Sign In
In this module

MF1.8 Anti-Acquisition Techniques

6 hours · Module 1 · Free
What you already know

From MF1.1-1.7 you know how to capture, verify, and assess memory images from Windows, Linux, and the hypervisor. All of that assumes the capture succeeds. This sub covers what happens when it doesn't — when the attacker's tradecraft includes countermeasures specifically designed to prevent or degrade memory acquisition.

Operational Objective

Sophisticated attackers know memory forensics exists. Some of them build countermeasures into their tradecraft — not because they expect every responder to capture memory, but because the ones who do capture memory are the ones most likely to find the attacker's footprint. Anti-acquisition techniques range from simple (detect the VM environment and stop executing) to complex (wipe memory pages on process termination to eliminate forensic traces) to extreme (detect driver loads consistent with acquisition tools and trigger evidence destruction).

Most practitioners won't encounter anti-acquisition frequently. The vast majority of compromises are commodity — ransomware, BEC, credential phishing — where the attacker doesn't invest in anti-forensic tradecraft. But the cases where anti-acquisition matters are exactly the cases where memory forensics matters most: advanced persistent threats, nation-state activity, insider threats with technical sophistication, and targeted attacks against organisations the attacker expects to investigate.

This sub covers the four categories of anti-acquisition you'll encounter: anti-VM detection (malware that shuts down in virtual environments), memory wiping (deliberate page zeroing before process termination), acquisition-tool detection (monitoring for driver loads or forensic tool signatures), and evidence degradation (injecting noise into memory structures to confuse analysis). For each, you'll learn the mechanism, how to detect it in your analysis, and the operational countermeasures that let you acquire memory despite the resistance.

Deliverable: Understanding of the four anti-acquisition technique categories, their indicators in captured images, the operational countermeasures for each, and the decision framework for when acquisition is genuinely blocked versus when the countermeasure can be bypassed.

Estimated completion: 35 minutes
FOUR ANTI-ACQUISITION TECHNIQUE CATEGORIES ANTI-VM Detect hypervisor Check VM artifacts Terminate if virtual Counter: capture before malware runs anti-VM checks MEMORY WIPE Zero pages on exit VirtualAlloc + free RtlSecureZeroMemory Counter: capture while malware runs + check pagefile TOOL DETECT Monitor driver loads Watch for WinPmem Trigger wipe on detect Counter: hypervisor acquisition (no guest driver visible) EVIDENCE DEGRADE Inject noise structures Corrupt pool tags Confuse analysis tools Counter: manual hex analysis + WinDbg structure walks
Figure 1.8.1 — Each category targets a different stage of the memory forensics workflow. Anti-VM blocks the attack from running in your lab. Memory wipe destroys evidence before capture. Tool detection triggers destruction when capture begins. Evidence degradation makes analysis unreliable even after successful capture.

Anti-VM detection — malware that refuses to run in virtual environments

This section covers the most common anti-acquisition technique. It doesn't block your capture — it blocks the attack from running in your lab in the first place.

Anti-VM detection is a technique where malware checks whether it's running inside a virtual machine and terminates if it is. The logic is simple from the attacker's perspective: security researchers and forensic analysts use VMs; real victims don't (or at least, their desktops don't). If the malware detects a VM, it assumes it's being analysed and shuts down before the analyst can observe its behaviour.

The detection methods are well-documented and range from trivial to sophisticated.

Trivial checks: look for VMware or VirtualBox processes in the process list (vmtoolsd.exe, VBoxService.exe), check for VM-specific registry keys (HKLM\SOFTWARE\VMware, Inc.\VMware Tools), query the BIOS for VM-manufacturer strings (SYSTEM\CurrentControlSet\Control\SystemInformation\SystemManufacturer containing "VMware" or "innotek"). Intermediate checks: execute CPUID instruction and examine the hypervisor-present bit (bit 31 of ECX from leaf 1), check the I/O port backdoor (in eax, dx with dx = 0x5658 on VMware), measure execution timing of instructions that behave differently under virtualisation. Sophisticated checks: compare RDTSC timing across sequences of instructions to detect the overhead virtualisation introduces, check for the interrupt descriptor table (IDT) at an address that reveals a hypervisor's relocation of system structures.

