 

Call Win32/NT-Native API from Windows Subsystem for Linux processes?

How can I call Windows API functions from a Linux binary inside Windows Subsystem for Linux (WSL)? I am pretty sure there is no documented way to do so, but nevertheless it might be interesting to try.

I am interested in calling Win32 functions, or if that is not possible, at least Windows NT native APIs (Nt*, Zw*). The native APIs should be at the very least available, as the component that runs Linux processes (lxss) depends on these APIs.

It might be necessary to build a custom LoadLibrary-like function to load Windows DLLs. Another idea would be to search the process memory for known pieces of kernel functions (that is, their user-mode entry points).

Has anybody experimented with this and would like to share a solution?

asked May 17 '16 20:05 by jdm




1 Answer

In short, you can't.

The actual processes within which Linux processes run are not Win32 processes and are unable to load and execute Win32 user-mode code, nor are they able to invoke the standard Win32 NT kernel entry points.

For more info on the PicoProcess infrastructure employed by WSL, read this blog and/or watch the accompanying video.

If you do want to "call" Windows code from code running inside WSL, you might want to consider using some form of socket/messaging/RPC/REST calling technology wherein either or both ends of the relationship can listen for and respond to messages carried via some network/socket/pipe.

answered Oct 14 '22 13:10 by Rich Turner
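The socket/RPC approach the answer recommends, as an added example that is not part of the original question or answer and not a documented WSL interface: a small length-prefixed JSON request/response bridge. The Windows side runs BridgeServer (under a Windows Python) and exposes an allowlist of Win32 calls through ctypes; the WSL side uses call(). Everything here (the BridgeServer/call/handle names, the METHODS allowlist, the method names, TOKEN, the framing) is this example's own design, and the shared TOKEN is assumed to be distributed out of band.

```python
"""Added example (not from the question or answer): a length-prefixed JSON
request/response bridge of the kind the answer suggests. Windows runs
BridgeServer and exposes an allowlist of Win32 calls via ctypes; WSL uses call().
All names here are this example's own, not a documented WSL interface."""
import ctypes, hmac, json, socket, struct, sys, threading

# Assumption: shared out of band (e.g. a file under /mnt/c readable by both sides).
# It is a credential: whoever holds it can invoke every entry in METHODS.
TOKEN = b"replace-me-with-a-random-secret"
MAX_FRAME = 1 << 16  # refuse oversized frames before buffering them


def _win_computer_name() -> str:
    """kernel32!GetComputerNameW through ctypes; only registered on Windows."""
    buf = ctypes.create_unicode_buffer(256)
    size = ctypes.c_uint32(len(buf))
    if not ctypes.windll.kernel32.GetComputerNameW(buf, ctypes.byref(size)):
        raise ctypes.WinError()
    return buf.value


# Allowlist: only these names are reachable remotely, and only with str/int args.
METHODS = {"echo": lambda s: str(s), "platform": lambda: sys.platform}
if sys.platform == "win32":
    METHODS["computer_name"] = _win_computer_name


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed mid-frame")
        buf += chunk
    return buf


def _send(sock, obj):
    data = json.dumps(obj).encode()
    sock.sendall(struct.pack("!I", len(data)) + data)  # 4-byte big-endian length prefix


def _recv(sock):
    (n,) = struct.unpack("!I", _recv_exact(sock, 4))
    if n > MAX_FRAME:
        raise ValueError("frame too large")
    return json.loads(_recv_exact(sock, n).decode())


def handle(req):
    """Validate one request and dispatch it; errors become replies, not crashes."""
    if not isinstance(req, dict):
        return {"error": "bad request"}
    tok = req.get("token")
    if not isinstance(tok, str) or not hmac.compare_digest(tok.encode(), TOKEN):
        return {"error": "unauthorized"}
    fn = METHODS.get(req.get("method"))
    if fn is None:
        return {"error": "unknown method"}
    args = req.get("args", [])
    if not isinstance(args, list) or not all(isinstance(a, (str, int)) for a in args):
        return {"error": "bad args"}
    try:
        return {"result": fn(*args)}
    except Exception as e:  # wrong arity, WinError, ...
        return {"error": f"{type(e).__name__}: {e}"}


class BridgeServer:
    """Windows-side listener: bind to loopback or the WSL vEthernet address, never 0.0.0.0."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket()
        self.sock.bind((host, port))
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._loop, daemon=True).start()

    def _loop(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.settimeout(5)
                try:
                    _send(conn, handle(_recv(conn)))
                except (ValueError, OSError):  # malformed frame, timeout, reset
                    pass

    def close(self):
        try:
            self.sock.shutdown(socket.SHUT_RDWR)  # wakes a blocked accept()
        except OSError:
            pass
        self.sock.close()


def call(host, port, method, *args, token=TOKEN):
    """WSL-side client: one request per connection; server-side errors are raised."""
    with socket.create_connection((host, port), timeout=5) as s:
        _send(s, {"token": token.decode(), "method": method, "args": list(args)})
        reply = _recv(s)
    if "error" in reply:
        raise RuntimeError(reply["error"])
    return reply["result"]
```

Addressing differs by WSL generation: WSL1 shares the host's network stack, so the WSL side can reach a Windows listener on 127.0.0.1; WSL2 is a VM with its own virtual NIC, so the Windows side must bind to its address on the WSL virtual adapter (the address WSL2 writes as the nameserver in /etc/resolv.conf by default) and the client connects to that. Whichever you use, a process like this is a gateway to arbitrary Win32 calls for anyone who can reach the port and knows the token, so keep the allowlist short and typed, never bind to all interfaces, and keep the Windows firewall rule scoped to the WSL adapter. The simplest instance of the pipe-based variant is WSL's own interop: launching a Windows executable such as powershell.exe from the Linux side and talking to it over stdin/stdout.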