This chapter introduced the most popular anti-VMware techniques. Because malware authors use these techniques to slow down analysis, it’s important to be able to recognize them. We have explained these techniques in detail so that you can find them in disassembly or debugging, and we’ve explored ways to overcome them without needing to modify malware at the disassembly level.
When performing basic dynamic analysis, you should always use a virtual machine. However, if your subject malware doesn’t seem to run, consider trying another virtual machine with VMware Tools uninstalled before debugging or disassembling the malware in search of virtual machine detection. You might also run your subject malware in a different virtual environment (like VirtualBox or Parallels) or even on a physical machine.
As with anti-debugging techniques, anti-VM techniques can be spotted using common sense while slowly debugging a process. For example, if you see code terminating prematurely at a conditional jump, it may be doing so as a result of an anti-VM technique. As always, be aware of these types of issues and look ahead in the code to determine what action to take.