[C] Stopping Wine emulation


MetinGuard

Question

This is a snippet from my anti-cheat system, MetinGuard.

Wine is commonly used in reverse engineering, as you can run PE files (Windows executables) in an emulated environment. ntdll.dll on Wine will export the functions listed below in lpBadFunctions; we can try to get their addresses from the export table using GetProcAddress and see whether it succeeds.

This is just a small part of MetinGuard's anti-reverse-engineering module.

#include <windows.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))

/* Returns TRUE if ntdll.dll exports any Wine-specific symbol, i.e. we are running under Wine. */
BOOL bCheckWine(void)
{
	/* Symbols exported by Wine's ntdll.dll, never by Microsoft's. */
	LPCSTR lpBadFunctions[] = {
		"wine_get_unix_file_name", "wine_get_version",
		"wine_nt_to_unix_file_name", "wine_server_call",
		"wine_server_handle_to_fd", "wine_server_release_fd",
		"__wine_init_codepages"
	};

	/* LoadLibraryA returns an HMODULE; on failure it is NULL, not INVALID_HANDLE_VALUE. */
	HMODULE hNtLib = LoadLibraryA("ntdll.dll");
	if (hNtLib == NULL)
	{
		return FALSE;
	}

	FARPROC lpNtFunc = NULL;
	for (SIZE_T i = 0; i < ARRAY_SIZE(lpBadFunctions); i++)
	{
		/* A non-NULL result means this ntdll has the export, so it is Wine's. */
		lpNtFunc = GetProcAddress(hNtLib, lpBadFunctions[i]);
		if (lpNtFunc != NULL)
		{
			FreeLibrary(hNtLib);
			return TRUE;
		}
	}
	/* Release the module reference, not the export pointer. */
	FreeLibrary(hNtLib);
	return FALSE;
}
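As an added example (not MetinGuard's code and not part of the original post): the same export-name check done by walking ntdll's export name table directly instead of asking GetProcAddress, which a cheat loader or debugger plugin can hook to hide names. The parser is portable C so it compiles anywhere; it assumes a mapped module where RVAs equal offsets from the base, which is what you get from the address GetModuleHandleA("ntdll.dll") returns on Windows. The build_test_image() helper and the names it writes are constructed test data standing in for a real ntdll.dll; the Wine symbol list is the one from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wine-only symbols to look for in ntdll's export name table (same list as the post). */
static const char *const kWineExports[] = {
    "wine_get_unix_file_name", "wine_get_version", "wine_nt_to_unix_file_name",
    "wine_server_call", "wine_server_handle_to_fd", "wine_server_release_fd",
    "__wine_init_codepages",
};

/* Little-endian field readers/writers, so the parser does not depend on host struct layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walks the export name table of a mapped PE image (RVA == offset from img). Returns 1 if
 * `name` is exported, 0 if not, -1 if the headers are malformed or point past `len`. */
static int image_exports_name(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || rd16(img) != 0x5A4D) return -1;                  /* "MZ" */
    uint32_t pe = rd32(img + 0x3C);                                     /* e_lfanew */
    if (pe > len - 24 || rd32(img + pe) != 0x00004550) return -1;       /* "PE\0\0" */
    size_t opt = (size_t)pe + 24;                                       /* optional header: after 4-byte signature + 20-byte file header */
    if (opt + 2 > len) return -1;
    uint16_t magic = rd16(img + opt);
    size_t dd = magic == 0x20B ? 112 : magic == 0x10B ? 96 : 0;        /* DataDirectory offset for PE32+ / PE32 */
    if (dd == 0 || opt + dd + 8 > len) return -1;
    uint32_t exp_rva = rd32(img + opt + dd), exp_size = rd32(img + opt + dd + 4);
    if (exp_rva == 0) return 0;                                         /* image has no export directory */
    if (exp_size < 40 || exp_rva > len - 40) return -1;
    uint32_t n_names = rd32(img + exp_rva + 24);                        /* IMAGE_EXPORT_DIRECTORY.NumberOfNames */
    uint32_t names = rd32(img + exp_rva + 32);                          /* IMAGE_EXPORT_DIRECTORY.AddressOfNames */
    if (names > len || n_names > (len - names) / 4) return -1;
    for (uint32_t i = 0; i < n_names; i++) {
        uint32_t s = rd32(img + names + 4 * (size_t)i);
        if (s >= len || memchr(img + s, 0, len - s) == NULL) return -1; /* name must be NUL-terminated in bounds */
        if (strcmp((const char *)img + s, name) == 0) return 1;
    }
    return 0;
}

/* 1 if any Wine-specific export is present, 0 if none, -1 on a malformed image. */
static int image_looks_like_wine(const uint8_t *img, size_t len)
{
    for (size_t i = 0; i < sizeof kWineExports / sizeof kWineExports[0]; i++) {
        int r = image_exports_name(img, len, kWineExports[i]);
        if (r != 0) return r;                                           /* found, or malformed */
    }
    return 0;
}

/* Constructed test data: a minimal PE32+ image (headers + export directory only) whose name
 * table lists `names`. Stands in for a mapped ntdll.dll. Returns image length, 0 if cap too small. */
static size_t build_test_image(uint8_t *buf, size_t cap, const char *const *names, size_t n)
{
    const uint32_t pe = 0x40, opt = pe + 24, exp = 0x200, name_tbl = exp + 40;
    size_t str_off = name_tbl + 4 * n, total = str_off;
    for (size_t i = 0; i < n; i++) total += strlen(names[i]) + 1;
    if (total > cap) return 0;
    memset(buf, 0, total);
    wr16(buf, 0x5A4D);                 wr32(buf + 0x3C, pe);
    wr32(buf + pe, 0x00004550);        wr16(buf + pe + 4, 0x8664);      /* PE signature, Machine = AMD64 */
    wr16(buf + pe + 20, 240);          wr16(buf + opt, 0x20B);          /* SizeOfOptionalHeader, PE32+ magic */
    wr32(buf + opt + 112, exp);        wr32(buf + opt + 116, (uint32_t)(total - exp)); /* export dir RVA, size */
    wr32(buf + exp + 24, (uint32_t)n); wr32(buf + exp + 32, name_tbl);  /* NumberOfNames, AddressOfNames */
    for (size_t i = 0; i < n; i++) {
        wr32(buf + name_tbl + 4 * i, (uint32_t)str_off);
        strcpy((char *)buf + str_off, names[i]);
        str_off += strlen(names[i]) + 1;
    }
    return total;
}

/* Demo images: one with a Wine symbol among ordinary ntdll names (-> 1), one without (-> 0). */
static int demo_wine_image(void)
{
    static const char *const names[] = { "NtClose", "wine_get_version", "RtlInitUnicodeString" };
    uint8_t img[1024];
    return image_looks_like_wine(img, build_test_image(img, sizeof img, names, 3));
}

static int demo_windows_image(void)
{
    static const char *const names[] = { "NtClose", "RtlInitUnicodeString" };
    uint8_t img[1024];
    return image_looks_like_wine(img, build_test_image(img, sizeof img, names, 2));
}

int main(void)
{
    printf("wine-like image: %d, windows-like image: %d\n", demo_wine_image(), demo_windows_image());
    return 0;
}
```

On a real target you would pass image_looks_like_wine() the module base from GetModuleHandleA("ntdll.dll") and use SizeOfImage (offset 56 into the optional header) as `len`. The -1 path matters: a truncated or tampered image should not silently read as "genuine Windows". Also note that which names Wine's ntdll.dll exports changes between Wine releases, so the list has to be re-checked against the Wine version you care about.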

6 answers to this question

Recommended Posts

4 minutes ago, tierrilopes said:

Not sure what the goal was, but to me it only gave me reasons to not buy it.

__

But a release is a release and I'm sure it may help someone.

Good luck on your service.

The goal is to detect Wine, which is an emulation environment on Linux that allows you to run Windows executables. It's usually used when reverse engineering; this will simply detect that environment.

55 minutes ago, Koray said:
FreeLibrary(lpNtFunc);

wat?

Yeah, I actually posted an old version which had been quickly mashed together, got my Git branches mucked up, and updated the OP.

16 minutes ago, MetinGuard said:

Yeah, I actually posted an old version which had been quickly mashed together, got my Git branches mucked up, and updated the OP.

You don't need to create a new define macro (#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))) because there is already another one (_countof).

The LoadLibrary API doesn't return a HANDLE, so you should convert to HMODULE or a similar memory pointer.

The LoadLibrary API doesn't give INVALID_HANDLE_VALUE (aka -1) if it fails; you will get a null pointer.

You should free the ntdll module, not the export's pointer.


A macro is a macro, they do the same thing; ARRAY_SIZE looks a lot cleaner to me. But yeah, they both serve the same purpose.

No, HMODULE is a typedef of HINSTANCE, which is a typedef of HANDLE.

Wow, that was a stupid mistake.

24 minutes ago, Koray said:

You don't need to create a new define macro (#define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))) because there is already another one (_countof).

The LoadLibrary API doesn't return a HANDLE, so you should convert to HMODULE or a similar memory pointer.

The LoadLibrary API doesn't give INVALID_HANDLE_VALUE (aka -1) if it fails; you will get a null pointer.

You should free the ntdll module, not the export's pointer.
