macOS H FileSystem Registry Generic OS Queries Global OS object UI artifacts OS Features Processes Network CPU Hardware Firmware tables Hooks Timing WMI Human-like behavior macOS
Most macOS-specific methods for sandbox and virtual environment detection are based on using shell commands such as “sysctl” and “ioreg”. Instead of providing code sample blocks, we show the commands and their arguments. Unfortunately, we can’t collect command outputs for various hypervisors due to Apple software licensing policy. Therefore, we compare the command outputs for physical and virtual machines when possible.
The command used:
sysctl -n hw.modelIf running on native Apple hardware, the returned value contains the model name of the hardware:
$ sysctl -n hw.model
Macmini8,1On virtualized hardware, the value may contain the hypervisor name:
$ sysctl -n hw.model
VMware7,0This technique was seen in the MacRansom malware. If the command output doesn't contain the "Mac" substring, the malware considers that it is running in a virtual machine.
Most Apple hardware (MacBook, Mac mini) released before 2018 came with hyperthreading enabled. This means that the number of physical cores is equal to half the of logical cores. However, some hypervisors don’t provide an ability to change the number of logical cores, which is always equal to the number of physical cores.
The command used:
echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))On physical hardware, the output value of the command must be equal to "2". This techinique was seen in the MacRansom malware.
We should note that new hardware comes with hyperthreading disabled, for example, Mac mini with 6‑core Intel Core i7 CPU. Therefore, this method should be considered outdated.
This method is similar to the memory size detection method used for PC. When running several virtual machines, each VM is allocated a small amount of RAM, whereas Apple physical hardware usually have more than 4 Gb RAM.
The command used:
sysctl -n hw.memsizeThe command returns the RAM size in bytes, for example: 17179869184.
There are several ways in which virtual machine can be detected using the I/O Kit Registry.
The command used:
ioreg -rd1 -c IOPlatformExpertDeviceThe following fields of the IOPlatformExpertDevice class can be checked in order to detect a virtual machine:
| Field | Physical hardware example value | Virtual machine example value | VM detection rule |
|---|---|---|---|
| IOPlatformSerialNumber | "C07T40BYG1J2" | "0" | Equal to "0" |
| board-id | <"Mac-87C4F04823D6BACF"> | <"VirtualBox"> | Contains "VirtualBox", "VMware", etc. |
| manufacturer | <"Apple Inc."> | <"innotek GmbH"> | Doesn't contain "Apple" |
The commands used:
ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"Sample output on native Apple hardware:
$ ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"
"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple Inc."
"USB Vendor Name" = "Apple, Inc."On virtualized hardware, the value may contain the hypervisor name:
$ ioreg -rd1 -c IOUSBHostDevice | grep "USB Vendor Name"
"USB Vendor Name" = "VirtualBox"
"USB Vendor Name" = "VirtualBox"A virtual machine can be detected by checking if the command output contains a hypervisor name, for example "VirtualBox", "VMware", etc.
Another option is to call the ioreg command with the “-l” option which makes it show properties for all objects. The output should be checked against known hypervisor names, for example:
ioreg -l | grep -i -c -e "virtualbox" -e "oracle" -e "vmware"The above command counts the number of occurrences of various hypervisor names in the ioreg output. If the number of occurrences is greater than 0, the system is likely virtualized.
The command used:
system_profiler SPHardwareDataType | grep "Boot ROM Version"If running on native Apple hardware, the returned value contains the letter code for the corresponding Apple product, for example, “MM” for Mac mini, “MBP” for MacBook Pro, “MBA” for MacBook Air:
$ system_profiler SPHardwareDataType | grep "Boot ROM Version"
Boot ROM Version: MM71.0232.B00If running on a virtual machine, the returned value may contain the hypervisor name:
$ system_profiler SPHardwareDataType | grep "Boot ROM Version"
Boot ROM Version: VirtualBoxThis method is implemented in OceanLotus malware, as shown below:
system_profiler SPHardwareDataType 2>/dev/null | awk '/Boot ROM Version/ {split($0, line, ":");printf("%s", line[2]);}' 2>/dev/null
The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension. Malware may check if the SIP is enabled.
The command used:
csrutil statusThe command returns the SIP status, for example: “System Integrity Protection status: enabled.”
There is a kind of trade-off between the number of detected evasion techniques and the false-positive rate. If we want to detect as many as possible attempts to use the evasion techniques, we should use signatures with a broad scope. If a process is created with one of the following command lines, this indicates an application is trying to use an evasion technique:
sysctl -n hw.model
sysctl -n hw.logicalcpu
sysctl -n hw.physicalcpu
sysctl -n hw.memsize
ioreg -rd1 -c IOPlatformExpertDevice
ioreg -rd1 -c IOUSBHostDevice
ioreg -l
system_profiler SPHardwareDataType
csrutil statusHowever, the commands mentioned above can be used both to perform evasion techniques and for system information gathering. To reduce the rate of false-positive detections, malware-specific signatures can be used, for example:
echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))
Apple software licensing policy doesn’t allow emulating macOS on hardware other than the original Apple hardware. It is also doesn’t not allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.