I have written a lot about anti-vm tricks, and while this topic is so worn out that almost feels like kicking a dead horse I felt there is still a scope for some ‘novelty’ approach…

As a hobby, I started jotting down OPSEC failures from random reverse engineers and security professionals. I didn’t go too far, but once you see the list, you will get the gist and can easily expand on it a bit more.

Trust me, this is nothing personal. But yeah, it totally is 🙂

Analysing screenshots shared on social media I was able to jot down some notes on the user names used by the researchers’ boxes/test environments. Some of these user names are generic, and as such, not very helpful, but hey… many actually are pretty specific!

So, a personalized anti-* trick could simply add these known user names to a ‘we don’t run here’ list i.e. if any of these user names is found on the system –> gracefully exit.

Not very complex… but you didn’t see it coming!

Honorary mention:

Update

Not all these are correct findings f.ex. see response from proxylife.

In my old post I have listed a number of wine functions that are exported in that environment and are not present in Windows libraries. 5 years later I decided to re-visit that post and update it with the info from the latest wine vs Windows 10 death match.

The list of APIs has changed, and a new set of functions that can be used to distinguish between the two environments are listed below.

The test program can be downloaded here.

Wine

Windows 10

List of functions

• advapi32.dll!LookupAccountSidLocalA
• advapi32.dll!LookupAccountSidLocalW
• advapi32.dll!LsaRegisterPolicyChangeNotification
• advapi32.dll!LsaUnregisterPolicyChangeNotification
• advapi32.dll!QueryWindows31FilesMigration
• advapi32.dll!SynchronizeWindows31FilesAndWindowsNTRegistry
• comctl32.dll!DPA_GetSize
• comctl32.dll!DrawShadowText
• comctl32.dll!DSA_Clone
• comctl32.dll!DSA_GetSize
• comctl32.dll!GetWindowSubclass
• comctl32.dll!HIMAGELIST_QueryInterface
• comctl32.dll!ImageList_CoCreateInstance
• comctl32.dll!LoadIconMetric
• comctl32.dll!LoadIconWithScaleDown
• comctl32.dll!TaskDialog
• comctl32.dll!TaskDialogIndirect
• dbgeng.dll!DebugExtensionInitialize
• dnsapi.dll!DnsAcquireContextHandle_UTF8
• gdi32.dll!GetDCHook
• gdi32.dll!pfnRealizePalette
• gdi32.dll!pfnSelectPalette
• gdi32.dll!SetDCHook
• gdi32.dll!SetHookFlags
• gdi32.dll!SetObjectOwner
• gdi32.dll!__wine_get_vulkan_driver
• gdi32.dll!__wine_get_wgl_driver
• gdi32.dll!__wine_make_gdi_object_system
• gdi32.dll!__wine_set_display_driver
• gdi32.dll!__wine_set_visible_region
• imm32.dll!__wine_get_ui_window
• imm32.dll!__wine_register_window
• imm32.dll!__wine_unregister_window
• inseng.dll!DllInstall
• IPHLPAPI.dll!AllocateAndGetIfTableFromStack
• IPHLPAPI.dll!AllocateAndGetIpForwardTableFromStack
• IPHLPAPI.dll!AllocateAndGetIpNetTableFromStack
• IPHLPAPI.dll!AllocateAndGetTcpExTableFromStack
• IPHLPAPI.dll!AllocateAndGetTcpTableFromStack
• IPHLPAPI.dll!AllocateAndGetUdpTableFromStack
• kernel32.dll!ConvertToGlobalHandle
• kernel32.dll!GetDaylightFlag
• kernel32.dll!GetProcessFlags
• kernel32.dll!InvalidateNLSCache
• kernel32.dll!MakeCriticalSectionGlobal
• kernel32.dll!OpenVxDHandle
• kernel32.dll!RegisterServiceProcess
• kernel32.dll!ReinitializeCriticalSection
• kernel32.dll!SetCPGlobal
• kernel32.dll!UninitializeCriticalSection
• kernel32.dll!wine_get_dos_file_name
• kernel32.dll!wine_get_unix_file_name
• kernel32.dll!__wine_start_process
• mpr.dll!NPSAuthenticationDialogA
• mpr.dll!NPSCopyStringA
• mpr.dll!NPSDeviceGetNumberA
• mpr.dll!NPSDeviceGetStringA
• mpr.dll!NPSGetProviderHandleA
• mpr.dll!NPSGetProviderNameA
• mpr.dll!NPSGetSectionNameA
• mpr.dll!NPSNotifyGetContextA
• mpr.dll!NPSNotifyRegisterA
• mpr.dll!NPSSetCustomTextA
• mpr.dll!NPSSetExtendedErrorA
• mpr.dll!PwdChangePasswordA
• mpr.dll!PwdChangePasswordW
• mpr.dll!PwdGetPasswordStatusA
