tls2

Февраль 23, 2021

Содержание

2. Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t occur until 2004. Now,
3. Peter Ferrie, Microsoft Corporation Entry Point
4. Peter Ferrie, Microsoft Corporation C3 RET
5. So the main file does nothing. If we assume that the structure is normal, then we
6. Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)
7. Peter Ferrie, Microsoft Corporation Callback pointer Callback array
8. So the search moves to the callbacks, of which there is only one... or is there?
9. Peter Ferrie, Microsoft Corporation
10. Am I Missing Somethi CODE:00401010 push offset LibFileName ; "tls2" CODE:00401005 call j_LoadLibraryA CODE:0040100A mov ds:TlsCallbacksEnd,
11. I Am Missing Somethi No, that’s not it. Peter Ferrie, Microsoft Corporation
12. Let’s revisit the code: CODE:00401010 push offset LibFileName ; "tls2" CODE:00401005 call j_LoadLibraryA CODE:0040100A mov ds:TlsCallbacksEnd,
13. It’s All About Image It’s the TlsCallBacks extended array trick again. Q. What value does the
14. Peter Ferrie, Microsoft Corporation
15. Of course it will. You just have to ask nicely. Or take a cue from a
16. When the SectionAlignment value is less than 4kb, the file header is marked Writable and Executable
17. So we go from this… Peter Ferrie, Microsoft Corporation
18. To this… Peter Ferrie, Microsoft Corporation
19. Peter Ferrie, Microsoft Corporation
21. Скачать презентацию

Слайд 2

Thread Local Storage callbacks were discovered in 2000.
However, widespread use didn’t occur

Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t

until 2004.
Now, it should be the first place to look for code,
since it runs before the main entrypoint.
And that can make all the difference…

Peter Ferrie, Microsoft Corporation

Слайд 3

Peter Ferrie, Microsoft Corporation
Entry Point

Peter Ferrie, Microsoft Corporation Entry Point

Слайд 4

Peter Ferrie, Microsoft Corporation
C3 RET

Peter Ferrie, Microsoft Corporation C3 RET

Слайд 5

So the main file does nothing.
If we assume that the structure is

So the main file does nothing. If we assume that the structure

normal,
then we could check the thread local storage table.
Just in case.

Peter Ferrie, Microsoft Corporation

Слайд 6

Peter Ferrie, Microsoft Corporation
TLS is present
(size doesn’t matter)

Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)

Слайд 7

Peter Ferrie, Microsoft Corporation
Callback pointer
Callback array

Peter Ferrie, Microsoft Corporation Callback pointer Callback array

Слайд 8

So the search moves to the callbacks,
of which there is only one...

So the search moves to the callbacks, of which there is only

or is there?

Peter Ferrie, Microsoft Corporation

Слайд 9

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 10

Am I Missing Somethi
CODE:00401010 push offset LibFileName ; "tls2"
CODE:00401005 call j_LoadLibraryA
CODE:0040100A mov

Am I Missing Somethi CODE:00401010 push offset LibFileName ; "tls2" CODE:00401005 call

ds:TlsCallbacksEnd, eax
Hmm, LoadLibrary("tls2")
Maybe DllMain contains something interesting?

Peter Ferrie, Microsoft Corporation

Слайд 11

I Am Missing Somethi
No, that’s not it.
Peter Ferrie, Microsoft Corporation

I Am Missing Somethi No, that’s not it. Peter Ferrie, Microsoft Corporation

Слайд 12

Let’s revisit the code:
CODE:00401010 push offset LibFileName ; "tls2"
CODE:00401005 call j_LoadLibraryA
CODE:0040100A mov

Let’s revisit the code: CODE:00401010 push offset LibFileName ; "tls2" CODE:00401005 call

ds:TlsCallbacksEnd, eax

Peter Ferrie, Microsoft Corporation

Слайд 13

It’s All About Image
It’s the TlsCallBacks extended array trick again.
Q. What value

It’s All About Image It’s the TlsCallBacks extended array trick again. Q.

does the new callback contain?
A. The DLL’s imagebase.
Q. DEP won’t let that run, right?
A. …

Peter Ferrie, Microsoft Corporation

Слайд 14

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 15

Of course it will.
You just have to ask nicely.
Or take a cue

Of course it will. You just have to ask nicely. Or take

from a driver.

Peter Ferrie, Microsoft Corporation

Слайд 16

When the SectionAlignment value is less than 4kb,
the file header is marked

When the SectionAlignment value is less than 4kb, the file header is

Writable and Executable
(unless the last section characteristics override it).
That turns the ImageBase into code.

Peter Ferrie, Microsoft Corporation

Слайд 17

So we go from this…
Peter Ferrie, Microsoft Corporation

So we go from this… Peter Ferrie, Microsoft Corporation

Слайд 18

To this…
Peter Ferrie, Microsoft Corporation

To this… Peter Ferrie, Microsoft Corporation

Слайд 19

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation