
My understanding is that Wine directly executes the machine code contained in a PE executable. Assuming this is correct, what happens if the machine code contains a system call, which would obviously not be understood by Linux? Does Wine somehow intercept them? If so, how exactly does it work?

I tried to find the answer in Wine's source code, but found it daunting. I couldn't even find the place where the machine code is actually executed.

Nikolai
  • I'm pretty sure `system` calls are pretty rare in production applications, or at least those that one would want to run on Wine. – MooseBoys Apr 05 '16 at 17:51
  • Wine emulates the system calls, or more specifically the Windows API. That's essentially what Wine is, a Windows API emulator. Some Windows API functions can be implemented by calling an equivalent Linux API function (system call), but most are much more complicated than that. – Ross Ridge Apr 05 '16 at 19:51
  • I am pretty sure that the only Windows programs which make direct system calls are malware. Programs are supposed to go through the system DLLs to access the kernel. – Zan Lynx Apr 05 '16 at 20:12
  • Zan is right, there's no need to intercept anything, Wine just provides its own versions of the various system DLLs. Attempting to call into the Windows kernel directly is unsupported, and the kernel interface changes with each new version of Windows. – Harry Johnston Apr 05 '16 at 23:46
  • @HarryJohnston that would make sense, but it would be surprising considering how much legacy stuff Wine seems to support. Perhaps you have a reference for that? – Nikolai Apr 06 '16 at 06:20
  • Windows has always used system DLLs as the only supported API, so legacy applications aren't a problem in that respect - unless you mean DOS? – Harry Johnston Apr 06 '16 at 09:16
  • As the other commenters mention, Wine is primarily concerned with replacing calls to DLLs since that's how programs communicate with the kernel but there is a good question here which is, what does Wine do if it literally encounters an `INT` or `SYS*` opcode in the program binary? – Praxeolitic Dec 09 '16 at 05:31
  • @Praxeolitic, it handles ints in DOS vm mode: https://www.winehq.org/pipermail/wine-patches/2003-March/005485.html – osgx Mar 11 '17 at 09:42
  • Could someone explain how Wine implements Windows DLLs? I mean, ntdll for example, which is the core of all Windows DLLs, is not documented and has lots and lots of very obscure functions. How does Wine handle this? Looking into the machine code also is not a thing, since ntdll functions will make syscalls and syscalls are indeed not documented by Microsoft – felipeek Sep 05 '18 at 00:50
  • @felipeek Wine uses black-box testing and public documentation like the MSDN. NTDLL is partially documented, and some routines have documentation for their identical kernel equivalents. – Derek Lesho Sep 07 '18 at 16:13

0 Answers