Слайд 2


Thread Local Storage callbacks were discovered in 2000.
However, widespread use didn’t occur

Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t
until 2004.
Now, it should be the first place to look for code,
since it runs before the main entrypoint.
And that can make all the difference…

Peter Ferrie, Microsoft Corporation

Слайд 3

Peter Ferrie, Microsoft Corporation

Entry Point

Peter Ferrie, Microsoft Corporation Entry Point

Слайд 4

Peter Ferrie, Microsoft Corporation

C3 RET

Peter Ferrie, Microsoft Corporation C3 RET

Слайд 5


So the main file does nothing.
If we assume that the structure is

So the main file does nothing. If we assume that the structure
normal,
then we could check the thread local storage table.
Just in case.

Peter Ferrie, Microsoft Corporation

Слайд 6

Peter Ferrie, Microsoft Corporation

TLS is present

(size doesn’t matter)

Peter Ferrie, Microsoft Corporation TLS is present (size doesn’t matter)

Слайд 7

Peter Ferrie, Microsoft Corporation

Callback pointer

Callback array

Peter Ferrie, Microsoft Corporation Callback pointer Callback array

Слайд 8


So the search moves to the callbacks,
of which there is only one,

So the search moves to the callbacks, of which there is only
but it looks peculiar.
It’s not a virtual address.

Peter Ferrie, Microsoft Corporation

Слайд 9

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 10

Imported TLS callbac
We know that the TLS callback array can be altered

Imported TLS callbac We know that the TLS callback array can be
at runtime.
We know that the TLS callbacks can point outside of the image.
Now we are looking at a new way to achieve that.
Imports are resolved before TLS callbacks are called.
So TLS callbacks can be imported addresses!
Let’s check the import table.

Peter Ferrie, Microsoft Corporation

Слайд 11

Peter Ferrie, Microsoft Corporation

TLS3.DLL

Peter Ferrie, Microsoft Corporation TLS3.DLL

Слайд 12

Peter Ferrie, Microsoft Corporation

a

Peter Ferrie, Microsoft Corporation a

Слайд 13


So the search moves to TLS3.DLL,
and the mysterious function called ‘a’.

Peter Ferrie,

So the search moves to TLS3.DLL, and the mysterious function called ‘a’. Peter Ferrie, Microsoft Corporation
Microsoft Corporation

Слайд 14

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 15


So that’s how it’s done.
If we let it run…

Peter Ferrie, Microsoft Corporation

So that’s how it’s done. If we let it run… Peter Ferrie, Microsoft Corporation

Слайд 16

Peter Ferrie, Microsoft Corporation

Peter Ferrie, Microsoft Corporation

Слайд 17


The code runs.

Peter Ferrie, Microsoft Corporation

The code runs. Peter Ferrie, Microsoft Corporation
Имя файла: tls3.pptx
Количество просмотров: 23
Количество скачиваний: 0