Anti-Analysis (intermediate)
CPUID Hypervisor Bit
Detecting a virtualized environment by checking bit 31 of ECX returned by CPUID leaf 1, and reading the hypervisor vendor string from leaf 0x40000000.
The CPUID instruction exposes a reserved bit that cooperative hypervisors set
to advertise their presence. Malware uses it to refuse to run inside an analyst
VM or automated sandbox.
How it works
CPUID with EAX=1 returns feature flags in ECX. Bit 31 is the
"hypervisor present" bit — always 0 on bare metal, set by most hypervisors
(VMware, VirtualBox, Hyper-V, KVM).
int regs[4];
__cpuid(regs, 1);            // MSVC intrinsic: regs = {EAX, EBX, ECX, EDX}
if (regs[2] & (1u << 31)) {  // ECX bit 31; unsigned shift avoids the int overflow of 1 << 31
    // Running under a hypervisor.
}

Leaf 0x40000000 returns a 12-byte vendor string in EBX:ECX:EDX, e.g.
VMwareVMware, KVMKVMKVM, Microsoft Hv, VBoxVBoxVBox.
mov eax, 40000000h
cpuid
; EBX:ECX:EDX now holds the hypervisor vendor string

Detection & bypass
- Mask the bit: a stealth hypervisor can clear bit 31 and spoof leaf 0x40000000 (VirtualBox/VMware have config flags for this).
- Patch the sample: force the conditional after the bit test.
- For analysis, log every cpuid with EAX=1 or EAX=0x40000000.
Combine with checks for MAC OUI prefixes, registry artifacts and device names for a more robust sandbox profile.
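The following is an added analyst-side probe, not code from the page, that implements both checks above (the leaf 1 bit test and the leaf 0x40000000 vendor string) as a pure classifier over raw register values plus a live query, so a sandbox operator can confirm offline and on the box whether a VM still exposes them. The `hv_*` names, the `le32_from_chars` helper and the constructed register values are assumptions, and the live query uses GCC/clang's `cpuid.h` rather than the MSVC `__cpuid` form shown earlier.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h> /* GCC/clang; MSVC's __cpuid(int[4], int) has a different shape */
#endif

struct hv_info {
    int present;     /* leaf 1, ECX bit 31 */
    char vendor[13]; /* leaf 0x40000000 EBX:ECX:EDX as text, "" when absent */
};

/* Leaf 1, ECX bit 31 is the "hypervisor present" flag (0 on bare metal). */
static int hv_bit_set(uint32_t leaf1_ecx) { return (leaf1_ecx >> 31) & 1u; }

/* Pack four ASCII chars into a little-endian register value (for constructed input). */
static uint32_t le32_from_chars(const char s[4]) {
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--) v = (v << 8) | (unsigned char)s[i];
    return v;
}

/* Pure classifier over raw register values, so it can be checked offline.
 * EBX, ECX and EDX each carry four bytes of the vendor string, low byte first. */
static struct hv_info hv_classify(uint32_t leaf1_ecx,
                                  uint32_t ebx, uint32_t ecx, uint32_t edx) {
    struct hv_info info = { hv_bit_set(leaf1_ecx), "" };
    const uint32_t regs[3] = { ebx, ecx, edx };
    if (!info.present) return info; /* leaf 0x40000000 is meaningless on bare metal */
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            info.vendor[4 * r + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    info.vendor[12] = '\0';
    return info;
}

/* Live probe of this machine; returns 0 when CPUID is unavailable on the build target. */
static int hv_query(struct hv_info *out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    unsigned leaf1_ecx = c;
    __cpuid(0x40000000, a, b, c, d); /* above the basic max leaf, so not __get_cpuid */
    *out = hv_classify(leaf1_ecx, b, c, d);
    return 1;
#else
    (void)out; return 0;
#endif
}
```

Calling `hv_query` from a sandbox guest and seeing `present == 1` with a recognisable vendor string means the guest is still identifiable by this check even before the MAC, registry and device-name artifacts are considered.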