In this blog post, we are going to take a look at the mysterious "/P" flag of svchost.exe. TL;DR: the /P flag makes the host process enforce three process mitigation policies: DynamicCodePolicy, BinarySignaturePolicy and ExtensionPolicy.
So first of all, what is svchost.exe? According to Wikipedia, "svchost.exe (Service Host, or SvcHost) is a system process that can host from one to many Windows services in the Windows NT family of operating systems". It is basically the generic host process into which your DLL-based services get loaded, and one instance can carry several services at once.
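To see both points above on a live machine (which svchost.exe instances exist, which services each one hosts, which were started with /P, and what mitigation state those processes actually report), here is an added PowerShell example. It is not code from the original post. It assumes an elevated prompt (otherwise Win32_Process.CommandLine is empty for SYSTEM processes), a Windows 10 1709 or later build where the ProcessMitigations module provides Get-ProcessMitigation -Id for a running process, and that the returned object exposes the DynamicCode, SignedBinaries and ExtensionPoint property groups under those names.

```powershell
# Added example, not code from the original post: list every svchost.exe instance,
# the services it hosts, whether it was started with /P, and (for one /P instance and
# one without) the runtime process mitigation state the flag is supposed to enforce.
# Assumptions: elevated prompt; Windows 10 1709+ with the ProcessMitigations module
# (Get-ProcessMitigation -Id); property group names DynamicCode / SignedBinaries /
# ExtensionPoint as on current builds.

$instances = Get-CimInstance Win32_Process -Filter "Name='svchost.exe'" | ForEach-Object {
    $p = $_
    # Services are tied to their host process through Win32_Service.ProcessId.
    $services = Get-CimInstance Win32_Service -Filter "ProcessId=$($p.ProcessId)" |
        Select-Object -ExpandProperty Name
    [PSCustomObject]@{
        PID      = $p.ProcessId
        # -match is case-insensitive, so this catches "/P" and "/p" as a standalone token.
        PFlag    = [bool]($p.CommandLine -match '\s/p(\s|$)')
        Services = ($services -join ',')
        CmdLine  = $p.CommandLine
    }
}
$instances | Sort-Object PFlag -Descending | Format-Table -AutoSize

# Pick one /P process and one without it and compare what the kernel reports.
$withP    = $instances | Where-Object PFlag | Select-Object -First 1
$withoutP = $instances | Where-Object { -not $_.PFlag } | Select-Object -First 1
foreach ($target in @($withP, $withoutP)) {
    if ($null -eq $target) { continue }
    $m = Get-ProcessMitigation -Id $target.PID
    "PID $($target.PID) (/P = $($target.PFlag)), hosting: $($target.Services)"
    $m.DynamicCode    | Format-List   # dynamic code policy (arbitrary code guard)
    $m.SignedBinaries | Format-List   # binary signature policy (Microsoft-signed only)
    $m.ExtensionPoint | Format-List   # extension point disable policy (AppInit DLLs, hooks, ...)
}
```

If the two processes show the same mitigation state, check that the /P one really is a service host started by the Service Control Manager and not a renamed copy: the flag only has an effect when svchost.exe itself parses it.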
Before diving into svchost with Cutter (or your favorite disassembler/decompiler), it is good to have the PDB of the executable beforehand. PDB is short for "Program DataBase" and it stores the debug information of an executable. You can fetch it with PDBDownloader.exe (which you can grab here: https://techcommunity.microsoft.com/t5/iis-support-blog/pdb-downloader/ba-p/342969). Microsoft lets you access some of the debug information for its components so you can debug them with WinDbg or import them into IDA, which is cool. It is important to note that you don't have access to ALL the debug information, only the symbols that Microsoft made public.
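PDBDownloader and similar tools work by reading the CodeView (RSDS) record out of the executable's debug directory and asking the Microsoft symbol server for the PDB that matches its GUID and age. The following added PowerShell example does that by hand so you can see exactly which PDB a given svchost.exe build wants. It is not code from the original post or from PDBDownloader. It assumes Windows PowerShell 5.1 or later, that the input is a valid PE file carrying an RSDS entry, and that the public symbol server is reachable at https://msdl.microsoft.com/download/symbols.

```powershell
# Added example, not from the original post: parse the PE debug directory, pull the
# RSDS (GUID + age + PDB name) record and build the symbol server URL for that PDB.
# Assumptions: PowerShell 5.1+, a valid PE with an RSDS CodeView record, public
# Microsoft symbol server at the default URL below.

function Get-PdbSymbolUrl {
    param([Parameter(Mandatory)][string]$Path,
          [string]$SymbolServer = 'https://msdl.microsoft.com/download/symbols')

    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u32 = { param($o) [BitConverter]::ToUInt32($b, [int]$o) }
    $u16 = { param($o) [BitConverter]::ToUInt16($b, [int]$o) }

    # DOS header -> e_lfanew -> "PE\0\0"
    $pe = & $u32 0x3C
    if ((& $u32 $pe) -ne 0x00004550) { throw "$Path is not a PE file" }

    $coff        = $pe + 4
    $numSections = & $u16 ($coff + 2)
    $optSize     = & $u16 ($coff + 16)
    $opt         = $coff + 20
    $magic       = & $u16 $opt
    # Data directories start at +96 (PE32) or +112 (PE32+); the debug directory is entry 6.
    $ddOffset = if ($magic -eq 0x20B) { 112 } elseif ($magic -eq 0x10B) { 96 } else { throw "unknown optional header magic 0x$($magic.ToString('X'))" }
    $dbgRva  = & $u32 ($opt + $ddOffset + 6 * 8)
    $dbgSize = & $u32 ($opt + $ddOffset + 6 * 8 + 4)
    if ($dbgRva -eq 0) { throw "$Path has no debug directory" }

    # Walk the section table (40-byte headers after the optional header) to map RVA -> file offset.
    $sec = $opt + $optSize
    $fileOff = $null
    for ($i = 0; $i -lt $numSections; $i++) {
        $s     = $sec + $i * 40
        $vsz   = & $u32 ($s + 8)
        $va    = & $u32 ($s + 12)
        $rawSz = & $u32 ($s + 16)
        $raw   = & $u32 ($s + 20)
        $span  = [Math]::Max($vsz, $rawSz)
        if ($dbgRva -ge $va -and $dbgRva -lt ($va + $span)) { $fileOff = $raw + ($dbgRva - $va); break }
    }
    if ($null -eq $fileOff) { throw "debug directory RVA is not mapped by any section" }

    # IMAGE_DEBUG_DIRECTORY entries are 28 bytes; Type 2 is IMAGE_DEBUG_TYPE_CODEVIEW.
    for ($e = 0; $e -lt $dbgSize; $e += 28) {
        $d = $fileOff + $e
        if ((& $u32 ($d + 12)) -ne 2) { continue }
        $cv = [int](& $u32 ($d + 24))                    # PointerToRawData of the CodeView blob
        if ((& $u32 $cv) -ne 0x53445352) { continue }     # 'RSDS'
        $guid    = [guid]::new([byte[]]$b[($cv + 4)..($cv + 19)])
        $age     = & $u32 ($cv + 20)
        $end     = [Array]::IndexOf($b, [byte]0, $cv + 24)
        $pdbPath = [Text.Encoding]::ASCII.GetString($b, $cv + 24, $end - ($cv + 24))
        $pdbName = [IO.Path]::GetFileName($pdbPath)
        # Symbol server layout: <name>/<GUID as 32 upper-case hex digits><age in hex>/<name>
        $id = $guid.ToString('N').ToUpper() + $age.ToString('X')
        return [PSCustomObject]@{
            PdbName = $pdbName
            Id      = $id
            Url     = "$SymbolServer/$pdbName/$id/$pdbName"
        }
    }
    throw "no RSDS CodeView record found in $Path"
}

# Usage: resolve and download the PDB that matches the local svchost.exe.
$info = Get-PdbSymbolUrl "$env:SystemRoot\System32\svchost.exe"
$info
Invoke-WebRequest -Uri $info.Url -OutFile $info.PdbName
```

The GUID and age are the only things that tie a PDB to a build, so if the download returns 404 the binary is usually a build whose symbols Microsoft has not published, not a parsing problem; compare the computed Id against what `symchk /v` reports for the same file.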