VMware Artifacts

The VMware environment leaves many artifacts on the system, especially when VMware Tools is installed. Malware can use these artifacts, which are present in the filesystem, registry, and process listing, to detect VMware.

For example, Figure 17-1 shows the process listing for a standard VMware image with VMware Tools installed. Notice that three VMware processes are running: VMwareService.exe, VMwareTray.exe, and VMwareUser.exe. Any one of these can be found by malware as it searches the process listing for the VMware string.

Process listing on a VMware image with VMware Tools running

Figure 17-1. Process listing on a VMware image with VMware Tools running

VMwareService.exe runs the VMware ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.