#ifdef

Delphi + Windows + isWine

Do you remember that show last summer? 😶

Well. These same guys recently launched their own "VirusTotal" analog and, obviously, their new service is very stupid and dangerous too:

But I suppose it's gaining popularity and/or is being actively promoted, because recently some clients (suffering from a special form of paranoia) started complaining: "VirusTotal" and "Hybrid Analysis" have started marking my signed (say "Hi" to CrowdStrike!) app as malicious:

As you can see, the problem is specifically with the "wine_get_version" string, which Delphi for some reason includes even in a completely empty EXE (to verify, you can create a new empty "VCL, 32-bit, Release" project without a single line of code):

Of course I reported this to CrowdStrike, but these guys definitely know how to make a problem out of nothing:

So... Any ideas why Delphi does this, and how to avoid it? I don't need the "IsWine" check from SysInit.pas, but I can't figure out how to disable it:

Yes, I know this string can be fixed in HEX, but I need a more reliable solution; I don't want to patch each of my files every release 🥲

The RTL looks for Wine as part of its check to know whether it can use the Win32 API to access TLS (thread local storage) data, instead of using direct access to the GS register.

Edited by Remy Lebeau
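
The Wine probe Remy describes, written out as an added illustration for this thread; it is not the SysInit.pas source, only a re-creation of the same idea. It shows why the literal "wine_get_version" must be present in every binary that performs the check: it is the export name handed to GetProcAddress, and Wine's ntdll exports that function (a real Windows ntdll does not).

```delphi
program WineProbe;
{$APPTYPE CONSOLE}

// Added illustration (not the Delphi RTL source) of the check discussed
// in this thread. The export-name literal below is the string that a
// string-only heuristic trips on, even though on its own it proves
// nothing about the program's intent.

uses
  Winapi.Windows, System.SysUtils;

type
  // Signature of Wine's ntdll export: const char *wine_get_version(void)
  TWineGetVersion = function: PAnsiChar; cdecl;

// Returns the export if we are running under Wine, nil on real Windows.
function WineGetVersionProc: TWineGetVersion;
var
  NtDll: HMODULE;
begin
  Result := nil;
  // ntdll is mapped into every process; no LoadLibrary needed.
  NtDll := GetModuleHandle('ntdll.dll');
  if NtDll <> 0 then
    Result := TWineGetVersion(GetProcAddress(NtDll, 'wine_get_version'));
end;

function IsRunningUnderWine: Boolean;
begin
  Result := Assigned(WineGetVersionProc);
end;

// Mirrors the decision Remy describes: under Wine the RTL prefers the
// documented TLS API over direct access to the thread register.
function DescribeTlsStrategy: string;
var
  GetVer: TWineGetVersion;
  Ver: PAnsiChar;
begin
  GetVer := WineGetVersionProc;
  if Assigned(GetVer) then
  begin
    Ver := GetVer; // call through the procedural variable
    Result := Format('Wine %s detected: use TlsGetValue/TlsSetValue', [string(Ver)]);
  end
  else
    Result := 'Native Windows: RTL may read the TLS slot directly';
end;

begin
  Writeln(DescribeTlsStrategy);
end.
```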

Ok, thank you.

And how can I permanently remove the "wine_get_version" string from my EXE? Because with this string CrowdStrike considers my EXE "malicious":

... but without this string (when I remove it in a HEX editor) it's just "suspicious".

I suspect that CrowdStrike has been reading others' blogs and set up a simple trigger for this string, thus shifting this burden from their head to mine, because Delphi adds this string to all EXEs by default 😞

Right now, I'm patching each file, but what if I want both to get rid of the string and to avoid patching the file each time?

Edited by #ifdef

I personally want my program to run on Wine. Seems like Crowdstrike is the problem.

Do you sign your executables?

3 hours ago, #ifdef said:

And how can I permanently remove the "wine_get_version" string from my EXE?

You can't, without patching the EXE or recompiling the RTL. Nor should you be doing so. You should be complaining to CrowdStrike instead. And code-signing your EXE.

Of course, my code is signed:

And it has always been signed:

And yes, I contacted CrowdStrike.

Everything is useless, that's why I'm here.

For the guys at CrowdStrike it doesn't matter how exactly the "wine_get_version" string is used — they hate the very fact of its presence, so by default they consider any executable file containing it to be "malicious". This is the root of the problem, but they don't see any problem with this approach and therefore have no intention of fixing it, they're completely fine with it 😑

Edited by #ifdef

Clients have a system for selecting the software they use: according to the rules and regulations, at the selection stage they are forced to give priority to software that is impeccable in terms of security. When selecting, they do not figure out whether the software is actually dangerous or not, the verdict of competent and proven online services is enough for them. If the online services unanimously recognize the file as safe, the software goes to the next stage, and so on. It's like a face control 🙂

These are their rules, I cannot change them. All that is required of me is simply to comply with them and provide code that 100% passes any security checks.

As is: [screenshot]

Should be: [screenshot]

In fact, the problem is idiotic, and it should not exist at all: CrowdStrike cannot even prove their false accusations (I asked what kind of danger this "wine_get_version" string carries and how exactly my application exploits it, but they, of course, ignored all my questions), but customers do not need any evidence from me — software from other providers successfully passes all checks, and my software is considered dangerous, and this is enough for any bureaucratic machine.

I would never trust a heuristic that considers a file version to be an IPv4 address, and moreover — considers "0.0.0.0" to be a valid IPv4 address:

But "the customer is always right" 🥲

Edited by #ifdef

Out of curiosity, I tried the CrowdStrike analyzer on the PyScripter setup program (signed). Whilst Falcon and MetaDefender gave a clean record, their Falcon Sandbox report gave a threat score of 100/100!

The report included the following:

This report has 268 indicators that were mapped to 106 attack techniques and 11 tactics
- Calls an API typically used to query local/system time as file time
- Reads configuration files (.ini files)
- Marks file for deletion
- Contains ability to load/free library (API string)
- Contains ability to modify registry key/value (API string)
- Contains ability to set file time (API string)

etc.

Microsoft's "MicrosoftEdgeWebview2Setup.exe" fails miserably as well.

I am not sure any real-world compiled program would pass all these tests. I don't think there is much to worry about here.

Edited by pyscripter
