Jump to content











Photo

Is it possible to modify the services. EXE program of Winpe10 V1809?

winpe modify services.exe

  • Please log in to reply
35 replies to this topic

#26 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 25 November 2018 - 08:59 PM

Hello slore,

I confirm, with windbg i modify the string in "services.exe". After i connect my smartphone. I see it in "explorer". I also see my SD-Card inserted in  the reader.

 

My first context : my "winpe". It needs many modifications. I don't identify all keys nor files. Too difficult in the short time. So no WDP/MTP is this contexte at this time

My second context : my winpe FullFlat ( build from an full installation of windows10 and with somme modifications, some keys and replace some files ). WPD/MTP is ok, no modif.

 

In the link https://1drv.ms/f/s!...3bQJ6LgRVwUAjD_ you can see 3 pictures for my "winpe" ( WPD/MTP KO ) and one picture for my "FullFlat" ( WPD/MTP OK )

My SD-Card is named "winpe" and my smartphone is named "Alcatel pop C2"

 

I'll search all missing elements ( key and files ) to add in winpe only when i can use services.exe without windbg ( i compare into my two contextes )


Edited by noel, 25 November 2018 - 09:00 PM.


#27 slore

slore

    Member

  • Members
  • 51 posts
  •  
    China

Posted 26 November 2018 - 12:29 AM

Hi,

I can't see the pic, but I kown it works from your words.  :good job:

Now, next is how to make the services.exe init WUDF.

 

 

>Ps: can you confirm that procexp can't see dlls loaded by "services.exe" (handles are visible)?

 

procexp can't see any dlls. also tasklist.exe.



#28 slore

slore

    Member

  • Members
  • 51 posts
  •  
    China

Posted 26 November 2018 - 06:22 AM

Hi,

I use native reg delete the MiniNT key in native shell.

and got BSOD later.

So I use the made hook.dll to call RegCreateKey after winlogon.exe loaded.

 

and go into PE now.

 

But I can't confirm if MTP is working, because my base PE is just winre.wim.

 

I can't upload files now, I will send you later. You can check if this way can skip the check without windbg.



#29 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 26 November 2018 - 09:08 AM

Hi,

 

> But I can't confirm if MTP is working,...

With "winobj" or with" procexp", if you can see( in  "handles" ) the ALPC port "ProcessManagement" under "UMDFCommunicationPorts\UMDF" then it's OK !

The first action doing by Services.exe is to initialize this ALPC port.

 

I'm anxious to figure out how to implement your hook.

The key "bootExecute" seems to me to be a good start. But identifying the right process during the call is complicated for me who am not a good programmer

 

PS : I play with "native.exe" ( i find it  here ), but keybord is not responding in my VM



#30 slore

slore

    Member

  • Members
  • 51 posts
  •  
    China

Posted 26 November 2018 - 01:23 PM

hook the RegOpenKey API is complicated, but now is just create key.

 

hook.dll

#include<windows.h>


int ReCreateMiniNT() {
    TCHAR szFileName[MAX_PATH] = {0};
    GetModuleFileName(NULL, szFileName, MAX_PATH);
    if (wcsncmp(szFileName, L"X:\\windows\\system32\\winlogon.exe", 32) == 0) {
        HKEY dmy;
        RegCreateKey(HKEY_LOCAL_MACHINE, L"SYSTEM\\ControlSet001\\Control\\MiniNT", &dmy);
    }
    return 0;
}




BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved
)
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH:
        ReCreateMiniNT();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_PROCESS_DETACH:
    case DLL_THREAD_DETACH:
        break;
    }
    return TRUE;
}

I can't upload here, I put a WimBuilder2 patch for this in WimBuilder2 topic other site.

and as you can input in native shell, I upload a native reg.exe for you,

It will directly remove the MiniNT key beforce services.exe, winlogon.exe loaded.

 

I can't see ALPC port "ProcessManagement" with origin winre.wim + my MTP(native,hook) batch patch.

maybe I need add WUDF*sys,*dlls, and the services registy entry.

 

 

the upload attach files url is sent, please check your email.


Edited by slore, 26 November 2018 - 01:49 PM.


#31 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 01 December 2018 - 09:09 AM

Hi,

@slore : Thank you very much.

 

NativeShell and also "ncmd" are 32 bits. For the fun, i try to make a 64s bit version.

