How is Win/Dos syscalls implemented in Wine?
eric.pouech at wanadoo.fr
Sat Oct 26 11:01:31 CDT 2002
> Well for now there are not much Linux viruses around. It is possible to
> write an antivirus program (I have not heard of any yet) for Linux/Unix.
if antivirus check for a signature, it should find it. it would be more
difficult for polyforms virii of course.
As of today, I don't think that people willing to write virii for
(against) Linux would use wine as their insertion media
> there are antivirus programs for Windows. But how do you check for viruses
> that directly affects the Linux/Unix environment embedded
> within a Windows app? I believe running windows apps in wine should be
> trusted the same way as enabling java in a web browser.
there are some validity checks against the PE (file format). however,
doesn't provide a sandbox. intercepting linux syscalls isn't enough
you need also to prevent :
1/ read/write to wine memory (which would trigger some other nice side
2/ read/write of local files (which isn't allowed for java in web
browser by default...)
3/ know if a requested operation (syscall, win32 api call) is malicious
so wine will not protect users from windows programs
the best thing to do (see some recent discussion on wine-devel on this
topic) is to limit the part of the disk wine will be allowed to
> Has an int 0x80 any purpose in Windows environment?
under dos it sure has (don't have Ralf Brown list handy)
> > > Cant you fix this with ptrace?
> Are you really sure?
you will need to:
1/ know which part of memory is calling (wine DLLs vs program exec vs
loaded DLLs) [regular windows API must be allowed to call linux
2/ allow disallow the traps you want
3/ and because of the point 1 above, this will not be of any protection.
for example, look at the following scheme:
1/ get the address of the implementation of an API in wine
2/ call Win32 API to allow write access to this part of memory
3/ modify the code the make the linux syscall you want
4/ call in this API.
of course, you could in the ptrace code check for CRC of memory (or
calling page), but I wouldn't dare to use the final performance of such
if you have enough time to loose on this, feel free to do it
More information about the wine-users