running as a VM and, depending on how, you may be able to fool it (a MAC address, for example), but for testing it would probably be easier (and safer) to just run in a VM.

  • I agree about the testing part. I also agree about 100% reliability – even if all current info is fake-able, different VMs have different strings and detection methods, and badly written malware may just fail to detect even a proper unexpected VM (like if the author only bothered to detect VMware and MS VPC, it may fail to detect VirtualBox), let alone the simulation. The general question still stands in that case though. Commented Jan 23, 2019 at 16:23

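The answer lists the places a VM-aware sample looks (wmic/systeminfo strings such as Win32_BaseBoard.Manufacturer, hardware device names, MAC addresses) without showing what that check looks like. The PowerShell below is an added example, not code from the question, the answer, or any malware family: it enumerates those same sources the way a detection routine would and reports which ones would have to read "virtual" for a fake on bare metal to work. The hypervisor string list and the MAC OUI table are my assumptions (common desktop hypervisors and their IEEE-registered prefixes; neither is exhaustive), and the Win32_ComputerSystem.HypervisorPresent check goes beyond what the answer names.

```powershell
# Added example (not from the question or answer): enumerate the VM fingerprints the
# answer lists, the way a VM-aware sample would, and report which would need faking.
# Runs on Windows 8 / Server 2012 or later (HypervisorPresent needs that version).

# Substrings that commonly identify a hypervisor in SMBIOS/WMI strings and device names.
# Assumption: this covers the usual desktop hypervisors; it is not exhaustive.
$VmStrings = @('VMware', 'VirtualBox', 'innotek', 'Oracle Corporation', 'QEMU', 'KVM',
               'Xen', 'Parallels', 'Bochs', 'Virtual Machine', 'Hyper-V', 'VBOX')

# Well-known MAC OUI prefixes registered to hypervisor vendors (assumption: a vendor
# may also use prefixes not listed here).
$VmOuis = @{
    '00:05:69' = 'VMware'; '00:0C:29' = 'VMware'; '00:1C:14' = 'VMware'; '00:50:56' = 'VMware'
    '08:00:27' = 'VirtualBox'
    '00:15:5D' = 'Hyper-V'
    '00:16:3E' = 'Xen'
    '00:1C:42' = 'Parallels'
}

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Source, [string]$Value, [string]$Indicator)
    $Findings.Add([pscustomobject]@{ Source = $Source; Value = $Value; Indicator = $Indicator })
}

function Get-VmIndicator {
    # Returns the first matching hypervisor string, or $null. -match is case-insensitive.
    param([string]$Value)
    if (-not $Value) { return $null }
    foreach ($s in $VmStrings) {
        if ($Value -match [regex]::Escape($s)) { return $s }
    }
    return $null
}

# 1. Firmware (SMBIOS) strings surfaced through WMI/CIM. These are what wmic and
#    systeminfo print; the answer's point is that they cannot be edited from inside Windows.
$Board = Get-CimInstance -ClassName Win32_BaseBoard
$Cs    = Get-CimInstance -ClassName Win32_ComputerSystem
$Bios  = Get-CimInstance -ClassName Win32_BIOS
$Fields = @(
    @('Win32_BaseBoard.Manufacturer',      $Board.Manufacturer),
    @('Win32_BaseBoard.Product',           $Board.Product),
    @('Win32_ComputerSystem.Manufacturer', $Cs.Manufacturer),
    @('Win32_ComputerSystem.Model',        $Cs.Model),
    @('Win32_BIOS.Manufacturer',           $Bios.Manufacturer),
    @('Win32_BIOS.SMBIOSBIOSVersion',      $Bios.SMBIOSBIOSVersion),
    @('Win32_BIOS.SerialNumber',           $Bios.SerialNumber)
)
foreach ($f in $Fields) {
    Add-Finding -Source $f[0] -Value $f[1] -Indicator (Get-VmIndicator $f[1])
}

# 2. Hypervisor-present flag. Caveat: this is also true on bare metal when Hyper-V,
#    VBS or Credential Guard is enabled, because Windows then runs as a Hyper-V root partition.
Add-Finding -Source 'Win32_ComputerSystem.HypervisorPresent' -Value "$($Cs.HypervisorPresent)" `
            -Indicator $(if ($Cs.HypervisorPresent) { 'hypervisor present' } else { $null })

# 3. Device names (virtual disks, display adapters and guest-tools buses carry vendor names).
Get-CimInstance -ClassName Win32_PnPEntity | ForEach-Object {
    $hit = Get-VmIndicator $_.Name
    if ($hit) { Add-Finding -Source 'Win32_PnPEntity.Name' -Value $_.Name -Indicator $hit }
}

# 4. MAC address OUIs, the one item the answer singles out as fakeable (a locally
#    administered address can be set per adapter in the driver's advanced properties).
Get-CimInstance -ClassName Win32_NetworkAdapter |
    Where-Object { $_.MACAddress } |
    ForEach-Object {
        $oui = $_.MACAddress.Substring(0, 8).ToUpper()
        if ($VmOuis.ContainsKey($oui)) {
            Add-Finding -Source "MAC ($($_.Name))" -Value $_.MACAddress -Indicator $VmOuis[$oui]
        }
    }

# Report: every source checked, then the subset a VM-aware sample would trigger on.
$Findings | Format-Table -AutoSize
$Hits = $Findings | Where-Object { $_.Indicator }
if ($Hits) {
    "VM indicators found: $($Hits.Count). A bare-metal fake would have to make all of these read this way."
} else {
    "No VM indicators found: this is what a sample sees on bare hardware when nothing is forged."
}
```

On a stock bare-metal machine the table shows exactly the gap the answer describes: the MAC OUI is the only row you can change with a driver setting, the device names change only if you install a hypervisor's guest drivers, and the SMBIOS rows come from firmware and cannot be rewritten from Windows. The one cheap partial fake is HypervisorPresent: enabling Hyper-V or virtualization-based security on a physical box flips it to True, which fools samples that stop at that flag but not those that read the SMBIOS strings.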