
Is it possible to modify the services. EXE program of Winpe10 V1809?


34 replies to this topic

#1 noel
Member, 91 posts, Location: Nantes, France

Posted 02 November 2018 - 10:19 AM

Hi

My background: in the past, I have already modified a driver (FBWF.sys) from WinPE 10 Version 1511 build 10586. I know a few things, like modifying the checksum created by the linker, and signing the file with SignTool.exe using a test certificate created by MakeCert.exe.

But, for sure, I don't control all the settings.

The target: I want to modify the services.exe program of WinPE 10... for educational purposes only!

My modification: replace the "M" of the string "MiniNT" with an "N".

So I created a test certificate with MakeCert (an older version, because it is no longer available in the "SDK... signing tools"). And I signed the program with SignTool.exe.
I checked with "SignTool Verify /pa" that the signature is correct.
I also checked that the BCD contains "testsigning = yes" (visible at the bottom right of the screen).

Then I copied this file into the VHD containing WinPE (flat mode).

My observation: when starting this WinPE, there is a blue screen "Critical process died".

My idea: the startup mechanism checks the signature of the file "services.exe" before launching it. This check fails.

Q: what is missing?
Should I put the certificate in WinPE? If so, how do I proceed?
Do I have to create the same "store" in WinPE to file the certificate?
Should I also copy the certificate into "root"?
Thank you

PS: I created a NININT key in the System hive to make sure that the program's operation is not disturbed.



#2 alacran
Silver Member, .script developer, 648 posts, Mexico

Posted 02 November 2018 - 09:42 PM

I suggest trying to enable Test Mode (testsigning) in the BCD; you may use BootIce for this. If you still have problems after this, also enable No integrity checks. Then you can see if there is something wrong with your modified/signed file.



#3 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 03 November 2018 - 02:41 PM

Have you been able to gather more details from the Windows event logs?

Also, out of curiosity, when does it BSOD? Before or during the logon screen?

My understanding is that it works as follows: bios->mbr->bootmgr->winload (os loader)->kernel init->session init->winlogon init->explorer init.

I believe that the SCM is loaded during session init, but services are loaded during winlogon init.

Last, and thinking out loud: if patching the file offline is not an option, could it be an option to patch it live as early as possible during the boot process?

I believe that there are a few malwares/viruses out there that do tamper with services.exe (to be verified, thus...).



#4 noel
Member, 91 posts, Location: Nantes, France

Posted 03 November 2018 - 09:15 PM

Thanks a lot for your answers. I appreciate it a lot. :)
@Alacran: I mainly use bcdedit. So I'll test "bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS" in a few days. And I'll search for more information on MS's sites. I didn't know this value. Thanks! ;)
@Erwan.l: the parent of the "services.exe" (SCM) program is Wininit.exe (I see that in procexp64.exe). I understand the starting chain. It seems very difficult to change the SCM "wmain" code before its launch :(
There is no information in the event log, precisely because services.exe = SCM fails. I see blank lines in ntbtlog.txt (bootlog = yes in the BCD, to view the loading of drivers).
Note: it is indeed the services.exe = SCM program I want to change, and not a program hosting a service.
Next week I'll try to use WinDbg with 2 machines (host and target) and put a breakpoint in "wmain" of services.exe. But I kinda forgot the method of debugging.
If you have any ideas, feel free to let me know.
If I get a positive result, I will inform you.
Thank you



#5 slore
Member, 33 posts, China

Posted 04 November 2018 - 02:02 AM

Hi, noel

I modified some of PE's DLL and EXE system files, and I didn't checksum them at all, but they work.

Maybe the .text doesn't need it? Or they are not important system files.

How about changing the test/jne/jmp asm code with 1 or 3 bytes? No need to change the .data's MININT static string data.

Or inject a DLL into services.exe, to wrap the API.



#6 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 04 November 2018 - 07:12 PM

Altering (either offline or online) services.exe in the latest Windows 10 versions might be a challenge: the anti-malware mechanisms will quickly step in.



#7 noel
Member, 91 posts, Location: Nantes, France

Posted 04 November 2018 - 10:15 PM

@erwan.l: my target is WinPE without anti-malware.

@slore: about the checksum:
I see here https://docs.microso...Debug/pe-format in "Optional Header Windows-Specific Fields (Image Only)", offset 64:
"The image file checksum. The algorithm for computing the checksum is incorporated into IMAGHELP.DLL. The following are checked for validation at load time: all drivers, any DLL loaded at boot time, and any DLL that is loaded into a critical Windows process."
So, I think updating the checksum is a good thing for SCM = services.exe. And using the "MapFileAndCheckSum" API is not complex, even in PS (https://docs.microso...gehlp-functions).
Note: I modified the string "ERROR" in notepad.exe on my Windows 10. It works well. No need to update the checksum. But it's not services.exe = SCM.

I also tested DISABLE_INTEGRITY_CHECKS in the BCD:

https://social.techn...river-integrity

bcdedit /store d:\boot\bcd /set `{default`} loadoptions DISABLE_INTEGRITY_CHECKS

I get the same blue screen with DISABLE_INTEGRITY_CHECKS too.

This week, I'll try to get some information about how to put the certificate in the root store of WinPE.

Thanks to all.
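The PE image checksum discussed in this post (the field at offset 64 of the optional header, as computed by IMAGEHLP's MapFileAndCheckSum: a 32-bit sum with end-around carry, folded to 16 bits, plus the file length) as an added Python example; this is not code from the thread, and the image it works on is a constructed stub with a fake "MiniNT" string at an assumed offset, not a real services.exe.

```python
import struct

MINI_NT_OFFSET = 0xC0  # assumed offset of the constructed "MiniNT" string in the stub image


def checksum_field_offset(data: bytes) -> int:
    """Locate the CheckSum field: e_lfanew -> PE signature -> COFF header -> optional header + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    # 4-byte signature + 20-byte COFF file header; CheckSum is at offset 64 of the optional header
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """Compute the image checksum the way IMAGEHLP does (field offset assumed dword-aligned)."""
    skip = checksum_field_offset(data)
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)  # sum whole little-endian dwords
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue  # the CheckSum field itself is excluded from the sum
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)  # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)  # the original, unpadded file length is added last


def stored_checksum(data: bytes) -> int:
    """Read the checksum currently recorded in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def with_updated_checksum(data: bytes) -> bytes:
    """Return a copy whose header CheckSum matches the image contents."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def checksum_is_valid(data: bytes) -> bool:
    """Integrity check: does the recorded checksum match a fresh computation?"""
    return stored_checksum(data) == pe_checksum(data)


def patched_copy(data: bytes, offset: int, new_byte: int) -> bytes:
    """Return a copy with one byte changed (used to show that the stored checksum goes stale)."""
    buf = bytearray(data)
    buf[offset] = new_byte
    return bytes(buf)


def build_stub_image() -> bytes:
    """Constructed minimal PE-like image (not an executable): MZ header, e_lfanew = 0x40,
    PE signature, zeroed headers, and the string "MiniNT" placed at MINI_NT_OFFSET."""
    img = bytearray(0x100)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    img[MINI_NT_OFFSET:MINI_NT_OFFSET + 6] = b"MiniNT"
    return bytes(img)


if __name__ == "__main__":
    good = with_updated_checksum(build_stub_image())
    edited = patched_copy(good, MINI_NT_OFFSET, ord("N"))  # the one-character edit from the thread
    print(hex(stored_checksum(good)), checksum_is_valid(good))      # 0xc7e7 True
    print(hex(pe_checksum(edited)), checksum_is_valid(edited))      # 0xc7e8 False
```

A single changed byte shifts the computed sum, so a file edited without re-running the checksum step fails this check, which is why the thread's modification also needed the checksum rewritten before signing.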



#8 noel
Member, 91 posts, Location: Nantes, France

Posted 06 November 2018 - 09:25 PM

Hi,

My test in a flat WinPE:

start WinPE and start procmon

add the signing certificate to root and trustedpublisher with certutil.exe

analyse the activity with procmon: only two new keys for certificates.

launch regedit in WinPE

export these two keys from "system" (in RAM)

load the system hive (the file): name = new-sys

import the two keys into new-sys

unload the hive

shutdown

reboot WinPE

check the two stores for the certificate with certlm.msc: OK!

shutdown

mount the VHD and put the modified services.exe in place

eject and reboot WinPE

-->> blue screen "critical process died"

Maybe someone can explain to me the mechanism of the protection used by the OS for the program services.exe.

The next test: debugging with host and target over an Ethernet cable.



#9 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 06 November 2018 - 10:49 PM

Can you generate a dump on BSOD?
If so, you could analyse your dump post mortem and get more details.

#10 noel
Member, 91 posts, Location: Nantes, France

Posted 06 November 2018 - 11:09 PM

Hi Erwan.l,

I have never done that.

Tomorrow, I'll search how to generate the dump.

And later, perhaps I'll understand how to analyze it.

It's a good idea.

It seems very difficult to me. But I'll try.

Thanks Erwan.l

PS: I progress in small steps in the art of debugging.



#11 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 08 November 2018 - 05:47 PM

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl may help, but since you run in a WinPE, I am not so sure...

LogEvent: 1 will log in the event logs

CrashDumpEnabled: 0, 1, 2, 3 will determine what is dumped to file

DumpFile: path determines where to dump

There are several freewares out there to nicely analyse a dump.

Are you actually from Nantes!??

I am from Nantes ("sud Loire")... :)



#12 noel
Member, 91 posts, Location: Nantes, France

Posted 08 November 2018 - 06:02 PM

Hi Erwan.l,

Yes, from Nantes (sud Loire, Saint-Sébastien). One coffee?

I'll read many documents on MS's site. I'll play with WinPE, services.exe and CrashDumpEnabled in a few days.

Actually, an old grandfather brought me his PC with the motherboard KO. I replaced it with a good one, but not the same. And many issues: no sound, no sub connector for the SD card reader...

I must finish his PC..



#13 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 08 November 2018 - 06:13 PM

I use this freeware to "parse" my system dump files: https://www.nirsoft....creen_view.html

[image: bluescreenview2.gif]



#14 noel
Member, 91 posts, Location: Nantes, France

Posted 08 November 2018 - 10:03 PM

Hi,

I modified CrashDumpEnabled = 1 (complete dump, https://msdn.microso...1(v=vs.85).aspx) in the SYSTEM hive in the VHD of WinPE.

When the BSOD comes, it displays "0 to 100% complete".

I shut down the VM and mount the VHD: NO file "…\windows\memory.dmp" in the VHD.

At this time, I don't know what I can do.

If someone has an idea… or has made a dump on BSOD in WinPE...



#15 noel
Member, 91 posts, Location: Nantes, France

Posted 09 November 2018 - 02:55 PM

Hi,

I read this on https://blogs.techne...ash-dump-files/ :

"In addition to correctly sizing the page file, you also need to ensure that you have sufficient free disk space for the actual dump file itself to be written. Unlike the page file used to capture the dump, the dump file itself can be written to a different local volume by changing the location in the Dump File field. If there is a need to maintain multiple dumps of an issue, then you should uncheck the "Overwrite any existing file" box as well. However, please remember that this may put a strain on free disk space over time.
If a dump is configured, the system makes a copy of the disk miniport driver used to write to the boot volume in memory and prepends the driver name with "dump_". The system also checksums all of the components involved with writing a crash dump, (including the copied disk miniport driver), the I/O manager functions that write the dump and the map of where the boot volume's page file is on the disk. This checksum is saved. When the KeBugCheck function executes it checksums these components again and compares this checksum to the one created at boot. If these checksums do not match, no dump file is written (because of the risk of corrupting the disk). If the checksum matches, the dump information is written directly to the sectors on disk occupied by the page file. The file system driver is completely bypassed – because it may be corrupted or be the cause of the crash. When SMSS.EXE enables paging during the boot process, the system examines the boot volume's page file to see if there is a crash dump present. If one exists, then this part of the page file is protected. This makes all (or part) of the boot volume's page file unusable during the early part of the boot process. This may result in notifications that the system is low on virtual memory – a temporary condition. Later in the boot process, WINLOGON.EXE calls the SAVEDUMP.EXE process to extract the dump from the page file and copy it to the final location that is specified in the Dump File field."

It's long, but I understand that "my" dump file in WinPE, with no reboot after the crash, is …\pagefile.sys. :)

I'll use WinDbg to analyse this file and get some information that I can check.

But for this test, I had modified CrashDumpEnabled = 2.

So I'll try later.



#16 noel
Member, 91 posts, Location: Nantes, France

Posted 4 weeks ago

Hi,

Reminder of my WinPE context: I modified the file "services.exe" (changed a Unicode character and the checksum) and signed it with a test certificate.
Starting WinPE generates a BSOD. Despite setting CrashDumpEnabled, the memory.dmp file is not created.
If I understood the information quoted in the previous post, it is necessary to analyze the file pagefile.sys.

So I scanned the pagefile.sys file after the BSOD with WinDbg.
I conclude that the BSOD is generated by "Wininit.exe", which ends. The wmain ends. Then the function "Exit" is executed and gives rise to the BSOD.

To continue, I have to set up a "kernel debugging" session with 2 machines (guest = VM in Hyper-V, host = Hyper-V host, and network TCP/IP).
The setup was a bit long because I was using WiFi access. But random cuts led me to use Ethernet.

Last night, with a correct link, I finally got the "break" on loading WinPE.

And now it's getting very complicated.
Because how do I put a breakpoint on a program that is not loaded?

With IFEO, I played with tracing the "termservice" service. But I think I can't use IFEO to trace "services.exe".

If you have an idea...
Thank you



#17 erwan.l
Gold Member, Developer, 2343 posts, Location: Nantes - France

Posted 4 weeks ago

Well, according to Wikipedia, services.exe is indeed called by wininit.exe.

Wininit.exe is responsible for running the Windows initialization process.

Amongst other things, Wininit.exe starts Lsass.exe, Lsm.exe, creates Services.exe and a window station (Winsta0).

Reusing post #3, you are effectively crashing here (bold part): bios->mbr->bootmgr->winload (os loader)->kernel init->session init->winlogon init->explorer init

Killing services.exe usually leads to a BSOD.

The question is: is services.exe crashing because you modified it, or is Windows BSOD'ing because it spots that services.exe has been altered?

About network kernel debugging, good luck with that :)

Maybe try with an earlier Windows version, as I still believe the latest Windows builds will be extremely picky about altering services.exe.

And I am not talking about anti-malware/virus software here; I am talking about a deep Windows mechanism possibly implemented in the kernel.

If it works with older Windows versions, then it gives you an extra hint.

Also, you can actually call services.exe from the command line.

It won't get you far, as I believe it will immediately spot that another instance is already running, but it may be worth calling your altered services.exe from the command line to see what happens (and possibly debug it in an easier way).



#18 noel
Member, 91 posts, Location: Nantes, France

Posted 4 weeks ago

Hi,

@erwan.l

Thank you very much. My idea is that the verifications made at boot time and after are not the same. I use IDA to disassemble "services.exe". The first thing it does is test the object created by the first instance. I'll verify this point: is it launched without error when WinPE is OK?

On my Windows 10, I launch it under another name, "ServicesModified.exe", and no error. And the same in WinPE!!!

Note: on the two machines, the test certificate (which I created and use to sign) is present.

So, I think the verification is different during boot and after: the first is made by the kernel, the second in user context.

I actually use V1709. In the title I speak about V1809 because I think people are testing and working with the new version V1809.

Yesterday I could "break" in a "good" services.exe to verify that I am OK with network kernel debugging.

But I can't do it a second time with the same "commands" in WinDbg.

Setting up "network kernel debugging" is very simple with Hyper-V!

But what must I do before hitting "g"?

It is very complicated to understand what sequence of commands WinDbg needs to arrive in the code of services.exe: BP??? not good!!!

Today, I found a lot of information on "how to debug winlogon, etc".

Some or many of them use IFEO and "gflags".

First next try: without IFEO, and with an adaptation of:

https://stackoverflo...ts-at-boot-time

(like yesterday evening, since WinDbg allowed me to step into the wmain. I don't understand very well what the guy does).

Second next try: with IFEO, later, with an adaptation of

https://docs.microso...ugging-winlogon

where I read:

"In addition, you should set the GlobalFlag value under the winlogon.exe key to REG_DWORD "0x000400F0". This sets heap checking and FLG_ENABLE_KDEBUG_SYMBOL_LOAD. However, since this second flag only affects the kernel debugger, symbols must also be copied to the target computer before starting the debugger." It seems complex for me to copy symbols to the target.

PS: I hope you can understand my poor English. I go to the theatre this evening in Saint-Sébastien :)



#19 noel
Member, 91 posts, Location: Nantes, France

Posted 3 weeks ago

Hi,

Remote debugging is operational with the VM.
WinPE breaks at the beginning of its loading. :)

I find the same problem: how to put a breakpoint on the function wmain of services.exe?

Looking on the Internet, I found that the command "sxe ld services.exe" breaks when loading the module "services.exe".
The process is loaded into memory but is not active in the process list.

"bp/bu services!wmain" does not break.
"ba e 1 services!wmain" breaks but leads to inconsistency!

 

 

kd> bl
     0 e Disable Clear  fffff800`67f3e1dc     0001 (0001) nt!MiMapProcessExecutable
     1 e Disable Clear  fffff800`67f40e10     0001 (0001) nt!MmMapViewOfSection
     2 e Disable Clear  00007ff7`69d29000 e 1 0001 (0001) services!wmain

kd> g
Breakpoint 2 hit
services!wmain:
0033:00007ff7`69d29000 ??              ???
kd> u services!wmain
services!wmain:
00007ff7`69d29000 ??              ???
                   ^ Memory access error in 'u services!wmain'

I lack background knowledge on kernel debugging.

If you can tell me what I'm missing...



#20 slore
Member, 33 posts, China

Posted 3 weeks ago

Hi,

I wrote a DLL to hook OpenRegKeyExW to customize the MiniNT key query result, and used AppInit_DLLs to inject it.

I found that winlogon.exe, wpeinit.exe and notepad.exe get hooked, but services.exe is started from wininit.exe; it doesn't load the AppInit_DLLs DLL.

I'm trying to find a way to inject my DLL into services.exe; maybe I need to write a driver...

Is there a way to let me start a hookinstaller.exe before services.exe starts up?



#21 noel
Member, 91 posts, Location: Nantes, France

Posted 3 weeks ago

Hi slore,

I found here: https://support.micr...-registry-value

that it is User32.dll which loads the DLLs under this key.

With "depends", I don't see User32.dll in "services.exe".

Note: "procexp.exe" (as admin) doesn't show loaded DLLs in "services.exe" but does show handles on my Windows 10.

I have not tried to write a little program named "services.exe" which would launch the original "services.exe".

Now, I can debug "services.exe". It's a little long to set up. I'm not sure how my method works in another environment.

The story from the beginning:

I want to know why smartphones are not visible in WinPE. I read a lot about WPD/MTP. I found that the UMDF platform is not OK. And I arrived in "services.exe". With IDA, in "services!InitWudfDriverManager", I found a test of "MiniNt" which disables the call to "services!WdfDriverManager::InitializePlatformLibrary".

Now, I can debug and I modify the string in the code of "services.exe". So, the code of "services" continues a bit. But the error "0x8007007F" comes rapidly. The call to "KERNELBASE!NgcUpdateStatistics" returns the error.

I'll try to put here the file which shows how to put a bp in the wmain of services.exe. I don't know how to upload a file in this post.

 

 



#22 noel
Member, 91 posts, Location: Nantes, France

Posted 3 weeks ago

Hi,
You can find here https://1drv.ms/f/s!...3bQJ6LgRVwUAjD_
the file of the debug session.
I put some comments in it.
My new issue: the process "services.exe" calls the function GetAndInitializePlatformObject in WUDFPlatform.dll.
This DLL or its functions are marked as "Delayed imports".
I no longer understand the code from this point, and I get the error 0x8007007f.

I am a stupid boy: I forgot to copy the file WUDFPlatform.dll into WinPE.

So, I am debugging….
And it's OK, I go into the function. And no error when it returns!
I clear all bp and "g": I get explorer.

Now, how to test if the UMDF platform is OK?
With "winobj" (I don't know why procexp hangs in my WinPE) I see the ALPC port "ProcessManagement" under "UMDFCommunicationPorts\UMDF".

It seems very good.
But no USB in Hyper-V, so I can't try to plug in my smartphone.
I stop for today.



#23 noel
Member, 91 posts, Location: Nantes, France

Posted 3 weeks ago

Hi,

In the first post, I reported that signing the program "services.exe" with a test certificate generated a BSOD.

This site https://community.os...scussion/268581 describes the same anomaly.
The context is different: "I have driver which loads DLL inside processes". It plays out in a normal Windows.
But the failure takes place with "services.exe".

The post brings interesting information:
- A quick presentation of the protection mechanism "PPL"

- Links giving access to information too complex for me:
http://www.alex-ionescu.com/?p=97
http://www.alex-ionescu.com/?p=116
http://www.alex-ionescu.com/?p=146
http://2012.ruxconbr...akpoint2012.pdf

From all this, I remember one thing: loading a modified program "services.exe" into memory seems impossible in WinPE.
"PPL" seems to implement a chain of protection, each parent protecting its children.
My English is far too limited to understand how "wininit.exe" knows the protection level of "services.exe".
In case you have time to read these documents, please return a few explanations.

Edit: I found this

https://github.com/conioh/PPLKiller

a driver to bypass PPL...


Edited by noel, 3 weeks ago.


#24 slore
Member, 33 posts, China

Posted 2 weeks ago

Hi,

Yes, I read that they are protected processes...

Modify the EPROCESS flags, but that is after services.exe has started.

I think a way is to rename the MiniNT key on startup for services.exe,

and the other USER32 processes (winlogon.exe, wpeinit.exe) will pass through my hook;

when they query the MiniNT subkey, I return the WinPE key for them.

But I found there is no MiniNT in the SYSTEM hive. It is initialized on boot.

I tried the "native shell"; I can stop before wininit.exe/services.exe start and check processes, loaded drivers/DLLs,

but there is no command to query the registry. I don't know if it already exists.

Finally, doing these things seems to need a kernel driver.

Could you debug it and change the test result on PE, and use a smartphone to test it? Figure out if it is limited by MS.



#25 noel
Member, 91 posts, Location: Nantes, France

Posted 2 weeks ago

Hello slore,

I hope I understand what you want me to test.

What I did this evening:

put the VHD on a USB disk

prepare remote debugging

boot a "physical" machine on this VHD

modify the string in services.exe "on the fly" (simpler for me than modifying the test condition in the code)

when the desktop is OK, plug my smartphone into WinPE

Observation: devmgmt.msc sees two new devices, MTP and "alcatel pop C2", but they are KO, no drivers for them in my VHD.

My VHD is old and I am missing many files for MTP (no inf, no dll).

In devmgmt.msc, I choose "update driver" and choose my Windows 10 partition on my hard disk, folder = "inf".

The update starts, but the "inf" folder doesn't contain all the files (dll). So, error...

But the UMDF stack is OK.

So, I am sure it will work tomorrow when I put all the files in the VHD and make a new test.

But too late for this evening.

A picture..... https://1drv.ms/f/s!...3bQJ6LgRVwUAjD_

Next big job: find a way to play with "services.exe".

PS: can you confirm that procexp can't see DLLs loaded by "services.exe" (handles are visible)? If it's true, there is perhaps a future difficulty.
