Exetools (https://forum.exetools.com/index.php)
Thread: Debugging Windows ServiceDLL (https://forum.exetools.com/showthread.php?t=18748)

schrodyn 04-11-2018 04:56

Debugging Windows ServiceDLL
 
Hi,

I'm learning RE and I was trying to reverse a piece of malware that is a DLL and expects to run as a service. It exports ServiceMain and expects to be run as a service so I would like to perform some dynamic analysis on it while it's running as a service.

Some attempts I made to just use rundll32 malware.dll,MainExport failed so I'd prefer to now run it as a service and try again. However, I'm not sure how to approach this.

I have read (Inside Windows Debugging) about installing a service and using gflags to configure a debugger / command to launch when - for example, "MyService.exe" runs. However, in my case I am running "svchost.exe -k groupname" and setting ServiceDLL in the registry to the "malware.dll".

I tried using gflags to run x64dbg (it's a 64-bit sample), but I ran into another issue. So, my questions to the community are:
  1. How do other people approach debugging Windows Services?
  2. Has anyone tried to use gflags to launch x64dbg for debugging Windows services?

fqjp 04-20-2018 13:25

https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-a-service-application


If your service is running on Windows Vista or a later version of Windows, there is one restriction on how these choices can be combined. If you want to debug from the beginning of the service startup, or from the time that an exception is encountered, you must use either remote debugging or kernel-controlled user-mode debugging.

In other words, on Windows Vista and later, you cannot use local debugging unless you plan to attach the debugger manually after the service is already running. This restriction results from the fact that in these versions of Windows, services run in session 0, and any debugger that is automatically launched and attached to the service is also in session 0, and does not have a user interface on the computer that the service is running on.

Archer 04-20-2018 17:30

One of the ways to debug a service is to patch code being executed to "eb fe" - infinite loop and then attach with a debugger. But if you do it before the service responded to service manager, you'll be running against the timeout as services not responded within the timeout are killed. So either patch it after the response or do something about the timeout.

schrodyn 04-26-2018 02:15

Quote:

Originally Posted by Archer (Post 113080)
One of the ways to debug a service is to patch code being executed to "eb fe" - infinite loop and then attach with a debugger. But if you do it before the service responded to service manager, you'll be running against the timeout as services not responded within the timeout are killed. So either patch it after the response or do something about the timeout.

Thanks Archer. Yes, it's common to alter the timeout to 24 hours when debugging services. Patching into a loop also means I can probably attach another debugger other than WinDBG to it. My intention was probably to start the service with cdb, attach with WinDBG and immobilise the service DLL so that I could switch debugger to x64dbg. Or I can suck it up and use WinDBG ;)

Thanks for the responses folks. Looks like WinDBG is the only way, starting out at least. Coincidentally someone just publicised a blog post on debugging Windows services.

hxxps://secrary.com/Random/WindowsServiceDebugging/

I've made a lot of notes recently and I was planning a blog post myself on the subject. When it's complete I will post here.

schrodyn 05-04-2018 23:13

As promised.

hxxps://musings.konundrum.org/2018/05/03/debugging-windows-services.html

Appreciate feedback and comments. Hope it helps someone though.

zen 09-10-2022 21:12

Old thread but I was looking at a service and using the method of replacing bytes at entrypoint with a loop (EB FE) and I extended service timeout with this registry mod. I searched the forum here and didn't see reference to it so if this is duplicate I blame the search function :)

.reg file to apply then reboot
Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"ServicesPipeTimeout"=dword:ffffffff

Load service exe, replace first two bytes with ebfe, start service, attach with x64dbg or x32dbg as appropriate, pause or set breakpoints, restore original bytes, proceed ..
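
An added example (not code from the thread or from any of the posters) implementing the "replace the first two bytes with EB FE" step from this post. It parses the PE headers, maps the entry-point RVA (or an RVA you pass in yourself) to a raw file offset, writes the two-byte jump-to-self and keeps the original bytes so they can be put back once the debugger is attached. For a svchost-hosted ServiceDLL the DLL's entry point is DllMain, which runs under the loader lock, so there you would pass the RVA of the exported ServiceMain (read from your disassembler's export list) rather than use the default. The PE skeleton it runs on is constructed inline and is not a real binary; all function names are my own.

```python
import struct
import sys

# "jmp $" (EB FE): the two-byte infinite loop the thread uses to park the
# service thread until a debugger is attached.
JMP_SELF = b"\xeb\xfe"


def _pe_header_offset(data):
    """Return the file offset of the 'PE\\0\\0' signature, checking MZ/PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew


def entry_point_rva(data):
    """AddressOfEntryPoint sits 16 bytes into the optional header (PE32 and PE32+)."""
    pe = _pe_header_offset(data)
    return struct.unpack_from("<I", data, pe + 24 + 16)[0]


def rva_to_file_offset(data, rva):
    """Map an RVA to a raw file offset by walking the section table."""
    pe = _pe_header_offset(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]    # COFF NumberOfSections
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]       # COFF SizeOfOptionalHeader
    sect = pe + 24 + size_opt                                   # first IMAGE_SECTION_HEADER
    for _ in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, sect + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return rva - vaddr + rawptr
        sect += 40
    raise ValueError("RVA %#x is not inside any section" % rva)


def patch_jmp_self(data, rva=None):
    """Overwrite two bytes at `rva` (default: the entry point) with EB FE.

    Returns (patched_image, original_two_bytes, file_offset); keep the last two
    so restore_bytes() can undo the patch after attaching.
    """
    if rva is None:
        rva = entry_point_rva(data)
    off = rva_to_file_offset(data, rva)
    original = data[off:off + 2]
    patched = data[:off] + JMP_SELF + data[off + 2:]
    return patched, original, off


def restore_bytes(data, original, off):
    """Put the saved bytes back at `off` (the inverse of patch_jmp_self)."""
    return data[:off] + original + data[off + len(original):]


def build_minimal_pe():
    """Constructed sample (hypothetical, not a real binary): a 64-bit PE skeleton
    with one .text section whose entry point (RVA 0x1000, file offset 0x200)
    begins with 'sub rsp, 0x28' (48 83 EC 28)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)    # x64, 1 section, PE32+
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200,
                          0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = b"\x48\x83\xec\x28".ljust(0x200, b"\0")
    return headers + text


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Real use: write a patched copy next to the input and print what to restore.
        image = open(sys.argv[1], "rb").read()
        patched, original, off = patch_jmp_self(image)
        open(sys.argv[1] + ".ebfe", "wb").write(patched)
        print("patched file offset %#x, original bytes %s" % (off, original.hex()))
    else:
        image = build_minimal_pe()
        patched, original, off = patch_jmp_self(image)
        print("offset %#x: %s -> %s" % (off, original.hex(), patched[off:off + 2].hex()))
        assert restore_bytes(patched, original, off) == image
```

Run it with a path to get a `.ebfe` copy of the binary and the two bytes you must restore (in the debugger, after attaching) before letting the service continue; with the ServicesPipeTimeout change from the .reg above, the service manager will not kill the parked process while you do that.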

Stingered 09-11-2022 01:38

Quote:

Originally Posted by schrodyn (Post 113208)
As promised.

hxxps://musings.konundrum.org/2018/05/03/debugging-windows-services.html

Appreciate feedback and comments. Hope it helps someone though.

404 error using "HTTPS"

atom0s 09-11-2022 04:32

WayBackMachine has that page archived:
https://web.archive.org/web/20201128212614/https://musings.konundrum.org/2018/05/03/debugging-windows-services.html
