Slide 2


Thread Local Storage callbacks were discovered in 2000.
However, widespread use didn’t occur until 2004.
Now, it should be the first place to look for code,
since it runs before the main entrypoint.
And that can make all the difference…

Peter Ferrie, Microsoft Corporation

Slide 3


Entry Point


Slide 4


C3 RET


Slide 5


So the main file does nothing.
If we assume that the structure is normal,
then we could check the thread local storage table.
Just in case.


Slide 6


TLS is present

(size doesn’t matter)


Slide 7


Callback pointer

Callback array


Slide 8


So the search moves to the callbacks,
of which there is only one...
or is there?


Slide 9


Slide 10

Am I Missing Something?

CODE:00401013 mov ds:TlsCallbacksEnd, offset loc_401000
CODE:0040101D retn

Who ever heard of a one-line callback?


Slide 11


It’s about what you write, and where you write it.
By writing to TlsCallbacksEnd, the array is extended in memory.
Now the array contains two entries, not one.


Slide 12


Slide 13


The second entry is executed after the first one returns.
The array can be extended infinitely.
Existing entries can be altered at runtime, too.
For example, one entry can decrypt the others.
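The in-memory trick described on slides 10 to 13, as an added example that is not part of the deck: a small pure-Python walker of a PE's TLS directory (PE32 and PE32+) that lists the NULL-terminated callback array and reports whether that array sits in a writable section, which is what a callback needs in order to overwrite TlsCallbacksEnd. The image, its section layout and every address in it are constructed for the demonstration; extend_callback_array models the write the one-line callback performs, so the same walk then reports two entries where the static listing showed one.

```python
import struct
def rva_to_off(sections, rva):
    # Map an RVA to a file offset; also return the owning section's Characteristics.
    for va, size, raw, flags in sections:
        if va <= rva < va + size:
            return rva - va + raw, flags
    raise ValueError("RVA %#x is outside every section" % rva)

def tls_callbacks(img):
    """Walk a PE32/PE32+ TLS callback array -> (callback VAs, array writable?, offset of its NULL)."""
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    assert img[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", img, pe + 6)[0], struct.unpack_from("<H", img, pe + 20)[0]
    opt = pe + 24
    plus = struct.unpack_from("<H", img, opt)[0] == 0x20B               # PE32+ uses 8-byte pointers
    ptr = "<Q" if plus else "<I"
    base = struct.unpack_from(ptr, img, opt + (24 if plus else 28))[0]  # ImageBase
    dir_rva = struct.unpack_from("<I", img, opt + (112 if plus else 96) + 9 * 8)[0]  # TLS is directory 9
    sections = []
    for hdr in range(opt + opt_size, opt + opt_size + nsec * 40, 40):
        vsz, va, rawsz, raw = struct.unpack_from("<IIII", img, hdr + 8)
        sections.append((va, max(vsz, rawsz), raw, struct.unpack_from("<I", img, hdr + 36)[0]))
    if not dir_rva: return [], False, None                              # no TLS table at all
    tls_off, _ = rva_to_off(sections, dir_rva)
    cb_va = struct.unpack_from(ptr, img, tls_off + (24 if plus else 12))[0]  # AddressOfCallBacks (a VA)
    off, flags = rva_to_off(sections, cb_va - base)
    cbs = []
    while (entry := struct.unpack_from(ptr, img, off)[0]):              # the loader stops at the first NULL
        cbs.append(entry)
        off += struct.calcsize(ptr)
    return cbs, bool(flags & 0x80000000), off                           # 0x80000000 = IMAGE_SCN_MEM_WRITE

def extend_callback_array(img, new_cb):
    """Model the one-line callback: overwrite the terminating NULL (TlsCallbacksEnd) with a pointer."""
    _, writable, end = tls_callbacks(img)
    assert writable, "callback array is read-only; the callback's write would fault"
    struct.pack_into("<I", img, end, new_cb)                            # PE32 sample: 4-byte entries

def build_sample():
    """Constructed PE32 (not a real binary): writable .data holds the TLS directory and a one-entry array."""
    base = 0x400000
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", base) + b"\0" * 60
    opt += struct.pack("<I", 16) + b"\0" * 72 + struct.pack("<II", 0x1000, 24) + b"\0" * 48  # TLS dir @ RVA 0x1000
    sect = b".data".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x400)
    struct.pack_into("<I", img, 0x3C, 0x40)                             # e_lfanew: PE signature at 0x40
    img[0x40:0x58] = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    img[0x58:0x58 + len(opt) + 40] = opt + sect
    img[0x200:0x218] = struct.pack("<6I", base + 0x1100, base + 0x1100, base + 0x1080, base + 0x1040, 0, 0)
    struct.pack_into("<I", img, 0x240, base + 0x1100)                   # the one entry a static listing shows
    return img
```

A static callback list taken from a file whose array sits in writable memory is therefore only a lower bound, and the listed callbacks deserve a look for writes near the array.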
