9

How can I call Windows API functions from a Linux binary inside Windows Subsystem for Linux (WSL)? I am pretty sure there is no documented way to do so, but nevertheless it might be interesting to try.

I am interested in calling Win32 functions, or if that is not possible, at least Windows NT native APIs (Nt*, Zw*). The native APIs should be at the very least available, as the component that runs Linux processes (lxss) depends on these APIs.

It might be necessary to build a custom LoadLibrary-like function to load Windows DLLs. Another idea would be to search the process memory for known pieces of kernel functions (that is, their user-mode entry points).

Has anybody experimented with this and would like to share a solution?

Kappa
  • 1,015
  • 1
  • 16
  • 31
jdm
  • 9,470
  • 12
  • 58
  • 110
  • 1
    This presentation – https://github.com/ionescu007/lxss/blob/master/The%20Linux%20kernel%20hidden%20inside%20windows%2010.pdf – suggests (to me at least) that Linux processes are so-called pico processes that have no ntdll mapped to their address space. Also, all the system calls are handled by the pico process provider for WSL (I expect they just use a different system service dispatch table, so the NT syscalls are unreachable from userspace). – Martin Drab Sep 05 '16 at 17:27

1 Answer

7

In short, you can't.

The actual processes within which Linux processes run are not Win32 processes and are unable to load and execute Win32 user-mode code, nor are they able to invoke the standard Win32 NT kernel entry points.

For more info on the PicoProcess infrastructure employed by WSL, read this blog and/or watch the accompanying video.

If you do want to "call" Windows code from code running inside WSL, you might want to consider using some form of socket/messaging/RPC/REST calling technology wherein either or both ends of the relationship can listen for and respond to messages carried via some network/socket/pipe.

Rich Turner
  • 10,800
  • 1
  • 51
  • 68
  • I realize that this is an old question, but given Black Lotus Lab's recent find of malware that was compiled as a Debian ELF but called Windows APIs (https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/) are there any new sources that might explain how this is possible? – Rick Henderson Oct 14 '21 at 14:52
  • 1
    As per the post you reference, this is malware that uses WSL to invoke Python/PowerShell which run as Windows processes to carry out various attacks. The Linux processes did not call Windows APIs themselves. The malware is using WSL to mask the attack since many anti-malware tools do not scan WSL distros and their filesystems for malware. – Rich Turner Nov 02 '21 at 21:44
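The answer above recommends a socket/pipe bridge instead of a direct call, since the pico process cannot load Win32 code itself. What follows is an added example written for this page, not code from the question, the answer or any Microsoft project: a loopback TCP bridge in Python. The same file is started with `serve` under `python.exe` on the Windows side, where it uses `ctypes` to call two benign kernel32 exports (`GetTickCount64` and `GetComputerNameW`), and is run without arguments inside WSL as the client. Assumptions: the port number 48541 is arbitrary; the handler table, the one-JSON-line-per-connection protocol and the `MAX_LINE` bound are my own choices; and the WSL side can reach Windows at 127.0.0.1 (true for WSL 1, which shares the host's network stack, and for WSL 2 builds that forward localhost to the host; otherwise point `HOST` at the Windows host's address). The point the example makes that the answer does not is that a bridge like this is an RPC surface: only names in the handler table are callable, so a request for `NtCreateFile` is refused rather than forwarded.

```python
"""Loopback socket bridge: WSL client -> Windows python.exe server that calls Win32.

Added example, not from the original page. Assumed: port 48541, the handler
names, the one-line JSON protocol and that WSL can reach Windows on 127.0.0.1.
"""
import ctypes
import json
import socket
import sys
import threading

HOST = "127.0.0.1"   # loopback only: never expose this bridge on a routable interface
MAX_LINE = 4096      # upper bound on one request or reply line, in bytes


def windows_handlers():
    """Allowlisted Win32 calls; only built when running under python.exe on Windows."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetTickCount64.restype = ctypes.c_ulonglong
    k32.GetTickCount64.argtypes = []

    def computer_name():
        buf = ctypes.create_unicode_buffer(256)
        size = ctypes.c_uint32(len(buf))
        if not k32.GetComputerNameW(buf, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.value

    return {"GetTickCount64": k32.GetTickCount64, "GetComputerNameW": computer_name}


def recv_line(sock):
    """Read one newline-terminated line; return None on EOF or if it exceeds MAX_LINE."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1024)
        if not chunk:
            return None
        buf += chunk
        if len(buf) > MAX_LINE:
            return None
    return buf


def handle_line(raw, handlers):
    """Decode one request, dispatch it against the allowlist, return the reply dict."""
    try:
        req = json.loads(raw)
        name, args = req["method"], req.get("args", [])
    except (ValueError, KeyError, TypeError):
        return {"error": "malformed request"}
    if not isinstance(name, str) or name not in handlers:
        return {"error": f"method not allowed: {name!r}"}
    if not isinstance(args, list):
        return {"error": "args must be a JSON array"}
    try:
        return {"result": handlers[name](*args)}
    except Exception as exc:  # a failing call must not take the bridge down
        return {"error": f"{type(exc).__name__}: {exc}"}


def start_bridge(handlers, port=0):
    """Bind to loopback and serve one request per connection on a daemon thread.

    Returns (listening socket, bound port); port=0 lets the OS choose.
    """
    srv = socket.create_server((HOST, port))

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listening socket closed: shut down
                return
            with conn:
                line = recv_line(conn)
                if line is None:
                    reply = {"error": "empty or oversized request"}
                else:
                    reply = handle_line(line.decode("utf-8", "replace"), handlers)
                try:
                    payload = json.dumps(reply)
                except (TypeError, ValueError):
                    payload = json.dumps({"error": "result is not JSON-serialisable"})
                conn.sendall(payload.encode() + b"\n")

    threading.Thread(target=loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def call(port, method, args=(), timeout=5.0):
    """WSL side: send one request line to the bridge and return the decoded reply."""
    request = json.dumps({"method": method, "args": list(args)}).encode() + b"\n"
    if len(request) > MAX_LINE:
        raise ValueError("request too long")
    with socket.create_connection((HOST, port), timeout=timeout) as sock:
        sock.sendall(request)
        line = recv_line(sock)
    if line is None:
        raise ConnectionError("no reply from bridge")
    return json.loads(line)


if __name__ == "__main__":
    PORT = 48541  # assumed fixed port; nothing on the page specifies one
    if len(sys.argv) > 1 and sys.argv[1] == "serve":   # python.exe bridge.py serve
        start_bridge(windows_handlers(), PORT)
        print(f"bridge listening on {HOST}:{PORT}")
        threading.Event().wait()                        # block forever
    else:                                               # python3 bridge.py, inside WSL
        for name in ("GetTickCount64", "GetComputerNameW", "NtCreateFile"):
            print(name, "->", call(PORT, name))
```

Binding to loopback keeps the bridge off the network, but any local process, including one in another WSL distro, can still connect, so a real deployment should add authentication (a shared secret in each request, or a named pipe with an ACL) and should keep the handler table as small as the job allows; the allowlist is the only thing standing between a client and arbitrary Win32 execution.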