Log in

View Full Version : CreateThread and breakpoints


lborup
January 27th, 2009, 09:19
Hi

While debugging some malware with Ida Pro i come across a call to CreateThread. If i put a software breakpoint on the address passed to CreateThread, it does not break...

Generally, how should i handle such thread creation while debugging, i would like to debug both the code following the call to CreateThread, but also the thread itself?

Best regards,
Lasse

lborup
January 28th, 2009, 06:34
Solved it. I played around a bit with homemade CreateThread example. The breakpoints worked, i just needed a better understanding of how to debug threads. I suspended the main thread to allow the others to run to their breakpoints.

Regards,
Lasse

Kayaker
January 28th, 2009, 14:02
Quote:
[Originally Posted by lborup].. suspended the main thread to allow the others to run to their breakpoints.


Hi

Maybe I'm simply misinterpreting what you wrote, but..

I've never really used the IDA debugger, but why is that step necessary? Normally you would just put a breakpoint on <LPTHREAD_START_ROUTINE lpStartAddress> passed to CreateThread and it should break..

and to continue debugging the main thread as well, a bp immediately after the CreateThread call itself..

lborup
January 28th, 2009, 16:19
Yes, that's where i placed my breakpoints. I just couldn't understand why the main thread continued (breaking at the breakpoint, of course) like nothing had happened, after CreateThread, and no new threads were listed in my threads window.
I guess, that when debugging, the normal scheduler is out of play, and the threads aren't started till i suspend the main thread, and give them a chance to run.
Or something like that... :-)

vvw
January 28th, 2009, 22:22
As an aside - It's possible for CreateThread to succeed but not have a new thread show up in your debuggers thread list if CreateThread was called with dwCreationFlag set to CREATE_SUSPENDED.

Also, remember that windbg (and other debuggers) may break into your process invasively by injecting a thread into your process and call DbgUiRemoteBreakIn, so don't be surprised when you see that extra thread.

lborup
January 29th, 2009, 02:41
Ok, thanks, i'll look out for that next time.

A related question: At one point i noticed a call to Loadlibrary(wininet.dll) resulted in an extra thread being created.
I was thinking that Loadlibrary calls wininet.dllmain() and wininet.dll does some initialization, but i am not quite sure.
Does anybody have some info on this?

Best regards,
Lasse

vvw
January 29th, 2009, 19:30
Are you positive of this? This doesn't seem to happen on my XP SP3 system.

I compiled this snippet, ran it via the debugger until I hit my inline int 3, looked at active threads (there is only 1), put a breakpoint on NtCreateThread and resumed execution. The breakpoint never gets hit, so no new threads get created during wininet initialization

Code:

#include <windows.h>
int main(void)
{
__asm int 3
LoadLibrary("wininet";
__asm int 3
return 0;
}



Output from my debugger

Code:

0:000> g
(b18.b94): Break instruction exception - code 80000003 (first chance)
eax=00330ed8 ebx=7ffde000 ecx=00330768 edx=00330000 esi=00a7f79e edi=00a7f6f2
eip=00401010 esp=0012ff84 ebp=0012ffc0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for test.exe
test!main:
00401010 cc int 3

0:000> u @eip
test!main [c:\test\test.cpp @ 5]:
00401010 cc int 3
00401011 6830994000 push offset test!`string' (00409930)
00401016 ff150cd14000 call dword ptr [test!_imp__LoadLibraryA (0040d10c)]
0040101c cc int 3
0040101d 33c0 xor eax,eax
0040101f c3 ret
00401020 cc int 3
00401021 cc int 3

0:000> ~*
. 0 Id: b18.b94 Suspend: 1 Teb: 7ffdd000 Unfrozen
Start: test!mainCRTStartup (0040102a)
Priority: 0 Priority class: 32 Affinity: 1

