
Is it possible to modify the services. EXE program of Winpe10 V1809?

winpe modify services.exe

17 replies to this topic

#1 noel (Member, 81 posts, Nantes, France), posted a week ago

Hi

My background: in the past, I have already modified a driver (FBWF.sys) from WinPE 10 version 1511 build 10586. I know a few things, like modifying the checksum created by the linker and signing the file with SignTool.exe using a test certificate created by MakeCert.exe.

But, for sure, I don't control all the settings.

The target: I want to modify the services.exe program of WinPE 10... for educational purposes only!

My modification: replace the "M" of the string "Minit" with an "N".

So I created a test certificate with MakeCert (an older version, because it is no longer available in the "SDK... signing tools"). And I signed the program with SignTool.exe.
I checked with "SignTool verify /pa" that the signature is correct.
I also checked that the BCD contains "testsigning = yes" (visible at the bottom right of the screen).

Then I copied this file into the VHD containing WinPE in flat mode.

My observation: when starting this WinPE, there is a blue screen "Critical process died".

My idea: the startup mechanism checks the signature of the file "services.exe" before launching it. This check fails.

Q = what is missing?
Should I put the certificate in WinPE? If so, how do I proceed?
Do I have to create the same "store" in WinPE to hold the certificate?
Should I also copy the certificate into "root"?
Thank you

PS: I created a NININT key in the System hive to make sure that the program's operation is not disturbed.



#2 alacran (Silver Member, .script developer, 644 posts, Mexico), posted a week ago

I suggest trying to enable Test Mode (testsigning) in the BCD; you may use BootIce for this. If you still have problems after this, also enable "No integrity checks". Then you can see if there is something wrong with your modified/signed file.



#3 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted a week ago

Have you been able to gather more details from the Windows event logs?

Also, out of curiosity, when does it BSOD? Before or during the logon screen?

My understanding is that it works as follows: bios->mbr->bootmgr->winload (os loader)->kernel init->session init->winlogon init->explorer init.

I believe that the SCM is loaded during session init but services are loaded during winlogon init.

Last, and thinking out loud: if patching the file offline is not an option, could it be an option to patch it live as early as possible during the boot process?

I believe that there are a few malware/viruses out there that do tamper with services.exe (to be verified, thus...).



#4 noel (Member, 81 posts, Nantes, France), posted a week ago

Thanks a lot for your answers. I appreciate it a lot. :)
@Alacran: I mainly use bcdedit. So I'll test "bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS" in a few days. And I'll search for more information on MS's sites. I didn't know this value. Thanks! ;)
@Erwan.l: the parent of the "services.exe" (SCM) program is Wininit.exe (I see that in procexp64.exe). I understand the start-up chain. It seems very difficult to change the SCM "wmain" code before its launch.
There is no information in the event log, precisely because services.exe = SCM fails. I see blank lines in ntbtlog.txt (bootlog = yes in the BCD, to view the loading of drivers).
Note: it is indeed the services.exe = SCM program I want to change, and not a program hosting a service.
Next week I'll try to use WinDbg with 2 machines (host and target) and put a breakpoint in "wmain" of services.exe. But I have kind of forgotten the debugging method.
If you have any ideas, feel free to let me know.
If I get a positive result, I will inform you.
Thank you



#5 slore (Newbie, 26 posts, China), posted a week ago

Hi, noel

I modified some PE DLL/EXE system files, and I didn't update their checksums at all, but they work.

Maybe the .text section doesn't need it? Or they are not important system files.

How about changing the test/jne/jmp asm code (1 or 3 bytes) instead? Then there is no need to change the MININT static string in .data.

Or inject a DLL into services.exe to wrap the API.



#6 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted a week ago

Altering (either offline or online) services.exe in the latest Windows 10 versions might be a challenge: the anti-malware mechanisms will quickly step in.



#7 noel (Member, 81 posts, Nantes, France), posted a week ago

@erwan.l: my target is WinPE, without anti-malware.

@slore: about the checksum:
I see here https://docs.microso...Debug/pe-format in "Optional Header Windows-Specific Fields (Image Only)", offset 64:
"The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process."
So I think updating the checksum is a good thing for SCM = services.exe. And using the "MapFileAndCheckSum" API is not complex, even in PS (https://docs.microso...gehlp-functions).
Note: I modified the string "ERROR" in notepad.exe in my Windows 10. It works well. No need to update the checksum. But it's not services.exe = SCM.

I also tested DISABLE_INTEGRITY_CHECKS in the BCD:

https://social.techn...river-integrity

bcdedit /store d:\boot\bcd /set `{default`} loadoptions DISABLE_INTEGRITY_CHECKS

I get the same blue screen with DISABLE_INTEGRITY_CHECKS too.

This week, I'll try to get some information about how to put the certificate in the root store of WinPE.

Thanks to all.
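The check noel mentions above, written out as an added example (my own code, not from anyone in this thread): PowerShell calling IMAGEHLP's MapFileAndCheckSumW to compare the checksum stored in the optional header with the one computed over the file, paired with Get-AuthenticodeSignature, because the checksum says nothing about who signed the image. The file paths are assumptions for illustration; imagehlp.dll ships with Windows.

```powershell
# Added example: compare a PE file's stored header checksum with the value
# IMAGEHLP computes, and report its Authenticode status alongside it.
# Requires Windows (imagehlp.dll). Paths used at the bottom are assumptions.

Add-Type -Namespace Win32 -Name ImageHlp -MemberDefinition @'
    // DWORD MapFileAndCheckSumW(PCWSTR Filename, PDWORD HeaderSum, PDWORD CheckSum)
    // Returns CHECKSUM_SUCCESS (0). HeaderSum is the value found in the
    // optional header; CheckSum is the value computed over the whole file.
    [DllImport("imagehlp.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern uint MapFileAndCheckSumW(string fileName, out uint headerSum, out uint checkSum);
'@

function Test-PeIntegrity {
    param([Parameter(Mandatory)][string]$Path)

    # P/Invoke sees the process working directory, not PowerShell's location,
    # so hand it an absolute path.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    $headerSum   = [uint32]0
    $computedSum = [uint32]0
    $rc = [Win32.ImageHlp]::MapFileAndCheckSumW($full, [ref]$headerSum, [ref]$computedSum)
    if ($rc -ne 0) { throw "MapFileAndCheckSumW failed on '$full' (error $rc)" }

    # The signature is the control that matters for a boot-critical image;
    # the checksum only tells you the header is self-consistent.
    $sig = Get-AuthenticodeSignature -FilePath $full

    [pscustomobject]@{
        Path             = $full
        HeaderChecksum   = ('0x{0:X8}' -f $headerSum)
        ComputedChecksum = ('0x{0:X8}' -f $computedSum)
        ChecksumMatches  = ($headerSum -eq $computedSum)
        SignatureStatus  = $sig.Status        # Valid, NotSigned, HashMismatch, UnknownError, ...
        SignatureType    = $sig.SignatureType # Catalog (typical for inbox files) or Embedded
        IsOSBinary       = $sig.IsOSBinary    # True when the file is recognised as a Windows binary
        Signer           = $sig.SignerCertificate.Subject
    }
}

# Assumed usage: the running system's SCM and the same file inside a mounted
# WinPE VHD (drive letter V: is an assumption).
Test-PeIntegrity -Path "$env:SystemRoot\System32\services.exe"
Test-PeIntegrity -Path 'V:\Windows\System32\services.exe'

# Sweep a System32 directory and keep only the files worth a second look.
Get-ChildItem -Path 'V:\Windows\System32' -Filter *.exe |
    ForEach-Object { Test-PeIntegrity -Path $_.FullName } |
    Where-Object { -not $_.ChecksumMatches -or $_.SignatureStatus -ne 'Valid' -or -not $_.IsOSBinary }
```

Two things to keep in mind when reading the output. A checksum mismatch catches a careless edit, but anyone who patches a file can recompute the checksum (that is exactly what this thread does), so ChecksumMatches = True is not evidence of integrity; SignatureStatus, SignatureType and IsOSBinary are what to act on. And Get-AuthenticodeSignature reports Valid only when the chain is trusted on the machine running the check: a file signed with a self-made test certificate shows Valid on a box where that test root was installed and a chain error (UnknownError with a "not trusted" status message) everywhere else, which is a useful way to tell an inbox binary from a re-signed one.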



#8 noel (Member, 81 posts, Nantes, France), posted a week ago

Hi,

My test in a flat WinPE:

start WinPE and start Procmon
add the signing certificate to root and trustedpublisher with certutil.exe
analyse the activity with Procmon: only two new keys for certificates.
launch regedit in WinPE
export these two keys from "system" (in RAM)
load the system hive (the file): name = new-sys
import the two keys into new-sys
unload the hive
shutdown
reboot WinPE
check the two stores for the certificate with certlm.msc: OK!
shutdown
mount the VHD and put the modified services.exe in place
eject and reboot WinPE

-->> bluescreen "critical process died"

Maybe someone can explain to me the mechanism of the protection used by the OS for the program services.exe.

The next test: debugging with host and target over an Ethernet cable



#9 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted a week ago

Can you generate a dump on BSOD?
If so, you could analyse your dump post mortem and get more details.

#10 noel (Member, 81 posts, Nantes, France), posted a week ago

Hi Erwan.l,

I have never done that.

Tomorrow, I'll search for how to generate the dump.

And later, perhaps I'll understand how to analyze it.

It's a good idea.

It seems very difficult to me. But I'll try.

Thanks Erwan.l

PS: I am progressing in very small steps in the art of debugging.



#11 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted 6 days ago

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl may help, but since you run in a WinPE, I am not so sure...

LogEvent:1 will log in the event logs

CrashDumpEnabled:0,1,2,3 will determine what is dumped to file

DumpFile:path determines where to dump

There are several freeware tools out there to nicely analyse a dump.

Are you actually from Nantes!??

I am from Nantes ("sud Loire")... :)
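Setting those CrashControl values on an image that is not running, as noel does with the SYSTEM hive inside his WinPE VHD, written out as an added example (my own code, not from anyone in this thread). It loads the offline hive with reg.exe, resolves which ControlSetNNN the image boots from (an offline hive has no CurrentControlSet link) and writes the three values erwan.l lists plus Overwrite. The drive letter and the hive name are assumptions; "new-sys" mirrors the name noel used.

```powershell
# Added example: configure CrashControl in the SYSTEM hive of an offline
# Windows/WinPE image (e.g. a mounted VHD). Run elevated; the hive must not
# be in use. The drive letter and hive name below are assumptions.

function Set-OfflineCrashControl {
    param(
        [Parameter(Mandatory)][string]$HiveFile,       # ...\Windows\System32\config\SYSTEM
        [string]$HiveKey = 'HKLM\new-sys',             # where reg.exe mounts the hive
        [ValidateRange(0, 3)][int]$CrashDumpEnabled = 2,  # 0 none, 1 complete, 2 kernel, 3 small
        [string]$DumpFile = '%SystemRoot%\MEMORY.DMP'
    )

    if (-not (Test-Path -LiteralPath $HiveFile)) { throw "Hive not found: $HiveFile" }

    & reg.exe load $HiveKey $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

    try {
        # Registry-provider path (HKLM:\...) for the same key reg.exe mounted.
        $psHive = $HiveKey -replace '^HKLM\\', 'HKLM:\'

        # Select\Current names the control set the image will boot with.
        $current = (Get-ItemProperty -Path "$psHive\Select" -Name Current).Current
        $cc = '{0}\ControlSet{1:D3}\Control\CrashControl' -f $psHive, $current
        if (-not (Test-Path -LiteralPath $cc)) { New-Item -Path $cc -Force | Out-Null }

        Set-ItemProperty -Path $cc -Name LogEvent         -Value 1                 -Type DWord
        Set-ItemProperty -Path $cc -Name CrashDumpEnabled -Value $CrashDumpEnabled -Type DWord
        Set-ItemProperty -Path $cc -Name Overwrite        -Value 1                 -Type DWord
        Set-ItemProperty -Path $cc -Name DumpFile         -Value $DumpFile         -Type ExpandString

        # Read back what was written so the caller can confirm it.
        Get-ItemProperty -Path $cc |
            Select-Object @{n='ControlSet';e={$current}}, LogEvent, CrashDumpEnabled, Overwrite, DumpFile
    }
    finally {
        # The provider can keep key handles open, which makes the unload fail
        # with "access denied"; forcing a collection releases them first.
        [gc]::Collect()
        & reg.exe unload $HiveKey | Out-Null
    }
}

# Assumed usage: VHD mounted as V:
Set-OfflineCrashControl -HiveFile 'V:\Windows\System32\config\SYSTEM' -HiveKey 'HKLM\new-sys' -CrashDumpEnabled 2
```

One caveat that matters in a WinPE scenario: at crash time the kernel writes the dump into the boot volume's page file (or a DedicatedDumpFile), and DumpFile is only produced when that same installation boots again and extracts it. An image with no page file on its boot volume captures nothing, whatever CrashDumpEnabled says, and an image that is discarded after the crash never gets to the extraction step.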



#12 noel (Member, 81 posts, Nantes, France), posted 6 days ago

Hi Erwan.l,

Yes, from Nantes (sud Loire, Saint-Sébastien). A coffee?

I'll read many documents on MS's site. I'll play with WinPE, services.exe and CrashDumpEnabled in a few days.

Actually, an old grandfather brought me his PC with a dead motherboard. I replaced it with a good one, but not the same model. And many issues: no sound, no sub-connector for the SD card reader...

I must finish his PC.



#13 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted 6 days ago

I use this freeware to "parse" my system dump files: https://www.nirsoft....creen_view.html

[image: bluescreenview2.gif]



#14 noel (Member, 81 posts, Nantes, France), posted 6 days ago

Hi,

I set CrashDumpEnabled = 1 (complete dump, https://msdn.microso...1(v=vs.85).aspx) in the SYSTEM hive in the VHD of WinPE.

When the BSOD comes, it displays "0 to 100% complete".

I shut down the VM and mount the VHD: NO file …\windows\memory.dmp in the VHD.

At this time, I don't know what I can do.

If someone has an idea... or has made a dump on BSOD in WinPE...



#15 noel (Member, 81 posts, Nantes, France), posted 5 days ago

Hi,

I read this at https://blogs.techne...ash-dump-files/ :
"
In addition to correctly sizing the page file, you also need to ensure that you have sufficient free disk space for the actual dump file itself to be written.  Unlike the page file used to capture the dump, the dump file itself can be written to a different local volume by changing the location in the Dump File field.  If there is a need to maintain multiple dumps of an issue, then you should uncheck the "Overwrite any existing file" box as well.  However, please remember that this may put a strain on free disk space over time.
If a dump is configured, the system makes a copy of the disk miniport driver used to write to the boot volume in memory and prepends the driver name with "dump_".  The system also checksums all of the components involved with writing a crash dump, (including the copied disk miniport driver), the I/O manager functions that write the dump and the map of where the boot volume’s page file is on the disk.  This checksum is saved.  When the KeBugCheck function executes it checksums these components again and compares this checksum to the one created at boot.  If these checksums do not match, no dump file is written (because of the risk of corrupting the disk).  If the checksum matches, the dump information is written directly to the sectors on disk occupied by the page file.  The file system driver is completely bypassed – because it may be corrupted or be the cause of the crash.  When SMSS.EXE enables paging during the boot process, the system examines the boot volume’s page file to see if there is a crash dump present.  If one exists, then this part of the page file is protected.  This makes all (or part) of the boot volume’s page file unusable during the early part of the boot process.  This may result in notifications that the system is low on virtual memory – a temporary condition.  Later in the boot process, WINLOGON.EXE calls the SAVEDUMP.EXE process to extract the dump from the page file and copy it to the final location that is specified in the Dump File field.
"

It's long, but I understand that "my" dump file in WinPE, with no reboot after the crash, is …\pagefile.sys. :)

I use WinDbg to analyse this file and get some information that I can control.

But in this test, I had modified CrashDumpEnabled = 2.

So I'll try again later.



#16 noel (Member, 81 posts, Nantes, France), posted 15 hours ago

Hi,

Reminder of my WinPE context: I modified the file "services.exe" (changed a Unicode character and the checksum) and signed it with a test certificate.
Starting WinPE generates a BSOD. Despite setting CrashDumpEnabled, the memory.dmp file is not created.
If I understood the information quoted in the previous post correctly, it is necessary to analyze the file pagefile.sys.

So I scanned the pagefile.sys file after the BSOD with WinDbg.
I conclude that the BSOD is generated by "Wininit.exe", which ends. The wmain ends. Then the function "Exit" is executed and gives rise to the BSOD.

To continue, I have to set up a "kernel debugging" session with 2 machines (guest = VM in Hyper-V, host = the Hyper-V host, and a TCP/IP network).
The setup was a bit long because I was using WiFi access. But random cuts led me to use Ethernet.

Last night, with a correct link, I finally got the "break" while loading WinPE.

And now it's getting very complicated.
Because how do you put a breakpoint on a program that is not loaded yet?

With IFEO, I played with tracing the "termservice" service. But I think I can't use IFEO to trace "services.exe".

If you have an idea...
Thank you



#17 erwan.l (Gold Member, Developer, 2321 posts, Nantes, France), posted 7 hours ago

Well, according to Wikipedia, services.exe is indeed called by wininit.exe.

Wininit.exe is responsible for running the Windows initialization process.

Amongst other things, Wininit.exe starts Lsass.exe, Lsm.exe, creates Services.exe and a window station (Winsta0).

Reusing post #3, you are effectively crashing here (bold part): bios->mbr->bootmgr->winload (os loader)->kernel init->session init->winlogon init->explorer init

Killing services.exe usually leads to a BSOD.

The question is: is services.exe crashing because you modified it, or is Windows BSODing because it spots that services.exe has been altered?

About network kernel debugging, good luck with that :)

Maybe try with an earlier Windows version, as I still believe the latest Windows builds will be extremely picky about altering services.exe.

And I am not talking about anti-malware/virus software here, I am talking about a deep Windows mechanism possibly implemented in the kernel.

If it works with older Windows versions, then it gives you an extra hint.

Also, you can actually call services.exe from the command line.

It won't get you far, as I believe it will immediately spot that another instance is already running, but it may be worth calling your altered services.exe from the command line to see what happens (and possibly debug it in an easier way).



#18 noel (Member, 81 posts, Nantes, France), posted 7 hours ago

Hi,

@erwan.l

Thank you very much. My idea is that the verifications made at boot time and afterwards are not the same. I use IDA to disassemble "services.exe". The first thing it does is test the object created by the first instance. I'll verify this point: is it launched without error when WinPE is OK?

In my Windows 10, I launch it under another name, "ServicesModifed.exe", and no error. And the same in WinPE!!!

Note: on the two machines, the test certificate (the one I created and use to sign) is present.

So I think the verification is different during boot and after: the first is made by the kernel, the second in user context.

I actually use V1709. In the title I speak about V1809 because I think people are testing and working with the new version V1809.

Yesterday I could "break" in a "good" services.exe to verify that I am OK with network kernel debugging.

But I can't do it a second time with the same "commands" in WinDbg.

Setting up "network kernel debugging" is very simple with Hyper-V!

But what must I do before hitting "g"?

It is very complicated to understand what sequence of commands WinDbg needs to arrive in the code of services.exe: BP??? not good!!!

Today, I found a lot of information on "how to debug winlogon, etc.".

Some or many of them use IFEO and "gflags".

First next try: without IFEO, and with an adaptation of:

https://stackoverflo...ts-at-boot-time

(like yesterday evening, when WinDbg allowed me to step into the wmain. I don't understand very well what the guy does).

Second next try: with IFEO, later, with an adaptation of

https://docs.microso...ugging-winlogon

where I read:

"In addition, you should set the GlobalFlag value under the winlogon.exe key to REG_DWORD "0x000400F0". This sets heap checking and FLG_ENABLE_KDEBUG_SYMBOL_LOAD. However, since this second flag only affects the kernel debugger, symbols must also be copied to the target computer before starting the debugger." It seems complex for me to copy symbols to the target.

PS: I hope you can understand my poor English. I am going to the theatre this evening in Saint-Sébastien :)





