i recently read a great book that tapped into this subject briefly. the idea and the tool used are from an amazing researcher named Joanna Rutkowska. the tool she wrote is called Red Pill. it is really a rootkit (and one of the most advanced ones out there).

the idea behind what she did was based on the fact that every operating system has an IDT (Interrupt Descriptor Table). this is a place that stores all interrupt address ranges. it it usually found in the first 100 bytes on a standard hard drive. what she found is that, when in a VM environment, this table is moved up further in memory since there is a virtual disk being used by the VM. the Red Pill tool calls upon the register IDTR to locate where the IDT is located. if it is found in the first few bytes, you are seeing the main OS environment, if further up, then we know a VM is being used. i found that quite amazing. i am assuming this can also be done on a remote level as well, maybe with a Meterpreter session being used to extract data like how a null session does in Windows or also using WMI APIs

the book in reference to what i just wrote is "Counter Hack Reloaded". the article mentions that from what the author knows, as of now, there is still no way to "jump" outside of a VM environment into the main OS one. does anyone know of this happening yet?