{"id":3984,"date":"2016-12-14T00:15:35","date_gmt":"2016-12-14T00:15:35","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=3984"},"modified":"2016-12-14T09:10:12","modified_gmt":"2016-12-14T09:10:12","slug":"malware-analysis-using-wine","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2016\/12\/14\/malware-analysis-using-wine\/","title":{"rendered":"Malware analysis using Wine"},"content":{"rendered":"<p>Wine is a free implementation of Windows on Unix. That&#8217;s what the Wine <a href=\"https:\/\/www.winehq.org\/\">web site<\/a> says. To a malware analyst though, Wine is a free analysis platform that can be leveraged to analyze Windows executables.<\/p>\n<p>How so?<\/p>\n<p>It&#8217;s all thanks to the various so-called <a href=\"https:\/\/wiki.winehq.org\/Debug_Channels\">debug channels<\/a> that Wine offers. Some of these channels &#8211; when enabled &#8211; turn Wine into a fully-blown tracer, an API monitor, or a complete log madness that includes any possible messages from Wine.<\/p>\n<p>I won&#8217;t cover here how to install Wine, but you should easily <a href=\"https:\/\/www.google.com\/search?q=wine+install\">find a recipe online<\/a>. 
Once installed, it&#8217;s ready for a few quick tests that will demonstrate its main monitoring features (from the malware analysts&#8217; perspective):<\/p>\n<ul>\n<li>Showing a list of loaded\/unloaded modules (during run-time)\n<ul>\n<li>\n<pre>WINEDEBUG=+loaddll wine \/mnt\/&lt;path&gt;\/notepad.exe<\/pre>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3985\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine1-300x124.png\" width=\"501\" height=\"207\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine1-300x124.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine1-768x317.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine1.png 973w\" sizes=\"(max-width: 501px) 100vw, 501px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>Showing a list of API calls and their return values\n<ul>\n<li>\n<pre>WINEDEBUG=+relay wine \/mnt\/&lt;path&gt;\/notepad.exe<\/pre>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter wp-image-3986\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine2-300x129.png\" width=\"500\" height=\"215\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine2-300x129.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine2-768x330.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine2.png 963w\" sizes=\"(max-width: 500px) 100vw, 500px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<li>Absolute tracing madness (yet still meaningful)\n<ul>\n<li>\n<pre>WINEDEBUG=+all wine \/mnt\/&lt;path&gt;\/notepad.exe<\/pre>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter 
wp-image-3987\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine3-300x126.png\" width=\"499\" height=\"210\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine3-300x126.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine3-768x323.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2016\/12\/wine3.png 867w\" sizes=\"(max-width: 499px) 100vw, 499px\" \/><\/a><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>A number of channels can be combined, f.ex. one can run the following command:<\/p>\n<ul>\n<li>\n<pre>WINEDEBUG=+relay,+tid,+timestamp<\/pre>\n<\/li>\n<\/ul>\n<p>to prepend the API log with a timestamp, and the TID (thread ID) of the current thread executing the API inside the process:<\/p>\n<pre style=\"padding-left: 30px;\">202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000000,00000020) ret=7ed13224\r\n202729.726:0024:Ret\u00a0 ntdll.RtlAllocateHeap() retval=00118ac8 ret=7ed13224\r\n202729.726:0024:Ret\u00a0 rpcrt4.I_RpcGetBuffer() retval=00000000 ret=7ed57c45\r\n202729.726:0024:Call rpcrt4.NdrServerContextNewMarshall(00b4e718,00119078,7ed55770,7ed612a4) ret=7ed57c81\r\n202729.726:0024:Call ntdll.RtlFreeHeap(00110000,00000000,00118fc0) ret=7ed14071\r\n202729.726:0024:Ret\u00a0 ntdll.RtlFreeHeap() retval=00000001 ret=7ed14071\r\n202729.726:0024:Call ntdll.RtlReleaseResource(0011909c) ret=7ecfc83c\r\n202729.726:0024:Ret\u00a0 ntdll.RtlReleaseResource() retval=00000000 ret=7ecfc83c\r\n202729.726:0024:Call ntdll.RtlDeleteResource(0011909c) ret=7ecfb4a7\r\n202729.726:0024:Ret\u00a0 ntdll.RtlDeleteResource() retval=00000000 ret=7ecfb4a7\r\n202729.726:0024:Call ntdll.RtlFreeHeap(00110000,00000000,00119078) ret=7ecfb4bb\r\n202729.726:0024:Ret\u00a0 ntdll.RtlFreeHeap() retval=00000001 ret=7ecfb4bb\r\n202729.726:0024:Ret\u00a0 rpcrt4.NdrServerContextNewMarshall() retval=001166a8 ret=7ed57c81\r\n202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000018) 
ret=7ed03c9c\r\n202729.726:0024:Ret\u00a0 ntdll.RtlAllocateHeap() retval=00118c20 ret=7ed03c9c\r\n202729.726:0024:Call ntdll.RtlAllocateHeap(00110000,00000008,00000030) ret=7ed04c44\r\n202729.731:0024:Ret\u00a0 ntdll.RtlAllocateHeap() retval=00118fc0 ret=7ed04c44\r\n202729.731:0024:Call KERNEL32.WriteFile(00000024,00118fc0,00000030,00b4e748,00000000) ret=7ed0cc8f\r\n202729.731:0018:Ret\u00a0 KERNEL32.ReadFile() retval=00000001 ret=7ec72d02\r\n202729.731:0018:Call ntdll.RtlAllocateHeap(00110000,00000000,00000018) ret=7ec6be06\r\n202729.731:0018:Ret\u00a0 ntdll.RtlAllocateHeap() retval=0011b888 ret=7ec6be06<\/pre>\n<p>A few notes at the end:<\/p>\n<ul>\n<li>Wine supports both 64-bit and 32-bit Portable Executables<\/li>\n<li>There are 400+ different channels; I would be lying if I said I knew what all of them trace<\/li>\n<li>Obviously, running executables under Wine is subject to various sandbox detections, including those I described <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/03\/27\/detecting-wine-via-internal-and-legacy-apis\/\">in the past<\/a>.<\/li>\n<li>The analysis could be automated to produce a decent sandbox report; while it can&#8217;t compete with commercial sandboxes, it may be a decent solution for in-house analysis, especially for small companies (and as an alternative, complementary sandbox)<\/li>\n<li>If combined with other free solutions, it may provide a secondary sandbox for differential analysis, i.e. certain artifacts could be compared between two sessions (f.ex. one in Cuckoo and one in Wine) to help highlight the &#8216;randomness&#8217; of some artifacts, f.ex. mutex names, files created, etc.<\/li>\n<li>Since it runs natively on Linux, lots of tools are available out of the box that may help with scripting and data processing<\/li>\n<li>The source code is available and you can modify it to your purposes (f.ex. 
add automatic yara rule generation for specific artifacts, automatic URL extraction, etc.)<\/li>\n<li>Last, but not least &#8211; it won&#8217;t work with some executables &#8211; it still has bugs &amp; features that are not implemented yet<\/li>\n<\/ul>\n<p>All in all, yet another tool that may sometimes come in handy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Wine is a free implementation of Windows on Unix. That&#8217;s what the Wine web site says. To a malware analyst though, Wine is a free analysis platform that can be leveraged to analyze Windows executables. How so? It&#8217;s all thanks &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2016\/12\/14\/malware-analysis-using-wine\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9,41],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3984"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=3984"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3984\/revisions"}],"predecessor-version":[{"id":3992,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/3984\/revisions\/3992"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=3984"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=3984"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json
\/wp\/v2\/tags?post=3984"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}