Debugging Windows Services For Malware Analysis / Reverse Engineering4 minutes read
A service, also known as a Windows service, is a user-mode process designed to be started by Windows without human interaction. It is started automatically at system boot, or by an application that uses the service functions included in the Win32 API. A service can also be started by a human user through the Services control panel utility. Every service must conform to the interface rules of the service control manager (SCM). - MSDN
Windows Vista era services were ordinary processes on the same session. After
Windows Vista and later everything else, except services, was moved out of
Session 0. In general, executables from
Session 0 don’t communicate with our desktop session -
Session 1. This makes it hard to debug them.
Unlike a normal application, we cannot start a service by entering its name on the command line, or by calling
CreateProcess. Instead, we need to rely on the
Service Control Manager to start and stop the process.
NOTE: I assume we don't have access to the source code of the service application
service control manager starts a service process, it waits for the process to call the
StartServiceCtrlDispatcher function, if we run a service executable from any other context we will get
- How can we debug a service?
We can start a service and attach a debugger such as
- What if we need to a debug the beginning of a process execution?
To run a debugger before a process execution we need to create a key under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProgramName registry key or use
GFlags (the Global Flags Editor) and set a debugger.
We cannot use
WinDbg directly due to a service and
WinDbg execute at
session 0 and we cannot see
WinDbg UI from
session 1, but we can use
NTSD as the server debugger on
session 0 and
session 1 as the client debugger.
There is an important registry value under
The significance of this value is that a clock starts to run when each service is launched, and when the timeout value is reached, any debugger attached to the service is terminated. Therefore, the value you choose should be longer than the total amount of time that elapses between the launching of the service and the completion of your debugging session... For example, a value of 60,000 is one minute, while a value of 86,400,000 is 24 hours. When this registry value is not set, the default timeout is about thirty seconds... - MSDN
We need to reboot the system after changing the value.
After that, run
WinDbg with the following commands:
.\windbg.exe -remote tcp:server=localhost,port=55555.
We can add a breakpoint at the entry point of a sample by adding
AddressOfEntryPoint to start the address of the loaded executable:
That’s all, we are at the entry point.
Any feedback would be greatly appreciated. @_qaz_qaz
Discuss on Reddit