Various computing devices, including desktop computers, laptops, tablets, and mobile computing devices such as smart phones, execute programs and processes according to software instructions stored in memory. Some programs, such as malware, execute malicious code when run on a computing device. There are a various ways to detect and analyze programs to determine whether or not those programs are malicious.
One method of analyzing programs is to execute the program within a virtual environment on the computing device, such as a virtual machine or emulator. The virtual environment provides an artificial self-contained environment for the program to execute. An anti-malware application or other program analyzer may observe and analyze the behavior of the program within the virtual environment to determine whether or not it is malicious.
However, some malicious programs may try to evade virtual environment testing by attempting to detect whether the program is executing within a virtual environment. For example, the program may attempt to call certain functions or access certain data structures indicative of a virtual operating environment. If the program detects that it is executing within a virtual environment, the program may behave in a benign manner and thus escape detection. When the program is released and executed within the normal operating system of a computing device, the program may then act maliciously.