tls1 (2)

Март 2, 2021

Содержание

2. Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t occur until 2004. Now,
3. Peter Ferrie, Microsoft Corporation Entry Point
4. Peter Ferrie, Microsoft Corporation C3 RET
5. So the main file does nothing. If we assume that the structure is normal, then we
6. Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)
7. Peter Ferrie, Microsoft Corporation Callback pointer Callback array
8. So the search moves to the callbacks, of which there is only one... or is there?
9. Peter Ferrie, Microsoft Corporation
10. Am I Missing Somethi CODE:00401013 mov ds:TlsCallbacksEnd, offset loc_401000 CODE:0040101D retn Who ever heard of a
11. It’s about what you write, and where you write it. By writing to TlsCallbacksEnd, the array
12. Peter Ferrie, Microsoft Corporation
13. The second entry is executed after the first one returns. The array can be extended infinitely.
15. Скачать презентацию

Слайд 2

Thread Local Storage callbacks were discovered in 2000.
However, widespread use didn’t occur

Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t

until 2004.
Now, it should be the first place to look for code,
since it runs before the main entrypoint.
And that can make all the difference…

Peter Ferrie, Microsoft Corporation

Слайд 3

Peter Ferrie, Microsoft Corporation
Entry Point

Peter Ferrie, Microsoft Corporation Entry Point

Слайд 4

Peter Ferrie, Microsoft Corporation
C3 RET

Peter Ferrie, Microsoft Corporation C3 RET

Слайд 5

So the main file does nothing.
If we assume that the structure is

So the main file does nothing. If we assume that the structure

normal,
then we could check the thread local storage table.
Just in case.

Peter Ferrie, Microsoft Corporation

Слайд 6

Peter Ferrie, Microsoft Corporation
TLS is present
(size doesn’t matter)

Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)

Слайд 7

Peter Ferrie, Microsoft Corporation
Callback pointer
Callback array

Peter Ferrie, Microsoft Corporation Callback pointer Callback array

Слайд 8

So the search moves to the callbacks,
of which there is only one...

So the search moves to the callbacks, of which there is only

or is there?

Peter Ferrie, Microsoft Corporation

Слайд 9

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 10

Am I Missing Somethi
CODE:00401013 mov ds:TlsCallbacksEnd, offset loc_401000
CODE:0040101D retn
Who ever heard of

Am I Missing Somethi CODE:00401013 mov ds:TlsCallbacksEnd, offset loc_401000 CODE:0040101D retn Who

a one-line callback?

Peter Ferrie, Microsoft Corporation

Слайд 11

It’s about what you write, and where you write it.
By writing to

It’s about what you write, and where you write it. By writing

TlsCallbacksEnd, the array is extended in memory.
Now the array contains two entries, not one.

Peter Ferrie, Microsoft Corporation

Слайд 12

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 13

The second entry is executed after the first one returns.
The array can

The second entry is executed after the first one returns. The array

be extended infinitely.
Existing entries can be altered at runtime, too.
For example, one entry can decrypt the others.

Peter Ferrie, Microsoft Corporation