A this time, with VisualStudio 2017 community, i can create "native_64.exe" with subsystem "native". Because i new in the developpement domain, i meet many issues with "includes" and "librairies". The actual final "debug" version is made by VS. When winpe boot, i receive an error in windbg "DLL Initialization Failed". Before that error, it need to put to dll in "systeme32" : ucrtbased.dll and vcruntime140d.dll. 

At this time, i can't identify which dll can't be initialized.

Question : These two dll are "autorized" in "native application" context ?

 

About the modification of the key "minint" :

"bootExecute" launchs the program (nreg...) before winlogon is launched.

The sequence i see in windbg is : "system", "smss", "native nreg".....winlogon.....service.

So, i think the hook is a better way but i must verify when the hook dll is loaded.

 

I make a pause a few days ...



#32 slore

slore

    Member

  • Members
  • 51 posts
  •  
    China

Posted 01 December 2018 - 02:42 PM

Hi, noel

 

>When winpe boot, i receive an error in windbg "DLL Initialization Failed". Before that error, it need to put to dll in "systeme32" : ucrtbased.dll and vcruntime140d.dll. 

At this time, i can't identify which dll can't be initialized.
Question : These two dll are "autorized" in "native application" context ?
 
Project->Property->C/C++->Code Generation->RunTime Library
/MD -> /MT   (Release)
/MDd -> /MTd (Debug)
 
to compile the libraries to the exe file, it's size will be large, but it will run without xxx.dll in system.
 
>So, i think the hook is a better way but i must verify when the hook dll is loaded.
 
winlogon.exe started, it will load the hook.dll.
 
actually, my hook have a test log for record the load exe before call ReCreateMiniNT():
 
int LoadedLog() {
    if (!hFile) {
        hFile = CreateFile(L"X:\\hook.dat", FILE_APPEND_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    }
    if (szFileName[0] == TEXT('\0')) GetModuleFileName(NULL, szFileName, MAX_PATH);
    ::SetFilePointer(hFile, 0l, NULL, FILE_END);
    DWORD dwWritten;
    TCHAR buff[512] = { 0 };
    wsprintf(buff, TEXT("0x%x:%s\r\n"), hFile, szFileName);
    if (hFile) WriteFile(hFile, buff, lstrlenW(buff)*sizeof(TCHAR), &dwWritten, NULL);
    return 0;
}

>I make a pause a few days ...

 

Take your time. As WIN10PE come out for years, nobody know it is limited in services.exe by M$ but you,

it was a big break. at least we know a direction to try to make it work on WIN10PE.

 

 

 

 



#33 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 02 December 2018 - 04:49 PM

hi,

Thanks to Slore for making me discover NativeShell.

I finally managed to compile NativeShell in 64bits. It took me a few days because I'm not a good developer.
The only DLL to use is  "NTDLL.DLL". It is necessary to generate its file  "Lib " to have all the functions. Too long to explain in a few words.
The original code of NativeShell is so well written that I have not had any changes to make.
I will try to add the commands to manipulate the registry keys.

 

The only big anomaly for me is that the keyboard reading does not work in a HyperV VM.
The NtCretaFile API with  "DeviceKeyboardClass0" returns "success". Then the NtReadFile API returns "STATUS_PENDING".
But the following API NtWaitForSingleObject remains on hold (no come back) .
If anyone can give me a lead, it would be nice.
A few commands doesn't work well.

Build and debug NativeShell 64 bits is a good way to improve your knowledge of development and debugging.

 

Regarding "services. exe" and the key "Minit", I will get back to it soon.



#34 slore

slore

    Member

  • Members
  • 51 posts
  •  
    China

Posted 03 December 2018 - 02:24 AM

Hi,
Years ago, For old Windows XP PE, we used the native app to mount wims,
 extract zip files, or copy system files(like fonts) from ISO drive to X:\,
to make the XPPE.wim be very small in 2~3MB.
Let it be loaded fast with old USB 1.0/1.1 machine.
from Windows 7 PE with USB 2.0, WinPE is loading fast, the size is not such important,
so left the technique behind in years.
 
 
I don't know why your enviroment can't input(Hyper-V?).
 
the Native shell seems already have REGISTY functions,
but I don't know why there is no sub command for this.
 
 
also, the nreg.exe is a sub command of nativeCMD. which is use ReactOS sources to
make CMD.exe syntax works in native environment.
You can run "bat" command/file in native shell.
 
