Open CharlotteCross1998 opened 1 year ago
Take a look at the Red Pill Blue Pill technique. A StackOverflow post also mentions that 00:50:56, 00:1C:14, 00:0C:29, and 00:05:69 will always be the first 3 values in a MAC address on a VMware virtual machine.
If anyone knows of any other ways to identify if a program is being run inside of a virtual machine please let me know.
Furthermore, if anyone has any ideas of how to implement a confidence scoring system, should other methods of detecting if we're in a VM be found, please let me know too. For example, the vendor string check isn't reliable as this can easily be changed, so would have a low confidence score compared to checking the 31st bit of leaf 1 of ecx, which is harder to change.
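
One possible shape for the confidence score asked about in the issue above, as an added example (not code from this project or from the issue author). The weights, the function names and the noisy-OR combination rule are assumptions chosen for illustration, and the sample inputs in `main` are constructed rather than read from the machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Assumed weights: how strongly a positive hit on each signal suggests a VM. */
#define W_MAC_OUI 0.60  /* a MAC address is easy to change */
#define W_VENDOR  0.40  /* vendor string is easy to change (per the issue) */
#define W_HV_BIT  0.90  /* CPUID leaf 1, ECX bit 31 is harder to change */

/* VMware MAC prefixes quoted in the issue. */
static const char *VMWARE_OUIS[] = { "00:50:56", "00:1C:14", "00:0C:29", "00:05:69" };

/* Returns 1 if the MAC string starts with one of the listed prefixes. */
int mac_is_vmware(const char *mac) {
    if (!mac || strlen(mac) < 8) return 0;
    for (size_t i = 0; i < sizeof VMWARE_OUIS / sizeof *VMWARE_OUIS; i++)
        if (strncasecmp(mac, VMWARE_OUIS[i], 8) == 0) return 1;
    return 0;
}

/* Returns bit 31 of the ECX value produced by CPUID leaf 1. */
int hypervisor_bit(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }

/* Noisy-OR: confidence = 1 - product of (1 - weight) over signals that fired.
 * Weak signals add a little, strong ones add a lot, and the result stays in [0, 1]. */
double vm_confidence(int mac_hit, int vendor_hit, int hv_bit) {
    double miss = 1.0;
    if (mac_hit)    miss *= 1.0 - W_MAC_OUI;
    if (vendor_hit) miss *= 1.0 - W_VENDOR;
    if (hv_bit)     miss *= 1.0 - W_HV_BIT;
    return 1.0 - miss;
}

int main(void) {
    /* Constructed sample inputs, not read from the running machine. */
    const char *mac = "00:0c:29:ab:cd:ef";
    uint32_t ecx = 0x80000201u;
    double c = vm_confidence(mac_is_vmware(mac), 0, hypervisor_bit(ecx));
    printf("confidence = %.2f\n", c);
    return 0;
}
```

New detection methods slot in as one more weight and one more argument, without rebalancing the existing ones.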