How can I call Windows API functions from a Linux binary inside Windows Subsystem for Linux (WSL)? I am pretty sure there is no documented way to do so, but nevertheless it might be interesting to try.
I am interested in calling Win32 functions, or if that is not possible, at least Windows NT native APIs (Nt*, Zw*). The native APIs should be at the very least available, as the component that runs Linux processes (lxss) depends on these APIs.
It might be necessary to build a custom LoadLibrary-like function to load Windows DLLs. Another idea would be to search the process memory for known pieces of kernel functions (that is, their user-mode entry points).
Has anybody experimented with this and would like to share a solution?
This API is used in the early stages of Windows NT startup process, when other components and APIs are still unavailable. Therefore, a few Windows components, such as the Client/Server Runtime Subsystem (CSRSS), are implemented using the Native API.
The application cannot be run in Windows NT mode. Instead of WinMain or main, the entry point for native applications is NtProcessStartup. Also, unlike the other Win32 entry points, native applications must reach into a data structure passed as the sole parameter to locate their command-line arguments.
The Linux processes did not call Windows APIs themselves. The malware is using WSL to mask the attack, since many anti-malware tools do not scan WSL distros and their filesystems for malware.
Native system services routines make additional assumptions about the parameters that they receive. If a routine receives a pointer to a buffer that was allocated by a kernel-mode driver, the routine assumes that the buffer was allocated in system memory, not in user-mode memory.
In short, you can't.
The actual processes within which Linux processes run are not Win32 processes and are unable to load and execute Win32 user-mode code, nor are they able to invoke the standard Win32 NT kernel entry points.
For more info on the PicoProcess infrastructure employed by WSL, read this blog and/or watch the accompanying video.
If you do want to "call" Windows code from code running inside WSL, you might want to consider using some form of socket/messaging/RPC/REST calling technology wherein either or both ends of the relationship can listen for and respond to messages carried via some network socket or pipe.
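One concrete shape of the socket/RPC bridge the answer suggests, as an added example that is not part of the original answer or of WSL itself: a small helper process on the Windows side listens on a loopback TCP port, exposes a fixed allow-list of Win32 calls (here only `GetComputerNameW`, reached through Python's `ctypes`), and answers length-prefixed JSON requests; the WSL side connects and sends a request by name. The port, the frame format, the handler name `get_computer_name` and the function names are assumptions made for this example. On a non-Windows host the handler falls back to `socket.gethostname()` so the file also runs on Linux.

```python
import ctypes
import json
import socket
import struct
import sys
import threading

MAX_FRAME = 64 * 1024          # cap on one request/response body, in bytes
HEADER = struct.Struct("!I")   # 4-byte big-endian length prefix (assumed frame format)

# Windows-side handler. Only names listed in HANDLERS are reachable over the socket:
# a generic "call any export with these arguments" endpoint would hand every local
# client an arbitrary Win32 call primitive, so dispatch is strictly by name.
def get_computer_name():
    """GetComputerNameW through ctypes on Windows; hostname fallback elsewhere."""
    if sys.platform == "win32":
        kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
        buf = ctypes.create_unicode_buffer(256)
        size = ctypes.c_uint32(len(buf))          # in: buffer length, out: chars written
        if not kernel32.GetComputerNameW(buf, ctypes.byref(size)):
            raise OSError(ctypes.get_last_error(), "GetComputerNameW failed")
        return buf.value
    return socket.gethostname()

HANDLERS = {"get_computer_name": get_computer_name}   # hypothetical allow-list

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-frame")
        data += chunk
    return data

def send_frame(sock, obj):
    body = json.dumps(obj).encode("utf-8")
    if len(body) > MAX_FRAME:
        raise ValueError("frame too large")
    sock.sendall(HEADER.pack(len(body)) + body)

def recv_frame(sock):
    (length,) = HEADER.unpack(_recv_exact(sock, HEADER.size))
    if length > MAX_FRAME:                         # refuse before allocating the body
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, length).decode("utf-8"))

def handle_request(request):
    """Dispatch one decoded request; always returns a reply dict, never raises."""
    name = request.get("call") if isinstance(request, dict) else None
    handler = HANDLERS.get(name)
    if handler is None:
        return {"ok": False, "error": "unknown call: %r" % (name,)}
    try:
        return {"ok": True, "result": handler()}
    except Exception as exc:                       # report it, keep the bridge alive
        return {"ok": False, "error": str(exc)}

def serve_one(conn):
    with conn:
        try:
            reply = handle_request(recv_frame(conn))
        except (ValueError, ConnectionError) as exc:   # JSONDecodeError is a ValueError
            reply = {"ok": False, "error": "bad frame: %s" % exc}
        try:
            send_frame(conn, reply)
        except OSError:
            pass                                   # client went away; nothing to do

def start_server(host="127.0.0.1", port=0):        # loopback only by default
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, port))
    listener.listen(8)
    def loop():
        while True:
            try:
                conn, _ = listener.accept()
            except OSError:                        # listener closed: stop serving
                return
            serve_one(conn)
    threading.Thread(target=loop, daemon=True).start()
    return listener, listener.getsockname()[1]     # bound port, useful with port=0

def call_windows(name, host="127.0.0.1", port=5555, timeout=5.0):
    """WSL side: send one named request and return its result, raising on error."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        send_frame(sock, {"call": name})
        reply = recv_frame(sock)
    if not reply.get("ok"):
        raise RuntimeError(reply.get("error", "unknown error"))
    return reply["result"]

def roundtrip_demo():
    """Start a bridge on an ephemeral loopback port and exercise good and bad paths."""
    listener, port = start_server()
    out = {"name": call_windows("get_computer_name", port=port)}
    out["unknown_rejected"] = not handle_request({"call": "LoadLibraryW"})["ok"]
    with socket.create_connection(("127.0.0.1", port), timeout=5.0) as sock:
        sock.sendall(HEADER.pack(MAX_FRAME + 1))   # oversized length prefix only
        out["oversize_rejected"] = not recv_frame(sock)["ok"]
    listener.close()
    return out
```

Run the helper with `start_server()` on the Windows side and `call_windows("get_computer_name", host=..., port=...)` from the distro. On WSL1 the loopback interface is shared with Windows; on WSL2 the distro runs in its own VM and reaches the Windows host through the host's virtual network address rather than 127.0.0.1, so the server has to bind on that interface, which also means the bridge is no longer reachable only from the local machine and should carry its own authentication. Binding on loopback, dispatching by allow-listed name instead of by arbitrary DLL export and argument list, and capping the frame size before allocating are what keep this from turning into a generic Win32 call primitive for any process that can reach the port.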