Innovative Design and Implementation of Payload-Based Virtual Machine Identification in Technological Systems

Authors

  • Varad Joshi Research Scholar, Cyber Security and Forensics, Gujarat University, Ahmedabad, INDIA
  • Aditya More Research Scholar, Cyber Security and Forensics, Gujarat University, Ahmedabad, INDIA
  • Kapil Kumar Department of Biochemistry and Forensic Science, Gujarat University, Ahmedabad, INDIA

DOI:

https://doi.org/10.54489/ijtim.v5i1.418

Keywords:

Virtualization Detection, CPUID Interrogation, Anti-VM Techniques, Stub coding, Dynamic Payload Binding

Abstract

Virtualization-based environments have become ubiquitous tools for software development, testing, and security analysis. However, their dual use by adversaries to analyze and evade detection has spurred the development of anti–virtual machine (anti-VM) techniques. This work presents the design, implementation, and evaluation of an Anti–Virtual Machine Converter that enforces execution exclusively on physical hosts. By integrating multilayered detection—CPUID interrogation, BIOS and registry analysis, and process enumeration—with a dynamic payload-binding mechanism implemented via Python stubs and PyInstaller packaging, the system achieves sub-millisecond detection latency, zero false positives on a diverse set of 50 physical machines, and negligible performance overhead (<9% increase in launch time). A user-friendly GUI built with Tkinter and ttkbootstrap provides transparent feedback. Extensive experiments across VMware Workstation, VirtualBox, and Hyper-V validate robustness against advanced cloaking tools. This paper details each component’s design, the evaluation methodology, and comprehensive results, and discusses implications for malware evasion and software protection, concluding with avenues for future enhancement. Unlike previous studies that merely identify virtualization presence, our approach tightly integrates payload delivery control, ensuring executable logic is not just aware of, but governed by, host authenticity—blending detection and response in one secure pipeline.
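As an added illustration (not the paper's code) of the three detection layers the abstract names, the following Python audits which of those artefacts an analysis VM still exposes, from the sandbox operator's side. The marker lists, the Linux paths used in place of the Windows BIOS/registry checks, and the sample values are assumptions.

```python
"""Audit which of the three artefact classes named in the abstract (CPUID
hypervisor flag, BIOS/DMI vendor strings, guest-tool processes) an analysis VM
exposes. Added example; inputs are passed as text so it runs offline."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed marker lists for illustration; extend them for your own sandbox.
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "xen", "kvm")
GUEST_TOOL_PROCESSES = ("vmtoolsd", "vboxservice", "vboxtray", "qemu-ga")

@dataclass
class AuditResult:
    findings: dict[str, list[str]] = field(default_factory=dict)

    def exposed_layers(self) -> list[str]:
        return sorted(layer for layer, hits in self.findings.items() if hits)

    def is_detectable(self) -> bool:
        return bool(self.exposed_layers())

def check_cpuid_flag(cpuinfo_text: str) -> list[str]:
    """Layer 1: the CPUID hypervisor-present bit appears as the 'hypervisor'
    flag in /proc/cpuinfo on Linux guests."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and "hypervisor" in line.partition(":")[2].split():
            return ["cpuinfo flag: hypervisor"]
    return []

def check_dmi_strings(dmi: dict[str, str]) -> list[str]:
    """Layer 2: BIOS/DMI vendor and product strings (/sys/class/dmi/id/*)."""
    return [f"dmi {k}={v!r}" for k, v in dmi.items()
            if any(m in v.lower() for m in VM_VENDOR_MARKERS)]

def check_processes(process_names: list[str]) -> list[str]:
    """Layer 3: guest-tool daemons visible in the process list."""
    return [f"process: {p}" for p in process_names
            if p.lower().rsplit("/", 1)[-1] in GUEST_TOOL_PROCESSES]

def audit(cpuinfo_text: str, dmi: dict[str, str], processes: list[str]) -> AuditResult:
    return AuditResult({"cpuid": check_cpuid_flag(cpuinfo_text),
                        "bios": check_dmi_strings(dmi),
                        "process": check_processes(processes)})

# Constructed sample values standing in for a VirtualBox guest's live readings.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc hypervisor\n"
SAMPLE_DMI = {"sys_vendor": "innotek GmbH", "product_name": "VirtualBox"}
SAMPLE_PROCS = ["systemd", "/usr/sbin/VBoxService", "bash"]

if __name__ == "__main__":
    for layer, hits in audit(SAMPLE_CPUINFO, SAMPLE_DMI, SAMPLE_PROCS).findings.items():
        print(layer, hits)
```

Any layer reported non-empty is one the paper's detector would trip on; an empty report means the guest would pass all three checks as a physical host.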


Published

2025-11-16

How to Cite

[1] “Innovative Design and Implementation of Payload-Based Virtual Machine Identification in Technological Systems”, Int. J. TIM, vol. 5, no. 1, pp. 17–27, Nov. 2025, doi: 10.54489/ijtim.v5i1.418.