For the course lab, anti-VM detection has a specific impact: if you're analysing malware that uses these checks, the malware won't execute on Target-Win (a VM) the way it would on a physical host. The attack-capture-analyse loop assumes the attack executes fully. The course's scripted attacks don't include anti-VM checks (they're controlled playbooks), but real-world malware the learner encounters in production may.

Countermeasures: disable VM-specific services and registry keys before running the malware, use hypervisor-specific hardening features that mask VM indicators (VMware's monitor_control.restrict_backdoor = TRUE), or capture from a physical system where anti-VM checks pass naturally. MF2 and later modules note where anti-VM is relevant to the specific attack scenario.

Memory wiping — destroying evidence before capture

This section covers the technique that directly counters memory forensics: the attacker zeroes their own memory before exiting.

Memory wiping is when the attacker's code explicitly zeroes the memory regions it used before terminating. A well-written implant calls RtlSecureZeroMemory on its heap allocations, C2 communication buffers, credential caches, and decrypted configuration data before calling ExitProcess. When the process terminates, the wiped pages are returned to the kernel's free list — and your capture finds zeroed regions where the evidence used to be.

The effectiveness depends on timing. Wiping only works if the attacker's code runs the cleanup before your acquisition tool captures those pages. If you capture while the malware is running (before it decides to exit and wipe), the evidence is in RAM and your image has it. If you capture after the malware has exited and wiped, the evidence is gone from RAM — but may still be in the pagefile (MF1.5), because the OS may have paged out copies of the same data before the wipe occurred.

This is one reason acquisition speed matters. The longer the gap between "we know we need memory" and "the acquisition tool starts reading pages," the more time the attacker has to detect the response and trigger cleanup. Hypervisor-based acquisition (MF1.4) is particularly valuable here: the guest is suspended instantly with no guest-visible signal, so the attacker's cleanup code can't run in response to the acquisition because the CPU is halted.

Detection in analysis: look for large zeroed regions within a process's virtual address space (VADs with RWX or RW permissions that contain nothing but zeros). A region that's RWX + zeroed + private (no file backing) is the classic post-wipe fingerprint — something was there, it was executable, and now it's gone. The presence of the zeroed region is itself a finding, even if the content is unrecoverable. The absence of content in a region with suspicious characteristics is evidentially relevant: "a private RWX allocation of 128 KB within PID XXXX contained only zeroed bytes, consistent with deliberate memory wiping prior to process termination."

Acquisition-tool detection — triggering destruction when capture begins

This section covers the adversary who monitors for your acquisition tools and responds to them. Rare in commodity attacks, real in targeted operations.

Some implants register kernel callbacks that fire when a new driver is loaded (PsSetLoadImageNotifyRoutine) or when a new process is created (PsSetCreateProcessNotifyRoutine). If the callback detects a WinPmem driver load or a forensic tool process creation, the implant triggers its cleanup routine — wiping memory, killing persistence, deleting files, disconnecting C2. The attacker's logic: if the IR team is loading forensic tools, the operation is burned; destroy evidence and extract.

This is the strongest argument for hypervisor-based acquisition in environments where advanced adversaries are a realistic threat model. Hypervisor suspension doesn't load a driver, create a process, or generate any kernel callback. The guest's entire execution state is frozen from outside. An implant monitoring for driver loads never sees the acquisition because its CPU is halted before the acquisition begins.

When hypervisor acquisition isn't available and in-guest tools are the only option, the countermeasure is speed and stealth. Use an acquisition tool the adversary hasn't pre-programmed a detection for (the tool landscape changes; adversaries can't monitor for every tool). Rename the executable to something innocuous (the driver's internal name matters more than the executable name, but renaming adds a minor layer). Execute from a network share or USB drive rather than copying the tool to the local disk first (avoids file-creation callbacks). None of these are guarantees — a determined adversary with kernel-level access can detect any in-guest acquisition — but they raise the cost of detection.

Extended context — kernel callback mechanisms and the cat-and-mouse dynamic

The kernel callback API that enables tool detection is the same API that legitimate security software uses. PsSetLoadImageNotifyRoutine fires on every driver and DLL load — EDR products use it to monitor for malicious driver loads. An attacker's implant that registers the same callback gets the same visibility. The attacker's callback checks the loaded image's name against a list of known forensic tools; if it matches, the cleanup triggers. This is an arms race: forensic tool authors change binary names and signatures; attacker tool authors update their detection lists.

