Virtual environments emulate hardware devices and leave specific traces in those devices' descriptions. These descriptions can be queried and, if a known trace is found, the conclusion drawn that the code is not running on a physical host.
This method checks which physical display adapters are present in the system by instantiating the IDirect3D9 interface and querying each adapter's identifier. It works on all Windows versions starting from Windows XP.
Functions used:
Direct3DCreate9 - exported by the `d3d9.dll` library; returns the IDirect3D9 interface
GetAdapterIdentifier - a method of the IDirect3D9 interface, called once per adapter index
Code sample
Credits for this code sample go to elsamuko, who pointed it out.
An example of the output on an ordinary host machine is provided below:
And here is an example of the output on a virtual machine (VMware):
The examined fields are named after the corresponding fields of the D3DADAPTER_IDENTIFIER9 structure. Malware compares the values in these fields against values known to belong to virtual machine display adapters; if a match is found, it concludes that it is running under a virtual machine.
Detections table
Check if the following values are present in the fields of the D3DADAPTER_IDENTIFIER9 structure:
Detect    Structure field    Value     Comment
VMware    VendorId           0x15AD
VMware    DeviceId           0x405     Only when used in combination with the VendorId related to VMware (0x15AD)
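The following is an added example, not the page's own code sample and not elsamuko's code, that applies the detections-table rule for VMware to Direct3D9 adapter identifiers. On Windows it queries the real adapters through Direct3DCreate9 and IDirect3D9::GetAdapterIdentifier; on other platforms it runs over constructed sample identifiers (the driver and description strings and the NVIDIA DeviceId are illustrative, not captured output) so the comparison logic can be exercised anywhere. The struct AdapterInfo and the function names are this example's own.

```cpp
// Added example (not the page's own code sample): apply the detections-table
// rule for VMware to Direct3D9 adapter identifiers. On Windows it queries the
// real adapters through Direct3DCreate9 / IDirect3D9::GetAdapterIdentifier;
// elsewhere it runs on constructed sample identifiers.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

#ifdef _WIN32
#include <windows.h>
#include <d3d9.h>
#pragma comment(lib, "d3d9.lib")
#endif

// The subset of D3DADAPTER_IDENTIFIER9 the check looks at, with the same
// field names so the comparison reads like the detections table.
struct AdapterInfo {
    std::string Driver;
    std::string Description;
    uint32_t VendorId;
    uint32_t DeviceId;
};

// Detection rule from the table: VendorId 0x15AD is VMware; DeviceId 0x405
// only counts together with that VendorId (on its own it is not evidence).
// Returns a short label for a hit, or an empty string for a physical/unknown adapter.
std::string classifyAdapter(const AdapterInfo& a) {
    if (a.VendorId != 0x15AD)
        return "";
    if (a.DeviceId == 0x0405)
        return "VMware (VendorId 0x15AD, DeviceId 0x405)";
    return "VMware (VendorId 0x15AD)";
}

// Verdict over all adapters: one matching adapter is enough.
bool runningInVm(const std::vector<AdapterInfo>& adapters) {
    for (const AdapterInfo& a : adapters)
        if (!classifyAdapter(a).empty())
            return true;
    return false;
}

#ifdef _WIN32
// Real enumeration: Direct3DCreate9 (exported by d3d9.dll) gives an IDirect3D9;
// GetAdapterIdentifier is a method on that interface, called once per adapter.
std::vector<AdapterInfo> enumerateAdapters() {
    std::vector<AdapterInfo> out;
    IDirect3D9* d3d = Direct3DCreate9(D3D_SDK_VERSION);
    if (!d3d)
        return out;
    UINT count = d3d->GetAdapterCount();
    for (UINT i = 0; i < count; ++i) {
        D3DADAPTER_IDENTIFIER9 id = {};
        if (SUCCEEDED(d3d->GetAdapterIdentifier(i, 0, &id)))
            out.push_back(AdapterInfo{id.Driver, id.Description, id.VendorId, id.DeviceId});
    }
    d3d->Release();
    return out;
}
#else
// Constructed sample identifiers (not captured output): one VMware-style
// adapter and one physical-style adapter from a different vendor.
std::vector<AdapterInfo> enumerateAdapters() {
    return {
        AdapterInfo{"vm3dum.dll", "VMware SVGA 3D", 0x15AD, 0x0405},
        AdapterInfo{"nvldumd.dll", "NVIDIA GeForce (sample)", 0x10DE, 0x1C82},
    };
}
#endif

int main() {
    std::vector<AdapterInfo> adapters = enumerateAdapters();
    for (const AdapterInfo& a : adapters) {
        std::string hit = classifyAdapter(a);
        std::printf("%-26s Driver=%-12s VendorId=0x%04X DeviceId=0x%04X %s\n",
                    a.Description.c_str(), a.Driver.c_str(),
                    (unsigned)a.VendorId, (unsigned)a.DeviceId,
                    hit.empty() ? "" : hit.c_str());
    }
    std::printf("Verdict: %s\n",
                runningInVm(adapters) ? "virtual machine (VMware)" : "no VMware adapter found");
    return 0;
}
```

The rule is deliberately asymmetric: the VendorId alone is a hit, while the DeviceId is only checked once the VendorId has already matched, which is exactly the "only when used in combination" caveat in the table. A sandbox that rewrites just the DeviceId therefore does not defeat the check.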
Signature recommendations are the same for each technique: hook the function used and track whether it is called. It is hard to tell why an application wants to get the HDD name, for example; it does not necessarily mean an evasion technique is being applied. So the best that can be done in this situation is to intercept the target functions and track their calls.
versus HDD checks: rename HDD so that it's not detected by specific strings;
versus audio device check: add audio device;
versus CPU temperature check: add stub to hypervisor to output some meaningful information;
versus physical display adapter check: hook IDirect3D9::GetAdapterIdentifier (a method of the interface returned by Direct3DCreate9 in d3d9.dll, not a direct export of the library), and rewrite the VendorId and DeviceId, as well as vendor-specific Description and Driver strings, in the returned D3DADAPTER_IDENTIFIER9 structure before handing it back to the caller.