A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #16236  by R136a1
 Tue Oct 23, 2012 7:41 pm
Hey there,

I have a strange problem while trying to step over the HttpSendRequestEx() function in OllyDbg.
Every time I try to debug a malware sample by stepping over (F8) the HttpSendRequestEx() function a new Thread is created and the program is in a infinite loop. That is because HttpSendReuqest() function internally calls CreateThread() function and WaitForSingleObject() function:



I don't know what causes this behaviour and for what object the Thread is waiting to continue. I have tried in OllyDbg 1.10 and 2.01, but always the same behaviour. I have also tried to debug the sample under different Windows OS versions (XP, 7), but always the same behaviour. I have also tried to debug the sample on my real Windows 7 system (so no Virtual Machine) without any luck. I supposed it was a network problem, so I tried to turn on every possible Windows Network Services, but again no luck. I also tried the different network methods of VirtualBox (Bridged, NAT, ...), but no luck. I then assumed it is maybe a problem with missing runtimes (.dll) so I installed every possible runtimes (.NET, C++ runtimes, ...), again no luck.

If a run the sample (.dll) on one of my (VM) systems (Windows XP, 7) without Ollydbg there is no problem and everything works as expected.

Does somebody have any clue what causes this behaviour? Is there a way to find out for what object WaitForSingleObject() function is waiting?
 #16242  by EP_X0FF
 Wed Oct 24, 2012 3:46 am
What is the object name (if any) this thread waits? Break on NtWaitForSingleObject and esp+4 to get handle. Also someone may want to look on this file too.
 #16257  by R136a1
 Wed Oct 24, 2012 3:46 pm

Unfortunately the handle doesn't have a name, but it is a handle from type event:



I think the thread can't be in suspended state as it is waiting for a change in the status of a object (signaled):


I will upload the sample as soon as I have finished the write-up of my analysis.

Any further ideas?
 #16278  by R136a1
 Thu Oct 25, 2012 5:09 pm
I also considered this possibility, but there is no difference if the other Threads are active or not. In the following Screenshots I stepped to the call to HttpSendRequestEx() and once tried to step over (F8) and the other time tried to run (F9) the sample. The same behaviour: a new Thread is created and the sample runs in infinite loop waiting for the Event object to be signaled.

Step over (F8):

Run (F9):
 #16670  by R136a1
 Sat Nov 17, 2012 4:04 pm

For anybody who is interested in this case, I finally found some kind of solution. I think the problem lies in OllyDbg's DLL Loader (Loaddll.exe). When I loaded the malware .dll through rundll32.exe (Windows tool) with OllyDbg (2.01!) everything works as expected and I was able to step over HttpSendRequestEx() function.