Slide 2

Thread Local Storage callbacks were discovered in 2000. However, widespread use didn’t occur until 2004. Now, it should be the first place to look for code, since it runs before the main entrypoint. And that can make all the difference…

Peter Ferrie, Microsoft Corporation

Slide 3

Entry Point

Slide 4

C3 RET

Slide 5

So the main file does nothing. If we assume that the structure is normal, then we could check the thread local storage table. Just in case.
Slide 6

TLS is present (size doesn’t matter)

Slide 7

Callback pointer

Callback array
Slide 8

So the search moves to the callbacks, of which there is only one, but it looks peculiar. It’s not a virtual address.

Slide 9
Slide 10

Imported TLS callbacks

We know that the TLS callback array can be altered at runtime. We know that the TLS callbacks can point outside of the image. Now we are looking at a new way to achieve that. Imports are resolved before TLS callbacks are called. So TLS callbacks can be imported addresses! Let’s check the import table.
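A check for the technique these slides describe, added here as an example; it is not code from the slides or from Peter Ferrie. It parses an image laid out by RVA (a section-mapped dump, which is an assumption of the example; a file on disk would first need its sections mapped to their RVAs), locates the TLS directory, and reports two things: callback entries that are not virtual addresses inside the image, and a callback array that overlaps an import thunk table, since the loader fills those slots with resolved imports before it calls the callbacks. It handles both PE32 and PE32+, which is more than the slides show. The helper build_sample_image constructs a PE32 layout modelled on the slides (a lone RET at the entry point, a single import ‘a’ from TLS3.DLL, AddressOfCallBacks aimed at that import’s IAT slot); every address in it (0x400000, 0x2000, 0x2100, 0x10001000) is invented for the example.

```python
import struct

# Data directory indices from winnt.h
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_TLS = 9

def _u16(b, o): return struct.unpack_from("<H", b, o)[0]
def _u32(b, o): return struct.unpack_from("<I", b, o)[0]
def _u64(b, o): return struct.unpack_from("<Q", b, o)[0]

def parse_headers(img):
    """ImageBase, SizeOfImage, PE32+ flag and the non-empty data directories of an image indexed by RVA."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = _u32(img, 0x3C)
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 4 + 20                                  # IMAGE_OPTIONAL_HEADER follows IMAGE_FILE_HEADER
    magic = _u16(img, opt)
    if magic == 0x10B:                                 # PE32
        plus, image_base = False, _u32(img, opt + 28)
        ndirs, dd = _u32(img, opt + 92), opt + 96
    elif magic == 0x20B:                               # PE32+
        plus, image_base = True, _u64(img, opt + 24)
        ndirs, dd = _u32(img, opt + 108), opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", img, dd + 8 * i)
        if rva:
            dirs[i] = (rva, size)
    return image_base, _u32(img, opt + 56), plus, dirs

def import_thunk_ranges(img, dirs, plus):
    """RVA ranges of every import descriptor's FirstThunk array: the slots the loader overwrites
    with resolved addresses (walked from the descriptors, since the IAT directory entry is optional)."""
    ptr, read = (8, _u64) if plus else (4, _u32)
    ranges, desc = [], dirs.get(IMAGE_DIRECTORY_ENTRY_IMPORT, (0, 0))[0]
    while desc and any(img[desc:desc + 20]):           # descriptor table ends with an all-zero entry
        first_thunk, n = _u32(img, desc + 16), 0
        while first_thunk + (n + 1) * ptr <= len(img) and read(img, first_thunk + n * ptr):
            n += 1                                     # count thunks up to the null terminator
        ranges.append((first_thunk, first_thunk + (n + 1) * ptr))
        desc += 20
    return ranges

def audit_tls_callbacks(img, max_entries=64):
    """Walk the TLS callback array and flag entries that are not VAs inside the image, and an
    array that overlaps an import thunk table (the loader fills such a slot before calling it)."""
    image_base, size_of_image, plus, dirs = parse_headers(img)
    ptr, read = (8, _u64) if plus else (4, _u32)
    in_image = lambda va: image_base <= va < image_base + size_of_image
    report = {"has_tls": False, "callbacks_va": 0, "entries": [],
              "overlaps_import_thunks": False, "not_in_image": []}
    if IMAGE_DIRECTORY_ENTRY_TLS not in dirs:
        return report
    report["has_tls"] = True
    tls_rva = dirs[IMAGE_DIRECTORY_ENTRY_TLS][0]       # directory Size is not checked by the loader
    cb_va = read(img, tls_rva + 3 * ptr)               # TLS directory fields are VAs; 4th is AddressOfCallBacks
    report["callbacks_va"] = cb_va
    if not in_image(cb_va):
        return report                                  # the array itself lies outside the image
    thunks = import_thunk_ranges(img, dirs, plus)
    for n in range(max_entries):
        off = cb_va - image_base + n * ptr
        if off + ptr > len(img) or read(img, off) == 0:
            break
        entry = read(img, off)
        report["entries"].append(entry)
        if any(lo <= off < hi for lo, hi in thunks):
            report["overlaps_import_thunks"] = True
        if not in_image(entry):                        # on disk an IAT slot holds a hint/name RVA, not a VA
            report["not_in_image"].append(entry)
    return report

def build_sample_image(resolved_target=None):
    """Constructed PE32 image (not a real sample): a RET entry point, one import 'a' from TLS3.DLL,
    and AddressOfCallBacks aimed at that import's IAT slot; resolved_target simulates the loader's fill."""
    base, img = 0x400000, bytearray(0x3000)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew
    struct.pack_into("<HH12xH", img, 0x84, 0x14C, 1, 224)            # Machine i386, 1 section, SizeOfOptionalHeader
    opt = 0x98
    # Magic (PE32) @0, AddressOfEntryPoint @16, ImageBase @28, SizeOfImage @56, NumberOfRvaAndSizes @92
    struct.pack_into("<H14xI8xI24xI32xI", img, opt, 0x10B, 0x1000, base, len(img), 16)
    dd = opt + 96
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x2400, 40)
    struct.pack_into("<II", img, dd + 8 * IMAGE_DIRECTORY_ENTRY_TLS, 0x2000, 24)
    img[0x1000] = 0xC3                                               # C3 RET: the main file does nothing
    # IMAGE_TLS_DIRECTORY32: RawStart, RawEnd, Index, Callbacks (all VAs), ZeroFill, Characteristics
    struct.pack_into("<6I", img, 0x2000, base + 0x2200, base + 0x2204, base + 0x2208, base + 0x2100, 0, 0)
    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<5I", img, 0x2400, 0x2110, 0, 0, 0x2300, 0x2100)
    img[0x2300:0x2309], img[0x2310:0x2314] = b"TLS3.DLL\0", b"\0\0a\0"  # DLL name; hint 0 + "a"
    struct.pack_into("<II", img, 0x2110, 0x2310, 0)                  # INT: RVA of the hint/name entry, end
    struct.pack_into("<II", img, 0x2100, resolved_target or 0x2310, 0)  # IAT slot, doubling as callback[0]
    return bytes(img)
```

Running audit_tls_callbacks(build_sample_image()) reports the pre-resolution state of slide 8: a single callback entry, 0x2310, which is the RVA of the hint/name entry rather than a virtual address, sitting inside the TLS3.DLL import thunks. Passing resolved_target=0x10001000 models the state after the loader has run: the same slot now holds a virtual address outside the image, which is what actually gets called.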

Slide 11

TLS3.DLL

Slide 12

a

Slide 13

So the search moves to TLS3.DLL, and the mysterious function called ‘a’.

Slide 14
Slide 15

So that’s how it’s done. If we let it run…

Slide 16

Slide 17

The code runs.

File name: tls3.pptx