The deeper problem is that any software running at the kernel level can observe any other software at the kernel level. There's no isolation between the attacker's kernel code and the forensic tool's kernel code. This is why hypervisor-based acquisition — which operates at a privilege level above the kernel — is the architecturally correct response to kernel-level adversaries. The guest kernel can't observe the hypervisor's actions because the hypervisor is the more privileged layer.

Evidence degradation — making analysis unreliable after capture

This section covers the subtlest category: the attacker doesn't prevent your capture; they poison the data you capture.

Evidence degradation is when the attacker modifies kernel structures to confuse analysis tools without preventing normal system operation. Pool-tag overwriting (changing the pool tag on an allocation to match a different object type, causing psscan to misidentify structures), EPROCESS field manipulation (setting misleading values in fields that plugins read, like false CreateTime timestamps or spoofed ImageFileName values), and DKOM (Direct Kernel Object Manipulation — unlinking a process from the active list while keeping the pool allocation intact) are all forms of evidence degradation.

The defense is multi-method analysis. A single plugin result is vulnerable to degradation; multiple independent analysis methods cross-validate each other. If pslist shows a process and psscan confirms it with consistent fields and windows.handles shows it owns handles that match expected behaviour, the evidence is corroborated. If pslist shows a process but psscan finds inconsistent pool tags and windows.handles shows no handles, the process may be a planted decoy. The confidence tier framework from MF0.7 handles this: multi-method confirmation raises confidence; single-method findings without corroboration stay at medium or low.

WinDbg (MF0.6) is the fallback for deep structure validation when plugin-level analysis is insufficient. Walking the EPROCESS structure by hand at the debugger level lets you see the raw fields without the plugin's interpretation layer — which is exactly what you need when you suspect the plugin's interpretation is being manipulated by the attacker's modifications. MF6 covers kernel-level adversary investigation in depth; this sub establishes that it exists and why it matters.

tasklist | findstr /i "vmtoolsd VBoxService VBoxTray vmware"
# VMware
reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Tools" 2>nul

