<- .anti-analysis[Anti-Emulation] ->
- Try executing a privileged instruction in user-mode. If it succeeds, then the program is under emulation
- WRMSR is a privileged instruction that is used to write values to a MSR register. Values in MSR registers can be critical. For example, the SYSCALL instruction invokes the system-call handler by loading RIP from the IA32_LSTAR MSR register. As a result, user-mode application should not be able to access it
- Detection Through System Calls: invoke various uncommon system calls and check if it contains expected value. Since if there are OS features not properly implemented, it means that the process is running under emulation
- Execution under emulation will be slower than running under a physical CPU
- The number of cores under emulation will be less than the number of cores on host machine