I'm trying to identify if my launched process is running on a local Mac machine (desktop/laptop) or a virtual macOS X instance like AWS EC2, Azure, MacStadium etc.
I am using the below check for this:
1. If running on native Apple hardware, the returned value contains the model name of the hardware:
$ sysctl -n hw.model
Macmini8,1
On virtualized hardware, the value may contain the hypervisor name:
$ sysctl -n hw.model
VMware7,0
If the command output doesn't contain the "Mac" substring, the malware considers that it is running in a virtual machine.
2. Checking USB device vendor names
The commands used:
ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"
Sample output on native Apple hardware:
"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple, Inc."
On virtualized hardware, the value may contain the hypervisor name:
"USB Vendor Name" = "VirtualBox"
"USB Vendor Name" = "VirtualBox"
A virtual machine can be detected by checking if the command output contains a hypervisor name, for example "VirtualBox", "VMware", etc.
3. Checking the "IOPlatformExpertDevice" registry class
The command used:
ioreg -rd1 -c IOPlatformExpertDevice
The following fields of the IOPlatformExpertDevice class can be checked in order to detect a virtual machine:
I wanted to know: can a combination of these be used to identify a process running on a cloud VM with certainty?
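As an added illustration (my own script, not from the question or from any tool it mentions), the following POSIX shell functions apply indicators 1 and 2 to captured command output rather than to the live machine, so the decision logic can be run offline against the sample outputs quoted above and shows where it stays inconclusive. Assumptions: the hypervisor strings "Parallels" and "QEMU" are added alongside the page's "VirtualBox" and "VMware" as further vendor names that may appear; the model string "VirtualMac2,1" is what I believe Apple's Virtualization.framework guests report and is included only to show that the "contains Mac" rule cannot flag it. One further fact not in the question: EC2 Mac instances are bare-metal Mac minis, so they return a real Mac model and no hypervisor USB vendor, which is why the combined verdict below reports "inconclusive" rather than "native" when nothing hypervisor-like is found.

```shell
#!/bin/sh
# Added example: evaluate the question's VM indicators against captured
# command output. Inputs are strings, so this runs offline on any system.

# Constructed samples, taken from the output quoted in the question.
NATIVE_USB='"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple, Inc."'
VBOX_USB='"USB Vendor Name" = "VirtualBox"
"USB Vendor Name" = "VirtualBox"'

# Indicator 1 (sysctl -n hw.model): the question's rule is
# "no 'Mac' substring => VM". Prints "native" or "vm".
model_indicator() {
    case "$1" in
        *Mac*) echo native ;;
        *)     echo vm ;;
    esac
}

# Indicator 2 (ioreg USB vendor names): prints the first known hypervisor
# vendor string found, or "none". An empty listing (typical for a headless
# host with no USB devices) also yields "none" and proves nothing.
# Parallels and QEMU are assumed additions to the page's VirtualBox/VMware.
usb_indicator() {
    printf '%s\n' "$1" | grep -oE 'VirtualBox|VMware|Parallels|QEMU' \
        | head -n 1 | grep . || echo none
}

# Combined verdict. Only a positive hypervisor string is treated as evidence
# of a VM; the absence of such strings is "inconclusive", never "native",
# because bare-metal cloud Macs and VMs reporting a Mac model both land here.
# Prints "vm:usb", "vm:model" or "inconclusive".
vm_verdict() {
    model="$1"
    usb="$2"
    m=$(model_indicator "$model")
    u=$(usb_indicator "$usb")
    if [ "$u" != none ]; then
        echo vm:usb
    elif [ "$m" = vm ]; then
        echo vm:model
    else
        echo inconclusive
    fi
}

# Optional live run on a Mac: sh script.sh --live
if [ "${1:-}" = --live ] && [ "$(uname -s)" = Darwin ]; then
    vm_verdict "$(sysctl -n hw.model)" \
               "$(ioreg -rd1 -c IOUSBHostDevice | grep 'USB Vendor Name')"
fi
```

The point the script makes is that the two indicators are one-directional: a hypervisor string is a reliable positive, but a "Mac" model and Apple-only (or no) USB vendors cannot distinguish a physical Mac mini in a data centre from a laptop on a desk, and a guest that reports a Mac-like model slips past the substring test entirely.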