[OllyDbg] Problem stepping over HttpSendRequestEx()

Discussion on reverse-engineering and debugging.
R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

[OllyDbg] Problem stepping over HttpSendRequestEx()

Post by R136a1 » Tue Oct 23, 2012 7:41 pm

Hey there,

I have a strange problem while trying to step over the HttpSendRequestEx() function in OllyDbg.
Every time I try to debug a malware sample by stepping over (F8) the HttpSendRequestEx() function, a new thread is created and the program is in an infinite loop. That is because the HttpSendRequest() function internally calls the CreateThread() function and the WaitForSingleObject() function:

[screenshot]

[screenshot]

I don't know what causes this behaviour and for what object the thread is waiting to continue. I have tried in OllyDbg 1.10 and 2.01, but always the same behaviour. I have also tried to debug the sample under different Windows OS versions (XP, 7), but always the same behaviour. I have also tried to debug the sample on my real Windows 7 system (so no virtual machine) without any luck. I supposed it was a network problem, so I tried to turn on every possible Windows network service, but again no luck. I also tried the different network methods of VirtualBox (Bridged, NAT, ...), but no luck. I then assumed it is maybe a problem with missing runtimes (.dll), so I installed every possible runtime (.NET, C++ runtimes, ...), again no luck.

If I run the sample (.dll) on one of my (VM) systems (Windows XP, 7) without OllyDbg there is no problem and everything works as expected.

Does somebody have any clue what causes this behaviour? Is there a way to find out for what object WaitForSingleObject() function is waiting?

EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by EP_X0FF » Wed Oct 24, 2012 3:46 am

What is the object name (if any) this thread waits on? Break on NtWaitForSingleObject and read esp+4 to get the handle. Also, someone may want to look at this file too.
Ring0 - the source of inspiration
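The following script is an added example, not code from the thread, that shows what the suggestion above means in practice: at a breakpoint on the first instruction of ntdll!NtWaitForSingleObject on 32-bit Windows, esp points at the return address and the stdcall arguments follow it (Handle at esp+4, Alertable at esp+8, a pointer to a LARGE_INTEGER Timeout at esp+C). The stack bytes, the timeout value and the handle table are constructed here so the script runs offline; in a real session they come from OllyDbg's stack pane, dump window and Handles window respectively. The handle value 0xA8, the return address and the table contents are assumptions for illustration only.

```python
"""Decode the arguments of an x86 NtWaitForSingleObject call from a stack snapshot.

Added example, not from the forum thread. Layout at function entry (stdcall):

    [esp]    return address
    [esp+4]  HANDLE          Handle
    [esp+8]  BOOLEAN         Alertable
    [esp+C]  PLARGE_INTEGER  Timeout   (NULL = wait forever)
"""
import struct

INFINITE = 0xFFFFFFFF

# ---- constructed debugger snapshot (all values are assumptions) -------------
ESP = 0x0012FB10
RETURN_ADDRESS = 0x7C90E9AB          # constructed; would point back into kernel32
WAIT_HANDLE = 0xA8                    # constructed handle value
TIMEOUT_PTR = ESP + 0x18              # LARGE_INTEGER placed further up the stack
TIMEOUT_100NS = -50_000_000           # relative 5000 ms, as kernel32 would encode it
STACK_BYTES = struct.pack(
    "<IIIIIIq",
    RETURN_ADDRESS, WAIT_HANDLE, 0, TIMEOUT_PTR,   # ret, Handle, Alertable, Timeout
    0xCCCCCCCC, 0xCCCCCCCC,                          # unrelated stack slots
    TIMEOUT_100NS,                                   # the LARGE_INTEGER itself
)

# Constructed copy of what OllyDbg's Handles window might list: value -> (type, name)
HANDLE_TABLE = {
    0x24: ("Key", "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"),
    0x7C: ("Thread", None),
    0xA8: ("Event", None),
}


def read_u32(mem, base, addr):
    """Read a little-endian DWORD from the snapshot that starts at address `base`."""
    return struct.unpack_from("<I", mem, addr - base)[0]


def read_i64(mem, base, addr):
    """Read a little-endian signed 64-bit value (LARGE_INTEGER) from the snapshot."""
    return struct.unpack_from("<q", mem, addr - base)[0]


def decode_timeout(mem, base, ptr):
    """Interpret the PLARGE_INTEGER Timeout argument of an Nt wait call.

    NULL           -> infinite wait
    negative value -> relative timeout in 100 ns units (what WaitForSingleObject passes)
    zero           -> poll, return immediately
    positive value -> absolute time as a FILETIME
    """
    if ptr == 0:
        return {"kind": "infinite"}
    raw = read_i64(mem, base, ptr)
    if raw < 0:
        return {"kind": "relative", "ms": -raw / 10_000}
    if raw == 0:
        return {"kind": "poll"}
    return {"kind": "absolute", "filetime": raw}


def decode_nt_wait(mem, base, esp):
    """Return the NtWaitForSingleObject arguments as seen at function entry."""
    return {
        "return_address": read_u32(mem, base, esp),
        "handle": read_u32(mem, base, esp + 4),
        "alertable": bool(read_u32(mem, base, esp + 8) & 0xFF),  # BOOLEAN is one byte
        "timeout": decode_timeout(mem, base, read_u32(mem, base, esp + 0xC)),
    }


def describe_handle(handle, table):
    """Look the handle up the way you would in OllyDbg's Handles window."""
    if handle not in table:
        return "unknown handle 0x%X (not in the handle table at break time)" % handle
    kind, name = table[handle]
    return "%s %s" % (kind, ("'%s'" % name) if name else "(unnamed)")


def ms_to_nt_timeout(milliseconds):
    """Mirror of the conversion kernel32!WaitForSingleObject performs before calling
    ntdll: INFINITE becomes a NULL pointer, anything else a negative 100 ns count."""
    if milliseconds == INFINITE:
        return None
    return -(milliseconds * 10_000)


if __name__ == "__main__":
    args = decode_nt_wait(STACK_BYTES, ESP, ESP)
    print("NtWaitForSingleObject(Handle=0x%X, Alertable=%s, Timeout=%s)"
          % (args["handle"], args["alertable"], args["timeout"]))
    print("waiting on:", describe_handle(args["handle"], HANDLE_TABLE))
```

Once the handle value is known, OllyDbg's Handles window (or the hidden-handle view in a kernel tool) tells you its type and name; an unnamed Event is exactly the case that gives no further hint, which is why the next question is which thread is supposed to signal it. On 64-bit Windows the same three arguments arrive in rcx, rdx and r8 rather than on the stack, so the esp-based offsets apply only to 32-bit targets.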

Apocalypse
Posts: 12
Joined: Fri Oct 28, 2011 11:51 am

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by Apocalypse » Wed Oct 24, 2012 12:06 pm

Look in THREADS menu in Olly, maybe this thread is suspended :roll:

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by R136a1 » Wed Oct 24, 2012 3:46 pm

@EP_X0FF

Unfortunately the handle doesn't have a name, but it is a handle of type Event:

[screenshot]

@Apocalypse

I think the thread can't be in a suspended state, as it is waiting for a change in the status of an object (signaled):

[screenshot]

I will upload the sample as soon as I have finished the write-up of my analysis.

Any further ideas?

EP_X0FF
Global Moderator
Posts: 4814
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by EP_X0FF » Thu Oct 25, 2012 4:36 am

Don't you think it can expect this Event to be signaled from other threads that are in an inactive state?
Ring0 - the source of inspiration

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by R136a1 » Thu Oct 25, 2012 5:09 pm

I also considered this possibility, but there is no difference if the other threads are active or not. In the following screenshots I stepped to the call to HttpSendRequestEx() and once tried to step over (F8) and the other time tried to run (F9) the sample. The same behaviour: a new thread is created and the sample runs in an infinite loop waiting for the Event object to be signaled.

Step over (F8):
[screenshot]

Run (F9):
[screenshot]

R136a1
Forum Admin
Posts: 218
Joined: Wed Jul 13, 2011 4:30 pm
Location: Netherlands

Re: [OllyDbg] Problem stepping over HttpSendRequestEx()

Post by R136a1 » Sat Nov 17, 2012 4:04 pm

Workaround

For anybody who is interested in this case, I finally found some kind of solution. I think the problem lies in OllyDbg's DLL loader (Loaddll.exe). When I loaded the malware .dll through rundll32.exe (Windows tool) with OllyDbg (2.01!), everything worked as expected and I was able to step over the HttpSendRequestEx() function.