0:000> bp ntdll!NtCreateThread

0:000> bl
0 e 7c90d190 0001 (0001) 0:**** ntdll!NtCreateThread

0:000> g
ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\wininet.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
(b18.b94): Break instruction exception - code 80000003 (first chance)
eax=771b0000 ebx=7ffde000 ecx=7c801bfa edx=00140608 esi=00a7f79e edi=00a7f6f2
eip=0040101c esp=0012ff84 ebp=0012ffc0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
test!main+0xc:
0040101c cc int 3

0:000> u @eip
test!main+0xc [c:\test\test.cpp @ 8]:
0040101c cc int 3
0040101d 33c0 xor eax,eax
0040101f c3 ret
00401020 cc int 3
00401021 cc int 3
00401022 cc int 3
00401023 cc int 3
test!LoadLibraryA:
00401024 ff250cd14000 jmp dword ptr [test!_imp__LoadLibraryA (0040d10c)]

0:000> ~*
. 0 Id: b18.b94 Suspend: 1 Teb: 7ffdd000 Unfrozen
Start: test!mainCRTStartup (0040102a)
Priority: 0 Priority class: 32 Affinity: 1

0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97b120 esi=7c90de50 edi=00000000
eip=7c90e4f4 esp=0012fe5c ebp=0012ff58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e4f4 c3 ret


lborup
January 30th, 2009, 04:43
Just tested with your program snippet. Also on XP sp3. CreateThread does indeed get called on my system, and with a start address in advapi32.dll, that is not included in advapi32's exports... (smiley looking slightly baffled...)

blabberer
January 30th, 2009, 14:12
afaik wininet dllentry doesnt create any thread

try running .chkimg from windbg to see if there are any discrepencies in a symbolserver downloaded winninet for your os and your system32 wininet

maybe some hooks by av? , v ? exists

evaluator
January 30th, 2009, 16:41
ole32 does create thread(s)

lborup
January 31st, 2009, 05:14
Hmmm, i've located the function that starts the thread, its RegisterTraceGuidsA in advapi32.dll. So i guess some process has hooked wininet to perform some kind of eventlogging?

lborup
January 31st, 2009, 07:42
Apparently wininet.dll registers two event providers for windows event tracing, but the GUIDs they are registered with, does not appear in the list generated by the command:

logman query providers

Why that is, i don't know...

And why they are not registered when some of you load wininet.dll on Xp Sp3, i don't know either. Perhaps IE 8 installation changes wininet.dll?

I don't think i will get any further on the subject, since my limited reversing abilities have already been stretched beyond their limits on this matter

lborup
January 31st, 2009, 09:03
Btw, using "!chkimg wininet" i get the error "Error for wininet: Could not find image file for the module. Make sure binaries are included in the symbol path."
I am using the microsoft symbol server.

I can remove this error by setting the image file path to the windows\system32 dir, but doens't this just check the loaded module against the version on my own harddrive?

blabberer
January 31st, 2009, 12:07
you should set _nt_symbol_path
you should have active inet connection to ms symbol server or if you donot have active inet you would need to have a complete symbol cache along with the binaries

if the binary could not be found symbol path then !chkimg will err

btw if you have sfc active and if your dll cache folder holds a wininet.dll and there are no event viewer entries that state blah blah
then it is about 80% safe to use system32 dll

you can turn verbose on in !chlimg to look for some clues on what and where it is looking for
you can turn on !sym noisy to turn on symbol searching debug spew

Code:

0:006> !chkimg -d -v wininet.dll
Searching for module with expression: wininet.dll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: F:\SYMBOLS\WININET.dll\411096D4a6000\WININET.dll
No range specified

Scanning section: .text
Size: 553868
Range to scan: 771b1000-7723838c
Total bytes compared: 553868(100%)
Number of errors: 0
0 errors : wininet.dll

lborup
January 31st, 2009, 14:55
The weird thing is, that i can fetch some dll's from microsoft symbol server, but not wininet...

