2023-12-11 15:28:18

Marcus Hutchins on Nostr:

A common technique malware uses to detect if it's running in a virtual machine is via CPUID. The 31st bit of ECX on leaf 1 is set to 1 if the OS is running on top of a hypervisor.

On leaf 0x40000000 the EBX, ECX, and EDX values combine to create a text string that identifies the hypervisor vendor.

With VMware, both methods can be easily countered by modifying your VMX file to override the CPUID registers. Simply shut down your VM and add the following lines to your config file:
cpuid.1.ecx="0---:----:----:----:----:----:----:----"
cpuid.40000000.ebx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.40000000.ecx="0000:0000:0000:0000:0000:0000:0000:0000"
cpuid.40000000.edx="0000:0000:0000:0000:0000:0000:0000:0000"

Author Public Key
npub1t5y3qpya5m4v4tv73yw447uglfsn7j44znv2d38m2xsrah4kpm0qt338yv
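
To confirm from inside the analysis guest that the VMX override took effect, the two CPUID values described in the post can be read directly. This is an added example, not part of the original post: the function names are hypothetical, and it assumes GCC or Clang on x86 for `<cpuid.h>`.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#endif

/* Leaf 1: bit 31 of ECX is the "hypervisor present" flag. */
static int hypervisor_bit(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Leaf 0x40000000: EBX, ECX, EDX carry 12 vendor bytes, low byte first. */
static void vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xFFu);
    out[12] = '\0';
}

/* 1 only if the guest sees what the VMX lines from the post request:
 * hypervisor bit cleared and all three vendor registers zeroed. */
static int override_applied(uint32_t leaf1_ecx, uint32_t ebx, uint32_t ecx, uint32_t edx) {
    return !hypervisor_bit(leaf1_ecx) && (ebx | ecx | edx) == 0;
}

int main(void) {
#ifdef HAVE_CPUID
    uint32_t a, b, c, d, leaf1_ecx;
    char vendor[13];
    __cpuid(1, a, b, c, d);           /* feature leaf */
    leaf1_ecx = c;
    __cpuid(0x40000000, a, b, c, d);  /* hypervisor vendor leaf */
    vendor_string(b, c, d, vendor);
    printf("hypervisor bit (leaf 1, ECX[31]): %d\n", hypervisor_bit(leaf1_ecx));
    printf("vendor leaf 0x40000000:           \"%s\"\n", vendor);
    printf("override applied:                 %s\n",
           override_applied(leaf1_ecx, b, c, d) ? "yes" : "no");
#else
    puts("CPUID is only available on x86");
#endif
    return 0;
}
```

Run it in the guest before and after editing the VMX file. On a physical Intel machine leaf 0x40000000 is outside the defined range and may return unrelated data, so the result is only meaningful inside the VM.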