This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Topic 6.3 of Examining Self-Defending Malware
Four categories of VM detection — registry/file artefacts, hardware checks (CPUID hypervisor bit), behavioural user activity checks, and sandbox-specific checks — with bypass techniques and a lived-in VM configuration checklist.
By the end of this topic, you will
Quadrant 1 · e-Tutorial
Quadrant 2 · e-Content
Quadrant 3 · Web Resources
Downloadable reference material
External links
Pafish — Paranoid Fish VM Detection Tester
Run in your analysis VM to identify which VM artefacts are detectable. Fix every failed check before analysing sophisticated samples.
Al-Khaser — Comprehensive Anti-Analysis Test Suite
More extensive than Pafish — tests 100+ checks. Essential for validating a hardened analysis environment.
MITRE ATT&CK — Virtualization/Sandbox Evasion (T1497)
ATT&CK technique for VM and sandbox evasion with sub-techniques covering system checks, user activity, and time-based evasion.
Quadrant 4 · Self-Assessment
Examining Self-Defending Malware
Covers anti-debugging techniques, virtual machine and sandbox detection, protection of embedded data, code misdirection, and advanced unpacking methodologies.
REMA Complete Assessment
A comprehensive 120-question assessment covering the entire Reverse Engineering and Malware Analysis curriculum: malware taxonomy and reverse engineering fundamentals, static and dynamic analysis, reversing malicious code, malicious web and document files, in-depth analysis of packed and fileless malware, and self-defending malware techniques.