# VirtualBox
reg query "HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions" 2>nul
wmic computersystem get manufacturer,model
Guided Procedure — Check your Target-Win baseline for anti-VM indicators
This procedure doesn't involve an attacker — it checks whether your clean Target-Win VM would be detected as virtual by common anti-VM techniques. Understanding what your VM exposes helps you anticipate which malware samples will refuse to run on it.
Step 1 — Check for VM-specific processes. On Target-Win, check for VM-specific processes:
Expected output: On VMware Workstation: `vmtoolsd.exe` appears (VMware Tools daemon). On VirtualBox: `VBoxService.exe` and `VBoxTray.exe` appear. These processes are visible to any malware running on the system and are trivial anti-VM indicators.
If it fails: No VM processes found → either you're running on a hypervisor that doesn't install guest tools (unusual for the course lab) or guest tools aren't installed (install them — they're needed for shared folders and display drivers).
Step 2 — Check for VM-specific registry keys. Check for VM-specific registry keys:
Expected output: The relevant registry key exists with install path and version values. This is a second indicator that anti-VM malware would use to detect the virtual environment.
If it fails: Key not found → guest tools may not be installed, or you're on a different hypervisor. Not a problem for the course lab — the key's absence makes the VM slightly harder to detect, which is actually advantageous for anti-VM malware testing.
Step 3 — Check BIOS manufacturer string. Query the BIOS manufacturer string:
Expected output: VMware: Manufacturer shows "VMware, Inc." Model shows "VMware Virtual Platform" or "VMware7,1." VirtualBox: Manufacturer shows "innotek GmbH." Both are trivially detectable by anti-VM malware.
If it fails: Unexpected manufacturer → you may be running under a hypervisor that spoofs the BIOS strings (some security-focused hypervisors do this intentionally). Check your hypervisor documentation.
Step 4 — Assess the detection surface. Your VM exposes at least three layers of VM indicators: processes, registry keys, and BIOS strings. Any malware with basic anti-VM checks will detect this environment. The course's scripted attacks don't use anti-VM checks, so this doesn't affect the lab. In production malware analysis, these indicators are what you'd suppress before detonation.
Expected result: You now know your VM's anti-VM detection surface — which indicators it exposes and which layers of anti-VM checking would trigger on it. This awareness matters when you encounter real malware in MF2+ that terminates unexpectedly in the lab.
If it fails: If none of the three checks found VM indicators, you may be running on physical hardware (which is fine for the course but unusual for the lab setup described in MF0.9). The lab works on physical hardware — the only difference is that hypervisor-based acquisition (MF1.4) won't be available.
Decision Point
**The situation.** You've successfully captured memory from a Northgate Engineering server during an incident. The analysis shows a suspicious process that was running at capture time — but the process's memory regions are entirely zeroed. The VAD shows a 256 KB private RWX allocation with nothing but null bytes. The process is present in both `pslist` and `psscan` with consistent EPROCESS fields. Network connections from the process are logged in Sentinel. The process is clearly real and was clearly active — but the memory content is gone. **The choice.** Report the finding as "process found but no recoverable memory content" and move on, or investigate further to determine whether the zeroing is deliberate wiping or normal memory management. **The correct call.** Investigate further. A private RWX allocation of 256 KB that contains only zeros is not normal memory management — legitimate processes rarely allocate large private RWX regions, and when they do, the regions contain code or data, not zeros. The zeroing pattern is consistent with deliberate wiping (MF1.8's memory-wipe technique). Check the pagefile (MF1.5) — if the same virtual address range was paged out before the wipe, the pre-wipe content may still exist in the pagefile. Check Sentinel for the process's network activity to establish what it was doing while its memory was populated. The finding is: "process evidence of execution with deliberate memory wiping before capture. Pre-wipe content [recovered/not recovered] from pagefile. Network activity during execution window confirms active C2 communication." That's a reportable finding even without the memory content — the wipe itself is evidence of anti-forensic intent. **The operational lesson.** Zeroed memory is a finding, not a dead end. The absence of content in a region with suspicious characteristics (private, RWX, large) is evidentially meaningful. The investigation doesn't stop because the memory content is gone — it shifts to corroborating evidence (pagefile, network logs, disk artifacts) and the anti-forensic indicator itself.
Compliance Myth: "If the attacker wipes memory before we capture, the investigation is over"
**The myth.** Memory forensics depends on the attacker's data being in memory at capture time. If the attacker wipes their memory regions before terminating, the evidence is destroyed and the investigation reaches a dead end. Sophisticated attackers can always defeat memory forensics by cleaning up after themselves. **The reality.** Memory wiping destroys the content of specific pages. It doesn't destroy the structural evidence of the process's existence, its network connections, its handle table, its loaded modules, its parent-child relationship, its creation timestamp, or its command line. An attacker who wipes their heap and code regions eliminates the payload content but leaves the process metadata intact — and the metadata is often enough to establish what the process was, when it ran, what it connected to, and what resources it accessed. Additionally, wiping works only on pages that are in RAM at wipe time. Pages that were previously paged out to the pagefile (MF1.5) may contain pre-wipe copies of the same data. The attacker would need to zero both the in-RAM pages and the pagefile copies — which requires knowing where the OS paged the data, reading the PTE chain, and zeroing the pagefile slots. Few implants do this because the complexity is high and the pagefile locations aren't deterministic. The correct response to suspected memory wiping is: document the zeroed regions as evidence of anti-forensic behaviour, check the pagefile for pre-wipe copies, correlate with non-memory evidence sources (network logs, disk artifacts, EDR telemetry), and report what the structural metadata proves. A finding of "process with deliberate memory wiping and active C2 communication" is forensically meaningful even without the payload bytes.
Next
