@c0d3inj3cT
Created December 11, 2013 05:08
This code scans the process address space of csrss.exe for the string "MS_VM_CERT", which is the VMware OEM string present in the SMBIOS structures.
/*
Detect VMWare using OEM String in Memory
Tested on Windows XP SP3/VMWare Workstation 7.1.0
c0d3inj3cT
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
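/* Byte pattern searched for in the target's memory (no terminating NUL is compared). */
#define MARKER "MS_VM_CERT"
/* Length of MARKER without the terminating NUL. A compile-time constant instead
 * of a strlen() call that was re-evaluated on every loop iteration; same value. */
#define SIZE_OF_MARKER (sizeof(MARKER) - 1)
/* CsrGetProcessId is an undocumented ntdll.dll export resolved at run time with
 * GetProcAddress; this signature is assumed from how the code calls it.
 * NOTE(review): the typedef name starts with '_' + uppercase, which is reserved
 * for the implementation; kept as-is because main() refers to it. */
typedef HANDLE (WINAPI *_CsrGetProcessId)(void);
int vmdetect(HANDLE process);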
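/*
 * Entry point: locate csrss.exe via ntdll's CsrGetProcessId, open it with the
 * minimum rights the scan needs, run vmdetect() and report the result.
 *
 * Returns 0 after a completed scan (found or not), 1 if any lookup or the
 * OpenProcess call fails. Every Win32 result is checked before use: the
 * original passed NULL module, function and process handles straight through.
 */
int main(int argc, char **argv)
{
    (void) argc;
    (void) argv;

    HMODULE nt = GetModuleHandle("ntdll.dll");
    if (nt == NULL) {
        printf("GetModuleHandle(ntdll.dll) failed: %lu\n", (unsigned long) GetLastError());
        return 1;
    }

    /* Undocumented export: it may be missing or renamed on other Windows
     * versions, and calling through a NULL function pointer is UB. */
    _CsrGetProcessId CsrGetProcessId = (_CsrGetProcessId) GetProcAddress(nt, "CsrGetProcessId");
    if (CsrGetProcessId == NULL) {
        printf("CsrGetProcessId not exported by ntdll.dll: %lu\n", (unsigned long) GetLastError());
        return 1;
    }

    /* The id comes back as a HANDLE; going through ULONG_PTR keeps the
     * narrowing cast well-defined on 64-bit builds. */
    DWORD csrss_pid = (DWORD)(ULONG_PTR) CsrGetProcessId();
    printf("csrss.exe process id is: %lx\n", (unsigned long) csrss_pid);

    /* Least privilege: VirtualQueryEx needs PROCESS_QUERY_INFORMATION and
     * ReadProcessMemory needs PROCESS_VM_READ; PROCESS_ALL_ACCESS granted far
     * more than the scan uses. OpenProcess fails when the caller lacks rights
     * to csrss.exe, so the error is reported instead of scanning with NULL. */
    HANDLE process = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, csrss_pid);
    if (process == NULL) {
        printf("OpenProcess(%lu) failed: %lu\n",
               (unsigned long) csrss_pid, (unsigned long) GetLastError());
        return 1;
    }

    if (vmdetect(process)) {
        printf("found the VM\n");
    } else {
        printf("did not find the VM\n");
    }

    CloseHandle(process);
    return 0;
}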
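/*
 * Scan the committed, readable memory regions of `process` for MARKER.
 *
 * Regions are enumerated with VirtualQueryEx from address 0 up to the same
 * 0x7fffffff bound the original used, stepping by the region the query
 * actually reports (BaseAddress + RegionSize). Each region is read into one
 * reusable buffer and searched with memcmp.
 *
 * process: handle opened with at least PROCESS_QUERY_INFORMATION and
 *          PROCESS_VM_READ; the caller keeps ownership and closes it.
 * Returns 1 on the first match (its address is printed), 0 if the marker is
 * not found or the scan stops early (query failure, allocation failure).
 * Never calls exit(): the original did, so a finished scan never reached the
 * caller's "did not find" branch. The buffer is freed on every path (the
 * original leaked it on a match).
 */
int vmdetect(HANDLE process)
{
    const size_t marker_len = SIZE_OF_MARKER;
    char *buffer = NULL;
    SIZE_T buffer_cap = 0;
    int found = 0;
    MEMORY_BASIC_INFORMATION mbi = {0};
    /* ULONG_PTR keeps the address arithmetic unsigned and pointer-sized; the
     * original's int wrapped negative past 0x7fffffff. */
    ULONG_PTR address = 0;

    while (!found && address < (ULONG_PTR) 0x7fffffff) {
        if (VirtualQueryEx(process, (LPCVOID) address, &mbi, sizeof(mbi)) != sizeof(mbi)) {
            break;   /* no more queryable regions, or insufficient access */
        }
        ULONG_PTR next = (ULONG_PTR) mbi.BaseAddress + mbi.RegionSize;
        if (next <= address) {
            break;   /* zero-size region or wrap-around: avoid an endless loop */
        }

        /* Only committed pages that are neither no-access nor guard pages can
         * be read; the original read every region and ignored the failure. */
        int readable = mbi.State == MEM_COMMIT
                    && (mbi.Protect & PAGE_NOACCESS) == 0
                    && (mbi.Protect & PAGE_GUARD) == 0;

        if (readable && mbi.RegionSize >= marker_len) {
            if (mbi.RegionSize > buffer_cap) {
                /* realloc into a temporary so `buffer` is still freed on OOM */
                char *tmp = realloc(buffer, mbi.RegionSize);
                if (tmp == NULL) {
                    break;
                }
                buffer = tmp;
                buffer_cap = mbi.RegionSize;
            }

            SIZE_T bytes_read = 0;
            if (!ReadProcessMemory(process, mbi.BaseAddress, buffer, mbi.RegionSize, &bytes_read)) {
                /* Partial results of a failed read are not relied on; skip the region. */
                address = next;
                continue;
            }

            /* i + marker_len <= bytes_read cannot underflow, unlike the
             * original's RegionSize - SIZE_OF_MARKER on a small region. */
            for (SIZE_T i = 0; i + marker_len <= bytes_read; i++) {
                if (memcmp(MARKER, buffer + i, marker_len) == 0) {
                    printf("found a match at address: %p\n",
                           (void *)((ULONG_PTR) mbi.BaseAddress + i));
                    found = 1;
                    break;
                }
            }
        }

        address = next;
    }

    free(buffer);
    return found;
}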