Debug Windows Service Startup Without Using gflags

Thomas Ptacek | November 22nd, 2006 | Filed Under: Reversing, Uncategorized

You can’t run a Windows service on the command line the same way you can a Unix daemon. So what do you do if you need to debug the startup routine of a Windows service?

Microsoft has a knowledgebase article on this. The “official” answer is to use “gflags.exe”, which comes with the (excellent, free) windbg package. There’s an image execution option that tells Windows to start a program under the debugger.

I can’t get this to work for me. So I asked a friend, and got an easy answer that did work:

  1. Set, say, Ollydbg as your JIT debugger.

  2. Make sure “Allow service to interact with desktop” is enabled under the service options.

  3. Open the service’s image file in an editor. The (excellent, free) “hte” works perfectly.

  4. Find some code that runs early in startup. Replace an instruction with INT 3 (0xCC). I just swapped an xor-to-zero.

  5. Start the service; it’ll pop up under the debugger. Make sure you set the register you skipped to zero.

Since I’m already cough tweaking this application with hte anyways, this was a perfect solution.

Viewing 1 Comment

    • ^
    • v
    Alternatively, you could follow step 2 and then download PEBrowse Interactive from my website, www.smidgeonsoft.com. From File/IFEO Manager, add the service -- this uses the registry key, Image File Execution Options and launches PEBrowse when the service starts. Then under Tools/Configure/Debug, check the option, "Break on Process Initialization". When the service starts, this will stop the process and bring up the debugger when the service is first loaded. This allows one to debug the service without munging the executable with an INT 3 and even debug the loader and any DLLs startup code. Or, you can read the documentation page on my website for how to debug ASP.NET pages which essentially uses the same technique.

Trackbacks

close Reblog this comment
Powered by Disqus · Learn more
blog comments powered by Disqus