While there are many techniques to detect a VM, we can also adopt certain strategies to avoid that detection. Let's look at GitHub - robsonfelix/VMDetector: Detect virtual machine environments using C# code.
Let's inspect VirtualMachineDetector.cs.
From lines 28-33, the app enumerates a few WMI classes. Let's look at one parameter; in this example we start by tracing _disks.
In VMWareMachine.cs we find the following snippet:
If the WMI class returns a string containing vmware, the machine is considered to be running under a VM via this parameter.
Bypassing the Detection
Let's enumerate Win32_DiskDrive using Get-WmiObject in PowerShell and look at the output.
The string is actually retrieved from the following registry entry:
Any attempt to change the FriendlyName triggers a permission error.
Permission to edit the name is restricted, but this can be resolved by granting the current user full access to the key.
Change the name, in my case to Handsomeware.
Re-querying with PowerShell will return:
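As an added example (not part of the original post or of the VMDetector project), here is a PowerShell audit function that performs the same Win32_DiskDrive check the detector relies on, so a sandbox owner can confirm before and after the rename whether the disk model string still exposes the hypervisor. The function name and the marker list are my own assumptions; only the "vmware" marker comes from the detector.

```powershell
# Added audit helper (not from the original post or VMDetector).
# Reproduces the detector's disk check: does any Win32_DiskDrive Model
# string contain a hypervisor marker such as "vmware"?
function Test-DiskModelExposesHypervisor {
    param(
        # Markers to look for; "vmware" is the one the detector matches on.
        # Treated as regular expressions; -match is case-insensitive by default.
        [string[]] $Markers = @('vmware')
    )

    # Get-WmiObject is what the post uses (Windows PowerShell 5.1).
    $results = foreach ($disk in Get-WmiObject -Class Win32_DiskDrive) {
        $model = [string]$disk.Model
        $hits  = @($Markers | Where-Object { $model -match $_ })
        [pscustomobject]@{
            DeviceID = $disk.DeviceID
            Model    = $model
            Exposed  = ($hits.Count -gt 0)
            Marker   = ($hits -join ',')
        }
    }

    $results | Format-Table -AutoSize | Out-String | Write-Host
    # $true when at least one disk would trip the detector.
    return [bool]($results | Where-Object { $_.Exposed })
}

# Run once before changing FriendlyName and again after re-querying;
# the second run should return $false once no Model string matches.
Test-DiskModelExposesHypervisor
```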
Thus this bypasses one of the VM checks. In the next post we will talk about bypassing BIOS detection.