Anti-Analysis (intermediate)

Wine Environment Detection

Detecting the Wine compatibility layer by probing for Wine-specific exports such as wine_get_unix_file_name (kernel32) and wine_get_version (ntdll).

Wine is an open-source compatibility layer that runs Windows binaries on Linux and macOS, and it underpins several automated malware sandboxes. Because Wine reimplements the Windows API rather than running the real one, it exposes a handful of helper exports that never exist on genuine Windows. Probing for those exports is a cheap, reliable way for malware to detect a Wine host.

Some Wine-aware samples behave differently — or simply exit — to frustrate sandboxes built on Wine rather than full Windows VMs.

How it works

The canonical check, used by tools such as Pafish and al-khaser, asks GetProcAddress for wine_get_unix_file_name in kernel32.dll, a helper Wine exports for translating Windows paths into host paths. Real Windows has no such export, so the call returns NULL; under Wine it returns a valid pointer. Wine's ntdll additionally exports wine_get_version, a cdecl function that returns the Wine version string (for example "9.0"), which a sample can call to confirm the hit and fingerprint the sandbox. Both lookups are exact-name queries: a sandbox that hides or renames these exports defeats the check, while genuine Windows can never trigger it, because the names simply do not exist there.

```c
#include <windows.h>
#include <stdio.h>

/* Wine's kernel32 exports wine_get_unix_file_name; real Windows never does. */
static BOOL is_wine(void)
{
    HMODULE k32 = GetModuleHandleW(L"kernel32.dll");
    return k32 && GetProcAddress(k32, "wine_get_unix_file_name") != NULL;
}

/* Wine's ntdll exports wine_get_version(), a cdecl function returning e.g. "9.0". */
typedef const char *(CDECL *pWineVer)(void);

static const char *wine_version(void)
{
    HMODULE ntdll = GetModuleHandleW(L"ntdll.dll");
    pWineVer fn = ntdll ? (pWineVer)GetProcAddress(ntdll, "wine_get_version") : NULL;
    return fn ? fn() : NULL;
}

int main(void)
{
    /* Wine also keeps its configuration under the registry key HKCU\Software\Wine. */
    if (is_wine()) {
        const char *ver = wine_version();
        printf("Wine detected (version %s)\n", ver ? ver : "unknown");
    } else {
        printf("Not running under Wine\n");
    }
    return 0;
}
```

Secondary indicators a sample may also test are the Software\Wine registry key (Wine stores its configuration under HKCU\Software\Wine; samples usually probe that hive, some HKLM as well) and the default Z: drive, which Wine maps to the root of the host filesystem.

Detection & analysis

  • Static analysis: flag the literal strings wine_get_unix_file_name, wine_get_version and Software\Wine (check UTF-16 as well, since the registry path is normally passed to a wide-char API) alongside imports of GetProcAddress / GetModuleHandle that resolve into kernel32 or ntdll.
  • Dynamic analysis: when running a sample under Wine, hook GetProcAddress to return NULL for wine_* export names, hide the Software\Wine key and remove the Z: drive mapping (a symlink in the prefix's dosdevices directory); alternatively analyze on a real Windows VM, which sidesteps the check entirely.
  • Detection rule hint: YARA-match the wine_get_unix_file_name / wine_get_version strings or the registry path Software\Wine; in behavioral logs, alert on a resolve of a wine_* export followed shortly by a branch or process exit. Expect false positives from legitimate Wine-aware software (installers and games that adapt their behavior under Wine) and from Wine's own bundled programs, so treat the strings as triage signals rather than convictions.
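The two detection hints above, static string triage and the behavioral resolve-then-exit rule, as an added Python example that is not part of the original page or of any named tool. It scans a constructed byte blob for the Wine marker strings in both ASCII and UTF-16LE and scores them against the presence of dynamic-resolution imports, and it runs a resolve-then-exit rule over constructed API-trace lines. The trace line format, the scoring weights and the two-second window are assumptions for this example; the list of Wine export names goes beyond the page by adding wine_get_dos_file_name, wine_get_build_id and wine_get_host_version, which Wine also exports.

```python
"""Analyst-side indicators for the Wine export-probing check (added example)."""
import re
from datetime import datetime, timedelta

# --- 1. Static triage ------------------------------------------------------

# Wine-only export names. The first two are the ones discussed on the page;
# the rest are further Wine-specific exports from kernel32 / ntdll.
WINE_EXPORTS = (
    b"wine_get_unix_file_name",
    b"wine_get_version",
    b"wine_get_dos_file_name",
    b"wine_get_build_id",
    b"wine_get_host_version",
)
WINE_REGKEY = b"Software\\Wine"
# Import names a binary needs in order to resolve the exports at runtime.
RESOLVER_IMPORTS = (b"GetProcAddress", b"GetModuleHandleA", b"GetModuleHandleW",
                    b"LoadLibraryA", b"LoadLibraryW")


def _present(blob: bytes, needle: bytes) -> bool:
    """True if needle appears as ASCII or as UTF-16LE (Windows wide strings)."""
    return needle in blob or needle.decode("ascii").encode("utf-16-le") in blob


def scan_strings(blob: bytes) -> dict:
    """Score a blob for the Wine-probe pattern (heuristic weights, assumed here).

    Export names are strong; Software\\Wine alone is weak because legitimate
    Wine-aware software carries it too. A resolver import makes names usable.
    """
    exports = [e.decode() for e in WINE_EXPORTS if _present(blob, e)]
    regkey = _present(blob, WINE_REGKEY)
    resolver = any(imp in blob for imp in RESOLVER_IMPORTS)
    score = 0
    if exports:
        score += 40 if resolver else 20
        score += 10 * min(len(exports) - 1, 2)   # extra names add a little
    if regkey:
        score += 20 if exports else 10
    return {"exports": exports, "regkey": regkey, "resolver": resolver, "score": score}


# --- 2. Behavioral rule over an API trace ----------------------------------

# Assumed trace shape: "<iso-timestamp> pid=<n> <Api>(<args>)[ -> <ret>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) (?P<api>\w+)\((?P<args>.*)\)(?: -> (?P<ret>\S+))?$"
)
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess", "RtlExitUserProcess"}
WINE_NAME_RE = re.compile(r'"(wine_\w+)"')


def parse_trace(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # ignore lines not in the trace shape
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["pid"] = int(ev["pid"])
        events.append(ev)
    return events


def find_wine_probe_then_exit(lines, window=timedelta(seconds=2)):
    """Return (pid, export, resolved_ok, seconds_to_exit) per wine_* resolve.

    seconds_to_exit is None when the same pid does not exit within `window`;
    the bare resolve is still reported, since it is unusual outside
    Wine-aware software.
    """
    events = parse_trace(lines)
    alerts = []
    for i, ev in enumerate(events):
        if ev["api"] != "GetProcAddress":
            continue
        m = WINE_NAME_RE.search(ev["args"])
        if not m:
            continue
        resolved_ok = ev["ret"] not in (None, "0x0", "NULL")
        secs = None
        for later in events[i + 1:]:
            if later["pid"] != ev["pid"]:
                continue
            if later["ts"] - ev["ts"] > window:
                break
            if later["api"] in EXIT_APIS:
                secs = (later["ts"] - ev["ts"]).total_seconds()
                break
        alerts.append((ev["pid"], m.group(1), resolved_ok, secs))
    return alerts


# --- Constructed sample inputs (not real captures) -------------------------
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"GetProcAddress\x00GetModuleHandleW\x00KERNEL32.dll\x00"
    + b"wine_get_unix_file_name\x00wine_get_version\x00"
    + "Software\\Wine".encode("utf-16-le") + b"\x00\x00"
)
CLEAN_BLOB = b"MZ\x90\x00GetProcAddress\x00CreateFileW\x00KERNEL32.dll\x00"

SAMPLE_TRACE = [
    '2024-05-01T10:00:01.120 pid=1337 GetModuleHandleW("kernel32.dll") -> 0x7b400000',
    '2024-05-01T10:00:01.121 pid=1337 GetProcAddress(0x7b400000, "wine_get_unix_file_name") -> 0x7b41c2a0',
    '2024-05-01T10:00:01.122 pid=1337 GetProcAddress(0x7b400000, "CreateFileW") -> 0x7b41d100',
    '2024-05-01T10:00:01.130 pid=1337 ExitProcess(0)',
    '2024-05-01T10:00:05.000 pid=2048 GetProcAddress(0x7b400000, "wine_get_version") -> 0x0',
    '2024-05-01T10:00:09.000 pid=2048 ExitProcess(0)',   # 4 s later: outside the window
]

if __name__ == "__main__":
    print(scan_strings(SAMPLE_BLOB))
    print(scan_strings(CLEAN_BLOB))
    for alert in find_wine_probe_then_exit(SAMPLE_TRACE):
        print(alert)
```

The first trace process resolves wine_get_unix_file_name and exits nine milliseconds later, the pattern the rule is meant to catch; the second resolves wine_get_version, gets NULL (as it would on a real Windows host or a sandbox that hides the export) and exits four seconds later, so it is reported only as a bare resolve. Tune the window to your sandbox's typical run time before relying on the early-exit half of the rule.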