blabberer
February 1st, 2009, 19:43
Yep, a thread is created in this version of wininet.
Code:
0:000> !dlls -v -c wininet.dll
Dump dll containing 0x41fd0000:
0x00242230: c:\wininet.dll
Base 0x41fd0000 EntryPoint 0x41fd1784 Size 0x000d0000
Flags 0x80084004 LoadCount 0x00000001 TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Windows® Internet Explorer
Product Version 7.00.6000.16674
Original Filename wininet.dll
File Description Internet Extensions for Win32
File Version 7.00.6000.16674 (vista_gdr.080415-1732)
Log data
Address Message
OllyDbg v1.10
File 'C:\wininet.dll'
New process with ID 00000F50 created
00410070 Main thread with ID 00000EAC created
00400000 Module H:\Borland\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
41FD0000 Module C:\wininet.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
71660000 Module C:\Normaliz.dll
Analysing wininet
5448 fuzzy procedures
3425 calls to known, 3485 calls to guessed functions
821 loops, 185 switches or cascaded if's
41FD1784 Entry point of debugged DLL
7C810856 New thread with ID 00000698 created <------------------
5DCA0000 Module C:\iertutil.dll
41FD1784 Entry point of debugged DLL
traceguids is called; it's part of ETW tracing, profiling and instrumentation code (WMI event tracing).
Code:
Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0006F7F8 41FFDA23 ADVAPI32.RegisterTraceGuidsA wininet.41FFDA1D 0006F82C
0006F7FC 420376DF Arg1 = 420376DF
0006F800 4206DE10 Arg2 = 4206DE10
0006F804 41FFDC84 Arg3 = 41FFDC84
0006F808 00000001 Arg4 = 00000001
0006F80C 0006F824 Arg5 = 0006F824
0006F810 00000000 Arg6 = 00000000
0006F814 00000000 Arg7 = 00000000
0006F818 4206DE18 Arg8 = 4206DE18
0006F830 41FFDBFF wininet.41FFD9E4 wininet.41FFDBFA 0006F82C
0006F834 41FFDCA4 Arg1 = 41FFDCA4
0006F848 41FD1683 wininet.41FD17AE wininet.41FD167E 0006F844
0006F84C 41FD0000 Arg1 = 41FD0000
0006F850 00000001 Arg2 = 00000001
0006F854 00000000 Arg3 = 00000000
This CreateFiles a device:
Code:
0006F5A0 77DF9FD4 |FileName = "\\.\WMIDataDevice"
0006F5A4 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0006F5A8 00000000 |ShareMode = 0
0006F5AC 00000000 |pSecurity = NULL
0006F5B0 00000003 |Mode = OPEN_EXISTING
0006F5B4 40000080 |Attributes = NORMAL|OVERLAPPED
0006F5B8 00000000 \hTemplateFile = NULL
and a DeviceIoControl is sent:
Code:
0006F598 0000003C |hDevice = 0000003C (window)
0006F59C 0022414C |IoControlCode = 22414C
0006F5A0 00872E60 |InBuffer = 00872E60
0006F5A4 00000068 |InBufferSize = 68 (104.)
0006F5A8 00872E60 |OutBuffer = 00872E60
0006F5AC 00000050 |OutBufferSize = 50 (80.)
0006F5B0 0006F62C |pBytesReturned = 0006F62C
0006F5B4 0006F5C4 \pOverlapped = 0006F5C4
and after several CreateEvents a thread is created in the DllEntry of this wininet:
Code:
0006F67C 00000000 |pSecurity = NULL
0006F680 00000000 |StackSize = 0
0006F684 77DF9981 |ThreadFunction = ADVAPI32.77DF9981
0006F688 00000000 |pThreadParm = NULL
0006F68C 00000000 |CreationFlags = 0
0006F690 0006F6A0 \pThreadId = 0006F6A0
This function is probably an overlapped callback.
I fetched this DLL from some Chinese DLL repository:
www.zhaodll.com
MS doesn't have this binary in the symbol cache:
Code:
0:000> lm m wini*;!chkimg -d -v wininet.dll
start end module name
41fd0000 420a0000 wininet (pdb symbols) C:\Program Files\Debugging Tools for Windows (x86)\sym\wininet.pdb\D2F390EB58274066B10ACDE1CAE39DB62\wininet.pdb
Searching for module with expression: wininet.dll
SYMSRV: C:\Program Files\Debugging Tools for Windows (x86)\sym\wininet.dll\480EB823d0000\wininet.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/wininet.dll/480EB823d0000/wininet.dll not found
Error for wininet.dll: Could not find image file for the module. Make sure binaries are included in the symbol path.
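Added example (not part of the post above): a small parser for OllyDbg log lines of the kind shown in the post, which attributes each "New thread" event to the DLL whose entry point was last reached, and resolves the thread start address to a loaded module. The sample log is copied from the post; the module lookup assumes the module with the highest base address at or below an address owns it (OllyDbg's log carries no module sizes, so that is a heuristic).

```python
import re

# Sample OllyDbg log, copied from the post above (addresses as logged there).
OLLY_LOG = """\
00410070 Main thread with ID 00000EAC created
00400000 Module H:\\Borland\\odbg110\\LOADDLL.EXE
7C800000 Module C:\\WINDOWS\\system32\\kernel32.dll
7C900000 Module C:\\WINDOWS\\system32\\ntdll.dll
41FD0000 Module C:\\wininet.dll
77DD0000 Module C:\\WINDOWS\\system32\\ADVAPI32.dll
41FD1784 Entry point of debugged DLL
7C810856 New thread with ID 00000698 created
5DCA0000 Module C:\\iertutil.dll
41FD1784 Entry point of debugged DLL
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]{8}) (.*)$")
MODULE_RE = re.compile(r"^Module (.+)$")
THREAD_RE = re.compile(r"^New thread with ID ([0-9A-Fa-f]{8}) created$")

def module_for(addr, modules):
    """Resolve addr to the loaded module with the highest base <= addr.
    Heuristic (assumption): the log records no sizes, so this is best-effort."""
    cands = [(base, name) for base, name in modules.items() if base <= addr]
    if not cands:
        return None, None
    base, name = max(cands)
    return name, addr - base

def threads_during_dll_entry(log):
    """Return (thread_id, start_module, offset, dll) for every thread created
    after the debugged DLL's entry point was reached, i.e. while its DllMain
    could still be running."""
    modules, found, active_dll = {}, [], None
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "Analysing ..." and other lines without an address
        addr, msg = int(m.group(1), 16), m.group(2)
        if (mm := MODULE_RE.match(msg)):
            modules[addr] = mm.group(1).rsplit("\\", 1)[-1].lower()
        elif msg == "Entry point of debugged DLL":
            active_dll = module_for(addr, modules)[0]
        elif (tm := THREAD_RE.match(msg)) and active_dll:
            name, off = module_for(addr, modules)
            found.append((int(tm.group(1), 16), name, off, active_dll))
    return found

if __name__ == "__main__":
    for tid, mod, off, dll in threads_during_dll_entry(OLLY_LOG):
        print(f"thread {tid:#x} started at {mod}+{off:#x} while {dll} entry point was active")
```

On the post's log this reports the thread 0x698 starting in kernel32 while wininet's entry point was active; the real thread function (ADVAPI32) is only visible in the CreateThread arguments shown earlier in the post.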