We have discussed a number of ways to thwart VMware detection throughout this chapter, including patching code, removing VMware Tools, changing VMware settings, and using a multiprocessor machine.
There are also a number of undocumented features in VMware that can help mitigate anti-VMware techniques. For example, placing the options in Example 17-5 into the virtual machine’s .vmx file will make the virtual machine less detectable.
Example 17-5. VMware’s .vmx file undocumented options used to thwart anti-VM techniques
isolation.tools.getPtrLocation.disable = "TRUE" isolation.tools.setPtrLocation.disable = "TRUE" isolation.tools.setVersion.disable = "TRUE" isolation.tools.getVersion.disable = "TRUE" monitor_control.disable_directexec = "TRUE" monitor_control.disable_chksimd = "TRUE" monitor_control.disable_ntreloc = "TRUE" monitor_control.disable_selfmod = "TRUE" monitor_control.disable_reloc = "TRUE" monitor_control.disable_btinout = "TRUE" monitor_control.disable_btmemspace = "TRUE" monitor_control.disable_btpriv = "TRUE" monitor_control.disable_btseg = "TRUE"
The directexec
parameter causes user-mode code to be
emulated, instead of being run directly on the CPU, thus thwarting certain anti-VM techniques. The
first four settings are used by VMware backdoor commands so that VMware Tools running in the guest
cannot get information about the host.
These changes will protect against all of ScoopyNG’s checks, other than the sixth, when running on a multiprocessor machine. However, we do not recommend using these settings in VMware, because they disable the usefulness of VMware Tools and they may have serious negative effects on the performance of your virtual machines. Add these options only after you’ve exhausted all other techniques. These techniques have been mentioned for completeness, but modifying a .vmx file to try to catch ten of the potentially hundreds of ways that VMware might be detected can be a bit of a wild-goose chase.