Under the registry key :

HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\

VideoBiosVersion = VBOX   – 1

SystemBiosVersion = Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE VGA BIOS
Sun xVM VirtualBox Version 2.1.4_OSE
Sun xVM VirtualBox Version 2.1.4_OSE
VirtualBox Version 2.1.4_OSE VBE Display Adapter
VirtualBox Version 2.1.4_OSE VBE Display Adapter

The above information indicates presence of VirtualBox.And there are even more giveaways!

HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARE\ACPI\FADT\VBOX__
HKEY_LOCAL_MACHINE\HARDWARe\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX HARDDISK

HKEY_LOCAL_MACHINE\HARDWARe\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0

Identifier = VBOX CD-ROM

There are also hints in Device Manager, too. It can be easily queried programmatically.

DVD/CDROM : VBOX CD-ROM
Harddisk : VBOX HARDDISK

That’s just one solution. I strongly suggest to read Peter Ferrie’s paper.

I have found some resources for those interested : a Virtual Machine Threats paper and slide by Peter Ferrie ( Microsoftie now ), and Marshall Fryman blog entries here and here, and a codeproject demonstration. I hope you guys will find them useful.

===

A brief update. I haven’t been active for these 2 months. Since September I have been in involved some personal matters that took my time, and in October I just got onboard a new job (I was a developer for a server antivirus software for Microsoft Office SharePoint Server). Well, it isn’t about anticrime but the topic of cloud security.

Cloud security! Who haven’t heard of it?

My new job is to work on cloud computing on Windows Azure. Unfortunately I cannot reveal more. But don’t worry, I’m very serious in my anti-cybercrime endeavors. =)