While there are many techniques to detect a VM, we can also adopt certain strategies to avoid this detection. Let's look at the code of the GitHub project robsonfelix/VMDetector ("Detect virtual machine environments using C#").

Let's inspect VirtualMachineDetector.cs

WMI classes being enumerated.

On lines 28-33, the app enumerates a few WMI classes. Let's follow one of the parameters; in this example we start by tracing _disks.

In VMWareMachine.cs we find the following snippet.

As long as the string contains "vmware"

If the WMI class returns a "vmware" string, the machine is considered to be running under a VM according to this parameter.

Bypassing the Detection

Let's enumerate Win32_DiskDrive using Get-WmiObject in PowerShell and see the output.

The string is actually retrieved from the following registry entry:

HKLM\SYSTEM\ControlSet001\Enum\SCSI

Any attempt to change the Friendly Name will trigger a permission error.

The permission to edit the name is restricted, but this can be resolved by adding the current user with full access.

Permission Given

Change the name, in my case to Handsomeware.

Re-querying using PowerShell will return:

Thus this bypasses one of the VM checks. In the next post we will talk about bypassing BIOS detection.
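
To see which disk strings a "contains vmware" check would match on an analysis VM, the PowerShell below is an added example (not from the original post and not VMDetector's own code). It assumes Model, Caption and PNPDeviceID are the Win32_DiskDrive properties worth inspecting, reuses the registry path shown above, and its variable names are illustrative.

```powershell
# Added example: audit the disk strings a substring-based VM check would see.
# Run in an elevated Windows PowerShell session on the analysis VM.
$marker = 'vmware'   # substring the detector looks for, per the text above

# 1. What WMI reports for each disk (the view a WMI-based detector gets).
#    The property list is an assumption, not taken from VMDetector.
$wmiHits = Get-WmiObject -Class Win32_DiskDrive | ForEach-Object {
    $disk = $_
    foreach ($prop in 'Model', 'Caption', 'PNPDeviceID') {
        $value = [string]$disk.$prop
        if ($value.ToLowerInvariant().Contains($marker)) {
            [pscustomobject]@{
                Source   = 'WMI'
                Location = "$($disk.DeviceID) $prop"
                Value    = $value
            }
        }
    }
}

# 2. FriendlyName values stored under the registry key named in the post.
#    Subkeys that cannot be read are skipped silently.
$root = 'HKLM:\SYSTEM\ControlSet001\Enum\SCSI'
$regHits = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = [string]$_.GetValue('FriendlyName')
        if ($name -and $name.ToLowerInvariant().Contains($marker)) {
            [pscustomobject]@{
                Source   = 'Registry'
                Location = $_.Name
                Value    = $name
            }
        }
    }

# 3. Report. An empty result means this particular check finds nothing.
$hits = @($wmiHits) + @($regHits)
if ($hits.Count -eq 0) {
    "No disk strings contain '$marker'."
} else {
    $hits | Format-Table -AutoSize -Wrap
}
```

A WMI hit on PNPDeviceID with no matching FriendlyName hit means the marker lives in the device instance path rather than in the value edited above.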