Example:
Code:
0:000> !chkimg -d -v advapi32.dll
Searching for module with expression: advapi32.dll
SYMSRV: ADVAPI32.dll from http://msdl.microsoft.com/download/symbols: 332175 bytes - copied
DBGHELP: c:\websymbols\ADVAPI32.dll\4802A0B29b000\ADVAPI32.dll - OK
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\websymbols\ADVAPI32.dll\4802A0B29b000\ADVAPI32.dll
No range specified

Scanning section: .text
Size: 476473
Range to scan: 77dd1000-77e45539
Total bytes compared: 476473(100%)
Number of errors: 0
0 errors : advapi32.dll
0:000> !chkimg -d -v wininet.dll
Searching for module with expression: wininet.dll
SYMSRV: c:\websymbols\wininet.dll\48F7A64Fd0000\wininet.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/wininet.dll/48F7A64Fd0000/wininet.dll not found
Error for wininet.dll: Could not find image file for the module. Make sure binaries are included in the symbol path.


And furthermore, i have reproduced the wininet -> RegisterTraceGuids -> CreateThread behaviour on a clean and updated Xp Sp3...
And it does somehow make some sense to me that loading wininet could result in some event providers being registered...

Am i really the only one who experience this, and in that case: What is wrong with me (or just my windows installation)?

lborup
January 31st, 2009, 16:04
When i perform a
Code:
!for_each_module !chkimg -lo 50 -d !${@#ModuleName} -v


all dll's are fetched, except iertutil.dll and wininet.dll

If i look at the flow in Wireshark, it looks alright, the other dlls are fetched from microsoft, for these two dll's a "http not found" is issued...

vvw
February 1st, 2009, 13:07
Perhaps your wininet.dll has been replaced or modified? I am using a local symbol store installed from

http://msdl.microsoft.com/download/symbols/packages/windowsxp/WindowsXP-KB936929-SP3-x86-symbols-full-ENU.exe

Code:

C:\WINDOWS\system32>dir wininet.dll
Volume in drive C has no label.
Volume Serial Number is CC93-5957

Directory of C:\WINDOWS\system32

04/14/2008 04:42 AM 666,112 wininet.dll
1 File(s) 666,112 bytes

-[~] md5sum wininet.dll
7a4f775abb2f1c97def3e73afa2faedd wininet.dll

C:\Program Files\Debugging Tools for Windows (x86)>symchk.exe /s c:\windows\symbols /v c:\WINDOWS\system32\wininet.dll
[SYMCHK] Searching for symbols to c:\WINDOWS\system32\wininet.dll in path c:\windows\symbols
DBGHELP: Symbol Search Path: c:\windows\symbols
[SYMCHK] Using search path "c:\windows\symbols"
DBGHELP: No header for c:\WINDOWS\system32\wininet.dll. Searching for image on disk
DBGHELP: c:\WINDOWS\system32\wininet.dll - OK
DBGHELP: c:\windows\symbols\wininet.pdb - file not found
DBGHELP: wininet - public symbols
c:\windows\symbols\dll\wininet.pdb
[SYMCHK] MODULE64 Info ----------------------
[SYMCHK] Struct size: 1672 bytes
[SYMCHK] Base: 0x771B0000
[SYMCHK] Image size: 696320 bytes
[SYMCHK] Date: 0x4802a13a
[SYMCHK] Checksum: 0x000aacd0
[SYMCHK] NumSyms: 0
[SYMCHK] SymType: SymPDB
[SYMCHK] ModName: wininet
[SYMCHK] ImageName: c:\WINDOWS\system32\wininet.dll
[SYMCHK] LoadedImage: c:\WINDOWS\system32\wininet.dll
[SYMCHK] PDB: "c:\windows\symbols\dll\wininet.pdb"
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data: wininet.pdb
[SYMCHK] PDB Sig: 0
[SYMCHK] PDB7 Sig: {24FEA59C-400D-4FB6-AE72-E7AC55C93943}
[SYMCHK] Age: 2
[SYMCHK] PDB Matched: TRUE
[SYMCHK] DBG Matched: TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms: FALSE
[SYMCHK] Type Info: FALSE
[SYMCHK] ------------------------------------
SymbolCheckVersion 0x00000002
Result 0x00030001
DbgFilename
DbgTimeDateStamp 0x4802a13a
DbgSizeOfImage 0x000aa000
DbgChecksum 0x000aacd0
PdbFilename c:\windows\symbols\dll\wininet.pdb
PdbSignature {24FEA59C-400D-4FB6-AE72-E7AC55C93943}
PdbDbiAge 0x00000002
[SYMCHK] [ 0x00000000 - 0x00030001 ] Checked "c:\WINDOWS\system32\wininet.dll"

SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1

0:000> .sympath
Symbol search path is: C:\windows\symbols;c:\windows\system32
0:000> !chkimg -d -v wininet.dll
Searching for module with expression: wininet.dll
Will apply relocation fixups to file used for comparison
Will ignore NOP/LOCK errors
Will ignore patched instructions
Image specific ignores will be applied
Comparison image path: c:\windows\system32\wininet.dll
No range specified

Scanning section: .text
Size: 562332
Range to scan: 771b1000-7723a49c
Total bytes compared: 562332(100%)
Number of errors: 0
0 errors : wininet.dll

lborup
February 1st, 2009, 15:01
vvw:
As can be seen from the following output, my wininet.dll obviously differs from yours, in both size and hashvalue. But looking a their date, i think mine might be a later build..? (If have the same size and date on two different systems).

Code:
C:\WINDOWS\system32>dir wininet.dll
Volume in drive C has no label.
Volume Serial Number is 98F3-70C7

Directory of C:\WINDOWS\system32

16-10-2008 21:38 826.368 wininet.dll
1 File(s) 826.368 bytes
0 Dir(s) 2.260.246.528 bytes free

C:\WINDOWS\system32>md5sum.exe wininet.dll
6741eaf7b7f110e803a6e38f6e5fa6b0 *wininet.dll


Had not tried using symchk.exe till now, got the following output:

Code:
C:\Program Files\Debugging Tools for Windows>symchk.exe /s srv*c:\symbols*http:/
/msdl.microsoft.com/download/symbols /v c:\WINDOWS\system32\wininet.dll
[SYMCHK] Searching for symbols to c:\WINDOWS\system32\wininet.dll in path srv*c:
\symbols*http://msdl.microsoft.com/download/symbols
DBGHELP: Symbol Search Path: srv*c:\symbols*http://msdl.microsoft.com/download/s
ymbols
[SYMCHK] Using search path "srv*c:\symbols*http://msdl.microsoft.com/download/sy
mbols"
DBGHELP: No header for c:\WINDOWS\system32\wininet.dll. Searching for image on
disk
DBGHELP: c:\WINDOWS\system32\wininet.dll - OK
SYMSRV: wininet.pdb from http://msdl.microsoft.com/download/symbols: 499026 byt
es - copied
DBGHELP: wininet - public symbols
c:\symbols\wininet.pdb\3BE968617D4449418A350102592CC0722\wininet.pdb
[SYMCHK] MODULE64 Info ----------------------
[SYMCHK] Struct size: 1672 bytes
[SYMCHK] Base: 0x78050000
[SYMCHK] Image size: 851968 bytes
[SYMCHK] Date: 0x48f7a64f
[SYMCHK] Checksum: 0x000d6979
[SYMCHK] NumSyms: 0
[SYMCHK] SymType: SymPDB
[SYMCHK] ModName: wininet
[SYMCHK] ImageName: c:\WINDOWS\system32\wininet.dll
[SYMCHK] LoadedImage: c:\WINDOWS\system32\wininet.dll
[SYMCHK] PDB: "c:\symbols\wininet.pdb\3BE968617D4449418A350102592CC0722\wininet.
pdb"
[SYMCHK] CV: RSDS
[SYMCHK] CV DWORD: 0x53445352
[SYMCHK] CV Data: wininet.pdb
[SYMCHK] PDB Sig: 0
[SYMCHK] PDB7 Sig: {3BE96861-7D44-4941-8A35-0102592CC072}
[SYMCHK] Age: 2
[SYMCHK] PDB Matched: TRUE
[SYMCHK] DBG Matched: TRUE
[SYMCHK] Line nubmers: FALSE
[SYMCHK] Global syms: FALSE
[SYMCHK] Type Info: FALSE
[SYMCHK] ------------------------------------
SymbolCheckVersion 0x00000002
Result 0x00030001
DbgFilename
DbgTimeDateStamp 0x48f7a64f
DbgSizeOfImage 0x000d0000
DbgChecksum 0x000d6979
PdbFilename c:\symbols\wininet.pdb\3BE968617D4449418A350102592CC0722\win
inet.pdb
PdbSignature {3BE96861-7D44-4941-8A35-0102592CC072}
PdbDbiAge 0x00000002
[SYMCHK] [ 0x00000000 - 0x00030001 ] Checked "c:\WINDOWS\system32\wininet.dll"

SYMCHK: FAILED files = 0
SYMCHK: PASSED + IGNORED files = 1


About your use of !chkimg: When you use a local symbol store + your system32 folder, doesn't chkimg check wininet.dll against your own local version? Thereby checking a file against itself.
Would i not rather be interested in checking it against a copy from microsofts symbol server? This can be done for most dlls, as i can see the dll-file itself is downloaded to the local symbol-store, except for with wininet and iertutils, for which there is no file available on the symbol server...

blabberer
February 1st, 2009, 16:35
vvw wininet seems to be for xp-sp3 and ie 6 combo

Internet Explorer 6 on all supported 32-bit versions of Windows XP

Wininet.dll 6.0.2900.5583 666,112 21-Apr-2008 06:44 x86 SP3 SP3GDR


and yours seems to be sp2 of windows server 2003 and ie 7

Internet Explorer 7 on all supported 32-bit versions of Windows Server 2003

Wininet.dll 7.0.6000.16674 826,368 25-Apr-2008 17:12 x86 SP2 SP2GDR

and this wininets seems to be part of security update ms08-031

you can check the various wininets of this security update in this mskb

http://support.microsoft.com/kb/950759

blabberer
February 1st, 2009, 19:43
yep a thread is created in this version of wininet

Code:

0:000> !dlls -v -c wininet.dll
Dump dll containing 0x41fd0000:

0x00242230: c:\wininet.dll
Base 0x41fd0000 EntryPoint 0x41fd1784 Size 0x000d0000
Flags 0x80084004 LoadCount 0x00000001 TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
Company Name Microsoft Corporation
Product Name Windows® Internet Explorer
Product Version 7.00.6000.16674
Original Filename wininet.dll
File Description Internet Extensions for Win32
File Version 7.00.6000.16674 (vista_gdr.080415-1732)


Log data
Address Message
OllyDbg v1.10

File 'C:\wininet.dll'
New process with ID 00000F50 created
00410070 Main thread with ID 00000EAC created
00400000 Module H:\Borland\odbg110\LOADDLL.EXE
77D40000 Module C:\WINDOWS\system32\USER32.DLL
77F10000 Module C:\WINDOWS\system32\GDI32.dll
7C800000 Module C:\WINDOWS\system32\kernel32.dll
7C900000 Module C:\WINDOWS\system32\ntdll.dll
41FD0000 Module C:\wininet.dll
77C10000 Module C:\WINDOWS\system32\msvcrt.dll
77F60000 Module C:\WINDOWS\system32\SHLWAPI.dll
77DD0000 Module C:\WINDOWS\system32\ADVAPI32.dll
77E70000 Module C:\WINDOWS\system32\RPCRT4.dll
71660000 Module C:\Normaliz.dll
Analysing wininet
5448 fuzzy procedures
3425 calls to known, 3485 calls to guessed functions
821 loops, 185 switches or cascaded if's
41FD1784 Entry point of debugged DLL
7C810856 New thread with ID 00000698 created <------------------
5DCA0000 Module C:\iertutil.dll
41FD1784 Entry point of debugged DLL

traceguids is called its part of etw tracing profiling and instrumentation code (wmi event tracing)

