I don’t usually write this kind of post, but this time I’m making an exception for a very short one about a VM-evasion PoC.
There are always tricks to detect whether you are running on a virtual machine. Most of them are crude, but they are accurate enough to be a real headache when you have to harden your sandbox.
The idea here: there are sensors that report the current CPU power usage. On a physical machine, a program that queries them gets readings like the ones shown below.
In a sandbox, the same query returns 0.
Interesting how a few years ago VM detection was as simple as detecting reg keys and file paths (which could be mitigated). Three to four years ago they were looking for VMs by the number of cores. Now it’s just pushing the limitations by seeing what data you can’t obtain from the hardware (temps, power, etc.). Fascinating evolution of evasion techniques.
Here’s another great article related to this: