Thread: Sleeping thread - How does it activate?

Hi All,
So I have been trying to reverse a piece of malware that is here - [I am guessing it's the same because the site didn't allow me to upload my file, saying it had a copy]. It is called SkypeLauncher.exe.

So everything is fine so far and I can reverse it okay. I however have a few doubts with respect to how threads work in this sample and generally.

a) What happens is - 1 thread is created in Suspended state and ResumeThread is immediately called; it returns 1. The callback function is NOT triggered immediately (although documentation says if 1 is returned it should start immediately).

b) The original code continues and eventually a sleep(1000) is called. At this point that old suspended thread suddenly gets called. I'd put a BP there previously, so I know. Question is...what decides the instant the suspended thread is called? Does the OS see..."Oh, main thread's working..let me call a suspended thread to use resources well"? Is this the logic?

c) The third problem IMO is a very interesting one. While it has not stopped me from reversing, I really do not know why it works. The second thread continues running normally; remember the first thread is still in sleep(1000). Eventually the 2nd thread comes to a recursive loop that seems to run for a very long time; I used Animate Over in Olly and it keeps going between the same instructions many, many, many times (I did not count how many though). The disassembly for this loop is in 1.png [attached]. It never exits; I'm sure I tried for at least 10-15 seconds. Didn't see the point in waiting longer. Now comes the interesting part (to me at least). Instead of Trace or Animate Over I ran the program [F9]. Immediately it seemed to break out of the loop and "resume" the previous sleep(1000) thread. This is shown in 2.png [attached]. I am sure it did not break out of that loop because I also ran a Hit Trace (Olly 2.01) and the instructions after that loop never got triggered even once. What is the difference w.r.t. thread resumption between Trace/Animate and Run?

Am I making sense? I have also attached the malware if you want to take a look at it yourselves. All opinions of course are always welcome as usual.
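The scheduling behaviour behind questions a) and b), illustrated with an added C example that is not part of the original post or the sample being discussed. ResumeThread's return value is the thread's previous suspend count, so a return of 1 only says the thread went from suspended to runnable; when it actually executes is up to the scheduler, and a main thread that blocks in Sleep hands over its CPU time, which is why the worker tends to appear at exactly that point. The example is written with POSIX threads (assumed to be available on the build host) and emulates the "create suspended, then resume" pattern with a condition-variable gate; `gate_t`, `worker`, `resume` and `run_scenario` are names invented here. It does not model what a debugger does to other threads while single-stepping, so it has nothing to say about question c).

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* Emulates a thread created in the suspended state: the worker blocks on
 * the condition variable until the suspend count drops to zero. */
typedef struct {
    pthread_mutex_t lock;
    pthread_cond_t  cond;
    int             suspended;  /* suspend count, as ResumeThread reports it */
    atomic_int      ran;        /* set by the worker once it actually gets CPU time */
} gate_t;

static void *worker(void *arg) {
    gate_t *g = arg;
    pthread_mutex_lock(&g->lock);
    while (g->suspended > 0)
        pthread_cond_wait(&g->cond, &g->lock);
    pthread_mutex_unlock(&g->lock);
    atomic_store(&g->ran, 1);   /* the "first instruction of the callback" */
    return NULL;
}

/* Analogue of ResumeThread: decrements the suspend count and returns the
 * previous count. A return of 1 means the thread is now merely runnable. */
static int resume(gate_t *g) {
    pthread_mutex_lock(&g->lock);
    int prev = g->suspended;
    if (g->suspended > 0)
        g->suspended--;
    pthread_cond_broadcast(&g->cond);
    pthread_mutex_unlock(&g->lock);
    return prev;
}

/* Runs the scenario from the post. *prev_count receives what resume()
 * returned; *ran_before_sleep receives whether the worker had already run
 * when the main thread checked immediately after resuming it (this value is
 * scheduler-dependent and is frequently 0 on a loaded or single-core host).
 * Returns 1 once the worker has definitely run, i.e. after join. */
int run_scenario(int *prev_count, int *ran_before_sleep) {
    gate_t g = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_COND_INITIALIZER, 1, 0 };
    pthread_t t;
    if (pthread_create(&t, NULL, worker, &g) != 0)
        return -1;

    *prev_count = resume(&g);                 /* like ResumeThread returning 1 */
    *ran_before_sleep = atomic_load(&g.ran);  /* may still be 0 at this instant */

    struct timespec nap = { 0, 100L * 1000L * 1000L };  /* Sleep(100): main yields */
    nanosleep(&nap, NULL);

    pthread_join(t, NULL);
    return atomic_load(&g.ran);
}

int main(void) {
    int prev = -1, early = -1;
    int done = run_scenario(&prev, &early);
    printf("resume() returned %d, worker ran before Sleep: %d, ran eventually: %d\n",
           prev, early, done);
    return done == 1 ? 0 : 1;
}
```

Run it a few times: `prev` is always 1 and the worker always runs eventually, but `early` varies between runs, which is the whole point: resuming a thread schedules it, it does not transfer control to it.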
