Often one wonders during pentest or while malware analysis (or during malware writing ), as to how we can detect whether operating system is running in a virtual environment like vmware,virtualbox etc. You may also remember the 'checkvm' script in meterpreter.

So here are some techniques using which presence of virtual environment is detected. As discussed and shown in the posts, an increasing number of malwares are using these techniques to make the lives of malware researchers hard. Often malware researchers use virtual environments to study malware. But what if the malware comes to know that it is being run in a virtual environment and goes into dormant mode and does not do the usual malicious activity ? Nifty ha

VRT: How does malware know the difference between the virtual world and the real world?

Detecting VMWare Brundle's Laboratory