Wine and Ollydbg

programming
linux
reverseengineering

(ctnguyenvn) #1

Hello,
I have been participating in the forum for a short time and have learned a lot of interesting things.
I am currently a student and a newbie learning about RE / malware.
I ran into a question when I use Linux and install Wine to run Ollydbg. The problem is probably in Wine. I understand that Wine is a Windows platform emulator; is that correct? If so, when I open a crackme (PE) with Wine, it causes an error. It says that this file is only executable on Windows 32. I think I was wrong, because Wine did not emulate Windows. I want to ask if my thoughts are true: Wine does not emulate the Windows platform, it just emulates the folders so that Windows programs understand and execute them?
It would be great if you could give me some tips on what is needed for a beginner like me, be it documentation, knowledge or some specialized tools.
Thanks for caring. (Sorry for my bad English.)


#2

If you’re serious about reverse engineering Windows applications and malware, you might as well get a Windows virtual machine. Ollydbg is only one of the many tools you’ll need and only using it is not sufficient, e.g. it does not support 64-bit or .NET PE files.


(ctnguyenvn) #3

Thanks for the reply.
I can use a VM, however I am a Linux user and I want to work conveniently on my computer. And I want to learn to analyze objects on Linux (ELF32, ELF64) rather than Windows (.NET, .exe, …). Can you recommend a few common tools for RE on Linux? (It's bad because I only know GDB :blush:)
And the question in my topic was raised because I want to understand: if I run malicious files through Wine on my Linux machine, will my Linux OS be affected?
Thank you.


#4

Sorry, Windows is my playground so I’ve no idea about Linux. You should direct your questions towards @0x00pf. As for Linux malware? Not sure if there’s anything significant there?


#5

Hi,

You can use IDA 7.0 Free, which runs perfectly on Linux. Or you can use radare2, which is popular amongst Linux reversers (they also have a GUI in development, Cutter).

Otherwise for debugging, you still have gdb :slight_smile:


(ctnguyenvn) #6

Thanks @dtm, I think it should be Linux malware :wink::wink:
Hi @aaSSfxxx I have heard about IDA, which is a great tool. I will learn more about radare2.
I might as well ask about some programs that display other information, such as whether a file is packed. I remember seeing a write-up on a binary where they used DIE. Could you share some of the supporting tools for these tasks?
Thank you. :kissing_heart:
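
Since the thread keeps circling back to "what kind of file is this" (the Wine error in #1, Ollydbg's 32-bit-PE-only limit in #2, ELF32/ELF64 in #3, and DIE/packing in #6), here is an added first-pass triage script. It is not code from the thread or from any of the tools mentioned; the function names are mine, and the sample headers are constructed in the script rather than read from real binaries. It reads the container format, bitness and target machine from the ELF/PE headers and computes a byte-entropy hint for packing; the packing check is only a rough heuristic and does not replace signature-based tools such as DIE.

```python
"""Minimal first-pass triage for a binary: container format, bitness, target
machine, and a byte-entropy hint for packing. Added example, not from the thread.
The sample headers below are constructed in-code for demonstration."""
import math
import struct
from collections import Counter
from typing import Tuple

# e_machine (ELF) and Machine (PE COFF header) values for common targets.
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}
PE_MACHINES = {0x14C: "x86", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "AArch64"}


def identify(data: bytes) -> Tuple[str, str]:
    """Return (format, machine), e.g. ('PE32+', 'x86-64') or ('ELF32', 'x86').

    Ollydbg only loads PE32 for x86, so anything else here means picking a
    different tool (and an ELF target is not a Wine/Ollydbg job at all)."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        fmt = {1: "ELF32", 2: "ELF64"}.get(data[4], "ELF(bad class)")
        endian = "<" if data[5] == 1 else ">"                     # EI_DATA: 1 = LSB, 2 = MSB
        machine = struct.unpack_from(endian + "H", data, 18)[0]   # e_machine
        return fmt, ELF_MACHINES.get(machine, "0x%x" % machine)
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 26:
            return "MZ(non-PE)", "unknown"
        machine = struct.unpack_from("<H", data, pe_off + 4)[0]   # COFF Machine
        magic = struct.unpack_from("<H", data, pe_off + 24)[0]    # OptionalHeader.Magic
        fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE(bad magic)")
        return fmt, PE_MACHINES.get(machine, "0x%x" % machine)
    return "unknown", "unknown"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, from 0.0 (constant) to 8.0 (uniform). Packed or encrypted
    payloads usually sit above ~7; plain code and data well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Rough heuristic only; a real packer check (what DIE does) also matches
    signatures, section names and import tables."""
    return shannon_entropy(data) > threshold


# --- constructed samples (not real binaries, just enough header to parse) ---
def fake_pe(machine: int, magic: int) -> bytes:
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x102)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


def fake_elf(ei_class: int, machine: int) -> bytes:
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5], hdr[6] = ei_class, 1, 1          # class, little-endian, version
    struct.pack_into("<HH", hdr, 16, 2, machine)     # e_type = EXEC, e_machine
    return bytes(hdr)


if __name__ == "__main__":
    samples = [("pe32", fake_pe(0x14C, 0x10B)), ("pe32+", fake_pe(0x8664, 0x20B)),
               ("elf64", fake_elf(2, 0x3E)), ("script", b"#!/bin/sh\n")]
    for name, blob in samples:
        print(name, identify(blob))
    print("uniform bytes look packed?", looks_packed(bytes(range(256)) * 16))
    print("zeros look packed?", looks_packed(b"\0" * 4096))
```

Run it on a real file with `identify(open(path, "rb").read())`; a PE32+ or ELF result tells you straight away that Ollydbg under Wine is the wrong tool, before you spend time on the Wine error itself. Entropy is best computed per section rather than over the whole file, since a packed payload in one section is diluted by headers and plain stubs elsewhere.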


#7

Hi!

As for the big reverse engineering frameworks:
You can always check out the new IDA 7 free version, which is quite limited in terms of functionality, though.

Otherwise, if you can spare a few bucks, check out binaryninja. It's not yet on par with the paid IDA version, but for your general CTF-style ELF binaries and even more it's good enough.

Radare2 and the Cutter GUI are both free. I never used those much, but they are powerful. Radare2 itself in the CLI variant has a steep learning curve IMHO. Lots of people like using it.

Now for GDB. It's already hella useful out of the box, but for much better visibility, more features and more supported architectures, check out either pwndbg or GEF. These will make your life way easier during dynamic analysis.

If you want to dive into exploitation and further ELF manipulation, check out pwntools and the LIEF project.

Now, last but not least, for the malware question: a good example that directly comes to mind is the Skeksi virus. It showcases some nifty tricks for what UNIX malware could look like.

Hope that helped and cleared the air quite a bit.

//Edit:

As for the question of whether running Windows malware via Wine will affect your Linux system:
I never thought much about it, and I hope someone can correct me here, but I'd assume many of these programs will look for certain .dlls, application files or file paths which are Windows-specific. If these are not present, I'm betting that a lot of malware breaks upon execution. Stuff which remotely downloads some RAT or Trojan couldn't be executed even if the download somehow succeeds.

So I'm not so sure how to evaluate the threat level of infecting your own system in that case, since I'm not sure what and how Wine emulates things under the hood!


(ctnguyenvn) #8

Thanks all

Thanks @ricksanchez.
I will try to find out more about this if possible.


#9

Sure. As far as I'm informed, Wine tries to emulate certain Windows-specific paths and files and downloads a bunch of stuff for that in the background. Never heard of someone trying to run malware via Wine :smile:.
If anything, I'd vote for the same thing @dtm suggested: a dedicated Windows malware VM.
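
Posts #7 and #9 are unsure what Wine exposes "under the hood". The concrete part is easy to check: a Wine prefix maps drive letters to host directories through symlinks in `$WINEPREFIX/dosdevices/`, and a freshly created default prefix links `c:` to its own `drive_c` and `z:` to the host root `/`. The script below is an added example, not code from the thread or from the Wine project; the function names are mine, and `make_sample_prefix()` builds a constructed stand-in prefix with that default layout so the script runs without Wine installed. It lists the drive map and flags every drive letter whose target lies outside the prefix, which is exactly the host filesystem a Windows binary run under Wine can read or write with your user's permissions.

```python
"""Inspect which host paths a Wine prefix hands to Windows programs as drive
letters. Added example, not from the thread; assumes the standard Wine prefix
layout ($WINEPREFIX/dosdevices/<letter>: symlinks) and uses a constructed
prefix when no real one is present."""
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List

DRIVE_RE = re.compile(r"^[a-z]:$")   # skip device links such as 'c::' or 'com1'


def wine_drive_map(prefix: str) -> Dict[str, str]:
    """Return {drive letter: resolved host path} from <prefix>/dosdevices."""
    dos = Path(prefix) / "dosdevices"
    drives = {}
    for link in sorted(dos.iterdir()):
        if DRIVE_RE.match(link.name) and link.is_symlink():
            target = os.readlink(link)
            # Wine writes 'c:' as a relative link (../drive_c) and 'z:' as absolute ('/').
            resolved = Path(target) if os.path.isabs(target) else dos / target
            drives[link.name] = str(resolved.resolve())
    return drives


def host_exposure(prefix: str) -> List[str]:
    """Drive letters whose target lies outside the prefix directory itself.

    Anything listed here is host filesystem that a Windows binary (malware
    included) can reach through Wine with the invoking user's rights; the
    default 'z:' -> '/' mapping means the whole host is reachable."""
    root = Path(prefix).resolve()
    exposed = []
    for letter, target in wine_drive_map(prefix).items():
        t = Path(target)
        if t != root and root not in t.parents:
            exposed.append(letter)
    return exposed


def make_sample_prefix() -> str:
    """Constructed stand-in for a freshly created default Wine prefix."""
    prefix = Path(tempfile.mkdtemp(prefix="wineprefix-"))
    (prefix / "drive_c" / "windows").mkdir(parents=True)
    dos = prefix / "dosdevices"
    dos.mkdir()
    os.symlink("../drive_c", dos / "c:")   # the prefix's own C: drive
    os.symlink("/", dos / "z:")            # Wine's default: host root as Z:
    return str(prefix)


if __name__ == "__main__":
    pfx = os.environ.get("WINEPREFIX", os.path.expanduser("~/.wine"))
    if not os.path.isdir(os.path.join(pfx, "dosdevices")):
        print("no real prefix found, using a constructed one")
        pfx = make_sample_prefix()
    for letter, path in wine_drive_map(pfx).items():
        print(f"{letter} -> {path}")
    print("drives reaching outside the prefix:", host_exposure(pfx))
```

The point for the thread's question: Wine is a compatibility layer running as your user, not a sandbox, so a sample that does survive the missing DLLs and paths can walk `Z:\home\...` as freely as `C:\`. Removing the `z:` link narrows the exposure but does not change the trust model, which is why the dedicated VM suggested in #2 and #9 is the safer place to run anything suspicious.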


(ctnguyenvn) #10

Hi. Actually, many of my friends run Windows programs on Linux through Wine. I suspect one of them is not clean.


(Zain) #11

What do you mean… one isn’t clean?

For conversations like these… they're nice and all, but we do have an IRC: irc.0x00sec.org/6697


(system) #12

This topic was automatically closed after 30 days. New replies are no longer allowed.