Debugging a Windows Service in User-Mode
Recently, I had the opportunity to get acquainted with an interesting post about a vulnerability in the WebEx client, found at https://webexec.org. My interest in the subject prompted me not only to explore the vulnerability, but also to evaluate the possibility of debugging the service, since the post did not provide specific details on how to accomplish this task.
To work this out, a few steps are needed before the service can be analyzed, since it is not as simple as pressing ▶️ in the debugger 🤣.
Let’s start with the installation of the vulnerable program (download) on a Windows 10 64-bit operating system. After installation, the files will be found in the path “C:\ProgramData\Webex\Webex\Applications”, where we can find the executable WebExService.exe. This file is responsible for creating a service with the name webexservice.
Building on the information provided above, we can move forward with setting up the experimental environment.
1) We need to identify the path of the following tools. They are usually located at “C:\Program Files (x86)\Windows Kits\10\Debuggers\x86”.
cdb.exe : Used to attach to a running process or to spawn and attach to a new process
gflags.exe : Enables and disables advanced debugging, diagnostics, and troubleshooting features
windbg.exe : A kernel-mode and user-mode debugger
2) To set the service to manual start, open a command prompt with administrator permissions and use the “sc” tool. If the service is running, we must stop it before continuing.
cmd> sc config webexservice start= demand
cmd> sc stop webexservice
3) Using the path from point 1, we can quickly obtain the short (8.3) path of the cdb.exe binary with the command below, which would be “C:\PROGRA~2\WI3CF2~1\10\DEBUGG~1\x86\cdb.exe”.
cmd> for %A in ("C:\Program Files (x86)\Windows Kits\10\Debuggers\x86\cdb.exe") do @echo %~sA
4) To enable debug hook mode for the service in question, we must use the “gflags” tool and set a listening port for debugging.
cmd> C:\PROGRA~2\WI3CF2~1\10\DEBUGG~1\x86\gflags /p /enable WebExService.exe /debug "C:\PROGRA~2\WI3CF2~1\10\DEBUGG~1\x86\cdb.exe -server tcp:port=9999"
5) To prevent Windows from killing the service at startup, you need to create a registry value that changes the service startup timeout to 1 hour (the value is in milliseconds).
cmd> reg add HKLM\System\CurrentControlSet\Control /v ServicesPipeTimeout /t REG_DWORD /d 3600000
6) Finally, we restart the host and, once it is back up, open a command line with administrator permissions to start the service. During its execution, the service may appear to be blocked, but this situation is expected and normal.
cmd> sc start webexservice
7) To start debugging, we open WinDbg, use the Ctrl+R key combination to enter the corresponding connection string, and connect.
tcp:server=localhost,port=9999
Reverting the changes
To revert and disable debugging, you need to reset the service startup parameters to your preferred startup type and run the following commands in a terminal with administrator privileges to remove the debugger hook and the timeout registry value. Finally, reboot the machine to restore the default service timeout.
cmd> C:\PROGRA~2\WI3CF2~1\10\DEBUGG~1\x86\gflags /p /disable WebExService.exe
cmd> reg delete HKLM\System\CurrentControlSet\Control /v ServicesPipeTimeout
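To confirm what the steps above changed, and that the revert commands removed it, the following PowerShell script (an added example, not part of the original post) reads back the relevant state. It assumes gflags records the /debug command as a Debugger value under the Image File Execution Options key for the image, and it checks both the native and WOW6432Node registry views.

```powershell
# Added example: report the debugging state the steps above leave on the machine.
# Assumption: gflags stores the /debug command as a "Debugger" value under
# Image File Execution Options (IFEO) for the image; both registry views are checked.
$image   = 'WebExService.exe'
$service = 'webexservice'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Collect every IFEO key for the image that still carries a debugger command.
$hooks = foreach ($root in $ifeoRoots) {
    $key = Join-Path $root $image
    $debugger = Get-RegValue $key 'Debugger'
    if ($debugger) { [pscustomobject]@{ Key = $key; Debugger = $debugger } }
}

# Step 5 value (milliseconds); absent means the default timeout applies.
$timeoutMs = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control' 'ServicesPipeTimeout'
$svc = Get-CimInstance Win32_Service -Filter "Name='$service'" -ErrorAction SilentlyContinue

[pscustomobject]@{
    DebuggerHookSet     = [bool]$hooks
    DebuggerCommand     = ($hooks.Debugger | Select-Object -Unique) -join '; '
    ServicesPipeTimeout = if ($null -ne $timeoutMs) { "$timeoutMs ms" } else { 'not set (default)' }
    ServiceStartMode    = $svc.StartMode
    ServiceState        = $svc.State
} | Format-List

if ($hooks -or $null -ne $timeoutMs) {
    Write-Warning 'Debugging configuration is still present; see the revert steps.'
}
```

After a successful revert and reboot, DebuggerHookSet should read False and ServicesPipeTimeout should read "not set (default)".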
Demo Video
The video demonstrates the previously explained steps up to debugging using Windbg and IDA simultaneously.