[R136a1]

Hey there,

I have a strange problem while trying to step over the HttpSendRequestEx() function in OllyDbg.
Every time I try to debug a malware sample by stepping over (F8) the HttpSendRequestEx() function a new Thread is created and the program is in a infinite loop. That is because HttpSendReuqest() function internally calls CreateThread() function and WaitForSingleObject() function:





I don't know what causes this behaviour and for what object the Thread is waiting to continue. I have tried in OllyDbg 1.10 and 2.01, but always the same behaviour. I have also tried to debug the sample under different Windows OS versions (XP, 7), but always the same behaviour. I have also tried to debug the sample on my real Windows 7 system (so no Virtual Machine) without any luck. I supposed it was a network problem, so I tried to turn on every possible Windows Network Services, but again no luck. I also tried the different network methods of VirtualBox (Bridged, NAT, ...), but no luck. I then assumed it is maybe a problem with missing runtimes (.dll) so I installed every possible runtimes (.NET, C++ runtimes, ...), again no luck.

If a run the sample (.dll) on one of my (VM) systems (Windows XP, 7) without Ollydbg there is no problem and everything works as expected.

Does somebody have any clue what causes this behaviour? Is there a way to find out for what object WaitForSingleObject() function is waiting?

[EP_X0FF]

What is the object name (if any) this thread waits? Break on NtWaitForSingleObject and esp+4 to get handle. Also someone may want to look on this file too.

[Apocalypse]

Look in THREADS menu in Olly, maybe this thread is suspended :roll:

[R136a1]

@EP_X0FF

Unfortunately the handle doesn't have a name, but it is a handle from type event:



@Apocalypse

I think the thread can't be in suspended state as it is waiting for a change in the status of a object (signaled):



I will upload the sample as soon as I have finished the write-up of my analysis.

Any further ideas?

[EP_X0FF]

Don't you think it can expect this Event to be signaled from other threads that are in inactive state?

[R136a1]

I also considered this possibility, but there is no difference if the other Threads are active or not. In the following Screenshots I stepped to the call to HttpSendRequestEx() and once tried to step over (F8) and the other time tried to run (F9) the sample. The same behaviour: a new Thread is created and the sample runs in infinite loop waiting for the Event object to be signaled.

Step over (F8):


Run (F9):

[R136a1]

Workaround

For anybody who is interested in this case, I finally found some kind of solution. I think the problem lies in OllyDbg's DLL Loader (Loaddll.exe). When I loaded the malware .dll through rundll32.exe (Windows tool) with OllyDbg (2.01!) everything works as expected and I was able to step over HttpSendRequestEx() function.