hfiref0x / VBoxHardenedLoader

VirtualBox VM detection mitigation loader
BSD 2-Clause "Simplified" License

VM detection caused by analysis of Plug and Play device IDs #93

Closed Atrate closed 3 years ago

Atrate commented 3 years ago

I have recently come across a piece of software that managed to bypass VBoxHardenedLoader and still detect the virtual machine. It did it by using Windows Management Instrumentation calls and checking the PNP device IDs by running a query SELECT DeviceID FROM Win32_PnPEntity and getting all fields with name DeviceID.

The following PNP IDs are unique to VirtualBox:

HID\VID_80EE&PID_0021\6&C0114FE&0&0000
USB\VID_80EE&PID_0021\5&12C8F4C0&0&1

Among those IDs, this is the full list of IDs checked, but only vid_80ee is present in VBox.

"vbox", "vid_80ee", "qemu", "ven_1af4", "ven_1b36", "subsys_11001af4"

This could be fixed by somehow spoofing those device IDs (possibly with devcon), but would undoubtedly cause driver issues.

UPDATE 1: Changing VM settings to:

Pointing device: PS/2 Mouse
Graphics Controller: VMSVGA

fixes the detection but it is a temporary fix (in the case of the Graphics Controller) and may cause performance issues with the graphics (the PS/2 mouse works well as long as you disable "Enhance pointer precision" in Windows settings).

Switching to the PS/2 mouse is still a good idea in and of itself, as it has a very generic ID, not unique to VMs.

The VMSVGA graphics controller shares part of its ID with different devices, so sloppy software wouldn't detect it.

(Updated my original comment a couple of times since first posting it as I decided to do some more research and arrived at different conclusions)
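The following is an added example, not code from the issue or from the VBoxHardenedLoader project. It runs the same Win32_PnPEntity / DeviceID query the comment describes and reports any device whose ID contains one of the substrings quoted above, so a sandbox maintainer can verify, after applying the loader or the settings changes, that none of those markers are still exposed through Plug and Play IDs. The function names (Get-PnpDeviceIds, Find-VmMarkers) and the sample IDs other than the two VirtualBox ones are assumptions made for this example.

```powershell
# Added example (not part of the issue or the VBoxHardenedLoader project):
# audit a guest for the VirtualBox/QEMU PnP ID substrings listed in the
# issue, using the same WMI class it describes (Win32_PnPEntity, DeviceID).
# An empty result means none of the listed markers show up in PnP IDs.

# Substrings quoted in the issue; matching is case-insensitive.
$VmMarkers = @('vbox', 'vid_80ee', 'qemu', 'ven_1af4', 'ven_1b36', 'subsys_11001af4')

function Get-PnpDeviceIds {
    # Same data as "SELECT DeviceID FROM Win32_PnPEntity", via CIM
    # (Get-CimInstance is the current replacement for Get-WmiObject).
    (Get-CimInstance -ClassName Win32_PnPEntity -Property DeviceID).DeviceID |
        Where-Object { $_ }
}

function Find-VmMarkers {
    param(
        [string[]] $DeviceIds = (Get-PnpDeviceIds),   # default: live query
        [string[]] $Markers   = $VmMarkers
    )
    foreach ($id in $DeviceIds) {
        foreach ($m in $Markers) {
            # -like is case-insensitive in PowerShell, matching the lowercase list
            if ($id -like "*$m*") {
                [pscustomobject]@{ DeviceID = $id; Marker = $m }
                break   # one hit per device is enough
            }
        }
    }
}

# Constructed sample: the two VirtualBox IDs from the issue, plus a generic
# PS/2 mouse ID and a PCI ID (both assumptions) that should not match.
$sample = @(
    'HID\VID_80EE&PID_0021\6&C0114FE&0&0000',
    'USB\VID_80EE&PID_0021\5&12C8F4C0&0&1',
    'ACPI\PNP0F03\4&2E2A6A50&0',
    'PCI\VEN_8086&DEV_7110&SUBSYS_00000000&REV_01\3&267A616A&0&38'
)
Write-Host '--- constructed sample ---'
Find-VmMarkers -DeviceIds $sample | Format-Table -AutoSize

# Live audit of the guest this script runs on (a WMI read needs no admin rights).
Write-Host '--- this machine ---'
$hits = @(Find-VmMarkers)
if ($hits.Count -eq 0) { Write-Host 'No VirtualBox/QEMU PnP markers found.' }
else { $hits | Format-Table -AutoSize }
```

Run it inside the guest before and after switching the pointing device and graphics controller as described in UPDATE 1; the two VID_80EE entries in the constructed sample are flagged with marker vid_80ee, and the live section should come back empty once the USB tablet device is no longer presented to the guest.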

Atrate commented 3 years ago

I've created PR #94 as a temporary fix to the issue. The PS/2 mouse ID cannot ever be used for VM identification as it's a generic mouse, so this part is permanent.