WSL(Windows Subsystem for Linux) hooking?

Posted: Fri Feb 14, 2020 7:54 am
by chaos072
Hi

Can I hook the file I/O APIs in WSL (Windows Subsystem for Linux)?

For example, when Ubuntu is installed on Windows 10 and the "ls" command is issued, I'd like to hook the file I/O APIs.

According to MSDN, the system calls on Linux are converted to the native Windows API by the lxss.sys and lxcore.sys drivers.

Is it possible with madCodeHook?

Thanks.

Re: WSL(Windows Subsystem for Linux) hooking?

Posted: Fri Feb 14, 2020 9:05 am
by madshi
If the Linux subsystem converts to native win32 APIs then yes, madCodeHook should be able to hook that, as well. That is, if DLL injection into the WSL works at all. But I assume it would. Never actually tested that, though.

Does the Linux subsystem support printing, and is that converted to Windows printers, as well? If so, you could check if this print monitor demo works to capture WSL printing, for example:

http://madshi.net/PrintMonitor.zip

(Please note that this demo is only signed with a conventional certificate, but not with an EV certificate, which means it might not support Windows 10 Secure Boot. So you may have to test on a VM with disabled Secure Boot to successfully run this demo.)