The majority of VMs “hook” interrupts and APIs on the host operating system. Malware can walk the interrupt vector table or VM interface subroutines, find the VM hooks, and insert itself one call above or replace a sub-routine. With just a little digging, you too can find the weaknesses (if you’re a threat modeler) SANS presentation covers some other techniques, as well as, discusses some of the items that are relevant to break out attacks.”]
Source: https://www.csoonline.com/article/2632990/excellent-vm-detection-and-breakout-presentation.html