Protected process using elam

I am trying to create a protected service using the ELAM driver; all the steps succeed except the last StartService call. I am following the MSDN link https://msdn.microsoft.com/en-us/library/windows/desktop/dn313124(v=vs.85).aspx#starting_the_service_as_protected and http://www.osronline.com/showThread.CFM?link=284726 for certificate creation and signing.

The error I am getting on service start is 1053, which is “The service did not respond to the start or control request in a timely fashion”. I have even tried increasing the timeout, but the result is the same.

If I just create a normal (not protected) service then it works fine, which means there is no issue with the service; the issue only happens when I try to run it as a protected service.

Below are the steps that I am performing.

  1. hFileHandle = CreateFile(L"C:\\Windows\\System32\\drivers\\elamsample.sys", FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); // backslashes escaped for a C string literal
  2. InstallELAMCertificateInfo(hFileHandle)
  3. schSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
  4. schService = CreateService(schSCManager, lpszDisplayName, lpszDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START,
     SERVICE_ERROR_NORMAL, lpszBinaryPathName, NULL, NULL, NULL, NULL, NULL);
  5. SetServiceObjectSecurity(schService, si, &sd)
  6. ChangeServiceConfig2(schService, SERVICE_CONFIG_LAUNCH_PROTECTED, &Info) // Info.dwLaunchProtected holds the SERVICE_LAUNCH_PROTECTED_* level
  7. StartService(schService, 0, NULL) // This is failing.

Need help on this, any input would be highly appreciated.
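The sequence from the post, written out as an added example (not the original poster's code) in PowerShell via P/Invoke, so each Win32 result is checked and the launch-protection level is read back with QueryServiceConfig2 before StartService is attempted. $ElamDriver, $ServiceExe and $ServiceName are placeholders, the protection level ANTIMALWARE_LIGHT is an assumption, and step 5 (SetServiceObjectSecurity) is omitted. It has to be run elevated, with the driver and the service binary signed as the linked MSDN page requires.

```powershell
# Added example, not from the original post. Placeholders (assumptions):
$ElamDriver  = 'C:\Windows\System32\drivers\elamsample.sys'
$ServiceExe  = 'C:\Program Files\Example\ProtectedSvc.exe'
$ServiceName = 'ExampleProtectedSvc'

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class PplSvc {
    public const uint SERVICE_CONFIG_LAUNCH_PROTECTED = 12;   // winsvc.h info level
    public const uint SERVICE_LAUNCH_PROTECTED_NONE = 0;
    public const uint SERVICE_LAUNCH_PROTECTED_WINDOWS = 1;
    public const uint SERVICE_LAUNCH_PROTECTED_WINDOWS_LIGHT = 2;
    public const uint SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT = 3;
    public const uint SC_MANAGER_ALL_ACCESS = 0xF003F;
    public const uint SERVICE_ALL_ACCESS = 0xF01FF;

    [StructLayout(LayoutKind.Sequential)]
    public struct SERVICE_LAUNCH_PROTECTED_INFO { public uint dwLaunchProtected; }

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool InstallELAMCertificateInfo(IntPtr ELAMFile);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenSCManagerW(string machine, string database, uint access);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr OpenServiceW(IntPtr scm, string name, uint access);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool ChangeServiceConfig2W(IntPtr svc, uint level, ref SERVICE_LAUNCH_PROTECTED_INFO info);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool QueryServiceConfig2W(IntPtr svc, uint level, ref SERVICE_LAUNCH_PROTECTED_INFO info, uint cb, out uint needed);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CloseServiceHandle(IntPtr h);
}
'@

function Assert-Win32 ([bool]$Ok, [string]$What) {
    # Turn a FALSE/NULL return into an exception carrying GetLastError().
    if (-not $Ok) {
        $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw ('{0} failed: Win32 error {1} ({2})' -f $What, $code,
               (New-Object ComponentModel.Win32Exception $code).Message)
    }
}

# Steps 1-2: hand the signed driver's file handle to the system; the certificate
# hashes in its ELAM resource become the trusted signers for the protected service.
$fs = [IO.File]::Open($ElamDriver, 'Open', 'Read', 'Read')
try {
    Assert-Win32 ([PplSvc]::InstallELAMCertificateInfo($fs.SafeFileHandle.DangerousGetHandle())) 'InstallELAMCertificateInfo'
} finally { $fs.Dispose() }

# Steps 3-4: a plain SERVICE_WIN32_OWN_PROCESS, demand-start service.
New-Service -Name $ServiceName -BinaryPathName ('"{0}"' -f $ServiceExe) -StartupType Manual | Out-Null

# Step 6: mark it launch-protected, then read the setting back from the SCM.
$scm = [PplSvc]::OpenSCManagerW($null, $null, [PplSvc]::SC_MANAGER_ALL_ACCESS)
Assert-Win32 ($scm -ne [IntPtr]::Zero) 'OpenSCManager'
$svc = [PplSvc]::OpenServiceW($scm, $ServiceName, [PplSvc]::SERVICE_ALL_ACCESS)
Assert-Win32 ($svc -ne [IntPtr]::Zero) 'OpenService'
try {
    $info = New-Object 'PplSvc+SERVICE_LAUNCH_PROTECTED_INFO'
    $info.dwLaunchProtected = [PplSvc]::SERVICE_LAUNCH_PROTECTED_ANTIMALWARE_LIGHT
    Assert-Win32 ([PplSvc]::ChangeServiceConfig2W($svc, [PplSvc]::SERVICE_CONFIG_LAUNCH_PROTECTED, [ref]$info)) 'ChangeServiceConfig2'

    $back = New-Object 'PplSvc+SERVICE_LAUNCH_PROTECTED_INFO'
    [uint32]$needed = 0
    Assert-Win32 ([PplSvc]::QueryServiceConfig2W($svc, [PplSvc]::SERVICE_CONFIG_LAUNCH_PROTECTED, [ref]$back, 4, [ref]$needed)) 'QueryServiceConfig2'
    if ($back.dwLaunchProtected -ne $info.dwLaunchProtected) {
        throw "launch protection not applied; SCM reports level $($back.dwLaunchProtected)"
    }
} finally {
    [void][PplSvc]::CloseServiceHandle($svc)
    [void][PplSvc]::CloseServiceHandle($scm)
}

# Step 7: start it. ERROR_SERVICE_REQUEST_TIMEOUT (1053) surfaces here as the
# exception from Start-Service if the process never reports SERVICE_RUNNING.
Start-Service -Name $ServiceName -ErrorAction Stop
(Get-Service -Name $ServiceName).Status
```

The read-back after ChangeServiceConfig2 separates "the SCM refused the configuration" from "the SCM accepted it but the process never checked in", which is the distinction the replies below keep asking about.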

Does your service process actually start? Does it then report its running state to the SCM in a timely manner?

I assume protected services can still write ETW or other logging events. Creating ETW TraceLogging is REALLY easy.

Jan

On 8/9/17, 3:07 AM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com” wrote:



NTDEV is sponsored by OSR

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software drivers!

xxxxx@gmail.com xxxxx@lists.osr.com wrote:

I am trying to create a protected service using the elam driver, all the steps are succeeding except the last StartService call.

Below are the steps, that i am performing.

  1. hFileHandle = CreateFile(L"C:\\Windows\\System32\\drivers\\elamsample.sys", FILE_READ_DATA, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
  2. InstallELAMCertificateInfo(hFileHandle)
  3. schSCManager = OpenSCManager( NULL, NULL, SC_MANAGER_ALL_ACCESS);
  4. schService = CreateService(schSCManager, lpszDisplayName, lpszDisplayName, SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, lpszBinaryPathName, NULL, NULL, NULL, NULL, NULL);

I admit that I’m confused by the documentation. If this is a kernel
driver, then it needs to be SERVICE_KERNEL_DRIVER, not
SERVICE_WIN32_OWN_PROCESS, doesn’t it? The ELAM Driver Requirements
document shows that:

https://docs.microsoft.com/en-us/windows-hardware/drivers/install/elam-driver-requirements

What confuses me is that the page you referenced seems to be talking
about two different services: one for the ELAM driver, and one for the
protected user-mode process. I don’t see two separate services there.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks Jan and Tim for the quick responses.

Jan, the service was getting launched and timing out. Actually, I have written a simple out-of-proc COM service without much functionality, and it was failing to find the AppID, which is resolved by manually creating it. I need to figure out why it is not created by itself on registration.

Tim, it was my bad; I did not mention the driver service, which I was able to create. I was only having the issue with the user-mode service.

Can you clarify what you mean by “timed out”? It sounds like you’re saying the process DID start, but you didn’t answer whether it reported that it entered the running state to the SCM (by calling ReportSvcStatus( SERVICE_RUNNING, NO_ERROR, 0 ) with a success return code).

The SCM will time out and terminate a service that does not report a running state within a timeout value. We are trying to determine if the service successfully started and then failed, or if it never became running. I believe you can get ETW trace events about services moving into different states.

I would not be surprised if protected services had some restrictions on what APIs they can call, and becoming an out of process COM service involves hooking up to a bunch of mechanism. The docs for a protected service specifically say the service exe and ALL bound DLLs must be signed with the protected service key. I didn’t see in the docs what the signature requirements were for “run-time” and “system” DLLs, which are what implement a ton of the Windows API functionality.

You might try turning on the “code integrity” ETW traces, and see if any events are reported for failing a code signature check. You might also try turning on loader snaps, and see if some message around a DLL binding error is spit out.

Jan

On 8/10/17, 9:53 AM, “xxxxx@lists.osr.com on behalf of xxxxx@gmail.com xxxxx@lists.osr.com” wrote:

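The checks Jan suggests (did the SCM see SERVICE_RUNNING, what timeout applies, did Code Integrity reject a DLL) collected into one diagnostic script, as an added example that is not part of the thread. $ServiceName is a placeholder; the SCM event IDs 7000/7009, the ServicesPipeTimeout value and the Code Integrity events 3033/3034 are the standard Windows ones. Run it elevated right after a failed Start-Service.

```powershell
# Added example, not from the thread. Placeholder (assumption):
$ServiceName = 'ExampleProtectedSvc'
$Since = (Get-Date).AddMinutes(-10)

# 1. What the SCM logged. 7009 means the process never connected within the
#    start timeout; 7000 is a generic start failure with the Win32 error. The
#    timeout itself is ServicesPipeTimeout (milliseconds, 30000 when absent).
$t = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control' -Name ServicesPipeTimeout -ErrorAction SilentlyContinue).ServicesPipeTimeout
'SCM start timeout: {0} ms' -f $(if ($t) { $t } else { 30000 })
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7000, 7009; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ServiceName*" } |
    Select-Object TimeCreated, Id, Message

# 2. Current state, PID (if a process is still alive) and the last exit code.
Get-CimInstance Win32_Service -Filter "Name='$ServiceName'" |
    Select-Object Name, State, ProcessId, ExitCode, ServiceSpecificExitCode

# 3. Code Integrity: a launch-protected process that loads an image not signed
#    to the required level is recorded here (3033 enforced, 3034 audit-only).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3033, 3034; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. The protection level the SCM persisted for the service
#    (0 none, 1 Windows, 2 Windows light, 3 anti-malware light).
(Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName" -Name LaunchProtected -ErrorAction SilentlyContinue).LaunchProtected
```

Loader snaps (gflags /i <image>.exe +sls, from the Debugging Tools for Windows) are the other check Jan mentions; their output only goes to an attached debugger, and an unprotected user-mode debugger cannot open a launch-protected process, which is why the kernel-debugger route described later in the thread is the practical way to read them.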

I don’t know why but the ‘Create Process’ WinDbg’s event filter is not working for me.

To have your service being debugged in a kernel mode debugger, try to:

  1. Install a VS 2015 template PNP driver on the target with DEVCON.EXE. A sample KMDF Kernel Mode Driver is good. The driver should have a device interface, and a default WDF queue with an IOCTL handler.
  2. In the debugger, set a breakpoint to the driver’s IOCTL handler.
  3. Then in your SvcMain, have your service open a handle to the device and issue an IOCTL code.
  4. If the debugger breaks in the context of the service (look at the stack), you can debug the service initialization step by step. Just add another breakpoint after DeviceIoControl in the source window.

I remember that a Windows service based on the old Windows Service Sample below was hanging on startup:

https://msdn.microsoft.com/fr-fr/library/windows/desktop/bb540475(v=vs.85).aspx

But a Windows service based on the VS 2015 C# Windows Service template explained below was ok.

https://docs.microsoft.com/en-us/dotnet/framework/windows-services/walkthrough-creating-a-windows-service-application-in-the-component-designer

This was already discussed here:

http://www.osronline.com/showThread.CFM?link=284726
http://www.osronline.com/showThread.CFM?link=284667

Yes Jan, the process did start, but as it is a COM service and I was creating the service by the steps I mentioned above (which are required for the protected service) and not through the /service command (servicename.exe /service), it was not creating the AppID. During the service start call the process was starting, but as the AppID was not registered it was taking time to find it and was eventually timing out. After I created the AppID before starting, it started working. Thanks for all your help.

Thanks W.D. for providing the debugging steps.
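The registry entries that the server's own "servicename.exe /service" self-registration would normally write for a service-hosted out-of-process COM server, created by hand as an added example (not the poster's code) so that the service can still be set up with CreateService/ChangeServiceConfig2 as in the first post. The GUIDs, service name and friendly name are placeholders; the real values are the server's coclass CLSID and its AppID.

```powershell
# Added example, not from the thread. Placeholders (assumptions):
$ServiceName  = 'ExampleProtectedSvc'
$AppId        = '{2B1F8F72-5D8E-4B0A-9F0C-1C0F4E1A7B11}'   # placeholder AppID
$Clsid        = '{6E0A3C55-0B2C-4F27-8F4B-9B2D2C5F3E22}'   # placeholder CLSID
$FriendlyName = 'Example Protected COM Service'

# HKLM\SOFTWARE\Classes is the machine half of HKCR; writing there avoids the
# per-user merge that HKCR: would give an elevated-but-interactive session.
$appKey = "HKLM:\SOFTWARE\Classes\AppID\$AppId"
$clsKey = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"

# AppID: LocalService tells the COM SCM to activate the class by starting this
# NT service rather than launching LocalServer32 as an ordinary process.
# ServiceParameters is handed to the service on start; '/service' mirrors the
# switch the post mentions and is an assumption about this server.
New-Item -Path $appKey -Force | Out-Null
Set-ItemProperty -Path $appKey -Name '(default)'         -Value $FriendlyName
Set-ItemProperty -Path $appKey -Name 'LocalService'      -Value $ServiceName
Set-ItemProperty -Path $appKey -Name 'ServiceParameters' -Value '/service'

# CLSID -> AppID link; without it an activation request for the class has no
# AppID to resolve and cannot be routed to the service.
New-Item -Path $clsKey -Force | Out-Null
Set-ItemProperty -Path $clsKey -Name '(default)' -Value $FriendlyName
Set-ItemProperty -Path $clsKey -Name 'AppID'     -Value $AppId

# Read back the chain the COM SCM will follow: CLSID -> AppID -> LocalService.
$resolvedAppId = (Get-ItemProperty $clsKey).AppID
$resolvedSvc   = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\AppID\$resolvedAppId").LocalService
if ($resolvedSvc -ne $ServiceName) { throw "CLSID $Clsid does not resolve to service $ServiceName" }
"CLSID $Clsid -> AppID $resolvedAppId -> service $resolvedSvc"
```

The read-back at the end is the check to run before StartService: if the CLSID does not resolve to the service name through its AppID, the activation side of the server is misregistered regardless of how the NT service itself is configured.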