I participated in the forum a short time and learned a lot of interesting things.
I am currently a student, and newbie to learn about RE / Malware.
I met a question that, when I use linux and install wine to run Ollydbg. The problem is probably in wine, I understand that wine windows platform emulator is correct and if true, when I open the wine with a crackme (PE), this is causing the error. It says that this file is only executable on windows 32. I think I was wrong because wine did not emulate windows. I want to ask if my thoughts are true? Wine does not emulate the windows platform, it just emulates the folders so that the programs on windows understand and execute them.
It is great if you give me some tips on something that is needed for a beginner like me. Be it documentation, knowledge or some specialized tools.
Thanks for care. (sorry for my bad english).
If you’re serious about reverse engineering Windows applications and malware, you might as well get a Windows virtual machine. Ollydbg is only one of the many tools you’ll need and only using it is not sufficient, e.g. it does not support 64-bit or .NET PE files.
Thanks for the reply.
I can use the VM, however I am a Linux user and I want to operate conveniently on my computer. And I want to learn and analyze objects on Linux (ELF-32, ELF64) rather than windows (.NET, .exe, …). Can you recommend a few common tools for RE on linux? (It’s bad because I only know GDB )
And the question in my topic is raised because I want to understand if I run malicious files through wine on my Linux machine, will my Linux OS be affected?
Sorry, Windows is my playground so I’ve no idea about Linux. You should direct your questions towards @0x00pf. As for Linux malware? Not sure if there’s anything significant there?
You can use IDA 7.0 Free which runs perfectly on Linux. Or you can use radare2 which is popular amongst Linux reversers (they have also a GUI in development, Cutter).
Otherwise for debugging, you still have gdb
Thanks @dtm, I think it should be Linux malware
Hi @aaSSfxxx I have heard about IDA, which is a great tool. I will learn more about radare2.
I might as well ask about some programs that display other information as if they were packed, I remember seeing a write-up on the binary and they used DIE. Do you share some of the support tools for these tasks.
As for your big reverse engineering frameworks
You can always check out the new IDA 7 free version which is quite limited in terms of functionality tho.
Otherwise if you can spare a few bucks check out binaryninja. It’s not yet on par with the paid IDA version but for your general CTF style ELF binaries and even more it’s good enough.
Now for GDB. It’s already hella useful out of the box but for much better visibility, more features and more supported architectures check out either pwndbg or GEF. These will make your life way easier during dynamic analysis.
Now last but not least for the malware question a good example that directly comes to my mind is the skeksi virus . It showcases some nifty tricks for how UNIX malware could look like.
Hope that helped and cleared the air quite a bit.
As for the question if running Windows malware via wine will affect your linux system:
I never much thought about it. And I hope someone can correct me here but I’d assume many of these programs will look for certain .dlls, application files or file paths which are windows specific. If these are not present I’m betting that a lot of malware is breaking upon execution. Stuff which remotely downloads some RAT or Trojan couldn’t be executed even when the download succeeds somehow.
So I’m not so sure how to evaluate that threat level of infecting your own system in that case, since I’m not sure what and how wine emulates things under the hood!
I will try to find out more about this if possible.
Sure. As far as I’m informed wine tries to emulate certain windows specific paths and files and downloads a bunch of stuff for that in the background. Never heard someone trying to run malware via wine .
If anything I’d vote for the same what @dtm suggested with a dedicated malware windows VM.
Hi, Actually many of my friends run windows programs on linux through wine. I suspect one of them is not clean.
What do you mean… one isn’t clean?
For conversations like these… they’re nice and all but we do have a irc; irc.0x00sec.org/6697
This topic was automatically closed after 30 days. New replies are no longer allowed.