Hyper-V Virtual Machine Hardening
This article shows how a virtual machine (VM) can be modified so that malware does not recognise it as a VM. This process is also called VM hardening. In dynamic malware analysis, researchers execute malware inside virtual machines in order to monitor and investigate its behaviour in a safe, isolated environment. Malware authors have therefore started to use anti-VM techniques: the program checks whether it is running inside a virtual environment and, if so, changes its behaviour or exits in order to evade analysis. In this article a virtual machine is set up and several open-source VM-detection tools are run to see how the VM can be recognised by malware. Afterwards countermeasures are implemented to lower the detection rate of the tools.
Setup
Hyper-V is used for the virtualization because it is a Type 1 (bare-metal) hypervisor: it runs directly on the host's hardware, controls that hardware and manages the guest operating systems from there.
The specifications are:
- Host OS: Windows 11
- Hypervisor: Microsoft Hyper-V
- Guest OS (VM OS): Windows 10
Three tools are used for the VM detection. They are all open source and can be found on GitHub:
- Pafish
- VMAware
- Al-Khaser
Initial Test Run
After the virtual machine setup is complete and all the tools have been installed, a first test can be conducted.
In the unmodified VM the tools report a number of positive checks that hint towards a virtual machine.
Number of detections: Pafish 13 + VMAware 13 + Al-Khaser 31 = 57 positive detections
These numbers are likely to vary between different setups and tool versions.
Hardening Steps
This section contains system modifications that aim to lower the number of positive detections.
Virtual Hardware Specifications
Common checks target the system hardware. If the disk, memory or processor report unusual values that are rarely found on physical machines, malware may take this as a sign of a VM.
Very small or odd values are highly unlikely on a physical machine. Therefore, make sure the VM has at least the following:
- 60-80 GB disk size
- 4-8 GB memory, as a round figure (no odd numbers)
- At least 4 processor cores, again no odd numbers
With Hyper-V, these values can be configured in the machine settings:
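The same settings can be applied from PowerShell. The following is an added example and not code from the original article: the host-side cmdlets that correspond to the Hyper-V Manager dialog, followed by a guest-side check of what Windows actually reports (which is what a VM check reads). The VM name 'AnalysisVM' and the VHDX path are assumed.

```powershell
# Added example, not part of the original article. Cmdlet equivalents of the Hyper-V
# Manager settings, then a guest-side check of what Windows reports.
# 'AnalysisVM' and the VHDX path are assumed names; adjust them to your setup.

# ---- on the Hyper-V host (the VM must be off to change cores or disk size) ----
$VMName  = 'AnalysisVM'
$VhdPath = 'C:\Hyper-V\AnalysisVM\AnalysisVM.vhdx'
Stop-VM -Name $VMName -Force -ErrorAction SilentlyContinue

Set-VMProcessor -VMName $VMName -Count 4
# Static 8 GB: with dynamic memory the guest boots with the small startup amount and
# then reports an odd, changing figure.
Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes 8GB
# A VHDX can only be grown; the partition inside the guest still has to be extended.
Resize-VHD -Path $VhdPath -SizeBytes 80GB
Start-VM -Name $VMName

# ---- inside the guest (elevated prompt) ----
# Extend C: into the new space. If a recovery partition sits behind C:, SizeMax will
# not grow and that partition has to be moved or removed first.
$max = (Get-PartitionSupportedSize -DriveLetter C).SizeMax
Resize-Partition -DriveLetter C -Size $max

# What the OS, and therefore a VM-detection check, sees for disk, memory and cores.
function Get-ReportedHardware {
    $disk = Get-CimInstance Win32_DiskDrive | Sort-Object Size -Descending | Select-Object -First 1
    [pscustomobject]@{
        DiskGB   = [math]::Round($disk.Size / 1GB)
        MemoryGB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
        Cores    = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    }
}
Get-ReportedHardware    # compare with the minimum values listed above
```

Dynamic memory is switched off deliberately: with it enabled the guest starts with the configured startup amount and gets memory hot-added later, so the reported size is neither round nor stable.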
Windows Registry
The Windows registry is a central database in Microsoft Windows that stores configuration information and settings for the operating system, installed applications and hardware components.
The manufacturers of virtualisation software also store information about their products here. Malware checks whether known keys exist or whether values contain tell-tale strings such as "virtual" or the manufacturer's name.
Delete the following key. It is written by Hyper-V's Data Exchange (KVP) integration service and contains, among other things, the host name and the virtual machine name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters
In the values of this key, delete the substring "virtual" (the PnP instance IDs of Hyper-V disks contain strings such as Prod_Virtual_Disk): HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk\Enum
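The two registry changes as a script, added here as an example and not taken from the original article. It runs inside the guest from an elevated prompt; the VM name 'AnalysisVM' in the host-side comment is an assumption.

```powershell
# Added example, not part of the original article. Guest-side PowerShell for the two
# registry locations above; run from an elevated prompt. 'AnalysisVM' is an assumed VM name.

# 1) Guest\Parameters is written by Hyper-V's Data Exchange (KVP) integration service and
#    holds values such as HostName, PhysicalHostName and VirtualMachineName.
$kvp = 'HKLM:\SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters'
if (Test-Path $kvp) {
    Get-ItemProperty -Path $kvp | Format-List    # what a VM check would have read
    Remove-Item -Path $kvp -Recurse -Force
}
# The service recreates the key at the next boot, so also switch it off on the HOST:
#   Disable-VMIntegrationService -VMName 'AnalysisVM' -Name 'Key-Value Pair Exchange'

# 2) Disk\Enum holds the PnP instance IDs of the attached disks; on Hyper-V they contain
#    strings such as "Prod_Virtual_Disk". Rewrite every string value containing "virtual".
$enum  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum'
$props = (Get-ItemProperty -Path $enum).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -is [string] -and $_.Value -imatch 'virtual' }
foreach ($p in $props) {
    $clean = $p.Value -ireplace 'virtual', ''
    Write-Host "$($p.Name): $($p.Value) -> $clean"
    # Enum keys are owned by SYSTEM; if this is denied, run the script as SYSTEM
    # (e.g. psexec -s -i powershell.exe) or take ownership of the key first.
    Set-ItemProperty -Path $enum -Name $p.Name -Value $clean
}

# Verify: no value under either path may still contain "virtual". PnP rebuilds Disk\Enum
# during boot, so run this check again after a reboot.
function Test-NoVirtualStrings {
    $remaining = (Get-ItemProperty -Path $enum).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -imatch 'virtual' }
    return (-not (Test-Path $kvp)) -and (@($remaining).Count -eq 0)
}
Test-NoVirtualStrings
```

The verification step matters more than the edit itself: both locations are maintained by Windows or by Hyper-V services and can silently reappear after a reboot, which is why the KVP service is disabled on the host and the check is repeated after restarting the guest.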
Hyper-V EventLogs
Entries in the Windows event logs are another indication of a virtual machine. The Kernel-PnP configuration log in particular records every device that was installed, and in a Hyper-V guest that includes the virtual devices (virtual disk, network adapter, VMBus and so on).
To clear the log, open PowerShell as administrator and execute the following command:
PS C:\Windows\system32> wevtutil cl "Microsoft-Windows-Kernel-PnP/Configuration"
You can check that the log is empty with the following command (note the exact log name; once the log is empty, Get-WinEvent reports "No events were found"):
PS C:\Windows\system32> Get-WinEvent -LogName "Microsoft-Windows-Kernel-PnP/Configuration"
And to disable further logging, switch the channel off. This sets the channel's Enabled value under HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels:
PS C:\Windows\system32> wevtutil sl "Microsoft-Windows-Kernel-PnP/Configuration" /e:false
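The Kernel-PnP log is not the only place where Hyper-V leaves traces; the System log and the Hyper-V-specific channels carry them too. The following script is an added example, not code from the original article: it searches every non-empty log for a few tell-tale strings, clears the logs that match and disables the channels that can be disabled. The search strings and the 2000-event limit per log are assumptions made for this example.

```powershell
# Added example, not part of the original article. Finds which event logs still carry
# Hyper-V or virtual-device traces, clears them and disables those channels. Run elevated.
# The search strings and the per-log event limit are assumptions chosen for this example.
$patterns = 'Hyper-V', 'Virtual', 'vmbus', 'vmic'

function Find-VmEventTraces {
    $logs = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordCount -gt 0 }
    foreach ($log in $logs) {
        $events = Get-WinEvent -LogName $log.LogName -MaxEvents 2000 -ErrorAction SilentlyContinue
        $n = @($events | Where-Object {
                $m = "$($_.ProviderName) $($_.Message)"
                $patterns | Where-Object { $m -like "*$_*" }
            }).Count
        if ($n -gt 0) {
            [pscustomobject]@{ Log = $log.LogName; Matches = $n; Classic = $log.IsClassicLog }
        }
    }
}

$hits = Find-VmEventTraces
$hits | Format-Table -AutoSize

# Clearing any log writes a "log file was cleared" record (event 104) into the System
# log that names the cleared log, so the System log is cleared last.
foreach ($h in ($hits | Sort-Object { $_.Log -eq 'System' })) {
    wevtutil cl $h.Log
    # Only channel logs can be switched off; the classic System/Application logs cannot,
    # and a machine without a System log would itself look suspicious.
    if (-not $h.Classic) { wevtutil sl $h.Log /e:false }
}

# Re-run the search: it should now report no matches.
@(Find-VmEventTraces).Count
```

Scanning every log takes a few minutes on a fresh install; restrict the first Where-Object to the logs you care about if that is too slow. Remember that an emptied System log is itself an artifact an analyst-aware sample can notice, so let the VM run for a while after clearing so that ordinary events accumulate again.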
Windows Activation
It is likely that your VM does not have an activated Windows installation, whereas most end-user systems are activated so that the OS can be used without restrictions.
Instead of buying a key, a Windows activation script can be used for this purpose. In this guide, this one from GitHub is used.
Again, open PowerShell and enter this command:
irm https://get.activated.win | iex
The tool is easy to use and afterwards the VM's Windows should be activated. Note that this one-liner pipes whatever the server returns straight into Invoke-Expression. Treat it like any unreviewed remote code: download the script first, read it, and run it only in a VM snapshot you can revert.
Other Changes
Some checks can be fended off without changing anything on the system.
This includes, for example, how the tools are started. One tool checks whether Windows Explorer is its parent process, so start it by double-clicking it in Explorer rather than from a console or a debugger.
Another check looks at the system uptime, i.e. how long the system has been running. If you do not have the option to manipulate the system time, it is sufficient to let the machine run for a while beforehand.
The screen dimensions are also checked, because a VM window can be resized at will. Dimensions that are too small, or a screen that is taller than it is wide, strongly suggest a VM: physical displays only come in a limited range of sizes and such shapes are very unlikely on a typical end-user device.
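The three environment checks from this section can be reproduced in the guest before a sample is run. The following is an added example, not code from the original article or from any of the three tools; the thresholds (10 minutes of uptime, a 1280x720 landscape screen) are assumptions and not the exact values the tools use.

```powershell
# Added example, not part of the original article. Reproduces the parent-process,
# uptime and screen-size checks described above so the VM can be verified beforehand.
# The thresholds are assumptions, not the values used by Pafish, VMAware or Al-Khaser.
function Test-AnalysisEnvironment {
    # Parent process: a tool started from a console or debugger sees that as its parent;
    # double-clicking it in Explorer gives explorer.exe.
    $me     = Get-CimInstance Win32_Process -Filter "ProcessId = $PID"
    $parent = (Get-CimInstance Win32_Process -Filter "ProcessId = $($me.ParentProcessId)").Name

    # Uptime since the last boot; a very short uptime looks like a freshly restored snapshot.
    $boot   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $uptime = (Get-Date) - $boot

    # Primary screen size as the guest sees it.
    Add-Type -AssemblyName System.Windows.Forms
    $screen = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds

    [pscustomobject]@{
        ParentProcess = $parent
        ParentLooksOk = ($parent -ieq 'explorer.exe')
        UptimeMinutes = [int]$uptime.TotalMinutes
        UptimeOk      = ($uptime.TotalMinutes -ge 10)
        Resolution    = "$($screen.Width)x$($screen.Height)"
        ResolutionOk  = ($screen.Width -ge 1280 -and $screen.Height -ge 720 -and
                         $screen.Width -gt $screen.Height)
    }
}
Test-AnalysisEnvironment | Format-List

# On the Hyper-V HOST, pin the guest display to a common monitor size instead of letting
# it follow the size of the VMConnect window ('AnalysisVM' is an assumed name):
#   Set-VMVideo -VMName 'AnalysisVM' -ResolutionType Single -HorizontalResolution 1920 -VerticalResolution 1080
```

Set-VMVideo only governs the basic session; in an Enhanced Session the resolution is negotiated by the RDP connection, so either switch Enhanced Session mode off for the analysis VM or pick a common size in the connection dialog.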
Test Run in modified VM
After implementing the described hardening measures the number of positive detections drops from 57 to 41.
If the mouse is moved and clicked and keys are pressed while the tools run, the number drops further to 32. This is due to the Reverse Turing Tests (RTTs) of the tools, which look for human interaction with the system, normally via mouse or keyboard. Such tests can only be countered by simulating human interaction, which is a complex task, and in a typical analysis VM there is no human actually operating the system. For this example it is sufficient to use mouse and keyboard manually.
Many of the remaining positive detections could be countered with hooks: by intercepting the return values of the system functions the tools call and returning fake information that satisfies their checks.
Hooking is, however, a complex mechanism that is not covered in this article.
Conclusion
There is a wide range of possible VM detection methods.
The most widespread simply check static system information. Newer techniques, however, rely on other artifacts: monitoring system components and observing human interaction with RTTs are powerful methods that are also hard to counter.
Malware researchers must constantly keep up with new detection and evasion methods in order to keep their analysis systems transparent. Being able to analyse malware at runtime is essential for keeping up with the growth in cybercrime.