Registry VM Artifact Detection

Reading registry keys and service entries left by VirtualBox and VMware Guest Additions reveals a virtual machine to evasive malware.

Virtual machine guest tooling — VirtualBox Guest Additions, VMware Tools — writes predictable keys, services, and device descriptions into the Windows registry. Reading these is one of the cheapest anti-VM checks available, requiring no special privileges and no exotic instructions, which is why commodity RATs lean on it.

The malware opens a handful of known paths; if any exist, it assumes an analysis environment and exits, sleeps, or runs a decoy. Because the values are static strings, detection is mostly a matter of enumerating the right paths.

How it works

A sample queries identifiers under HKLM\HARDWARE and HKLM\SYSTEM, plus vendor service keys. Typical targets include the disk enumerator and the system BIOS string, which leak VBOX, VMWARE, or QEMU.

```c
// Example: read the disk enumerator string that VirtualBox/VMware/QEMU leave in the registry.
#include <windows.h>
#include <string.h>

HKEY hKey;
char buf[256] = {0};
DWORD len = sizeof(buf) - 1;            // leave one byte for a terminator
LONG rc = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
    "SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
    0, KEY_READ, &hKey);
if (rc == ERROR_SUCCESS) {
    if (RegQueryValueExA(hKey, "0", NULL, NULL, (LPBYTE)buf, &len) == ERROR_SUCCESS) {
        buf[len] = '\0';                // a REG_SZ value is not guaranteed to be NUL-terminated
        if (strstr(buf, "VBOX") || strstr(buf, "VMware") || strstr(buf, "QEMU"))
            vm_detected();
    }
    RegCloseKey(hKey);                  // do not leak the handle
}
```

Commonly probed keys include:

```text
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest
HKLM\SYSTEM\CurrentControlSet\Services\VBoxMouse
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion   ; "VBOX"/"VMWARE"
HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
```

Detection & analysis

Static analysis: Search the binary for the literal registry paths and the vendor strings (VBOX, VMware, VBoxGuest, Oracle\VirtualBox). Pair them with imports of RegOpenKeyEx/RegQueryValueEx; obfuscated samples may build the strings at runtime, so also check for stacked-string construction.
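A small static triage script for the check just described, added here as an example (it is not code from the original article). It scans a file's raw bytes for the registry paths and vendor strings listed on this page, in both ANSI and wide (UTF-16LE) form, and for the `RegOpenKeyEx`/`RegQueryValueEx` import names, which sit as plain NUL-terminated ASCII in a PE's import name table. No PE-parsing library is assumed, and the `SAMPLE` blob is constructed for the demonstration rather than taken from a real binary; the scoring thresholds are my own choice.

```python
"""Static triage: VM-artifact registry strings plus Reg* imports in a file.

Added example, not part of the original article. Matching of paths and
vendor strings is case-insensitive because registry paths are; import
names are matched exactly. SAMPLE is a constructed stand-in for a PE.
"""
import re

# Indicators taken from the article's list of commonly probed keys.
REGISTRY_PATHS = [
    r"SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"SYSTEM\CurrentControlSet\Services\VBoxGuest",
    r"SYSTEM\CurrentControlSet\Services\VBoxMouse",
    r"SOFTWARE\VMware, Inc.\VMware Tools",
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"SYSTEM\CurrentControlSet\Services\Disk\Enum",
]
VENDOR_STRINGS = ["VBOX", "VMware", "VBoxGuest", r"Oracle\VirtualBox", "QEMU"]
REGISTRY_IMPORTS = ["RegOpenKeyExA", "RegOpenKeyExW",
                    "RegQueryValueExA", "RegQueryValueExW"]


def _encodings(s: str):
    """Both byte forms a compiled literal may take: ANSI and UTF-16LE."""
    return [s.encode("ascii"), s.encode("utf-16-le")]


def find_indicators(data: bytes) -> dict:
    """Return which registry paths, vendor strings and Reg* imports occur in data."""
    hits = {"paths": [], "vendors": [], "imports": []}
    lowered = data.lower()          # ASCII-only lowering; UTF-16LE NUL bytes are untouched
    for group, needles in (("paths", REGISTRY_PATHS), ("vendors", VENDOR_STRINGS)):
        for s in needles:
            if any(enc in lowered for enc in _encodings(s.lower())):
                hits[group].append(s)
    # Import names live in the hint/name table as exact, NUL-terminated ASCII.
    for name in REGISTRY_IMPORTS:
        if re.search(re.escape(name.encode("ascii")) + rb"\x00", data):
            hits["imports"].append(name)
    return hits


def score(hits: dict) -> str:
    """Triage verdict: artifact strings together with Reg* imports is the strong signal.

    Obfuscated samples may build the strings at runtime, so imports alone are a
    weak hint that deserves a look at stacked-string construction, not a pass.
    """
    has_strings = bool(hits["paths"] or hits["vendors"])
    has_imports = bool(hits["imports"])
    if has_strings and has_imports:
        return "likely-registry-vm-check"
    if has_strings or has_imports:
        return "weak-indicator"
    return "no-indicator"


# Constructed sample bytes: an ANSI key path, a wide vendor string and a
# fragment resembling an import name table. Not a real executable.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SYSTEM\\CurrentControlSet\\Services\\VBoxGuest\x00"
    + "VMware".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x00RegOpenKeyExA\x00\x00\x00RegQueryValueExA\x00"
)

if __name__ == "__main__":
    found = find_indicators(SAMPLE)
    print(found, score(found))
```

Run it against a real sample by replacing `SAMPLE` with the file's bytes; a hit on the wide encoding alone is common in MSVC-built samples that use the `W` APIs, which is why both encodings are checked.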

Dynamic analysis: Use Process Monitor (ProcMon) to log RegOpenKey and RegQueryValue events and watch which VM keys the sample touches. To get the sample past the check, hide or rename the offending keys, or use a hardened/"detection-resistant" analysis VM where Guest Additions artifacts are stripped.

Detection rule hint: Alert on reads of Services\VBoxGuest, VMware Tools, or SystemBiosVersion shortly after process start, especially when followed by a branch that leads to early exit or an extended sleep.
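The dynamic-analysis step and the rule hint above, turned into a script over ProcMon output; this is an added example and not part of the original article. It reads a CSV in the column layout of a ProcMon export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), records each process's `Process Start`, flags `RegOpenKey`/`RegQueryValue` events on the keys listed on this page that fall within a few seconds of that start, and marks the alert when a `Process Exit` follows the probe quickly, the observable trace of the early-exit branch. The event rows and both time windows are constructed assumptions for the demonstration, not tuned values.

```python
"""Rule: VM-artifact registry reads shortly after process start, optionally
followed by an early exit. Added example, not part of the original article.

Assumed input: ProcMon CSV export columns. Times are 'Time of Day' values
(HH:MM:SS.fffffff) and the trace is assumed not to cross midnight.
"""
import csv
import io

# Key fragments from the article's list, compared case-insensitively.
VM_KEY_PATTERNS = [
    r"services\vboxguest",
    r"services\vboxmouse",
    r"oracle\virtualbox guest additions",
    r"vmware, inc.\vmware tools",
    r"description\system\systembiosversion",
    r"description\system\bios\systemmanufacturer",
    r"services\disk\enum",
]
READ_OPS = {"RegOpenKey", "RegQueryValue"}
START_WINDOW_S = 5.0   # constructed value for "shortly after process start"
EXIT_WINDOW_S = 2.0    # constructed value: exit this soon after the probe is suspicious


def _seconds(time_of_day: str) -> float:
    """'10:15:32.1234567' -> seconds since midnight."""
    h, m, s = time_of_day.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def evaluate(csv_text: str) -> list:
    """Return one alert per process that read a VM key within START_WINDOW_S of
    its Process Start; 'early_exit' is set when Process Exit follows quickly."""
    starts, exits, probes, names = {}, {}, {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid = int(row["PID"])
        t = _seconds(row["Time of Day"])
        op = row["Operation"]
        names[pid] = row["Process Name"]
        if op == "Process Start":
            starts[pid] = t
        elif op == "Process Exit":
            exits[pid] = t
        elif op in READ_OPS:
            path = row["Path"].lower()
            if any(pattern in path for pattern in VM_KEY_PATTERNS):
                probes.setdefault(pid, []).append((t, row["Path"]))

    alerts = []
    for pid, reads in probes.items():
        start = starts.get(pid)
        if start is None:
            continue  # started before the trace; timing cannot be judged
        early = [(t, p) for t, p in reads if 0 <= t - start <= START_WINDOW_S]
        if not early:
            continue
        last_probe = max(t for t, _ in early)
        exit_t = exits.get(pid)
        alerts.append({
            "pid": pid,
            "process": names[pid],
            "paths": [p for _, p in early],
            "early_exit": exit_t is not None and 0 <= exit_t - last_probe <= EXIT_WINDOW_S,
        })
    return alerts


# Constructed events: one process probing two VM keys right after start and
# exiting, a long-running process reading a key (no start in trace), and a
# process whose read comes well after start.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:30.0001000","sample.exe","4120","Process Start","","SUCCESS",""
"10:15:30.2500000","sample.exe","4120","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest","NAME NOT FOUND",""
"10:15:30.2600000","sample.exe","4120","RegQueryValue","HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion","SUCCESS",""
"10:15:30.9000000","sample.exe","4120","Process Exit","","SUCCESS",""
"10:15:31.0000000","explorer.exe","1844","RegQueryValue","HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools","SUCCESS",""
"10:15:40.0000000","updater.exe","5012","Process Start","","SUCCESS",""
"10:15:55.0000000","updater.exe","5012","RegOpenKey","HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools","SUCCESS",""
"""

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_CSV):
        print(alert)
```

Requiring the read to sit close to process start is what keeps the rule quiet: Guest Additions, VMware Tools and ordinary installers read these same keys all day, and a `NAME NOT FOUND` result on a VirtualBox key in a VMware guest is still a probe worth recording.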