• mpr.dll!PwdGetPasswordStatusW
• mpr.dll!PwdSetPasswordStatusA
• mpr.dll!PwdSetPasswordStatusW
• mpr.dll!WNetCachePassword
• mpr.dll!WNetEnumCachedPasswords
• mpr.dll!WNetGetCachedPassword
• mpr.dll!WNetLogoffA
• mpr.dll!WNetLogoffW
• mpr.dll!WNetLogonA
• mpr.dll!WNetLogonW
• mpr.dll!WNetRemoveCachedPassword
• mpr.dll!WNetRestoreConnectionA
• mpr.dll!WNetRestoreConnectionW
• mpr.dll!WNetVerifyPasswordA
• mpr.dll!WNetVerifyPasswordW
• msctf.dll!TF_InitMlngInfo
• mshtml.dll!NP_GetEntryPoints
• mshtml.dll!RNIGetCompatibleVersion
• msi.dll!__wine_msi_call_dll_function
• netapi32.dll!I_BrowserQueryEmulatedDomains
• netapi32.dll!I_NetNameCompare
• netapi32.dll!I_NetNameValidate
• netapi32.dll!NetpGetComputerName
• ntdll.dll!NtClearPowerRequest
• ntdll.dll!NtCreatePowerRequest
• ntdll.dll!NtSetPowerRequest
• ntdll.dll!RtlFindLastBackwardRunSet
• ntdll.dll!RtlFindLongestRunSet
• ntdll.dll!RtlFindNextForwardRunSet
• ntdll.dll!RtlFindSetRuns
• ntdll.dll!wine_nt_to_unix_file_name
• ntdll.dll!wine_server_call
• ntdll.dll!wine_server_fd_to_handle
• ntdll.dll!wine_server_handle_to_fd
• ntdll.dll!wine_server_release_fd
• ntdll.dll!wine_server_send_fd
• ntdll.dll!wine_unix_to_nt_file_name
• ntdll.dll!__wine_dbg_get_channel_flags
• ntdll.dll!__wine_dbg_header
• ntdll.dll!__wine_dbg_output
• ntdll.dll!__wine_dbg_strdup
• ntdll.dll!__wine_get_unix_codepage
• ntdll.dll!__wine_locked_recvmsg
• ntdll.dll!__wine_make_process_system
• ntdll.dll!__wine_set_signal_handler
• ole32.dll!CoGetState
• Query.dll!CIState
• Query.dll!LocateCatalogsA
• Query.dll!LocateCatalogsW
• rpcrt4.dll!I_RpcBindingSetAsync
• rpcrt4.dll!I_RpcServerStartListening
• rpcrt4.dll!I_RpcServerStopListening
• rpcrt4.dll!I_RpcWindowProc
• rpcrt4.dll!NdrAsyncStubCall
• serialui.dll!EnumPropPages
• setupapi.dll!AssertFail
• setupapi.dll!CaptureAndConvertAnsiArg
• setupapi.dll!CaptureStringArg
• setupapi.dll!DelayedMove
• setupapi.dll!DuplicateString
• setupapi.dll!EnablePrivilege
• setupapi.dll!FileExists
• setupapi.dll!MultiByteToUnicode
• setupapi.dll!OpenAndMapFileForRead
• setupapi.dll!QueryRegistryValue
• setupapi.dll!RegistryDelnode
• setupapi.dll!RetreiveFileSecurity
• setupapi.dll!StampFileSecurity
• setupapi.dll!StringTableAddString
• setupapi.dll!StringTableAddStringEx
• setupapi.dll!StringTableDestroy
• setupapi.dll!StringTableDuplicate
• setupapi.dll!StringTableGetExtraData
• setupapi.dll!StringTableInitialize
• setupapi.dll!StringTableInitializeEx
• setupapi.dll!StringTableLookUpString
• setupapi.dll!StringTableLookUpStringEx
• setupapi.dll!StringTableSetExtraData
• setupapi.dll!StringTableStringFromId
• setupapi.dll!StringTableStringFromIdEx
• setupapi.dll!StringTableTrim
• setupapi.dll!TakeOwnershipOfFile
• setupapi.dll!UnmapAndCloseFile
• shdocvw.dll!InstallReg_RunDLL
• shell32.dll!CheckEscapesA
• shell32.dll!Control_FillCache_RunDLLA
• shell32.dll!Control_FillCache_RunDLLW
• shell32.dll!ExtractVersionResource16W
• shell32.dll!Printers_RegisterWindowW
• shell32.dll!Printers_UnregisterWindow
• shell32.dll!Printer_LoadIconsW
• shell32.dll!SheChangeDirW
• shell32.dll!SheGetDirW
• shell32.dll!SHRegCloseKey
• shell32.dll!SHRegDeleteKeyW
• shell32.dll!SHRegOpenKeyA
• shell32.dll!SHRegOpenKeyW
• shell32.dll!SHRegQueryValueA
• shell32.dll!SHRegQueryValueExA
• shell32.dll!SHRegQueryValueExW
• shell32.dll!SHRegQueryValueW
• shlwapi.dll!MLFreeLibrary
• shlwapi.dll!ShellMessageBoxWrapW
• shlwapi.dll!_SHGetInstanceExplorer
• sti.dll!StiCreateInstanceA
• user32.dll!CalcChildScroll
• user32.dll!CharNextExW
• user32.dll!CharPrevExW
• user32.dll!KillSystemTimer
• user32.dll!SetDeskWallPaper
• user32.dll!SetLogonNotifyWindow
• user32.dll!SetSystemTimer
• user32.dll!UserSignalProc
• user32.dll!__wine_send_input
• user32.dll!__wine_set_pixel_format
• winmm.dll!GetDriverFlags
• winmm.dll!OpenDriverA
• wsock32.dll!WsControl
• XInput1_4.dll!XInputGetStateEx