#1
Debugging Windows ServiceDLL
Hi,
I'm learning RE and I was trying to reverse a piece of malware that is a DLL and expects to run as a service. It exports ServiceMain and expects to be run as a service so I would like to perform some dynamic analysis on it while it's running as a service. Some attempts I made to just use rundll32 malware.dll,MainExport failed so I'd prefer to now run it as a service and try again. However, I'm not sure how to approach this. I have read (Inside Windows Debugging) about installing a service and using gflags to configure a debugger / command to launch when - for example, "MyService.exe" runs. However, in my case I am running "svchost.exe -k groupname" and setting ServiceDLL in the registry to the "malware.dll". I tried using gflags to run x64dbg (it's a 64-bit sample), but I ran into another issue. So, my questions to the community are:
#2
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugging-a-service-application
If your service is running on Windows Vista or a later version of Windows, there is one restriction on how these choices can be combined. If you want to debug from the beginning of the service startup, or from the time that an exception is encountered, you must use either remote debugging or kernel-controlled user-mode debugging. In other words, on Windows Vista and later, you cannot use local debugging unless you plan to attach the debugger manually after the service is already running. This restriction results from the fact that in these versions of Windows, services run in session 0, and any debugger that is automatically launched and attached to the service is also in session 0, and does not have a user interface on the computer that the service is running on.
#3
One of the ways to debug a service is to patch the code being executed to "eb fe" (an infinite loop) and then attach with a debugger. But if you do it before the service has responded to the service manager, you'll be running against the timeout, as services that have not responded within the timeout are killed. So either patch it after the response or do something about the timeout.
#4
Thanks for the responses folks. Looks like WinDBG is the only way, starting out at least. Coincidentally someone just publicised a blog post on debugging Windows services. hxxps://secrary.com/Random/WindowsServiceDebugging/ I've made a lot of notes recently and I was planning a blog post myself on the subject. When it's complete I will post here.
#5
As promised.
hxxps://musings.konundrum.org/2018/05/03/debugging-windows-services.html Appreciate feedback and comments. Hope it helps someone though.
#6
404 error using "HTTPS"
#7
Old thread, but I was looking at a service and using the method of replacing bytes at the entrypoint with a loop (EB FE), and I extended the service timeout with this registry mod. I searched the forum here and didn't see a reference to it, so if this is a duplicate I blame the search function.
.reg file to apply, then reboot.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"ServicesPipeTimeout"=dword:ffffffff
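An added example (not code from any poster in this thread) of the entrypoint patch described in #3 and #7, in Python: it walks the PE headers to map AddressOfEntryPoint to a file offset, writes EB FE there and keeps the two original bytes so they can be written back once the debugger is attached. The sample image is a constructed minimal PE32+ stub, not a real binary; because the patched DLL never reports to the service manager, the ServicesPipeTimeout change above is what keeps the SCM from killing it while you attach.

```python
import struct

INFINITE_LOOP = b"\xEB\xFE"  # x86/x64 "jmp $": spins in place until a debugger rewrites it

def parse_pe(data: bytes):
    """Return (entry_rva, sections) from an on-disk PE image; sections is a list of
    (VirtualAddress, SizeOfRawData, PointerToRawData) tuples."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt = coff + 20                                               # optional header follows the 20-byte COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    first_sec = opt + struct.unpack_from("<H", data, coff + 16)[0]  # skip SizeOfOptionalHeader
    sections = [struct.unpack_from("<III", data, first_sec + i * 40 + 12) for i in range(num_sections)]
    return entry_rva, sections

def rva_to_offset(rva: int, sections) -> int:
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by file data")

def patch_entry_with_loop(data: bytes):
    """Overwrite the two bytes at the entry point with EB FE; returns (patched, original_bytes, offset)."""
    entry_rva, sections = parse_pe(data)
    off = rva_to_offset(entry_rva, sections)
    patched = bytearray(data)
    original = bytes(patched[off:off + 2])
    patched[off:off + 2] = INFINITE_LOOP
    return bytes(patched), original, off

def restore_entry(patched: bytes, original: bytes, off: int) -> bytes:
    """Put the saved bytes back (on disk here; in the debugger you write them back in memory)."""
    img = bytearray(patched)
    img[off:off + len(original)] = original
    return bytes(img)

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image (not a real binary): one section, entry RVA 0x1010."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 0xF0, 0x2022)  # COFF header, 1 section
    struct.pack_into("<H", img, 0x58, 0x20B)                      # optional header Magic: PE32+
    struct.pack_into("<I", img, 0x58 + 16, 0x1010)                # AddressOfEntryPoint
    struct.pack_into("<IIII", img, 0x150, 0x100, 0x1000, 0x200, 0x200)  # VirtualSize, VA, RawSize, RawPtr
    img[0x210:0x214] = b"\x48\x83\xEC\x28"                        # sub rsp, 0x28: stand-in for the real prologue
    return bytes(img)
```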
#8
WayBackMachine has that page archived:
https://web.archive.org/web/20201128212614/https://musings.konundrum.org/2018/05/03/debugging-windows-services.html
__________________
Personal Projects Site: https://atom0s.com