Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-11-2018, 04:56
schrodyn schrodyn is offline
Friend
 
Join Date: Dec 2016
Posts: 22
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 154
Thanks Rcvd at 27 Times in 11 Posts
schrodyn Reputation: 0
Question Debugging Windows ServiceDLL

Hi,

I'm learning RE and I was trying to reverse a piece of malware that is a DLL and expects to run as a service. It exports ServiceMain and expects to be run as a service so I would like to perform some dynamic analysis on it while it's running as a service.

Some attempts I made to just use rundll32 malware.dll,MainExport failed so I'd prefer to now run it as a service and try again. However, I'm not sure how to approach this.

I have read (Inside Windows Debugging) about installing a service and using gflags to configure a debugger / command to launch when - for example, "MyService.exe" runs. However, in my case I am running "svchost.exe -k groupname" and setting ServiceDLL in the registry to the "malware.dll".

I tried using gflags to run x64dbg (it's a 64-bit sample), but I ran into another issue. So, my questions to the community are:
  1. How do other people approach debugging Windows Services?
  2. Has any tried to use gflags to launch x64dbg for debugging Windows services?
Reply With Quote
  #2  
Old 04-20-2018, 13:25
fqjp fqjp is offline
Friend
 
Join Date: Apr 2011
Posts: 37
Rept. Given: 1
Rept. Rcvd 2 Times in 1 Post
Thanks Given: 0
Thanks Rcvd at 31 Times in 16 Posts
fqjp Reputation: 2
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-a-service-application


If your service is running on Windows Vista or a later version of Windows, there is one restriction on how these choices can be combined. If you want to debug from the beginning of the service startup, or from the time that an exception is encountered, you must use either remote debugging or kernel-controlled user-mode debugging.

In other words, on Windows Vista and later, you cannot use local debugging unless you plan to attach the debugger manually after the service is already running. This restriction results from the fact that in these versions of Windows, services run in session 0, and any debugger that is automatically launched and attached to the service is also in session 0, and does not have a user interface on the computer that the service is running on.
Reply With Quote
The Following 3 Users Say Thank You to fqjp For This Useful Post:
ccsoup (09-11-2022), schrodyn (04-23-2018), sh3dow (05-05-2018)
  #3  
Old 04-20-2018, 17:30
Archer's Avatar
Archer Archer is offline
retired
 
Join Date: Aug 2005
Posts: 232
Rept. Given: 1
Rept. Rcvd 46 Times in 19 Posts
Thanks Given: 3
Thanks Rcvd at 382 Times in 53 Posts
Archer Reputation: 46
One of the ways to debug a service is to patch code being executed to "eb fe" - infinite loop and then attach with a debugger. But if you do it before the service responded to service manager, you'll be running against the timeout as services not responded within the timeout are killed. So either patch it after the response or do something about the timeout.
Reply With Quote
The Following 2 Users Say Thank You to Archer For This Useful Post:
schrodyn (04-23-2018), tonyweb (04-26-2018)
  #4  
Old 04-26-2018, 02:15
schrodyn schrodyn is offline
Friend
 
Join Date: Dec 2016
Posts: 22
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 154
Thanks Rcvd at 27 Times in 11 Posts
schrodyn Reputation: 0
Quote:
Originally Posted by Archer View Post
One of the ways to debug a service is to patch code being executed to "eb fe" - infinite loop and then attach with a debugger. But if you do it before the service responded to service manager, you'll be running against the timeout as services not responded within the timeout are killed. So either patch it after the response or do something about the timeout.
Thanks Archer. Yes, it's common to alter the timeout to 24 hours when debugging services. Patching into a loop also means I can probably attach another debugger other than WinDBG to it. My intention was probably to start the service with cdb, attach with WinDBG and immobalise the service DLL so that I could switch debugger to x64dbg. Or I can suck it up and use WinDBG

Thanks for the responses folks. Looks like WinDBG is the only way, starting out at least. Coincidentally someone just publicised a blog post on debugging Windows services.

hxxps://secrary.com/Random/WindowsServiceDebugging/

I've made a lot of notes recently and I was planning a blog post myself on the subject. When it's complete I will post here.
Reply With Quote
The Following 2 Users Say Thank You to schrodyn For This Useful Post:
niculaita (05-05-2018), tonyweb (04-26-2018)
  #5  
Old 05-04-2018, 23:13
schrodyn schrodyn is offline
Friend
 
Join Date: Dec 2016
Posts: 22
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 154
Thanks Rcvd at 27 Times in 11 Posts
schrodyn Reputation: 0
As promised.

hxxps://musings.konundrum.org/2018/05/03/debugging-windows-services.html

Appreciate feedback and comments. Hope it helps someone though.
Reply With Quote
The Following 2 Users Say Thank You to schrodyn For This Useful Post:
niculaita (05-05-2018), tonyweb (05-05-2018)
  #6  
Old 09-10-2022, 21:12
zen zen is offline
Friend
 
Join Date: Aug 2022
Posts: 6
Rept. Given: 0
Rept. Rcvd 0 Times in 0 Posts
Thanks Given: 8
Thanks Rcvd at 18 Times in 7 Posts
zen Reputation: 0
Old thread but I was looking at a service and using the method of replacing bytes at entrypoint with a loop (EB FE) and I extended service timeout with this registry mod. I searched the forum here and didn't see reference to it so if this is duplicate I blame the search function

.reg file to apply then reboot
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"ServicesPipeTimeout"=dword:ffffffff
Load service exe, replace first two bytes with ebfe, start service, attach with x64dbg or x32dbg as appropriate, pause or set breakpoints, restore original bytes, proceed ..
Reply With Quote
The Following 2 Users Say Thank You to zen For This Useful Post:
Dr.FarFar (09-10-2022), niculaita (09-11-2022)
  #7  
Old 09-11-2022, 01:38
Stingered Stingered is offline
Friend
 
Join Date: Dec 2017
Posts: 196
Rept. Given: 0
Rept. Rcvd 1 Time in 1 Post
Thanks Given: 247
Thanks Rcvd at 138 Times in 67 Posts
Stingered Reputation: 2
Quote:
Originally Posted by schrodyn View Post
As promised.

hxxps://musings.konundrum.org/2018/05/03/debugging-windows-services.html

Appreciate feedback and comments. Hope it helps someone though.
404 error using "HTTPS"
Reply With Quote
  #8  
Old 09-11-2022, 04:32
atom0s's Avatar
atom0s atom0s is offline
Family
 
Join Date: Jan 2015
Location: 127.0.0.1
Posts: 371
Rept. Given: 26
Rept. Rcvd 114 Times in 58 Posts
Thanks Given: 54
Thanks Rcvd at 656 Times in 259 Posts
atom0s Reputation: 100-199 atom0s Reputation: 100-199
WayBackMachine has that page archived:
https://web.archive.org/web/20201128212614/https://musings.konundrum.org/2018/05/03/debugging-windows-services.html
__________________
Personal Projects Site: https://atom0s.com
Reply With Quote
The Following User Says Thank You to atom0s For This Useful Post:
Stingered (09-11-2022)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 06:45.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )