How can I handle waitforsingleobject() error while debugging?
Gweld
December 3rd, 2010, 06:38
Dear All,
While debugging a malware sample using Olly, after calling WaitForSingleObject(nonsignaled handle, INFINITE/-1) it generates an exception and terminates. I tried changing the exception handling options, but it fails. The main functionality of the malware is after this call. How can I continue?
Thank You
JoePub
December 5th, 2010, 04:15
What exception does it generate? I find it strange that WaitForSingleObject would generate an exception. Usually it will return an error if the handle is invalid and so on.
Indy
December 5th, 2010, 09:08
An exception may occur in the service for only one reason: if the logger is running (ProcessHandleTracing) and an invalid handle is passed. This will generate #STATUS_INVALID_HANDLE. The logger can be used to detect prot's.
JoePub
December 5th, 2010, 10:48
Quote (Originally Posted by Indy):
An exception may occur in the service for only one reason: if the logger is running (ProcessHandleTracing) and an invalid handle is passed. This will generate #STATUS_INVALID_HANDLE. The logger can be used to detect prot's.

What exception code does it generate, or does it map to the equivalent Windows error code?
Gweld, if it's the Windows exception code, you could add that as a custom code within Olly's debug options to tell it to pass it on to the program.
Indy
December 5th, 2010, 15:57
Quote:
This will generate #STATUS_INVALID_HANDLE.

If the WinAPI code is needed, then do RtlNtStatusToDosError(#STATUS_INVALID_HANDLE).
Gweld
December 6th, 2010, 02:38
Quote (Originally Posted by JoePub):
What exception code does it generate, or does it map to the equivalent Windows error code?
Gweld, if it's the Windows exception code, you could add that as a custom code within Olly's debug options to tell it to pass it on to the program.

JoePub and Indy, thank you for your replies. Here are the details.
The malware is multithreaded, and the WaitForSingleObject function is called with a handle generated by CreateEventA(0,0,0,0) and an infinite timeout [WaitForSingleObject(0x000000A4 (window), FFFFFFFF)]. When the code is executed, Olly shows it is running different threads. After some time Olly shows "Access violation when reading [F00D5C72]". When the exception is passed to the program, it terminates after executing 'call ntdll.ZwRaiseException'. But the malware did the infection within this interval, and I can't look at how it infects.
Indy
December 6th, 2010, 12:08
Gweld
In the above case, you get the following result:
http://img697.imageshack.us/img697/2383/xcpt.png
Code:
.code
; PROCESSINFOCLASS value for handle tracing (undocumented)
ProcessHandleTracing equ 32
PROCESS_HANDLE_TRACING_ENABLE struct
Flags ULONG ?
PROCESS_HANDLE_TRACING_ENABLE ends
; break into the debugger if the previous NT call failed (Eax != 0)
%NTERR macro
.if Eax
Int 3
.endif
endm
Ep proc
Local Tracing:PROCESS_HANDLE_TRACING_ENABLE
; Flags must be zero; enable handle tracing for the current process
mov Tracing.Flags,0
invoke ZwSetInformationProcess, NtCurrentProcess, ProcessHandleTracing, addr Tracing, sizeof(PROCESS_HANDLE_TRACING_ENABLE)
%NTERR
; with tracing on, waiting on a bogus handle raises STATUS_INVALID_HANDLE instead of returning WAIT_FAILED
invoke WaitForSingleObject, 12345H, INFINITE
ret
Ep endp
end Ep
If you experience an #AV, then in this case more complete information is needed (context, exception record, backtrace, etc.).
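The experiment Indy describes above, reworked in C as an added example (it is not code from the thread or from any of the posters). The NTSTATUS bit layout and the 0xC0000008/0xC0000005 values are from the public SDK headers; the claim that WaitForSingleObject raises STATUS_INVALID_HANDLE once ProcessHandleTracing (class 32) is enabled is taken from Indy's post and is treated here as an assumption. The decoder builds anywhere; the tracing demo needs MSVC for SEH.

```c
/* Added example, not from the thread: decode the NTSTATUS that a debugger shows
 * as an "exception code", and on Windows (MSVC) repeat Indy's handle-tracing test:
 * enable ProcessHandleTracing, wait on a bogus handle, catch what is raised. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_INVALID_HANDLE_CODE   0xC0000008u  /* ntstatus.h */
#define STATUS_ACCESS_VIOLATION_CODE 0xC0000005u  /* ntstatus.h */

/* NTSTATUS layout (ntdef.h): Sev[31:30] C[29] N[28] Facility[27:16] Code[15:0] */
typedef struct {
    unsigned severity;  /* 0 success, 1 informational, 2 warning, 3 error */
    unsigned customer;  /* 1 = application-defined, 0 = Microsoft-defined */
    unsigned facility;
    unsigned code;
} ntstatus_fields;

ntstatus_fields decode_ntstatus(uint32_t s) {
    ntstatus_fields f;
    f.severity = (s >> 30) & 0x3u;
    f.customer = (s >> 29) & 0x1u;
    f.facility = (s >> 16) & 0xFFFu;
    f.code     = s & 0xFFFFu;
    return f;
}

/* NT_ERROR(): severity 3. Unhandled, such a second-chance exception ends the process. */
int ntstatus_is_error(uint32_t s) { return decode_ntstatus(s).severity == 3; }

/* Distinguishes the two ways a bad handle can be rejected: by return value
 * (WAIT_FAILED = 0xFFFFFFFF) or, with handle tracing on, by exception. */
const char *describe_wait_result(uint32_t ret, uint32_t exception_code) {
    if (exception_code == STATUS_INVALID_HANDLE_CODE) return "raised STATUS_INVALID_HANDLE";
    if (exception_code != 0) return "raised other exception";
    if (ret == 0xFFFFFFFFu) return "returned WAIT_FAILED";
    return "returned normally";
}

#if defined(_WIN32) && defined(_MSC_VER)
#include <windows.h>
#define ProcessHandleTracing 32                         /* value from Indy's post (assumption) */
typedef struct { ULONG Flags; } HANDLE_TRACING_ENABLE;   /* PROCESS_HANDLE_TRACING_ENABLE */
typedef LONG  (NTAPI *NtSetInformationProcess_t)(HANDLE, ULONG, PVOID, ULONG);
typedef ULONG (NTAPI *RtlNtStatusToDosError_t)(LONG);

/* Returns the NTSTATUS from NtSetInformationProcess (0 on success), -1 if not found. */
LONG enable_handle_tracing(void) {
    HANDLE_TRACING_ENABLE t = { 0 };                    /* Flags must be zero */
    NtSetInformationProcess_t fn = (NtSetInformationProcess_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtSetInformationProcess");
    if (!fn) return -1;
    return fn(GetCurrentProcess(), ProcessHandleTracing, &t, sizeof t);
}

/* Waits on a handle that was never opened; *exception_code receives the SEH code
 * if the call raised instead of returning. */
DWORD wait_on_bad_handle(DWORD *exception_code) {
    DWORD ret = WAIT_FAILED;
    *exception_code = 0;
    __try {
        ret = WaitForSingleObject((HANDLE)(ULONG_PTR)0x12345, INFINITE);
    } __except (*exception_code = GetExceptionCode(), EXCEPTION_EXECUTE_HANDLER) {
    }
    return ret;
}

int main(void) {
    DWORD xc, ret;
    RtlNtStatusToDosError_t to_dos = (RtlNtStatusToDosError_t)
        GetProcAddress(GetModuleHandleA("ntdll.dll"), "RtlNtStatusToDosError");

    ret = wait_on_bad_handle(&xc);
    printf("before tracing: %s, GetLastError=%lu\n", describe_wait_result(ret, xc), GetLastError());
    printf("NtSetInformationProcess(ProcessHandleTracing) -> 0x%08lX\n", enable_handle_tracing());
    ret = wait_on_bad_handle(&xc);
    printf("after tracing:  %s (0x%08lX)\n", describe_wait_result(ret, xc), xc);
    if (xc && to_dos)   /* Indy's RtlNtStatusToDosError step: NTSTATUS -> Win32 error code */
        printf("Win32 equivalent: %lu\n", to_dos((LONG)xc));
    return 0;
}
#else
int main(void) {
    ntstatus_fields f = decode_ntstatus(STATUS_INVALID_HANDLE_CODE);
    printf("0x%08X: severity=%u facility=%u code=0x%X error=%d\n",
           STATUS_INVALID_HANDLE_CODE, f.severity, f.facility, f.code,
           ntstatus_is_error(STATUS_INVALID_HANDLE_CODE));
    return 0;
}
#endif
```

Build with `cl /W4 tracing.c` on Windows and run it outside a debugger first: the first wait returns WAIT_FAILED, the second (after tracing is enabled) goes through the exception path. Run the same binary under Olly and the raised code is what you would add as a custom exception code in the debugging options, per JoePub's suggestion, so the debugger passes it to the program instead of stopping.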
evaluator
December 7th, 2010, 05:18
Well, since the subject is malware, you can upload it here in a passworded archive.
deroko
December 22nd, 2010, 16:40
Just a side note: why don't you simply set a breakpoint after WaitForSingleObject and trace another thread? Then you can actually see what's going on there instead of waiting in this thread.