Native VHD Booting Malware Analysis

Discussion in 'sandboxing & virtualization' started by Tertan, Aug 3, 2015.

  1. Tertan (Registered Member)
    There is VM-aware malware that doesn't run under virtualization, so the analysis has to be done on bare metal. I am thinking of using native VHD boot for malware analysis. I managed to set up VHD boot with snapshot capability (via differencing VHDs). The idea is to analyse the malware on that VHD machine, and afterwards I can revert to the previous state easily.
    However, I realize that malware could actually detect whether the C: drive is running on a VHD via the registry (\SYSTEM\CurrentControlSet\services\Disk\Enum), and Disk Management also shows that the drive is a VHD. I am wondering whether there is any malware nowadays that checks if it is running on a VHD, and whether there are any methods to prevent that (e.g. modifying the registry keys)?
     
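The detection surface the post describes, written out as a check you can run on the analysis box before trusting it as "bare metal". This is an added example, not code from the original post: it reads the `Disk\Enum` key the post names, then maps the system drive to its physical disk through the WMI association classes (so it also works on Windows 7, which has no Storage module) and looks at the enumerated device. The assumption being tested is that a natively booted VHD is enumerated by the Microsoft VHD miniport, so its PnP instance ID contains `Ven_Msft&Prod_Virtual_Disk` and its `Win32_DiskDrive.Model` reads "Msft Virtual Disk SCSI Disk Device"; if either appears for the disk behind `C:`, anything on the box that looks in the same two places can reach the same conclusion. `Test-SystemVolumeOnVhd` is a hypothetical helper name.

```powershell
# Added example (not from the original post): report whether the Windows system
# volume is backed by a VHD, using the same evidence the post mentions.

function Test-SystemVolumeOnVhd {
    [CmdletBinding()]
    param(
        [string]$SystemDrive = $env:SystemDrive   # e.g. "C:"
    )

    $evidence = @()

    # 1. The registry key named in the post. Each numbered value under Disk\Enum
    #    holds the PnP instance ID of an enumerated disk. Assumption: disks hosted
    #    by the VHD miniport carry "Ven_Msft&Prod_Virtual_Disk" in that ID.
    $enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Disk\Enum'
    if (Test-Path $enumKey) {
        $props = Get-ItemProperty -Path $enumKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^\d+$' -and $p.Value -match 'Ven_Msft&Prod_Virtual_Disk') {
                $evidence += "Disk\Enum value $($p.Name) = $($p.Value)"
            }
        }
    }

    # 2. Walk LogicalDisk -> Partition -> DiskDrive for the system drive so the
    #    verdict is about the disk behind C:, not just any VHD attached to the box.
    $partition = Get-WmiObject -Query (
        "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$SystemDrive'} " +
        "WHERE AssocClass=Win32_LogicalDiskToPartition")

    $disk = $null
    if ($partition) {
        $disk = Get-WmiObject -Query (
            "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($partition.DeviceID)'} " +
            "WHERE AssocClass=Win32_DiskDriveToDiskPartition")
    }

    # Assumption: a natively booted VHD enumerates as "Msft Virtual Disk SCSI Disk Device".
    if ($disk -and ($disk.Model -match 'Virtual Disk' -or
                    $disk.PNPDeviceID -match 'VEN_MSFT&PROD_VIRTUAL_DISK')) {
        $evidence += "$SystemDrive is on '$($disk.Model)' ($($disk.PNPDeviceID))"
    }

    [pscustomobject]@{
        SystemDrive = $SystemDrive
        OnVhd       = ($evidence.Count -gt 0)
        Evidence    = $evidence
    }
}

Test-SystemVolumeOnVhd | Format-List
```

Run it from an elevated prompt on the VHD-booted install and again on a plain install to confirm the two outputs differ. The registry and WMI results come from the same device enumeration, so editing `Disk\Enum` alone changes only the first source; the second still reports the miniport's device name. The script does not tell you whether any particular malware family performs this lookup, only that the information is there for it to read.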