04-11-2018, 04:56
schrodyn
Debugging Windows ServiceDLL

Hi,

I'm learning RE and I was trying to reverse a piece of malware that is a DLL and expects to run as a service. It exports ServiceMain and expects to be run as a service so I would like to perform some dynamic analysis on it while it's running as a service.

Some attempts I made to just use rundll32 malware.dll,MainExport failed so I'd prefer to now run it as a service and try again. However, I'm not sure how to approach this.

I have read (Inside Windows Debugging) about installing a service and using gflags to configure a debugger / command to launch when, for example, "MyService.exe" runs. However, in my case I am running "svchost.exe -k groupname" and setting ServiceDLL in the registry to the "malware.dll".

I tried using gflags to run x64dbg (it's a 64-bit sample), but I ran into another issue. So, my questions to the community are:
  1. How do other people approach debugging Windows Services?
  2. Has anyone tried to use gflags to launch x64dbg for debugging Windows services?