EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationvm-detectionsandbox-evasionpafish

VM and Sandbox Detection

How malware fingerprints VMware, VirtualBox, and automated sandboxes through artefact checks, hardware queries, and behavioural tests — and how to build a convincing lived-in analysis VM that passes all checks.

Ashish Revar12 May 202618 min read2 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

The Art of Deception: Unmasking Anti-Analysis & Evasion Techniques

A technical examination of the self-defence mechanisms used by self-defending malware — how threats detect sandboxes, sabotage debuggers, and hide from automated analysis, and how analysts defeat each technique.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Pafish — Paranoid Fish VM Detection Tester

Run in your analysis VM to identify which VM artefacts are detectable. Fix every failed check before analysing sophisticated samples.

tool
Al-Khaser — Comprehensive Anti-Analysis Test Suite

More extensive than Pafish — tests 100+ checks. Essential for validating a hardened analysis environment.

tool
MITRE ATT&CK — Virtualization/Sandbox Evasion (T1497)

ATT&CK technique for VM and sandbox evasion with sub-techniques covering system checks, user activity, and time-based evasion.

reference
More articlesTest your knowledge

Why VM Detection?

Beyond detecting debuggers, malware checks whether it is running inside a virtual machine or an automated sandbox. If the environment looks artificial, the malware terminates or executes benign decoy behaviour.

VM detection is like a kidnapper checking if the ransom drop location is a police sting. They look for unmarked vans, people with earpieces, and suspiciously empty streets. If anything feels staged, they abort. Your analysis VM needs to look like a messy teenager''s bedroom, not a sterile FBI surveillance post.

Category 1: Registry and File Artefact Checks

Virtual machine software leaves registry keys, files, and processes that malware can enumerate:

ArtefactVMwareVirtualBox
Registry keysHKLM\SOFTWARE\VMware, Inc.\VMware ToolsHKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
Processesvmtoolsd.exe, vmwaretray.exeVBoxService.exe, VBoxTray.exe
FilesC:\Windows\System32\vmGuestLib.dllC:\Windows\System32\VBoxGuest.sys
ServicesVMware Physical Disk Helper ServiceVBoxSF
MAC prefix00:0C:29, 00:50:5608:00:27

Bypass

1. Uninstall VMware Tools / VirtualBox Guest Additions
   (accept reduced functionality — no shared folders, no clipboard sync)
2. Change MAC address to a Dell or HP OUI prefix (e.g., 00:1A:A0)
3. Rename suspicious processes (if Tools must be installed)
4. Delete or rename suspicious registry keys

Category 2: Hardware and CPU Checks

CPUID Hypervisor Bit

The CPUID instruction with leaf 0x1 returns ECX with bit 31 set if a hypervisor is present:

MOV  EAX, 1
CPUID
TEST ECX, 80000000h    ; bit 31 = hypervisor present
JNZ  vm_detected

Bypass (VirtualBox):

VBoxManage modifyvm "VM_Name" --paravirt-provider none

This instructs VirtualBox not to set the hypervisor bit. VMware requires registry modification or a third-party tool.

Low Hardware Resources

A real workstation typically has:

  • RAM ≥ 8 GB
  • CPU cores ≥ 2
  • Disk ≥ 100 GB

Malware checks:

; Check RAM
CALL  GlobalMemoryStatusEx
CMP   [dwTotalPhys], 0x80000000  ; < 2 GB?
JL    vm_suspected

; Check CPU cores
CALL  GetSystemInfo
CMP   [dwNumberOfProcessors], 2
JL    vm_suspected

Bypass: Configure VM with 4+ GB RAM and 2+ CPU cores.

Disk Size

# Malware PowerShell check
$disk = Get-WmiObject Win32_DiskDrive | Select-Object -First 1
if ($disk.Size -lt 60GB) { exit }

Bypass: Set virtual disk to 100 GB dynamically allocated.

Screen Resolution

Sandboxes often run at 800×600 or 1024×600.

Bypass: Set VM resolution to 1920×1080 and maximise the window.

Category 3: Behavioural and User Activity Checks

The most sophisticated checks look for evidence of real user activity:

CheckWhat It Looks ForBypass
Mouse movementMinimum pixel distance movedRun mouse jiggler script in VM
Recent documentsFiles in Recent Items folderPopulate with dummy Office documents
Browser historySites visited in Chrome/FirefoxBrowse a few legitimate sites
Desktop contentNumber of files/icons on desktopAdd files and shortcuts
UptimeSystem running < 10 minutesBoot VM and wait 15+ minutes before analysis
Installed softwareOnly security tools presentInstall common apps (Chrome, VLC, WinRAR)

Category 4: Sandbox-Specific Checks

Automated sandboxes have distinctive characteristics beyond VM artefacts:

# Common sandbox detection checks in Python (for educational reference)
import os, platform, ctypes

# Check username
if os.getenv('USERNAME') in ['sandbox', 'malware', 'virus', 'analyst']:
    sys.exit()

# Check hostname
if platform.node() in ['SANDBOX', 'CUCKOO', 'CAPE']:
    sys.exit()

# Check recent file count in Documents
docs = len(os.listdir(os.path.expanduser('~/Documents')))
if docs < 3:
    sys.exit()  # too clean — sandbox

Bypass: Set a realistic username (first name + last name), set hostname to a corporate-looking name (e.g., DELL-WS-4821), populate Documents folder.

Building a Convincing Analysis VM

A convincing analysis VM should look like a real user''s machine:

Hardware configuration:
  RAM:        4–8 GB
  CPU cores:  2–4
  Disk:       100 GB
  Resolution: 1920×1080
  MAC:        Dell or HP OUI prefix (not VMware/VirtualBox)
  CPUID:      Hypervisor bit cleared

Software configuration:
  OS:         Windows 10, realistic username, corporate hostname
  Browsers:   Chrome with bookmarks and history
  Office:     Microsoft Office with recent documents
  Common apps: VLC, WinRAR, 7-Zip, Adobe Reader
  Background: Real desktop wallpaper, icons, files

User activity simulation:
  Recent documents: 5+ Office files in Documents
  Desktop files:    3–5 files and shortcuts
  Browser history:  10+ legitimate sites visited
  Uptime:           Boot 30+ minutes before analysis

Pafish and Al-Khaser: VM Hardening Validators

Run these tools inside your analysis VM before detonating any sample. They reveal exactly which artefacts malware could detect.

Pafish: tests ~30 VM, sandbox, and debugger checks. Any check that triggers is a gap to fix.

Al-Khaser: more extensive — tests 100+ checks across all categories. Essential for hardening against sophisticated samples.

# Run in your analysis VM
Pafish.exe           # shows PASS/FAIL for each check
Al-Khaser.exe        # more comprehensive check suite

Fix every failed check before analysing sophisticated malware.