• Stars: 831
• Rank 54,863 (Top 2 %)
• Language: C++
• License: MIT License
• Created over 8 years ago
• Updated almost 6 years ago


Repository Details

Fun with the Windows Subsystem for Linux (WSL/LXSS)

lxss -- Fun with the Windows Subsystem for Linux (WSL/LXSS)

This repository is dedicated to research, code, and various studies of the Windows Subsystem for Linux, also known as Bash on Ubuntu on Windows, and LXSS. It contains a variety of Proof-of-Concept Win32 and Linux binaries, both in user-mode and kernel-mode, in order to interact with the various subsystem pieces. Namely, it demonstrates usage of the Win32 COM interface between Bash.exe and LxssManager, as well as of the ADSS Bus interface between init and LxssManager. For Redstone 2, it shows off some of the new interoperability features of the subsystem.

The PDF titled "The Linux Kernel hidden inside Windows 10" represents the BlackHat 2016 slides from my presentation, and a video is now available on Youtube at: https://www.youtube.com/watch?v=_p3RtkwstNk

If you would like to know more about my research or work, I invite you to check out my blog at http://www.alex-ionescu.com as well as my training & consulting company (Winsider Seminars & Solutions Inc.) at http://www.windows-internals.com.

Screenshots (three images, not reproduced here)

LxLaunch

LxLaunch is a simple launcher which either launches /usr/bin/python if no parameters are given to it, or launches the given ELF executable if an argument is entered. The binary launches as a child of the init daemon, under the current/default Lx instance. Additional command-line arguments can be entered for the ELF process, and further command-line arguments can be nested in quotes if the ELF binary launches its own sub-binary with additional command-line options. For example: lxlaunch.exe /bin/bash -c "ls -al"

LxServer

LxServer is a simple Win32 (x64) server that waits for connections over the ADSS Bus from a compatible LXSS client (such as lxclient), and launches (WinExec) any input received as long as it fits within MAX_PATH. If needed, it configures the registry to enable ADSS Bus usage from root LXSS binaries other than the init daemon (see presentation slides), after which an initial reboot will be required. Launch it with -v for verbose information.

LxClient

LxClient is a simple Linux (ELF) client that connects over the ADSS Bus to a compatible LXSS server (such as lxserver) and sends its command-line argument (expected to be a valid Win32 path to an executable, or other input that WinExec accepts) to the server. Launch it with -v following the Win32 path for verbose information.

LxExt

LxExt is an ld.so.preload extension for the init daemon, which creates a UNIX domain socket at /tmp/lxexec-socket and waits for connections. Once data is received, it passes it straight through to the lxserver ADSS server on the Win32 side. This removes the need to have the registry key set for ADSS Bus access.

Finally, you will need to add the following line to /etc/ld.so.preload so that lxext.so is loaded: /home/<username>/lxext.so, replacing <username> with your LX user name and running the editor as root.
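The ld.so.preload step above is the same mechanism a defender audits when hunting for libraries injected into every process on a box. The following is an added example, not code from the lxss repository: it parses ld.so.preload text the way the glibc loader reads it (entries separated by whitespace or ':', with '#' starting a comment) and reports every entry that does not live under a system library directory. The SAMPLE_PRELOAD text and the /home/alice path inside it are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of an /etc/ld.so.preload; not taken from any real system. */
static const char SAMPLE_PRELOAD[] =
    "# constructed sample\n"
    "/usr/lib/x86_64-linux-gnu/libsystem.so\n"
    "\n"
    "/home/alice/lxext.so\n";

/* An entry is "expected" only if it lives under a system library directory.
 * Anything else (home directories, /tmp, relative names) deserves review. */
static int is_system_path(const char *p) {
    return strncmp(p, "/lib/", 5) == 0 || strncmp(p, "/lib64/", 7) == 0 ||
           strncmp(p, "/usr/lib/", 9) == 0 || strncmp(p, "/usr/lib64/", 11) == 0;
}

static int is_separator(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == ':';
}

/* Tokenise ld.so.preload text and return how many entries fall outside the
 * system library directories; each such entry is printed for review. */
int count_foreign_preload(const char *text) {
    int foreign = 0;
    const char *p = text;
    while (*p) {
        if (*p == '#') {                      /* comment runs to end of line */
            while (*p && *p != '\n') p++;
            continue;
        }
        if (is_separator(*p)) { p++; continue; }
        const char *start = p;
        while (*p && !is_separator(*p) && *p != '#') p++;
        size_t len = (size_t)(p - start);
        char entry[4096];
        if (len >= sizeof(entry)) len = sizeof(entry) - 1;
        memcpy(entry, start, len);
        entry[len] = '\0';
        if (!is_system_path(entry)) {
            printf("preload entry outside system library dirs: %s\n", entry);
            foreign++;
        }
    }
    return foreign;
}

int main(void) {
    int n = count_foreign_preload(SAMPLE_PRELOAD);
    printf("%d entr%s worth reviewing\n", n, n == 1 ? "y" : "ies");
    return 0;
}
```

On a real host you would feed it the contents of /etc/ld.so.preload; an entry such as the /home/<username>/lxext.so line from the step above is exactly what it flags.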

LxExec

LxExec is a client for LxExt. It connects to the UNIX domain socket and sends its command line to it. Unlike lxclient, this does not require running as root. Run it as, for example, lxexec calc, making sure that lxserver is running on the Win32 side.
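The LxExt listener and the LxExec client are a plain UNIX domain socket pair, and as described any local process that can reach /tmp/lxexec-socket can hand a command to the Win32 side. The following added example (my own code, not from the lxss repository) shows the same exchange in miniature with two checks the description does not mention: the listener creates its socket node owner-only and uses SO_PEERCRED (Linux-specific) to refuse commands from a different uid, and it refuses anything that would not fit within MAX_PATH, mirroring the limit lxserver applies. The socket path, the MAX_CMD constant, the peer_cred struct (laid out like the kernel's ucred) and the roundtrip helpers are assumptions for the demonstration; a forked child plays the client role.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SO_PEERCRED
#define SO_PEERCRED 17            /* Linux generic value */
#endif

/* Mirror of Win32 MAX_PATH: lxserver only forwards input that fits in it. */
#define MAX_CMD 260

/* Same layout as the kernel's struct ucred returned by SO_PEERCRED. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Read one command from an accepted connection into buf. Returns its length,
 * or -1 when the peer runs as a different uid, when the input would not fit
 * within MAX_CMD, or on a socket error. */
int recv_command(int conn, char *buf, size_t len) {
    struct peer_cred cred;
    socklen_t clen = sizeof(cred);
    if (getsockopt(conn, SOL_SOCKET, SO_PEERCRED, &cred, &clen) < 0)
        return -1;
    if (cred.uid != getuid())
        return -1;                           /* another user: do not forward */
    size_t total = 0;
    ssize_t n;
    while ((n = read(conn, buf + total, len - 1 - total)) > 0) {
        total += (size_t)n;
        if (total == len - 1)
            return -1;                       /* would exceed MAX_CMD: refuse */
    }
    if (n < 0) return -1;
    buf[total] = '\0';
    return (int)total;
}

/* Demonstration round trip: the parent listens on a private socket path, a
 * forked child (the LxExec role) connects and sends cmd. Returns the length
 * the listener accepted, or -1 if it refused. */
int roundtrip(const char *cmd) {
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    snprintf(addr.sun_path, sizeof(addr.sun_path), "/tmp/lxexec-demo-%ld", (long)getpid());
    unlink(addr.sun_path);

    int srv = socket(AF_UNIX, SOCK_STREAM, 0);
    if (srv < 0) return -1;
    mode_t old = umask(077);                 /* owner-only socket node */
    int ok = bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0 && listen(srv, 1) == 0;
    umask(old);
    if (!ok) { close(srv); return -1; }

    pid_t pid = fork();
    if (pid < 0) { close(srv); unlink(addr.sun_path); return -1; }
    if (pid == 0) {                          /* child: the client side */
        int cli = socket(AF_UNIX, SOCK_STREAM, 0);
        if (cli >= 0 && connect(cli, (struct sockaddr *)&addr, sizeof(addr)) == 0) {
            ssize_t w = write(cli, cmd, strlen(cmd));
            (void)w;
        }
        _exit(0);
    }
    int conn = accept(srv, NULL, NULL);
    char buf[MAX_CMD];
    int result = conn < 0 ? -1 : recv_command(conn, buf, sizeof(buf));
    if (conn >= 0) close(conn);
    close(srv);
    unlink(addr.sun_path);
    waitpid(pid, NULL, 0);
    return result;
}

/* Same round trip with a command of n repeated 'a' characters, to probe
 * the length limit. */
int roundtrip_len(size_t n) {
    char *cmd = malloc(n + 1);
    if (!cmd) return -1;
    memset(cmd, 'a', n);
    cmd[n] = '\0';
    int r = roundtrip(cmd);
    free(cmd);
    return r;
}

int main(void) {
    printf("accepted %d bytes for \"calc\"\n", roundtrip("calc"));
    printf("oversized command -> %d\n", roundtrip_len(300));
    return 0;
}
```

The peer check is the important line: without it, the socket's file mode is the only thing standing between any local account and command execution on the Win32 side, and a world-accessible /tmp path offers none.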

LxDrv

LxDrv is a driver for the RS2 (Redstone 2) build of WSL. It interacts with the new "Minor Device" APIs and registers a new minor device of ID 0xBAD under Major ID 10, which is for miscellaneous devices in the Linux device tree (see devices.txt in the Linux source). After registering the device, it creates a /dev/lxdrv node and handles VFS open() commands toward it, creating a file which can then receive IOCTLs. One such IOCTL is implemented for PoC purposes for the moment. The driver shows how to interact with the exported APIs within LxCore.sys. Note that because it takes over the functionality provided by Lxss.sys, it must never be unloaded if you have running instances, or if you plan to run further instances. Once loaded, it can only be unloaded if no instances are running, and must be re-loaded before running another instance.

LxDrvCli

LxDrvCli is a very simple ELF process to demonstrate opening the /dev/lxdrv node and sending it the 0xBEEF IOCTL, printing out the result.

Lx

The Lx directory contains a number of WinDBG scripts to dump the current LX state. Copy them to your c:\lx directory, or create a directory symlink (mklink /d) to wherever you've copied them, then execute in WinDBG as follows: $$>< c:\lx\lx.wds

More Repositories

1. SimpleVisor (C, 1,607 stars): SimpleVisor is a simple, portable, Intel VT-x hypervisor with two specific goals: using the least amount of assembly code (10 lines), and having the smallest amount of VMX-related code to support dynamic hyperjacking and unhyperjacking (that is, virtualizing the host state from within the host). It works on Windows and UEFI.
2. SpecuCheck (C, 559 stars): SpecuCheck is a Windows utility for checking the state of the software mitigations and hardware against CVE-2017-5754 (Meltdown), CVE-2017-5715 (Spectre v2), CVE-2018-3260 (Foreshadow), and CVE-2018-3639 (Spectre v4).
3. VisualUefi (C, 444 stars): A project for allowing EDK-II development with Visual Studio.
4. winipt (C, 341 stars): The Windows Library for Intel Process Trace (WinIPT) is a project that leverages the new Intel Processor Trace functionality exposed by Windows 10 Redstone 5 (1809), through a set of libraries and a command-line tool.
5. minlzma (C, 332 stars): The Minimal LZMA (minlzma) project aims to provide a minimalistic, cross-platform, highly commented, standards-compliant C library (minlzlib) for decompressing LZMA2-encapsulated compressed data in LZMA format within an XZ container, as can be generated with Python 3.6, 7-zip, and xzutils.
6. faxhell (C, 317 stars): A bind shell using the Fax Service and a DLL hijack.
7. Simpleator (C++, 313 stars): Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
8. hdk (C, 209 stars): (unofficial) Hyper-V® Development Kit.
9. HookingNirvana (C, 205 stars): Recon 2015 presentation from Alex Ionescu.
10. PrintDemon (C, 196 stars): PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potential misuses of the functionality.
11. clfs-docs (143 stars): Unofficial Common Log File System (CLFS) documentation.
12. tpmtool (C++, 133 stars): The TpmTool utility is a simple cross-platform tool for accessing TPM2.0 Non-Volatile (NV) Spaces (Index Values) on compliant systems, with zero dependencies on any TPM2.0 stack. It provides the ability to enumerate, create, delete, query, and lock NV indices, as well as to read and write data stored in them.
13. wnfun (Python, 87 stars): WNF Utilities 4 Newbies (WNFUN).
14. hazmat5 (C++, 31 stars): Local OXID Resolver (LCLOR): research and tooling.
15. Blackwood-4NT (26 stars): Blackwood 4NT -- Grand Slam Authentication for Windows NT (10).
16. smctool (13 stars): SMC utility for Apple Macintosh computers.