It is published in Chinese website, and the native shell home page also have the instruction.
 
Also Open source.
 
 
I can't access to this url, I don't know if it exists yet.
If you can download, give me a archive will be good :)
 
Recompile the reg.exe in x64 bits will be good to skip the KEYBOARD input issue to go forward.


#35 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 04 December 2018 - 01:40 PM

Hi,

The point of December 04, 2018.

 

The following processes load the DLL defined in "AppInit_DLLs": Winlogon, Svchost,....
But the process  "winint.exe" and  "services.exe" Do not load this hook.

 

PROCEXP displays for  "services. exe":  "protected: PSPROTECTEDSIGNERWINTCB-Light " and does not display the list of loaded DLLs (so really propected)

PROCMON shows that:
- "Winlogon" loads the DLL defined in  "AppInit_DLLs" when calling the function  "RegisterLogonProcess" contained in a DLL whose load is deferred (using user32.dll)
- "Services" never tests  "HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs" (not using user32.dll ?)
-These two processes test several times the key  "Minint" at different moments
-they run in parallel

 

So it is difficult to guarantee the correct positioning of the key for each of these processes

 

Reminder of constraints: 

- "Services. exe " is protected and the change of one byte in the file prohibits its launch
- "Services. exe " does not load the DL defined in  "AppInit_DLLs "

 

DOC about  PPL security
Http://www.alex-ionescu.com/?p=34
http://www.alex-ionescu.com/?p=97
http://www.alex-ionescu.com/?p=116
http://www.alex-ionescu.com/?p=146
Www.nosuchcon.org/talks/2014/D3_05_Alex_ionescu_Breaking_protected_processes.pdf

 

New Idea for my next try: use Hook DLL with target "OpenRegKeyExW" in wingolon

Create a DLL and place it in AppInit_DLLs for:
  Target only  "Winlogon"
  Delete the key  "Minint"
  Install a hook to intercept calls from  "Winlogon" When it tests the key  "Minit"

 

How to inject the interceptor hook of  "OpenRegKeyExW" in  "Winlogon"?  Use a tool like  "Detour", "mhook"... : complex for me

 

The function  "Hook_OpenRegKeyExW_wingolon":

   If the target key is "Minint"  then return  "OK"  else call OpenRegKeyExW

 

Other idea:
Is it possible to target a DLL loaded by  "services. exe" to inject the hook into this DLL?
How to do it? Change the code of the DLL  "target "?

 

Another idea too complex for me:
Create a driver to change the string in the process code  "Services" when it is loaded.
  2 possibilities from a driver:
  -Write the installation of a hook on the correct API  "OpenRegKeyExW "
   -If the call comes from  "Services", return the correct information ( "missing key")
  -Behave like a debugger:
   When loading  "Services", attach to this process
   If necessary, inject a thread into this process
   Search the chain and change it

 

About Native (Really fun and educational tool) :

NativeShell 64 bits works well in a VHD used with a physical machine.  :) 
But it lacks commands for  "registry" and commands do not work

PB with NativeShell:
No keyboard in a VM under HyperV ( api ntcreatefile "\device\kerboardclass0" ...api ntwaitforsingleobject doesn't return)
No display if code is compiled in mode  "Console" and launched normally (in VS2017)

no idea?


Edited by noel, 04 December 2018 - 01:46 PM.


#36 noel

noel

    Frequent Member

  • Advanced user
  • 178 posts
  • Location:nantes
  •  
    France

Posted 15 December 2018 - 11:22 PM

The point of December 15, 2018.
Setting a hook on an API is too complex for me in this context.
As slore propose, I just used the classic injection mechanism with "AppInit_DLLs".
And in the "Attach" function, first, I check if it's the winlogon process.
If yes, I kill Minint key. And I set a timeout. After this timeout, I recreate the key.

The timeout varies according to the hardware, 3 seconds for one of my PC and 5 seconds for the other.

It is not a robust solution. :angry: 

If someone can help ...

 

Now, in "my" winpe, I can see my smartphone (WPD-MTP) in "explorer". :) 

Only for the fun!

http://noel.blanc.fr...e/hook5sMTP.png






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users