check if process is running under wine

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: check if process is running under wine
    namespace: anti-analysis/anti-emulation/wine
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Emulator Detection [B0004]
    references:
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Wine.cpp
    examples:
      - ccbf7cba35bab56563c0fbe4237fdc41:0x40d750
  features:
    - or:
      - string: /SOFTWARE\\Wine/i
      - and:
        - api: GetModuleHandle
        - api: GetProcAddress
        - string: "wine_get_unix_file_name"
        - or:
          - string: "kernel32.dll"
          - string: "ntdll.dll"

last edited: 2023-11-24 10:34:28