Virtual Machine Detection Using OS Status Changes presented at ToorCamp 2014

by Xiaoning Li

Summary: Our talk is about how to detect virtual machines using OS status changes that occur in virtual machine environments. The purpose of the detection is to evade defense methods that are based on virtual machines.
Virtual machines and virtualization technology play a critical role in virtual appliances, enabling dynamic and parallel sample analysis. Methods for detecting virtual machines and sandboxes have been discussed previously, but mostly based on obvious virtual machine features, including specific files, processes, VM communication protocols, etc. The talk focuses on OS status changes that happen in virtual machines, using application-level code.
The talk will cover techniques that detect different virtual machines such as VirtualBox, VMware, and Xen.