Code:

Call stack of main thread
Address Stack Procedure / arguments Called from Frame
0006F7F8 41FFDA23 ADVAPI32.RegisterTraceGuidsA wininet.41FFDA1D 0006F82C
0006F7FC 420376DF Arg1 = 420376DF
0006F800 4206DE10 Arg2 = 4206DE10
0006F804 41FFDC84 Arg3 = 41FFDC84
0006F808 00000001 Arg4 = 00000001
0006F80C 0006F824 Arg5 = 0006F824
0006F810 00000000 Arg6 = 00000000
0006F814 00000000 Arg7 = 00000000
0006F818 4206DE18 Arg8 = 4206DE18
0006F830 41FFDBFF wininet.41FFD9E4 wininet.41FFDBFA 0006F82C
0006F834 41FFDCA4 Arg1 = 41FFDCA4
0006F848 41FD1683 wininet.41FD17AE wininet.41FD167E 0006F844
0006F84C 41FD0000 Arg1 = 41FD0000
0006F850 00000001 Arg2 = 00000001
0006F854 00000000 Arg3 = 00000000



this createfiles a device

Code:

0006F5A0 77DF9FD4 |FileName = "\\.\WMIDataDevice"
0006F5A4 C0000000 |Access = GENERIC_READ|GENERIC_WRITE
0006F5A8 00000000 |ShareMode = 0
0006F5AC 00000000 |pSecurity = NULL
0006F5B0 00000003 |Mode = OPEN_EXISTING
0006F5B4 40000080 |Attributes = NORMAL|OVERLAPPED
0006F5B8 00000000 \hTemplateFile = NULL



and a deviceiocontrol is sent

Code:

0006F598 0000003C |hDevice = 0000003C (window)
0006F59C 0022414C |IoControlCode = 22414C
0006F5A0 00872E60 |InBuffer = 00872E60
0006F5A4 00000068 |InBufferSize = 68 (104.)
0006F5A8 00872E60 |OutBuffer = 00872E60
0006F5AC 00000050 |OutBufferSize = 50 (80.)
0006F5B0 0006F62C |pBytesReturned = 0006F62C
0006F5B4 0006F5C4 \pOverlapped = 0006F5C4



and after several createevents a thread is created in dllentry of this wininet

Code:

0006F67C 00000000 |pSecurity = NULL
0006F680 00000000 |StackSize = 0
0006F684 77DF9981 |ThreadFunction = ADVAPI32.77DF9981
0006F688 00000000 |pThreadParm = NULL
0006F68C 00000000 |CreationFlags = 0
0006F690 0006F6A0 \pThreadId = 0006F6A0



this function is probably an overlapped callback

i fetched this dll from some chinese dll repository
www.zhaodll.com

ms doesnt have this binary in symbol cache

Code:

0:000> lm m wini*;!chkimg -d -v wininet.dll
start end module name
41fd0000 420a0000 wininet (pdb symbols) C:\Program Files\Debugging Tools for Windows (x86)\sym\wininet.pdb\D2F390EB58274066B10ACDE1CAE39DB62\wininet.pdb
Searching for module with expression: wininet.dll
SYMSRV: C:\Program Files\Debugging Tools for Windows (x86)\sym\wininet.dll\480EB823d0000\wininet.dll not found
SYMSRV: http://msdl.microsoft.com/download/symbols/wininet.dll/480EB823d0000/wininet.dll not found
Error for wininet.dll: Could not find image file for the module. Make sure binaries are included in the symbol path.

lborup
February 2nd, 2009, 03:29
Nice, mystery solved.

Thanks for taking the time.

Best regards,
Lasse