This is a snippet from my anti-cheat system, MetinGuard.
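Wine is commonly used in reverse engineering because it lets you run PE files (Windows executables) in an emulated environment. Wine's ntdll.dll exports the functions listed in lpBadFunctions below, so we can try to look up each one in the export table with GetProcAddress and see whether the lookup succeeds. A successful lookup indicates Wine; a failed lookup only means none of the listed names was found, so treat the result as one signal rather than proof of a native Windows host.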
This is just a small part of MetinGuard's anti-reverse-engineering module.
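/* Element count of a true array (not a pointer). The argument is fully
 * parenthesised so that expressions such as ARRAY_SIZE(*p) expand correctly. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/**
 * bCheckWine - heuristic check for a Wine-provided ntdll.dll.
 *
 * Looks up a fixed list of Wine-specific export names in the ntdll.dll
 * module of the current process and reports whether any of them resolves.
 *
 * Return: TRUE if at least one listed name resolves through GetProcAddress;
 *         FALSE if none resolves or the ntdll.dll handle cannot be obtained.
 *
 * NOTE(review): treat the result as one signal, not as proof. FALSE only
 * means that none of the names below was found in the export table, and
 * TRUE identifies the runtime rather than the user's intent. Callers should
 * combine it with other checks and decide policy separately.
 * NOTE(review): the set of exports may differ between Wine releases; verify
 * this list against the versions that matter for the deployment.
 */
BOOL bCheckWine(void)
{
    /* Export names that, per the module's description, only a Wine ntdll.dll
     * provides. Kept static const so the table is built once and is read-only. */
    static const LPCSTR lpBadFunctions[] = {
        "wine_get_unix_file_name", "wine_get_version",
        "wine_nt_to_unix_file_name", "wine_server_call",
        "wine_server_handle_to_fd", "wine_server_release_fd",
        "__wine_init_codepages"
    };

    /* ntdll.dll is already mapped into every Win32 process, so take the
     * existing module handle instead of LoadLibraryA/FreeLibrary: no reference
     * count is touched and no DLL search is performed. The handle is typed as
     * HMODULE, which is what GetProcAddress expects. */
    HMODULE hNtLib = GetModuleHandleA("ntdll.dll");
    if (hNtLib == NULL)
    {
        return FALSE;
    }

    for (SIZE_T i = 0; i < ARRAY_SIZE(lpBadFunctions); i++)
    {
        /* Compare the FARPROC directly; storing it in an LPVOID would convert
         * a function pointer to an object pointer for no benefit. */
        if (GetProcAddress(hNtLib, lpBadFunctions[i]) != NULL)
        {
            return TRUE;
        }
    }

    return FALSE;
}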