# Working with Wine * auto-gen TOC: {:toc} [Wine](https://www.winehq.org/) (Wine Is Not an Emulator) is a compatibility layer that translates Windows API calls into POSIX system calls, allowing Windows executables to run on Linux without a Windows installation. For malware analysis on REMnux, Wine lets you execute and observe Windows PE samples without needing a separate Windows VM. ## Important: Wine Is Not a Sandbox **Wine provides no isolation.** Malware running under Wine can read and write your home directory, make network connections, and in some cases escape to the host system entirely. Always run Wine inside your REMnux VM (not on your host machine), and take a snapshot before executing any sample. Never run malware under Wine without: 1. A clean VM snapshot to revert to 2. The network adapter disabled or isolated 3. A dedicated Wine prefix (see below) to contain registry and filesystem changes ## Installation REMnux may already include Wine. Check first: ```sh $ wine --version ``` If not installed, add it: ```sh $ sudo dpkg --add-architecture i386 $ sudo apt update $ sudo apt install wine wine32 wine64 winetricks ``` The `i386` architecture is required because most Windows malware targets 32-bit x86. ## Wine Prefixes A Wine prefix is an isolated directory that acts as a fake Windows installation — it contains a synthetic `C:\` drive, registry hives, and installed components. Using a dedicated prefix per sample keeps analysis contained and makes cleanup easy. ```sh # Create a fresh prefix for a sample $ WINEPREFIX=~/.wine-analysis wineboot --init # Run a binary inside that prefix $ WINEPREFIX=~/.wine-analysis wine sample.exe # Blow it away and start clean $ rm -rf ~/.wine-analysis ``` Set `WINEPREFIX` for every command or export it for the session: ```sh $ export WINEPREFIX=~/.wine-$(date +%Y%m%d)-sample_a ``` ## Basic Usage ```sh # Run a 32-bit PE $ wine sample.exe # Run a 64-bit PE $ wine64 sample.exe # Run with arguments $ wine sample.exe /silent /install # Check what Windows version Wine reports $ wine winver ``` Wine creates a synthetic `C:\` drive at `$WINEPREFIX/drive_c/`. Files the malware drops there are visible at that path on your Linux filesystem. ## Winetricks `winetricks` installs Windows runtime components that malware may depend on (Visual C++ runtimes, .NET Framework, DirectX, etc.): ```sh # Install common runtimes $ WINEPREFIX=~/.wine-analysis winetricks vcrun2019 dotnet48 # List available packages $ winetricks list-all | grep vcrun ``` If a sample exits immediately without doing anything, it may be checking for a runtime dependency. Check the Wine output for error messages about missing DLLs. ## Observing Behavior Under Wine ### System Call Tracing Use `strace` to trace system calls made by the Wine process: ```sh $ strace -f -e trace=network,file wine sample.exe 2>&1 | tee strace.log ``` The `-f` flag follows child processes, which is important because Wine spawns helper processes. ### Network Capture Wine uses the host network stack, so Wireshark captures all Wine traffic normally: ```sh $ sudo wireshark & $ WINEPREFIX=~/.wine-analysis wine sample.exe ``` Disable the VM's network adapter before running samples that should not reach the internet, or use INetSim/FakeNet to intercept and log DNS and HTTP. ### Filesystem Monitoring Watch for files created or modified during execution: ```sh # Before execution: snapshot the prefix $ cp -r $WINEPREFIX $WINEPREFIX.before # Run the sample $ WINEPREFIX=~/.wine-analysis wine sample.exe # After execution: diff to see what changed $ diff -rq $WINEPREFIX.before $WINEPREFIX ``` ### Registry Changes The Wine registry lives in `$WINEPREFIX/system.reg` and `$WINEPREFIX/user.reg`. Diff them before and after: ```sh $ cp $WINEPREFIX/system.reg system.reg.before $ wine sample.exe $ diff system.reg.before $WINEPREFIX/system.reg ``` Persistence mechanisms commonly write to: - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` - `HKLM\Software\Microsoft\Windows\CurrentVersion\Run` ## Limitations for Malware Analysis | Limitation | Impact | |------------|--------| | No kernel-mode support | Rootkits and kernel drivers will not load | | Incomplete API coverage | Some samples crash or exit early due to unimplemented calls | | No real Windows registry | Anti-analysis checks for specific registry keys may behave differently | | VM detection still works | Malware may detect it is running under Wine via `GetSystemInfo`, timing, or missing registry artifacts | | No isolation | Any malware that runs successfully can access your home directory | Wine is best suited for **observing initial behavior** — network callbacks, dropped files, registry writes — rather than full execution of sophisticated malware. For complete execution fidelity, use a Windows VM. ## Useful Wine Environment Variables | Variable | Effect | |----------|--------| | `WINEPREFIX` | Path to the Wine prefix directory | | `WINEARCH=win32` | Force 32-bit prefix (required for some 32-bit-only samples) | | `WINEDEBUG=+all` | Enable verbose Wine debug output (very noisy; pipe to a file) | | `WINEDEBUG=fixme-all` | Suppress "fixme" messages, show only errors | Example combining several: ```sh $ WINEPREFIX=~/.wine-sample WINEARCH=win32 WINEDEBUG=fixme-all wine sample.exe ``` ## Further Reading - [WineHQ](https://www.winehq.org/) - [Wine documentation](https://wiki.winehq.org/Main_Page) - [Winetricks](https://github.com/Winetricks/winetricks)