**MF1.9 — Building the Evidence Library: Clean Baselines.** MF1 closes with the captures that anchor the rest of the course. You'll document clean baseline images of both Target-Win and Target-Linux to the standard MF1.6 established, producing the reference state that every paid module's attack-modified capture is compared against.
Try it — Catalogue your Target-Win VM's anti-VM detection surface **Setup.** Your Target-Win VM from MF0.9. An elevated Command Prompt. No additional tools needed. **Task.** Run all three checks from the Guided Procedure (VM processes, registry keys, BIOS strings). Record which indicators are present. Then disable one indicator — remove VMware Tools or VirtualBox Guest Additions — and re-run the checks. Note which indicators disappear and which persist. Re-install the guest tools afterward (they're needed for the rest of the course). **Expected result.** Before removal: three indicators present (processes, registry, BIOS). After guest-tools removal: processes disappear, registry key may persist (removal doesn't always clean the key), BIOS string persists (it's baked into the virtual hardware). The BIOS string is the hardest to suppress because it comes from the hypervisor, not from installed software. This exercise demonstrates that removing guest tools reduces the detection surface but doesn't eliminate it. **If your result doesn't match.** If the BIOS string disappeared after removing guest tools, you're on a hypervisor that ties the BIOS string to the tools installation (unusual). If all three indicators persist after removal, the tools weren't fully removed — check Add/Remove Programs for remnant entries. If you can't reinstall the tools, re-import the Target-Win VM from your MF0.9 snapshot.
Checkpoint — before moving on
You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.
1. Name the four categories of anti-acquisition technique and state the operational countermeasure for the category that directly targets your acquisition tool's driver load. (§ Four categories overview + Acquisition-tool detection)
2. Describe the fingerprint of deliberate memory wiping in a captured image, and explain why the presence of zeroed RWX regions is itself a finding even when the content is unrecoverable. (§ Memory wiping + Decision Point)
3. Explain why hypervisor-based acquisition is architecturally resistant to kernel-level acquisition-tool detection, referencing the privilege-level relationship between the guest kernel and the hypervisor. (§ Acquisition-tool detection + context-expand)
Operational Artifact — Anti-Acquisition Response Guide
**Anti-VM detection encountered.** Malware terminates on the lab VM. Response: check which VM indicators the sample checks for (processes, registry, BIOS, timing, CPUID). Suppress the detected indicators before re-running the sample. If suppression fails, capture from a physical system or use a hypervisor with VM-indicator masking. **Memory wiping suspected.** Large zeroed RWX regions in a process that was clearly active (network connections, handles, consistent metadata). Response: document the zeroed regions with their VAD characteristics. Check pagefile for pre-wipe content (`vol -f image.raw --swap pagefile.sys windows.vadinfo`). Correlate with network and disk evidence. Report the wipe as an anti-forensic indicator. **Acquisition-tool detection suspected.** In-guest acquisition triggers evidence destruction (processes terminating, files being deleted during your capture). Response: abort the in-guest capture. Switch to hypervisor-based acquisition if available. If not, capture from a second system first (to preserve at least one clean image), then attempt the in-guest capture on the suspected system. **Evidence degradation suspected.** Analysis results are inconsistent (pool tags don't match, EPROCESS fields contain implausible values, pslist and psscan disagree in ways that don't match smear patterns). Response: use WinDbg to walk structures manually (MF0.6). Cross-validate with multiple independent methods. Apply the MF0.7 confidence framework — multi-method confirmation raises tier; single-method findings on degraded structures stay low.
Extended reference — anti-VM hardening for the course lab and production malware detonation
**VMware anti-VM hardening.** Add to the VM's `.vmx` file: `monitor_control.restrict_backdoor = "TRUE"` (blocks the I/O port backdoor check). `isolation.tools.getPtrLocation.disable = "TRUE"`, `isolation.tools.setPtrLocation.disable = "TRUE"`, `isolation.tools.setVersion.disable = "TRUE"`, `isolation.tools.getVersion.disable = "TRUE"` (blocks VMware Tools communication checks). These settings don't eliminate all detection vectors but block the most common ones. BIOS strings require community `.vmx` patches that replace VMware manufacturer strings with generic hardware strings — these exist but aren't officially supported. **VirtualBox anti-VM hardening.** `VBoxManage modifyvm --paravirtprovider none` (disables paravirtualisation advertising). `VBoxManage setextradata "VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVendor" "American Megatrends Inc."` (spoofs BIOS vendor). Similar extradata settings exist for system manufacturer, product name, and serial number. These reduce the detection surface but don't eliminate it — VirtualBox's hardware emulation has detectable fingerprints at the I/O and timing levels. **Production malware detonation.** For real-world malware analysis (not the course lab), the standard approach is a purpose-built detonation environment that's been hardened against the anti-VM checks the sample is known to use. Intelligence on the sample's anti-VM techniques comes from static analysis (looking for CPUID calls, timing checks, registry queries in the disassembly) before detonation. Sandboxing services (ANY.RUN, Joe Sandbox, CAPE) handle anti-VM suppression automatically for most commodity malware.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

  • 8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
  • You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
  • MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
  • The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
  • Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both

Cancel anytime

← Previous Next →