[poincaredisk]

I find that hard to believe. Bochs is trivial to detect, unless you heavily patch it, then it's still detectable (for example, by leveraging known bugs/mismatches with a real CPSs). And that's just a tip of the iceberg as far as antivm goes.

But I agree that many detectors used by malware don't expect Bochs and thus don't detect it.

[jchw]

Actually, I believe it's true. It's not that detecting Bochs is necessarily hard, it's just that it's probably not on most people's radars. I had similar success evading anti-VM detection by just simply using Qemu (without KVM) instead of VMware a while ago. (Long enough ago that I still used VMware, I suppose.)

If there were an anti-VM cat-and-mouse game with Qemu/Bochs/etc. that evolved beyond primitive string searches and the like, CPU emulation would likely do a lot better against anti-VM technology. I suspect this is the same thing that makes Unicorn Engine and Qiling fairly effective for analyzing obfuscated code.

[ronsor]

> leveraging known bugs/mismatches

What if a real CPU ends up having a similar bug? The more detection tricks you try, the higher the rate of false positives will be.

Bochs emulation side-steps most VM detection because it's not a VM. You can't even use the CPUID/VMEXIT timing detection trick because it's all emulated.

[anthk]

Bochs can use several BIOSes than its own ones.