Saw a new kind of sandbox today, one based on Wine. Looks like from now on malware will have to check whether it is running under Wine.
The malware behaviour analysis tool zerowine itself documents how Wine can be detected:
Detection of the WINE environment demonstrated to be extremely easy. For example, the registry key HKLM\Software\Wine or HKCU\Software\Wine can be opened to detect it. Another example: check the file size of any Windows critical system file. When running under WINE, the files will be ridiculously small, while in a real Windows system it will always have a bigger size.
Another “advanced” detection technique: Open any critical Windows file and decompile the entry point. When running under WINE the function will decompile to the following 2 simple instructions:
.text:10001000                 public start
.text:10001000 start           proc near
.text:10001000                 mov     eax, 1
.text:10001005                 retn    4
.text:10001005 start           endp
For the lazy people: Just search for the following binary string B8 01 00 00 00 C2 04 00 at .text:10001000.
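From the analyst's side, the same artefacts are useful for triage: a sample that carries the Software\Wine registry path, or the 8-byte stub above as a constant, is probably probing for the sandbox. The scanner below is an added example written for this page (it is not zerowine's code); the registry path and stub bytes come from the text, while the sample bytes it scans are constructed.

```python
"""Triage helper that flags a sample embedding the Wine-detection artefacts
described above. Added example for this page, not zerowine's code; the
sample bytes below are constructed."""
import re

# Registry path named on the page, matched as ASCII and as UTF-16LE (wide).
WINE_KEY_ASCII = rb"Software\Wine"
WINE_KEY_WIDE = "Software\\Wine".encode("utf-16-le")
# Stub entry point of Wine's placeholder system files: mov eax,1 ; retn 4
WINE_STUB = bytes.fromhex("B8 01 00 00 00 C2 04 00")

# Registry key names are case-insensitive, so the string matches are too.
PATTERNS = {
    "registry_key_ascii": re.compile(re.escape(WINE_KEY_ASCII), re.IGNORECASE),
    "registry_key_wide": re.compile(re.escape(WINE_KEY_WIDE), re.IGNORECASE),
    "stub_signature": re.compile(re.escape(WINE_STUB)),
}


def scan_for_wine_checks(data: bytes) -> dict:
    """Return {artefact: [file offsets]} for every artefact found in data."""
    hits = {}
    for name, pattern in PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def assess(hits: dict) -> str:
    """Turn raw hits into a triage verdict.

    The registry path is a strong hint that the sample probes for Wine.
    The 8-byte stub alone is weak: it is also what any one-argument stdcall
    function that just returns 1 compiles to, so on its own it only
    warrants a manual look.
    """
    if any(k.startswith("registry_key") for k in hits):
        return "likely wine-aware"
    if "stub_signature" in hits:
        return "weak: stub bytes only, review manually"
    return "no wine-detection artefacts"


# Constructed sample: a wide "SOFTWARE\Wine" string and the stub bytes
# surrounded by filler, standing in for a real extracted sample.
SAMPLE = (b"MZ" + b"\x90" * 30
          + "SOFTWARE\\Wine".encode("utf-16-le")
          + b"\x00" * 8 + WINE_STUB + b"\xcc" * 16)

if __name__ == "__main__":
    found = scan_for_wine_checks(SAMPLE)
    print(found, "->", assess(found))
```

Run it against a real file with `scan_for_wine_checks(open(path, "rb").read())`; packed samples will need unpacking first, since the strings only appear in the decompressed image.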